Today SAP announced that there is a "critical vulnerability" in the cryptographic libraries that form part of its SAP NetWeaver ABAP and SAP HANA systems, leaving them vulnerable to spoofing of their digital signatures.
In real terms this means that another system, if it exploited this vulnerability correctly, could pose as your system or forge logon tickets to gain access to your system. Thankfully SAP has released an update to these libraries which fixes the issue in SAP Note 2067859.
On the plus side...
In an email to customers and partners today SAP informed us that the vulnerability was discovered by an "SAP Internal research" team. This is a good thing for a number of reasons:
Firstly, it means that SAP is researching how its own systems can be exploited - something we would all hope they are working on but it's nice to see the fruits of their labour. Penetration testing of enterprise systems as large as SAP can be difficult and quite a daunting task so knowing they are working on this is most definitely a bonus.
Secondly, it means that this is not an exploit that was spotted being actively used in the wild. Being discovered by researchers rather than malicious groups is, of course, a good thing. So we have time to react and fix the issue before it becomes a problem.
Finally, responsible disclosure. Normally this relates to third parties telling a company about a problem with their product, but it also applies to the way companies disclose the vulnerability to the wider community. In this case SAP provided a fix together with a detailed email illustrating clearly what the problem was, and for that I applaud SAP. That said, I would love to know how much time passed between discovery and disclosure, as that may change my mind on this being a good thing, but let's err on the side of the positive.
On the downside...
The obvious negative for this vulnerability is of course the nature of it. Essentially, in the worst case scenario your system could be compromised to the point of a malicious third party gaining privileged access to the system. Not a pleasant thought, and combined with the slow pace at which SAP patches are generally applied it means that we may see this vulnerability present in SAP systems for years to come.
What should we do?
There is a lot we can and should do. For now here are two main points.
- Firstly, of course, apply the latest version of SAP's crypto libraries to all existing ABAP and SAP HANA systems to make sure they are up to date.
- All system certificates or PSEs should be replaced to create a new digital signature for your system. This may seem unnecessary, but seeing as your system had the potential to be compromised you have a responsibility to revoke all existing certificates and issue new ones.
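One way to keep track of the second point is to check which PSE files have not been re-issued since the fixed library went in. The script below is an added example and not part of the original post or of SAP's tooling; it assumes PSEs live under the directory named by SECUDIR and end in `.pse`, and it builds a constructed sample directory with placeholder files (not real PSEs) so it runs offline. The patch date is an assumed value to replace with the date you actually applied SAP Note 2067859.

```python
"""Flag SAP PSE files that were not re-issued after the crypto library patch.

Added example, not from the original post. Assumes PSE files sit under the
directory named by SECUDIR and carry a ".pse" suffix. The sample directory
built by build_sample_secudir() is constructed placeholder data, not real PSEs.
"""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed date on which the fixed library (SAP Note 2067859) was installed.
PATCH_DATE = datetime(2014, 11, 1, tzinfo=timezone.utc)


def find_stale_pses(secudir, patched_at):
    """Return PSE paths (relative to secudir) last modified before `patched_at`.

    A PSE that still predates the patch carries a key pair generated while the
    vulnerable library was in place, so it belongs on the replacement list.
    """
    stale = []
    for pse in sorted(Path(secudir).rglob("*.pse")):
        modified = datetime.fromtimestamp(pse.stat().st_mtime, tz=timezone.utc)
        if modified < patched_at:
            stale.append(str(pse.relative_to(secudir)))
    return stale


def build_sample_secudir():
    """Create a throwaway SECUDIR with three constructed PSE placeholders."""
    root = Path(tempfile.mkdtemp(prefix="secudir-"))
    samples = {
        # constructed sample names and timestamps, not taken from a real system
        "SAPSYS.pse": datetime(2014, 6, 1, tzinfo=timezone.utc),    # pre-patch
        "SAPSSLS.pse": datetime(2014, 12, 1, tzinfo=timezone.utc),  # re-issued
        "SAPSNCS.pse": datetime(2014, 9, 15, tzinfo=timezone.utc),  # pre-patch
    }
    for name, when in samples.items():
        path = root / name
        path.write_bytes(b"constructed placeholder, not a real PSE")
        ts = when.timestamp()
        os.utime(path, (ts, ts))  # backdate the file to the sample timestamp
    return root


def run_sample_check():
    """Run the check against the constructed sample directory."""
    return find_stale_pses(build_sample_secudir(), PATCH_DATE)


if __name__ == "__main__":
    secudir = os.environ.get("SECUDIR") or build_sample_secudir()
    for pse in find_stale_pses(secudir, PATCH_DATE):
        print(f"replace: {pse} (not re-issued since patch)")
```

Run it with SECUDIR pointing at a real PSE directory to get the list of files still to replace; with SECUDIR unset it reports the two backdated sample files. File modification time is only a first-pass indicator, so treat a clean result as a prompt to confirm against your certificate records rather than as proof.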
SAP as an enterprise system is far from immune to zero-day vulnerabilities, and you should have a plan for how to react to new ones as they emerge. Right now, and for the next few years, we are in the age of privacy and security, so this will not be the last security worry your enterprise will face - so plan, be proactive with security reviews and ensure you are ready for the next issue.
Don't get caught out!