Researchers at Onapsis and DHS CERT today published reports describing a critical SAP Invoker Servlet vulnerability that has been used to attack 36 global enterprises spanning 15 critical industries.

Three dozen global enterprises have been breached by attackers who exploited a single, mitigated vulnerability in SAP business applications.

The attacks have been carried out since 2013 and are ongoing against large organizations owned by corporations in the United States, United Kingdom, Germany, China, India, Japan, and South Korea, spanning 15 critical industries, researchers at Onapsis said today.

US-CERT also published an alert this morning, the first in its history for SAP applications.

The severity of these attacks is high and should put on notice other organizations that run critical business processes and data through SAP Java applications.

“The exploitation of this vulnerability gives remote unauthenticated attackers full access to the affected SAP platforms, providing them with complete control of the business information and processes run by them, as well as potentially further access to connected SAP and non-SAP systems,” the Onapsis report says.

The issue lies in the Invoker Servlet, which is part of the standard J2EE specification and enables developers to test custom Java applications. When it is enabled, developers and users can call these servlets directly over the Internet without authentication or authorization controls. Attackers, however, can take advantage of this same functionality to exploit these business-critical systems.

“Anyone knowing the URL of the servlet can interact with an SAP application,” Onapsis CEO Mariano Nunez told Threatpost. “When you combine that with sensitive SAP functionality that can enable users to create user accounts or execute operating system commands, that’s where this becomes really critical.”

SAP provided the capability to disable Invoker Servlet by default more than five years ago in SAP Note 1445998; it is also disabled by default in 7.20 and 7.30 versions of the J2EE engine. Onapsis said that in exploits it observed, attackers were able to send crafted packets, over HTTP or HTTPS, to vulnerable SAP systems that bypass authentication controls and access the SAP Java Configuration Wizard/Template Installer. Access to this application gave the attackers the ability to execute arbitrary commands and create new accounts in the SAP system, Onapsis said.

“The impact of this attack is the worst possible outcome: a remote attacker can execute arbitrary operating system commands with high privileges and/or create SAP administration users, simply using a web browser and without the need to initially have a valid SAP user ID and password in the target system,” Onapsis said in its report.

Nunez characterizes this issue as a vulnerability, even though SAP’s security note isn’t a traditional security patch.

“I think it’s a vulnerability,” he said. “It’s functionality that shouldn’t be available in production systems. Maybe SAP’s decision to remove it by default from newer versions says it’s a risk that has to be prevented.”

Onapsis also cautioned that although Invoker Servlet can be disabled globally, the global setting can be overridden by custom SAP Java applications. That makes it critical to review custom Java apps and to monitor that any change, such as a restore from an old backup, leaves Invoker Servlet disabled.

“That’s the tricky part where you can have a global setting enabling it, or it can be defined on a per-app basis,” Nunez said. “A custom application could have the setting on and it works even though it’s normally disabled. That’s why SAP security is so hard because these applications are so customizable.”
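One way to operationalize the review Onapsis recommends, as an added example that is not code from the article, Onapsis, or SAP: it computes each application's effective Invoker Servlet state from a global flag plus optional per-app overrides, and fingerprints the settings so that a restore from an old backup shows up as configuration drift. The configuration shape and field names here are assumptions for illustration, not SAP's real property or descriptor names.

```python
"""Audit the effective Invoker Servlet state across SAP Java applications.

Added example, not from the article or from SAP/Onapsis. The global flag and
per-app descriptors are constructed stand-ins modelling the precedence the
article describes (a per-app setting overrides the global one); the real SAP
property and descriptor names are not assumed here.
"""
from dataclasses import dataclass
from typing import Optional
import hashlib
import json


@dataclass
class AppDescriptor:
    name: str
    custom: bool                      # customer-developed app: review priority
    invoker_override: Optional[bool]  # None = inherit the global setting


def effective_state(global_enabled: bool, app: AppDescriptor) -> bool:
    """A per-app override wins; otherwise the global setting applies."""
    return app.invoker_override if app.invoker_override is not None else global_enabled


def audit(global_enabled: bool, apps: list) -> list:
    """Return one finding per scope where Invoker Servlet is effectively on."""
    findings = []
    if global_enabled:
        findings.append({"scope": "global", "issue": "Invoker Servlet enabled globally"})
    for app in apps:
        if effective_state(global_enabled, app):
            how = "per-app override" if app.invoker_override else "inherited from global"
            findings.append({"scope": app.name, "custom": app.custom,
                             "issue": f"Invoker Servlet effectively enabled ({how})"})
    return findings


def config_fingerprint(global_enabled: bool, apps: list) -> str:
    """Stable hash of the security-relevant settings, recorded as a baseline
    after hardening; recompute after deployments or restores to spot drift."""
    doc = {"global": global_enabled,
           "apps": sorted((a.name, a.invoker_override) for a in apps)}
    return hashlib.sha256(json.dumps(doc, sort_keys=True).encode()).hexdigest()


def detect_drift(baseline_fp: str, global_enabled: bool, apps: list) -> bool:
    return config_fingerprint(global_enabled, apps) != baseline_fp


# Constructed sample: hardened global setting, but one custom app overrides it.
SAMPLE_APPS = [
    AppDescriptor("sap.com/standard_portal", custom=False, invoker_override=None),
    AppDescriptor("custom/legacy_reporting", custom=True, invoker_override=True),
    AppDescriptor("custom/hr_selfservice", custom=True, invoker_override=False),
]

if __name__ == "__main__":
    for finding in audit(False, SAMPLE_APPS):
        print(finding)
```

With the sample data the global setting is off, yet the audit still reports `custom/legacy_reporting`, which is exactly the per-app override case Nunez describes.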

Many SAP business applications are built on top of the SAP Java framework that includes Invoker Servlet, including, according to CERT:

SAP Enterprise Resource Planning (ERP)
SAP Product Lifecycle Management (PLM)
SAP Customer Relationship Management (CRM)
SAP Supply Chain Management (SCM)
SAP Supplier Relationship Management (SRM)
SAP NetWeaver Business Warehouse (BW)
SAP Business Intelligence (BI)
SAP NetWeaver Mobile Infrastructure (MI)
SAP Enterprise Portal (EP)
SAP Process Integration (PI)
SAP Exchange Infrastructure (XI)
SAP Solution Manager (SolMan)
SAP NetWeaver Development Infrastructure (NWDI)
SAP Central Process Scheduling (CPS)
SAP NetWeaver Composition Environment (CE)
SAP NetWeaver Enterprise Search
SAP NetWeaver Identity Management (IdM)
SAP Governance, Risk & Control 5.x (GRC)

Nunez pointed out that while this particular issue was critical enough to warrant an alert from US-CERT, SAP admins need to remain vigilant about patching business-critical systems; SAP, for example, has a monthly security patch release cycle.

“This is just one vulnerability, but SAP patches roughly 30 a month,” Nunez said. “This says something about the lack of visibility security teams have around SAP vulnerabilities.”

SAP provided Threatpost with a statement:

“The vulnerable component in question, ‘Invoker Servlet,’ was disabled by SAP in SAP NetWeaver 7.20, which was released in 2010. SAP has released patches to applications under maintenance and therefore all SAP applications released since then are free of this vulnerability.

“Configuration changes such as these were known to break custom software development by the customer, and this is the reason why the feature was not disabled by default in releases older than SAP NetWeaver 7.20. In the interest of security of SAP operations at customer sites, the security advisory 1445998 released by SAP in Nov 2010 notifies the customer that Invoker Servlet is disabled by default in SAP NetWeaver 7.20, and advises the customer to first disable Invoker Servlet in his environment and then deploy tested custom applications.”

This article was updated May 11 to include a statement from SAP.