The bombshell exploded right at the beginning of the year: almost all computer chips worldwide are affected by the so-called "Spectre" and "Meltdown" attack scenarios. They take effect at the hardware level and are therefore not limited to one OS. To make matters worse, the required patches will slow down affected devices. A vulnerability could hardly cause more ripples. From an SAP® customer's viewpoint, the question that comes to mind is whether this affects the security of my SAP systems. Are they even at risk, and if so, how high is the risk? Find all the important answers in this post.
- Spectre and Meltdown? What exactly are they?
The details of these vulnerabilities have been all over the media in the past few days, but were mostly covered only superficially. The guys at cnet.com delivered quite a good summary, though.
- Are SAP systems affected by them?
Since the vulnerabilities affect the hardware architecture of common processors, SAP systems are also affected. This applies only if the processors of these systems are affected, of course, but that is quite likely. We can therefore assume that the majority of SAP systems are affected.
- Has it become simpler for hackers to attack SAP systems?
Not necessarily. Since this is, as mentioned before, a hardware-based problem, it mainly affects data that is stored in the memory of the processor. In SAP systems, this can naturally also include SAP data. It is more likely, though, that SAP systems, which are often only insufficiently protected (German only), serve as a point of entry for attacks on processors, from where malicious code will be distributed.
- What can SAP customers do now?
Most OS developers reacted quickly and have already delivered first patches, and processor manufacturers will provide their respective fixes within the next days and weeks.
The patches from the processor manufacturers in particular have one considerable disadvantage from an SAP customer's point of view: they require a reboot of the system. We have already described that this cannot simply be done, considering SAP's security advice.
- Is there a risk when I am in the cloud?
Customers that use the SAP Cloud have the advantage here. Cloud systems belonged to the first batch to be patched and only one system needed to be updated. Whoever wants to update a complete on-premise SAP system landscape has quite a Herculean task before them, a task that should be started as soon as possible. Experts fear that attackers will adopt Spectre and Meltdown into their attack arsenals to get their hands on sensitive company data. We therefore recommend applying the patches as soon as possible.
- How can I protect myself?
Secure your SAP systems! Vulnerabilities in SAP landscapes arise mainly in three different ways:
- insecure configurations
- flawed custom code
- risky transports
If you manage to secure these floodgates as effectively as possible, you will eliminate the majority of risks. If you haven't yet given a security strategy any thought, we recommend our Vulnerability Assessment so that you get a feel for the security status of your SAP systems.