Europe’s biggest software company, SAP, is the subject of a U.S. security alert over a vulnerability the firm disabled six years ago that can still give outside attackers remote control over older SAP systems if the software is not properly patched.
SAP fixed the issue, but left the decision over whether to switch off an easy access setting up to its customers, who may sometimes place a higher priority on keeping their business-critical SAP systems running than on applying security updates.
The U.S. Department of Homeland Security’s Computer Emergency Response Team (US-CERT) issued an alert to the security industry on Wednesday advising SAP customers what they need to do to plug the holes. It is one of only three such security warnings the agency has issued so far this year. Details are at https://www.us-cert.gov/ncas/alerts/TA16-132A.
Dozens of companies have been exposed to these security gaps in recent years, and a far larger number of SAP customers remain vulnerable, said Onapsis, a firm that specializes in securing business applications from SAP and rival Oracle.
Get Data Sheet, Fortune‘s technology newsletter.
“This is not a new vulnerability,” Mariano Nunez, chief executive of Onapsis, which works with SAP to plug security holes, told Reuters in advance of the U.S. security alert. “Still, most SAP customers are unaware that this is going on.”
SAP, whose software acts as the corporate plumbing for many multinationals and which claims 87% of the top 2000 global companies as customers, disclosed the vulnerability in 2010 and has offered software patches to fix the flaw.
SAP issued a statement that the vulnerable feature was fixed when the company introduced the software update six years ago. “All SAP applications released since then are free of this vulnerability,” the company said in an emailed statement.
However, it acknowledged that these changes were known to break—or disable—customized software developments that many customers had implemented using older versions of SAP’s programming language.
The problem continues because a sizable number of big SAP customers are known to depend on these older versions of the software that in many cases date back years, or in extreme examples, even decades.
The alert underscores how SAP software often is managed inside companies as an internal system, without heightened awareness it is susceptible to the sort of attacks that public-facing websites, email systems and networks suffer daily.
The trouble is less of a software issue than one of accountability for how such bugs get fixed, security experts say. Customers rely on a chain of consultants, external audit firms and specialized internal SAP security teams to decide when to install patches without risking destabilizing their systems.
SAP produces dozens of software patches each month to fix bugs in its software.
It is by no means unique. Microsoft, for example, pushes out similar patches on the second Tuesday of each month to millions of office network administrators, who must decide when to apply these fixes, a process dubbed “Patch Tuesday.”
But in the case of SAP, an unknown number of customers have not applied the fix. Security experts say because SAP systems contain sensitive financial, human resources and business strategy information, that means SAP security typically is the responsibility of specialists familiar with the complexities of the underlying business applications, rather than company-wide security teams who focus on outside cyber security threats.
SEGREGATION
Thirty-six enterprises have been found to have telltale signs of unauthorized access, according to a report to be published on Wednesday by Boston-based Onapsis and given to Reuters in advance.
Since 2013, the vulnerabilities of the 36 enterprises have been detailed on a Chinese-language online discussion forum, where methods for exploiting outdated or misconfigured SAP NetWeaver Java systems are openly described, Nunez said.
The targets were both prominent Chinese domestic companies and foreign joint ventures, Reuters confirmed.
Onapsis has subsequently found other susceptible SAP customers in the United States, Germany, and Britain, Nunez said, but he declined to name them.
The targets range from telecommunications to utilities, retail, automotive and steel firms and include more than a dozen with annual turnover of at least $10 billion, Onapsis said.
“We regard these (known victims) as just the tip of the iceberg, as well as an irrefutable answer to the question: ‘Are SAP applications being attacked?'” Onapsis said in its report. Onapsis also works on behalf of 200 SAP customers ranging from Daimler to Siemens to Westinghouse and the U.S. Army.
To find out what SAP’s CEO has to say about the economy, watch:
One major SAP customer who was subject to multiple attacks related to the flaw said that the software—originally created to help programmers rapidly test new features—had left open a backdoor to his organization’s inner workings.
When challenged about the issue, SAP’s initial response was to tell him, “‘This isn’t a vulnerability. It’s a feature. If you don’t like it you should turn it off’,” said the customer, who asked not to be named due to commercial sensitivities.
Google, the company behind Android software used to power three-quarters of the world’s smartphones, also issues regular security patches.
But just as is the case with SAP, phone makers and network operators must decide when to update their software, a gap that has left hundreds of millions of Android phone users vulnerable to widely known threats. U.S. regulators this week said they were investigating the roadblocks to more timely security updates for phone users.
