US-CERT Warns of Old SAP Software Vulnerability

Robinson+Cole Data Privacy + Security Insider

The United States Computer Emergency Readiness Team (US-CERT), part of the U.S. Department of Homeland Security, recently issued an alert to the public about a vulnerability in outdated software developed by SAP SE that cyberattackers are actively using to infiltrate companies’ systems.

According to the alert, “SAP systems running outdated or misconfigured software are exposed to increased risks of malicious attacks.” The vulnerability affects SAP’s Java-based application server (SAP NetWeaver Application Server Java). The vulnerable component, the Invoker Servlet, lets a request call any servlet class directly by name in the URL, bypassing the authentication an application would normally apply. SAP has stated that it disabled the Invoker Servlet in 2010 and that current releases of the software no longer contain the vulnerability. Although SAP issued a security advisory about the vulnerability (SAP Security Note #1445998) in 2010, a recent report by a security firm found evidence that attackers have used this old vulnerability in attempts to gain access to the systems of approximately three dozen companies across a range of industries.

If the attack succeeds, the cyberattacker can execute arbitrary operating system commands and create SAP administrator accounts from an ordinary web browser, with no valid SAP user ID or password. In effect, the attacker grants himself free access to the system by creating his own user ID and password. According to the alert, “Exploitation of the Invoker Servlet vulnerability gives unauthenticated remote attackers full access to affected SAP platforms, providing complete control of the business information and processes on these systems, as well as potential access to other systems.”

The bottom line is that when software companies, such as SAP, publish fixes for security vulnerabilities, it is important to follow the company’s instructions and apply the recommended security configuration, not just the code update. In this case the fix is a configuration change (disabling the Invoker Servlet), so an older system that was never reconfigured as the note directs may still be exposed even though the vendor addressed the problem years ago.

Heed US-CERT’s warning and check with your IT folks now to confirm that the SAP fix has been applied and that the Invoker Servlet is disabled on every SAP Java system.
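As an added illustration, not part of the original post or of US-CERT’s alert, the following Python script searches web server access logs for requests addressed to the Invoker Servlet, so that a security team can see whether anyone has tried this against a system and whether the server accepted the request. It relies on one fact about the component: the Invoker Servlet dispatches a URL of the form /<application>/servlet/<fully.qualified.ClassName> straight to that servlet class. The log lines, client addresses and class names below are constructed for the example and are not real traffic.

```python
import re
from urllib.parse import urlsplit

# Common Log Format: ip ident user [timestamp] "METHOD target PROTOCOL" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The Invoker Servlet dispatches /<context-root>/servlet/<fully.qualified.ClassName>
# directly to that class, bypassing the application's own servlet mappings.
# Requiring at least one dot in the name keeps ordinary servlets that merely
# happen to be mapped under "/servlet/" out of the results.
INVOKER_RE = re.compile(r"/servlet/([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+)")

# Constructed sample lines (not real traffic); the class names are placeholders.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - jdoe [10/May/2016:09:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/May/2016:09:13:44 +0000] "GET /app/servlet/com.example.ConfigServlet?param=x HTTP/1.1" 200 318',
    '203.0.113.7 - - [10/May/2016:09:13:52 +0000] "POST /app/servlet/com.example.ConfigServlet HTTP/1.1" 200 91',
    '198.51.100.9 - - [10/May/2016:09:20:10 +0000] "GET /app/servlet/com.example.AdminTool HTTP/1.1" 404 0',
    '10.0.0.8 - - [10/May/2016:09:21:03 +0000] "GET /app/servlet/status HTTP/1.1" 200 42',
    'garbage line that does not parse',
]


def find_invoker_requests(lines):
    """Return one dict per request whose path looks like an Invoker Servlet call."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in Common Log Format; skip rather than guess
        path = urlsplit(m.group("target")).path  # drop the query string before matching
        inv = INVOKER_RE.search(path)
        if not inv:
            continue
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "method": m.group("method"),
            "path": path,
            "servlet_class": inv.group(1),
            "status": int(m.group("status")),
        })
    return hits


def summarize_by_source(hits):
    """Group hits per client address. A status below 400 is counted as 'succeeded':
    the server did not reject the request outright, which is a sign the Invoker
    Servlet may still be enabled and the request deserves manual review."""
    summary = {}
    for h in hits:
        s = summary.setdefault(h["ip"], {"attempts": 0, "succeeded": 0, "classes": set()})
        s["attempts"] += 1
        if h["status"] < 400:
            s["succeeded"] += 1
        s["classes"].add(h["servlet_class"])
    return summary


if __name__ == "__main__":
    for ip, s in summarize_by_source(find_invoker_requests(SAMPLE_ACCESS_LOG)).items():
        print(f"{ip}: {s['attempts']} invoker request(s), {s['succeeded']} not rejected, "
              f"classes={sorted(s['classes'])}")
```

On the constructed lines, the request for /app/servlet/status is deliberately not flagged, because a bare name is an ordinary servlet mapping rather than a class name, and the unparseable line is skipped. Against real logs, treat any Invoker Servlet request that the server did not reject as evidence that the servlet is still enabled on that system, and confirm the configuration against SAP’s note rather than relying on the log alone; a success status can also come from an error page, so review the hits by hand.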


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising
