Old habits die hard —

Dozens of companies found open to SAP bug patched years ago

Dangerous Invoker servlet function was disabled in 2010, but it lives on.

Dozens of companies found open to SAP bug patched years ago

Update: May 12, 2016 8:50 PDT: The researchers who originally discovered the SAP vulnerability say they have uncovered evidence that 36 organizations were vulnerable to the bug. They say there's no evidence the organizations were actually breached. Ars has modified the original headline of this post to reflect this new information.

More than 36 organizations—some in the gas, telecommunications, and steel manufacturing industries—have been breached by attackers exploiting a vulnerability in older SAP business applications that gives them remote access to highly confidential data, the US government-sponsored CERT warned Wednesday.

The attacks were carried out over the past three years by attackers exploiting the "invoker servlet," which is a set of functions in SAP applications that allows users to run Java applications without use of a password or other authentication measure. Attackers outside the targeted organizations have abused the feature to gain access to sensitive data and possibly to take control over servers that process the data, according to researchers at security firm Onapsis.

"The exploitation of this vulnerability gives remote unauthenticated attackers full access to the affected SAP platforms, providing them with complete control of the business information and processes run by them, as well as potentially further access to connected SAP and non-SAP systems," company researchers wrote in a blog post published Wednesday.

SAP fixed the vulnerability in 2010 when it disabled the invoker servlet by default. The companies getting hit by the attacks appear to be running SAP applications that either predate those updates or overrode the default settings, possibly to make the SAP offerings compatible with custom software.

The US CERT on Wednesday issued an advisory warning of the threat and recommending all SAP users disable the invoker servlet. It also detailed more than a dozen SAP platforms that are potentially susceptible to the attack. Administrators who manage SAP servers should check to make sure they're properly configured. If global enterprises in security-sensitive industries are vulnerable, chances are others are, too.

Channel Ars Technica