How can a 13-year-old configuration flaw affect SAP systems?
Cybersecurity vendor Onapsis found a 13-year-old flaw that affects nine out of 10 SAP NetWeaver systems. Learn how the flaw affects SAP systems with expert Judith Myerson.
A 13-year-old SAP configuration flaw in SAP NetWeaver systems was discovered by cybersecurity vendor Onapsis. What does the configuration flaw affect and how can it be fixed?
According to a recent report from Onapsis Inc., a cybersecurity company based in Boston that specializes in monitoring and protecting SAP and Oracle business applications, a configuration flaw first reported to SAP in 2005 by Onapsis CEO Mariano Nunez still leaves as many as nine out of 10 SAP systems vulnerable to compromise.
The configuration flaw affects SAP NetWeaver, the foundation for many SAP applications deployed worldwide. Affected applications include supplier relationship management, product lifecycle management, enterprise resource planning, transportation management and SAP's next-generation digital business suite, S/4HANA.
The original vulnerability enabled unauthenticated users to exploit unprotected remote function call (RFC) gateways to bypass SAP security controls, potentially taking full remote control of SAP systems. While SAP addressed that vulnerability by delivering secure access control lists (ACLs), Onapsis reported earlier this year that some SAP services, such as the SAP Message Server, may still be exposed to remote attack.
The flaw stems from missing or insecure Message Server access control list configuration on SAP systems, specifically the profile parameter ms/acl_info, which names the ACL file listing the hostnames, domains and IP addresses permitted to register with the Message Server. Without a restrictive ACL, an attacker can register a fake application server with the Message Server. Port 3900 is the default internal Message Server port.
SAP system administrators can fix this vulnerability by setting a value for the profile parameter rdisp/msserv_internal = <value>. In the default configuration this parameter is zero, which means no separate port is used for internal communication with application servers.
Once a value is set, the Message Server opens a second port, in addition to its own port sapms<SID> (rdisp/msserv), that is used only for internal communication with the application servers. Application servers must log on through this internal port; an application server that attempts to log on through the external port sapms<SID> is denied access. All fixes should be tested to ensure they do not create new vulnerabilities in SAP systems.
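The two settings described above can be checked from the instance profile and the ACL file before and after the fix. The following Python script is an added example, not code from the article, Onapsis or SAP: it parses a key = value profile and an ACL file in the HOST=<pattern> line format, flags rdisp/msserv_internal left at zero, a missing ms/acl_info, or an ACL that permits every host. The profile text, the ACL contents, the SID PRD, the path under /usr/sap and the host names are all constructed sample values.

```python
"""Audit an SAP NetWeaver instance profile for the Message Server settings
discussed above. Added example; the profile and ACL texts are constructed
samples, not content from a real system."""
import re
from typing import Dict, List, Optional

# Constructed sample profile: rdisp/msserv_internal left at its default of 0
# and no ms/acl_info parameter at all.
WEAK_PROFILE = """\
# constructed sample instance profile (weak)
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
rdisp/msserv = sapmsPRD
rdisp/msserv_internal = 0
"""

# Constructed sample profile with an internal port and an ACL file configured.
HARDENED_PROFILE = """\
# constructed sample instance profile (hardened)
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
rdisp/msserv = sapmsPRD
rdisp/msserv_internal = 3900
ms/acl_info = /usr/sap/PRD/SYS/global/ms_acl_info
"""

# Constructed ACL file contents (HOST=<pattern> lines, assumed format).
PERMISSIVE_ACL = "HOST=*\n"
RESTRICTIVE_ACL = """\
HOST=appsrv01.corp.example
HOST=appsrv02.corp.example
HOST=10.20.30.*
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Return profile parameters as a dict; '#' lines and blanks are skipped."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def parse_acl(text: str) -> List[str]:
    """Return the host patterns from HOST=<pattern> lines of an ACL file."""
    hosts: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"HOST\s*=\s*(\S+)", line, re.IGNORECASE)
        if match:
            hosts.append(match.group(1))
    return hosts


def audit(profile_text: str, acl_text: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means both settings look sane."""
    findings: List[str] = []
    params = parse_profile(profile_text)

    # Finding 1: no separate internal port, so application servers and
    # external clients share sapms<SID>.
    if params.get("rdisp/msserv_internal", "0") == "0":
        findings.append("rdisp/msserv_internal is 0: no separate internal port")

    # Finding 2: no ACL at all, or an ACL that admits any host.
    if "ms/acl_info" not in params:
        findings.append("ms/acl_info not set: any host may register as an application server")
    elif acl_text is None:
        findings.append("ms/acl_info set but ACL file content not available for review")
    else:
        hosts = parse_acl(acl_text)
        if not hosts:
            findings.append("ACL file contains no HOST entries")
        for host in hosts:
            if host in ("*", "*.*.*.*"):
                findings.append(f"ACL entry HOST={host} permits every host")
    return findings


if __name__ == "__main__":
    for label, prof, acl in (("weak", WEAK_PROFILE, None),
                             ("hardened, permissive ACL", HARDENED_PROFILE, PERMISSIVE_ACL),
                             ("hardened, restrictive ACL", HARDENED_PROFILE, RESTRICTIVE_ACL)):
        print(label, "->", audit(prof, acl) or ["no findings"])
```

On a real system the script would be pointed at the instance profile under the SYS/profile directory and at the file named by ms/acl_info; the wildcard check is deliberately narrow, so an entry such as HOST=*.corp.example is reported as a host pattern rather than as a finding and should still be reviewed by hand.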