Last week, SAP® informed the public about several SAP security vulnerabilities that would have enabled attackers to steal data unnoticed or to sabotage SAP servers. These critical vulnerabilities were found in SAP applications that are used by many customers.
These vulnerabilities have already been patched in the respective SAP security notes. Customers are advised to implement these security notes as soon as possible. Unfortunately, our experience shows that not all security notes are implemented immediately. A survey of SAP customers conducted by IT-Onlinemagazin shows that almost a third of all customers fail to implement security notes within three months of their release.
One of the published vulnerabilities in particular shows why customers should implement the respective security note as soon as possible: it exploits a weakness in Web Dynpro Island Development. Island Development is primarily used by developers to circumvent restrictions in the user interface of Web Dynpro applications. It follows that this kind of vulnerability can be expected in many applications that are reachable via the public Internet.
In other words, both the probability and the potential damage of an attack are quite high in this case. So why are security notes nevertheless implemented so late? There are various possible reasons: a lack of resources to manage security notes, or the worry that certain processes might stop working after the patch, which in a productive SAP system can lead to exorbitant costs. One has to bear in mind that once the notes are published, attackers also know about the hole and will surely attempt to exploit it.
The only effective solution is to establish a patch management process. With our Security Advisory Service, we support our customers by analyzing all released security notes each month and comparing them against the customer's SAP system landscape. On request, we also assist with the implementation of the notes.
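The core of that monthly comparison can be automated in outline. The following Python example is added here and is not the advisory service's own tooling; it assumes a simplified note layout (affected component, release and the support package level that contains the fix) and uses constructed placeholder note ids and systems, not real SAP notes. Notes that apply to a system, are not yet implemented and have been public for longer than the survey's three-month window are flagged as overdue.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class SecurityNote:
    note_id: str        # placeholder id, not a real SAP note number
    component: str      # affected software component, e.g. SAP_BASIS
    release: str        # affected release of that component
    fixed_in_sp: int    # support package level that already contains the fix
    released: date      # publication date of the note
    priority: str       # SAP priority text: Hot News / High / Medium / Low

@dataclass(frozen=True)
class SapSystem:
    sid: str
    components: Dict[str, Tuple[str, int]]   # component -> (release, SP level)
    applied_notes: FrozenSet[str]            # note ids already implemented

def note_applies(note: SecurityNote, system: SapSystem) -> bool:
    # A system is affected if it runs the affected release below the fixed SP level.
    if note.component not in system.components:
        return False
    release, sp_level = system.components[note.component]
    return release == note.release and sp_level < note.fixed_in_sp

def open_notes(notes: List[SecurityNote], systems: List[SapSystem], today: date,
               max_age_days: int = 90) -> List[Tuple[str, str, str, int, bool]]:
    # Return (SID, note id, priority, days since release, overdue) for every note that
    # applies and is not yet implemented; overdue means older than the three-month window.
    findings = []
    for system in systems:
        for note in notes:
            if note.note_id in system.applied_notes or not note_applies(note, system):
                continue
            age = (today - note.released).days
            findings.append((system.sid, note.note_id, note.priority, age, age > max_age_days))
    return findings

# Constructed sample data: placeholder note ids, releases and SP levels, not real SAP notes.
NOTES = [
    SecurityNote("NOTE-A", "SAP_BASIS", "750", 14, date(2017, 3, 14), "Hot News"),
    SecurityNote("NOTE-B", "SAP_UI", "752", 3, date(2017, 6, 13), "High"),
    SecurityNote("NOTE-C", "SAP_BASIS", "740", 20, date(2017, 6, 13), "Medium"),
]
SYSTEMS = [
    SapSystem("PRD", {"SAP_BASIS": ("750", 12), "SAP_UI": ("752", 1)}, frozenset({"NOTE-B"})),
    SapSystem("HRP", {"SAP_BASIS": ("740", 18)}, frozenset()),
]
TODAY = date(2017, 7, 1)   # constructed reference date for the age calculation
```

Running `open_notes(NOTES, SYSTEMS, TODAY)` reports NOTE-A on PRD as overdue after 109 days, while NOTE-C on HRP is open but still inside the window; NOTE-B is skipped because PRD already has it applied.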
Another option is so-called Virtual Patching. SAP offers this function with the newest version of Enterprise Threat Detection (ETD): attacks that aim at a specific vulnerability are recognized immediately, and countermeasures can be taken. Our advisory service for SAP ETD includes setting up such virtual patches and, on request, the corresponding Managed Service so that these and other attacks can be recognized and classified.
For customers who use our SystemProfiler to secure their SAP system configuration, there is another option: with SystemProfiler, we offer over 500 checks that automatically find vulnerabilities and continuously monitor the configuration. Of course, we do not always cover newly found attack vectors like the ones mentioned above. SystemProfiler therefore offers the possibility of creating your own test cases without much effort, so that vulnerabilities can be fixed in the short run. In combination with our CodeProfiler, which secures custom ABAP coding as well as HANA developments and also comes with a few hundred checks, vulnerabilities like the ones just made public should not cause headaches for our customers. Feel free to contact us.