Companies using SAP tools should consider changing their server settings, since the default settings allow attackers to gain access to corporate data.
The vulnerability is related to the factory configuration of the SAP NetWeaver software solution, which most enterprises leave unchanged. SAP NetWeaver serves as the foundation for many tools, including popular products such as S/4HANA.
The problem lies in the configuration responsible for transferring data between the various components of the SAP infrastructure, namely between the Application Server (business applications), the SAP Message Server and the SAP Central Instance, where the enterprise data is stored.
The SAP Message Server acts as a mediator and performs load balancing of the SAP infrastructure during peak activity. When a new application is created, the system administrator must register it (the Application Server) via the SAP Message Server. Registration takes place over port 3900.
Access Control List (ACL) support is implemented in the SAP Message Server, but it is disabled by default, so system administrators must enable it themselves. The reason is that every enterprise is different, and if ACL support were enabled by default, many of them might run into problems during the initial configuration of business applications.
The problem with the SAP factory configuration has been known since 2005. At that time the vendor issued a security notification recommending that companies not leave the default settings, configure the ACL as soon as possible, and allow access to port 3900 only from trusted addresses.
In 2009 and 2010 the vendor issued two more security notifications with further instructions. Studies have also been published that shed light on the possible consequences of running SAP without an ACL. However, according to the information security company Onapsis, 90% of its customers that underwent an audit of their SAP security posture had not changed the factory settings and had not enabled the ACL.
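As an added illustration (not from the article or from SAP), the following Python script audits the two conditions described above: the ACL left disabled, or enabled but still admitting any host. It assumes that the ACL is switched on through a profile parameter named ms/acl_info pointing at a rules file, and that the file holds one rule per line in the form HOST=<host-or-IP> [SUBNET=<mask>]; the profile and ACL contents are constructed samples.

```python
"""Audit a SAP Message Server ACL setup for the two findings the article
describes: ACL not enabled (factory default), or enabled but not restrictive.

Assumed conventions (not taken from the article): the ACL is enabled by the
profile parameter ms/acl_info = <file>, and that file holds one rule per
line of the form HOST=<host-or-IP> [SUBNET=<mask>], '#' starts a comment,
and HOST=* admits any address. All sample data below is constructed.
"""
import re
from typing import List, Optional

# Constructed factory-style profile: no ACL parameter at all.
PROFILE_DEFAULT = "SAPSYSTEMNAME = ABC\nrdisp/msserv_internal = 3900\n"
# Constructed profile with the ACL enabled.
PROFILE_WITH_ACL = PROFILE_DEFAULT + "ms/acl_info = /usr/sap/ABC/SYS/global/ms_acl_info\n"
# Weak rules file: everyone may register an application server.
ACL_WILDCARD = "# everyone may register\nHOST=*\n"
# Hardened rules file: only the application server subnet and one named host.
ACL_RESTRICTED = "HOST=10.20.30.0 SUBNET=255.255.255.0\nHOST=sapapp01\n"

_PARAM = re.compile(r"^\s*([\w/.]+)\s*=\s*(.*?)\s*$")
_RULE = re.compile(r"^HOST=(\S+)(?:\s+SUBNET=(\S+))?$")


def profile_param(profile: str, name: str) -> Optional[str]:
    """Return the value of a profile parameter, or None if it is not set."""
    for line in profile.splitlines():
        m = _PARAM.match(line)
        if m and m.group(1) == name:
            return m.group(2)
    return None


def acl_rules(acl_text: str) -> List[str]:
    """Return the HOST values of all rules, skipping blank and comment lines."""
    hosts = []
    for line in acl_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"unparsable ACL line: {line!r}")
        hosts.append(m.group(1))
    return hosts


def audit(profile: str, acl_text: str) -> List[str]:
    """Return findings; an empty list means the ACL is enabled and restrictive."""
    if profile_param(profile, "ms/acl_info") is None:
        return ["ms/acl_info not set: Message Server ACL is disabled (factory default)"]
    hosts = acl_rules(acl_text)
    findings = ["ACL file contains no rules; review before relying on it"] if not hosts else []
    for host in hosts:
        if "*" in host:  # a wildcard rule reopens registration to any address
            findings.append(f"wildcard rule HOST={host} admits any address")
    return findings
```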
According to experts, an attacker or even an employee of an enterprise can create a malicious application, register it in the corporate SAP infrastructure and use it to steal or modify corporate data.
Access Control List – determines who or what can access an object (program, process or file), and which operations the subject (a user or group of users) is allowed or forbidden to perform on it.