Security Experts:

Vulnerable SAP Deployments Make Prime Attack Targets

A Russian security firm, using a combination of TCP scans and Google, found that nearly a quarter of the organizations running vulnerable versions of SAP are tempting fate by leaving them exposed to the Internet. This discovery, the research says, dispels the myth that SAP systems are only available from the internal network, leading to the misconception that they are protected by design.

The company behind the research is ERPScan. Based in Saint Petersburg, Russia, they earn their living by being one of the few companies focused on SAP security. However, this has also earned the company a partnership with SAP—a relationship that skewed their overall report, as they withheld vulnerability data after being asked to do so by SAP.

SAP Security VulnerabilitiesBy March of this year, there were more than 2,000 security advisories (called notes) published by SAP. Of those, about 7% (124) have publically available PoC (proof-of-concept) exploit code available to the public. Many of the issues discovered by ERPScan are related to poor configuration or poor deployment planning.

For example, 212 SAP Routers were found in Germany, which were created mainly to route access to internal SAP systems.

“SAP Routers themselves can have security misconfigurations but the real problem is that 8% of that companies also expose, for example, SAP Dispatcher service directly to the Internet circumventing SAP Router. This service can be easily exploited by logging in with default credentials or by exploiting some of the vulnerabilities that were patched by SAP in May, 2012,” the report notes.

Using some basic Google searches, ERPScan discovered hundreds of SAP deployments publically available to the Web. Most of them were using the J2EE server.

The J2EE server is more vulnerable than the ABAP engine is, with three vulnerabilities that can be exploited remotely (and anonymously). However ABAP has issues on its own, including several default user accounts that are widely known. A third deployment option – SAP BusinessObjects server, has both sets of vulnerabilities.

Starting with the discovered deployments, ERPScan said that 9% of them exposed the SAP management console, which if not patched properly, has a vulnerability that would allow a remote attacker to collect system parameters. Interestingly, most of the vulnerable installations were discovered in China, the second most vulnerable installation base was India. Both locations are emerging markets for SAP, where they have shown a stable amount of growth over the last several years.

Another issue with the vulnerable and exposed SAP installations is that many of them run on Windows NT, creating a twin set of risks for the organization, as they have to contend with a bad SAP deployment and unsupported OS that is full of security issues all by itself.

It was found that 61% of J2EE systems on the Internet have the CTC service enabled. It is also vulnerable to the Verb Tampering vulnerability that allows authentication bypass and is still unpatched in most of the companies.

Moreover, 40% of ABAP NetWeaver systems on the Internet have the WebRFC service enabled, which allows critical business-related and administrative functions to be called via the Web. It’s secured by usernames and passwords, but plenty of default credentials are available that will offer an attacker a high degree of success.

“We can conclude that the interest to SAP platform security has been growing exponentially. Taking into account the growing number of vulnerabilities and vast availability of SAP systems on the Internet, we predict that SAP systems can become a target not only for direct attacks (for example APT) but also for mass exploitation using worms targeting one or more vulnerabilities,” the report concludes.

“[The] main mission lies with administrators who should enforce security of their SAP systems by using guidelines, secure configuration, patch management, code review and continuous monitoring.”

In September 2011, an SAP spokesperson told SecurityWeek that the company works closely with security researchers to identify vulnerabilities and works independently to improve security in their products.

“A trend that we did observe over the last months is the fact that our customers take security more seriously and that our proactive information outreach to our customers is fruitful,” the spokesperson said at the time. “Security is a topic in more and more customer conversations and our security guidelines and recommendations, security services and fixes get more attention than before. This is a very positive trend as it helps to increase the security of our customers.”

The full report is available here in PDF format.

Related ReadingAuthentication Vulnerability Enables Attackers to Access SAP Systems

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.