Last week, US-CERT (the U.S. Computer Emergency Readiness Team) issued an alert about an old SAP security hole after a vendor flagged that attackers were still using it. The underlying problem is that SAP had fixed the hole some six years earlier but left it to customers to decide whether to apply the fix, in other words, whether to protect themselves or not.
Candidly, that's an odd choice to offer IT execs, but it's easier to understand when you remember that SAP's business is selling software, not securing systems. Yes, selling systems that leave huge security problems open seems stunningly short-sighted, but it's a sales-driven company.
Before jumping into the details of this alert, it's worth asking how much practical impact a US-CERT alert has. From SAP's perspective, they flagged this hole and gave customers the option to deal with it or ignore it. The "ignore it" option was attractive because it meant no disruption in service or functionality.
From an IT perspective, that's an interesting issue. "I could do this and be blamed today for the system going down while it's being patched—or I could roll the dice and hope that a security problem will happen on someone else's watch." That's why security patches should be mandatory. It's like giving a 4-year-old the choice of eating their spinach or having dessert. There are some choices that shouldn't be offered.
In theory, a US-CERT alert takes this issue up a level. A software patch notification may only go to IT, but a US-CERT alert will cross the desks of the CISO's team. But—people, this is a six-year-old hole. And it's not as if no one discovered it until now: it was patched, widely announced and distributed six years ago. It's hard to take this kind of heads-up from US-CERT very seriously. Reminding people of a six-year-old patch is an emergency?
Let's take a look at what US-CERT said. The alert said "The observed indicators relate to the abuse of the Invoker Servlet, a built-in functionality in SAP NetWeaver Application Server Java systems (SAP Java platforms). The Invoker Servlet contains a vulnerability that was patched by SAP in 2010. However, the vulnerability continues to affect outdated and misconfigured SAP systems. Exploitation of the Invoker Servlet vulnerability gives unauthenticated remote attackers full access to affected SAP platforms, providing complete control of the business information and processes on these systems, as well as potential access to other systems."
There is indeed a practical benefit to this. Six years is twice the lifetime of the typical enterprise CIO and is generally longer than most IT staff stay in one job. In other words, there's a good chance that almost no one on your IT team today was in the same job when the original patch was issued. Even if they knew about the SAP patch and took it seriously, they could easily have assumed that their predecessors (OK, their predecessors' predecessors) had already applied it. A heads-up that bad guys are actively leveraging this hole is important.
More from the US-CERT advisory: "In order to mitigate this vulnerability, US-CERT recommends users and administrators implement SAP Security Note 1445998 and disable the Invoker Servlet. These recommendations apply to SAP systems in public, private, and hybrid cloud environments."
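What "disable the Invoker Servlet" means on the monitoring side is easy to check yourself. The Python script below is an added example, not code from the US-CERT alert, SAP's note or the vendor that reported the attacks: it scans constructed, hypothetical HTTP access-log lines for the Invoker Servlet's URL shape (a web-application context root, the literal `/servlet/` segment, then a fully qualified Java class name, which is how the servlet lets a caller run any servlet class by name) and separates requests the server actually served, meaning the invoker is still enabled, from requests it rejected. The IP addresses, class names and log format are assumptions made for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed access-log sample in a common-log-style format (hypothetical
# IPs and servlet class names; not data from a real SAP system).
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2016:10:01:22 +0000] "GET /irj/portal HTTP/1.1" 200 5123
203.0.113.9 - - [12/May/2016:10:01:30 +0000] "GET /webdynpro/servlet/com.example.admin.ConfigServlet?cmd=list HTTP/1.1" 200 410
203.0.113.9 - - [12/May/2016:10:01:31 +0000] "POST /servlet/com.example.admin.ConfigServlet HTTP/1.1" 200 88
198.51.100.7 - - [12/May/2016:10:02:05 +0000] "GET /myapp/servlet/com.example.Foo HTTP/1.1" 404 0
10.0.0.8 - - [12/May/2016:10:03:00 +0000] "GET /myapp/servletstatus HTTP/1.1" 200 12
this line is deliberately malformed
"""

# Common-log-style request line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Invoker Servlet URL shape: optional context root, the literal "/servlet/"
# segment, then a fully qualified Java class name. A query string may follow
# and is not part of the class name. "/servletstatus" must not match.
INVOKER_RE = re.compile(r'^(?P<ctx>(?:/[^/?]+)*?)/servlet/(?P<cls>[A-Za-z_$][\w$.]*)')


@dataclass
class Finding:
    ip: str
    timestamp: str
    method: str
    context: str        # "" means the request hit the root context
    servlet_class: str
    status: int
    verdict: str        # "invoker-served" or "invoker-blocked"


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def verdict_for(status: int) -> str:
    """A 2xx/3xx answer means the invoker dispatched to the named class, so the
    servlet is still enabled; 4xx means the request was refused (invoker
    disabled or class absent). Either way the attempt is worth knowing about."""
    return "invoker-served" if status < 400 else "invoker-blocked"


def find_invoker_requests(log_text: str) -> list:
    """Scan access-log text and return every request aimed at the Invoker Servlet."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue   # skip unparseable lines rather than abort the whole scan
        m = INVOKER_RE.match(fields["path"])
        if not m:
            continue
        findings.append(Finding(
            ip=fields["ip"],
            timestamp=fields["ts"],
            method=fields["method"],
            context=m.group("ctx"),
            servlet_class=m.group("cls"),
            status=fields["status"],
            verdict=verdict_for(fields["status"]),
        ))
    return findings


def by_source(findings) -> dict:
    """Count invoker requests per client IP, to see who is probing or abusing it."""
    return dict(Counter(f.ip for f in findings))


if __name__ == "__main__":
    for f in find_invoker_requests(SAMPLE_LOG):
        print(f"{f.ip:15} {f.method:4} ctx={f.context or '/'} "
              f"class={f.servlet_class} status={f.status} -> {f.verdict}")
```

Run against the sample, the scan flags the two served requests from 203.0.113.9 (the invoker is enabled on that system) and one blocked probe from 198.51.100.7, and ignores the ordinary portal request and the `/servletstatus` look-alike. The configuration side of the note is the servlet_jsp service's EnableInvokerServletGlobally property set to false; a log scan like this tells you whether anyone tried the servlet before or after you flipped it.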
The alert then did something that US-CERT often does, and which I would argue undermines US-CERT alerts overall. It listed a variety of garden-variety security steps—best practices, if you will—that serve to imply that this message is not important.
Here's what US-CERT suggested: "Scan systems for all known vulnerabilities, such as missing security patches and dangerous system configurations. Identify and analyze the security settings of SAP interfaces between systems and applications to understand risks posed by these trust relationships. Analyze systems for malicious or excessive user authorizations. Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities. Monitor systems for suspicious user behavior, including both privileged and non-privileged users. Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks. Define comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations."
Really, US-CERT? "Monitor systems for suspicious user behavior, including both privileged and non-privileged users"? You don't see how that serves to dilute the perceived urgent and important nature of this alert?
That's much of the problem with US-CERT. It combines important alerts with obvious standard procedures, undermining its own alerts.