Critical SAP Vulnerabilities in 2020

Mar 3, '20 by Joerg Schneider-Simon

While SAP helps businesses operate more efficiently through streamlined business processes, its complexity means it presents a significant attack surface for hackers.

Since businesses use SAP for managing their most sensitive business processes, it makes sense for SAP cybersecurity to be prominently addressed in an enterprise's security agenda. As more businesses migrate systems to the cloud, such as with SAP S/4 HANA, it's crucial for companies to be aware of current and potential vulnerabilities, so they can protect this vital business information and system data.

2020 is poised to feature increased cloud use and increased efficiencies through process optimization, and while these technologies benefit organizations, they can also increase risks. Here are some critical SAP vulnerabilities that should be on your cybersecurity agenda in 2020.

Vulnerabilities in the Cloud

Businesses are increasingly global, and the impact of this growth reaches into every aspect of daily operations. Notably, to efficiently manage global supply chains, enterprises are increasingly leveraging IoT devices.

This ability to connect and obtain real-time data can massively increase efficiencies. SAP Leonardo IoT, Edge Services, and Cloud Platform IoT can play essential roles in processing this data-driven intelligence from machines. These applications enable device management and integration, while creating a foundation for secure data consumption.

However, as has been demonstrated repeatedly, IoT devices are rarely designed with security in mind. Additionally, the form factor and limited resources on these devices often limit or even negate the ability to run separate security tools on the device itself.

As the scope of SAP systems can be quite broad, opportunities for misconfigurations abound. An increase in usage typically signals an accompanying increase in risk. Although cloud SAP offers agility and the ability to collect vast amounts of valuable data, the wide footprint can also increase the temptation for hackers to take advantage of vulnerabilities.

Vulnerabilities in SAP GUI

2020 may also see increased exploitation of vulnerabilities in SAP GUI. Gamker, a modified banking trojan, uses keylogging to record all keystrokes entered into any application running on infected computers. It captures log-in credentials (usernames and passwords), including those entered in SAP client applications.

In past years, high-severity security vulnerabilities were identified that exposed workstations to remote command execution. Weaknesses such as these in client software could open the door to ransomware attacks against SAP Mobile Platform (SMP) users. In particular, ransomware and malware actors have shifted focus over the past decade and now increasingly target large enterprises. The attack vectors are sophisticated and continually changing, and there is no magic tool to stop them in their tracks.

Patches and updates serve as the primary remedy against these vulnerabilities. Businesses should ensure they are staying up to date on recommended patches and updates. This sounds like a straightforward prescription for security, but since SAP systems are so complex, many businesses still run old, unpatched SAP versions, which increases and sustains their vulnerability.

Colliding Patch Days in 2020

Speaking of the importance of patch dates, 2020 will bring with it a schedule of substantial new patch releases to fix known vulnerabilities in the applications and platforms of six enterprise software vendors. The first occurred on January 14, 2020, with SAP addressing vulnerabilities including missing authorization checks, denial of service, content spoofing, and cross-site scripting.

Additionally, the vulnerability intelligence world is poised to experience a phenomenon similar to what meteorologists call the “Fujiwhara effect”, the meeting of two hurricanes. In 2020, major vendors, including Oracle, Microsoft, Adobe, SAP, Siemens, and Schneider Electric, will release their patches on the exact same days: January 14, April 14, and July 14. Other large vendors, including Apple, Google, Mozilla, Intel, Cisco, F5, and Juniper, may also release patches on these same days.

The concern here is evident. Organizations already struggle with staying on top of routine patches for one enterprise system, such as SAP. If an enterprise uses several systems and services (which is highly likely), then maintaining a secure systems landscape is that much more difficult. This increases the likelihood that operations will be interrupted or worse, that a critical patch update will be missed, which will enable vulnerabilities to persist.
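A patch-planning team can compute these collisions ahead of time instead of discovering them on the day. The following script is an added example, not part of the original article: it assumes SAP, Microsoft and Adobe release on the second Tuesday of every month and that Oracle's Critical Patch Update falls on the Tuesday closest to the 17th of January, April, July and October (the vendors' publicly stated cadences, encoded here as assumptions), and it lists the dates on which all four coincide.

```python
import calendar
from datetime import date, timedelta

# Vendor cadences are assumptions encoded for this example; verify them
# against each vendor's own security advisory page before relying on them.
YEAR = 2020


def second_tuesday(year, month):
    """Date of the second Tuesday of the month (SAP/Microsoft/Adobe cadence)."""
    first = date(year, month, 1)
    offset = (calendar.TUESDAY - first.weekday()) % 7   # days to first Tuesday
    return first + timedelta(days=offset + 7)


def oracle_cpu_day(year, month):
    """Oracle CPU: Tuesday closest to the 17th in Jan/Apr/Jul/Oct, else None."""
    if month not in (1, 4, 7, 10):
        return None
    anchor = date(year, month, 17)
    back = anchor - timedelta(days=(anchor.weekday() - calendar.TUESDAY) % 7)
    forward = back + timedelta(days=7)
    return back if (anchor - back) <= (forward - anchor) else forward


VENDOR_RULES = {
    "SAP": second_tuesday,
    "Microsoft": second_tuesday,
    "Adobe": second_tuesday,
    "Oracle": oracle_cpu_day,
}


def patch_calendar(year=YEAR, rules=VENDOR_RULES):
    """Map every release date in the year to the vendors releasing that day."""
    by_day = {}
    for month in range(1, 13):
        for vendor, rule in rules.items():
            day = rule(year, month)
            if day is not None:
                by_day.setdefault(day, []).append(vendor)
    return dict(sorted(by_day.items()))


def collision_days(year=YEAR, rules=VENDOR_RULES, min_vendors=None):
    """Dates on which at least min_vendors (default: all) vendors release together."""
    needed = len(rules) if min_vendors is None else min_vendors
    return {d: v for d, v in patch_calendar(year, rules).items() if len(v) >= needed}


if __name__ == "__main__":
    for day, vendors in patch_calendar().items():
        flag = "  <-- all vendors" if len(vendors) == len(VENDOR_RULES) else ""
        print(f"{day.isoformat()}  {', '.join(vendors)}{flag}")
```

Running it for 2020 flags January 14, April 14 and July 14 as full collisions, while October's Oracle update (October 20) lands a week after Patch Tuesday (October 13).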

Keeping SAP Systems Safe in 2020 and Beyond

Writer Haruki Murakami once wrote about metaphorical storms, noting that life presents challenges that are often overwhelming. "But one thing is certain," Murakami wrote, "When you come out of the storm, you won't be the same person who walked in."

The same holds for organizations. Cyber threats are an ongoing challenge, and the more substantial events we can expect in 2020, such as the convergence of patch days, will continue to challenge organizations.

At the same time, perhaps this perfect storm has a silver lining. Cybersecurity teams that have struggled in the past to persuade the C-suite about the importance and value of strong cybersecurity efforts may now be able to build a stronger case for buy-in on massive security measures that will improve security and strengthen their systems landscapes.

This underscores the need for open communication. Security should be an organization-wide, top-down effort that goes beyond silos. If your organization has an SAP or applications security team, this team should work in concert with the overall security team to ensure users are educated on threats and policies and procedures are in place to minimize risks. With better communication and a tighter focus on addressing known vulnerabilities, organizations can position themselves to begin the new decade stronger, more cohesive, and well prepared for whatever threat may come their way.
