Online SAP Deployments Widely Susceptible to Attack

During his talk earlier this month at RSA Conference Asia Pacific 2013, Alexander Polyakov, CTO of ERPScan, disclosed that there are thousands of unpatched and thus insecure SAP deployments online today, all over the world.

According to the slides (PDF) from Polyakov’s talk, available here, nearly 60 percent of the known SAP vulnerabilities discovered this year were found by outside researchers, proving that there is a growing interest from the security community – due largely to the value of SAP deployments themselves.

As part of his research, Polyakov found 4,000 servers hosting public facing SAP applications. The servers were discovered by using simple keyword searches on Google and Shodan. Thirty-five percent of the servers discovered were deployed to the Web running NetWeaver version 7 EHP 0. This is a problem because the last time NetWeaver was patched against anything was in 2005.

Further, there were systems on the Web running NetWeaver that haven’t seen an update since April 2010, and more still that haven’t been patched since October 2008.

When it came to instances of SAP NetWeaver J2EE, Polyakov said he discovered similar numbers of vulnerable deployments including some with flaws that would enable an attacker to create user accounts, assign roles, execute commands, and more.

SAP security is extremely important, Polyakov noted, due to several types of risks, including a growing rate of interest from those in the exploit marketplace, anonymous attacks from criminals in remote locations, and insider attacks.

SAP software is used by 74% of the Fortune 500, often to manage highly valuable and extremely sensitive corporate data, including HR data and sales data. Some even have direct access to SCADA systems.

“You need to do your HR and financials with SAP,” Polyakov said during his presentation.

So if the SAP system is compromised he noted, “It is kind of the end of the business. If someone gets access to the SAP they can steal HR data, financial data or corporate secrets.”

A video of his presentation, available on YouTube, is embedded below.

Related Reading: Vulnerable SAP Deployments Make Prime Attack Targets
