Thursday, May 26, 2022

Ops, security team gaps lead to SAP vulnerabilities, says vendor

As Sapphire goes on this week in Orlando, by coincidence — or not — comes an interesting analysis of SAP vulnerabilities from a vendor that specializes in security solutions for the platform.

Boston-based Onapsis Inc. said Tuesday that after analysing customer installations it concluded over 95 percent of SAP systems were exposed to vulnerabilities that could lead to full compromise of the company’s business data and processes.

“The big surprise is that SAP cybersecurity is falling through the cracks at most companies due to a ‘responsibility’ gap between the SAP operations team and the IT security team,” Onapsis CEO Mariano Nunez said in a release. “The truth is that most patches applied are not security-related, are late or introduce further operational risk. Breaches are happening every day but still many CISOs don’t know because they don’t have visibility into their SAP applications.”

“This trend is not only continuing, but exacerbating with SAP HANA,” Nunez said, which has brought a 450 per cent increase in new security patches specifically affecting this platform. With SAP HANA positioned in the center of the SAP ecosystem, data stored in SAP platforms now must be protected both in the cloud and on-premise.”

The three biggest vulnerabilities it found were

  1. Customer information and credit card breaches using pivoting between SAP systems. The attack begins with a pivot from a system with lower security to a critical system in order to execute remote function modules in the destination system.
  2. Customer and supplier portal attacks. Backdoor users are created in the SAP J2EE User Management Engine. By exploiting a vulnerability, the hacker can obtain access to SAP Portals and Process Integration platforms and their connected, internal systems.
  3. Database warehousing attacks through SAP [NYSE: SAP] proprietary protocols. This attack is performed by executing operating system commands under the privileges of a particular user, and by exploiting vulnerabilities in the SAP RFC Gateway. The hacker is able to obtain and potentially modify any business information stored in the SAP database.

Customers have to stay up to date with the latest SAP Security Notes and ensure their systems are configured properly in order to meet compliance requirements and strengthened security, the vendor says.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.