Critical flaw found in SAP software


By Dylan Bushell-Embling
Thursday, 16 July, 2020

The Australian Cyber Security Centre (ACSC) has warned of a critical flaw in SAP software that could allow attackers to take control of trusted SAP applications.

The critical vulnerability, in the LM Configuration Wizard Java component of SAP NetWeaver Application Server Java, was uncovered by security firm Onapsis.

The vulnerability can be exploited remotely over HTTP without a username or password. Because of these characteristics it has been given the highest possible score of 10 on the Common Vulnerability Scoring System.

Once attackers have gained control, they would be able to read, modify or delete every database record or file in the system, according to Onapsis.

“Because of the type of unrestricted access an attacker would obtain by exploiting unpatched systems, this vulnerability also may constitute a deficiency in an enterprise’s IT controls for regulatory mandates,” the company said.

SAP has issued security patches for the vulnerability, which the ACSC urges users of the affected products to apply as soon as possible.

Potentially vulnerable SAP solutions include all SAP Java-based solutions, including SAP's popular ERP, CRM and supply chain management software. Onapsis estimates that as many as 40,000 SAP customers worldwide might be affected by the bug.

As a mitigation measure, the ACSC is recommending that organisations unable to immediately apply the patches disable the LM Configuration Wizard service.

If even that cannot be done immediately, the ACSC recommends that organisations monitor their SAP NetWeaver systems and logs for any unusual activity.
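As a concrete starting point for that log monitoring, the Python script below is an added example written for this page; it is not code from the article, the ACSC, Onapsis or SAP. It assumes the web server's HTTP access log is in Common Log Format (adapt the regular expression to what your ICM or AS Java instance actually writes), that the wizard's URL prefix is known (WIZARD_PREFIX is a placeholder, not the real path; take the actual value from the vendor advisory for your release), and that the administrative hosts allowed to reach the wizard are listed in ALLOWED_SOURCES. The sample log lines are constructed for the example. Because the flaw is reachable over HTTP without credentials, the signal worth alerting on is the wizard path answering an unauthenticated request with HTTP 200, especially from a source outside the administrative allow-list and especially for POST requests.

```python
"""Flag suspicious requests to the LM Configuration Wizard in HTTP access logs.

Added example for this article, not vendor code. Assumptions:
  * access log lines are in Common Log Format (constructed samples below);
  * WIZARD_PREFIX is a placeholder, not the real wizard path;
  * ALLOWED_SOURCES lists the admin hosts permitted to use the wizard.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Placeholder prefix: replace with the real wizard path for your system.
WIZARD_PREFIX = "/lm-config-wizard"

# Constructed allow-list: the only host that should ever touch the wizard.
ALLOWED_SOURCES = {"10.0.5.10"}

# Common Log Format: src ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log (not real traffic). Line 4 is an unrelated portal
# request and line 5 is deliberately malformed to exercise the parser.
SAMPLE_LOG = [
    '10.0.5.10 - admin [16/Jul/2020:09:01:12 +1000] "GET /lm-config-wizard/status HTTP/1.1" 200 512',
    '203.0.113.7 - - [16/Jul/2020:09:02:44 +1000] "GET /lm-config-wizard/ HTTP/1.1" 200 1843',
    '203.0.113.7 - - [16/Jul/2020:09:02:51 +1000] "POST /lm-config-wizard/ HTTP/1.1" 200 212',
    '10.0.7.22 - jdoe [16/Jul/2020:09:03:10 +1000] "GET /irj/portal HTTP/1.1" 200 7711',
    'not a log line',
]


@dataclass
class Hit:
    src: str
    user: str
    ts: str
    method: str
    path: str
    status: int
    reasons: List[str]


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one CLF line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines: Iterable[str], wizard_prefix: str = WIZARD_PREFIX,
            allowed_sources=ALLOWED_SOURCES) -> List[Hit]:
    """Return every wizard request that trips at least one detection rule."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(wizard_prefix):
            continue
        reasons: List[str] = []
        # The wizard served a request carrying no authenticated user at all.
        if rec["user"] == "-" and rec["status"] == 200:
            reasons.append("served unauthenticated request (HTTP 200)")
        # Only administrative hosts should ever reach this component.
        if rec["src"] not in allowed_sources:
            reasons.append("source outside admin allow-list")
        # POSTs are the state-changing calls; a GET may just be recon.
        if rec["method"] == "POST":
            reasons.append("POST to wizard endpoint")
        if reasons:
            hits.append(Hit(rec["src"], rec["user"], rec["ts"], rec["method"],
                            rec["path"], rec["status"], reasons))
    return hits


def summarise(hits: Iterable[Hit]) -> Dict[str, int]:
    """Count flagged wizard requests per source address."""
    return dict(Counter(h.src for h in hits))


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.src} {h.method} {h.path} {h.status}: {'; '.join(h.reasons)}")
    print("per-source counts:", summarise(found))
```

Run against the constructed sample, the admin's GET from the allowed host passes cleanly while both requests from 203.0.113.7 are flagged, the POST on all three rules. In production feed the real access log through `analyse()` and route anything it returns to your alerting pipeline until the patch is applied and the wizard is disabled.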
