SAP security vulnerabilities, metrics and threats
A global report from ERPScan dedicated to SAP security shows various critical services exposed by 5%-25% (depending on the service) of companies that run SAP.
One of the goals of the research was to dispel the myth that SAP systems are secured from hackers and are only available from the internal network.
While all the recommendations from SAP and consulting companies say that even internal access to unnecessary administrative services should be restricted, it was found that many companies configure their landscape improperly and expose critical services to the Internet.
In some cases, lack of knowledge is the reason and sometimes companies want easy remote control, which is insecure.
For example, 212 SAP Routers were found in Germany which were created mainly to route access to internal SAP systems. SAP Routers themselves can have security misconfigurations but the real problem is that 8% of that companies also expose, for example, SAP Dispatcher service directly to the Internet circumventing SAP Router. This service can be easily exploited by logging in with default credentials or by exploiting some of the vulnerabilities that were patched by SAP in May, 2012 .
Also, 9% of the researched sample (which included 1000 companies that use SAP all over the world) expose SAP Management console, which is vulnerable to unauthorized gathering of system parameters remotely from the Internet. Most of them are located in China (55%) and India (20%).
Key findings:
- Most of the issues (69%) have high priority, which means that about 2/3 of the published vulnerabilities must be corrected quickly.
- A total of 2677 unique servers with different SAP web applications was found on the Internet using Shodan Search.
- 59% of them are vulnerable to information disclosure.
- The most popular OS for SAP are Windows NT (28%) and AIX (25%).
- It was found that 40% of ABAP NetWeaver systems on the Internet have the WebRFC service enabled which allows calling critical business-related and administrative functions. It is secured by usernames and passwords but there is plenty of default credentials that work in most cases.
- It was found that 61% of J2EE systems on the Internet have the CTC service enabled. It is vulnerable to the Verb Tampering vulnerability which allows authentication bypass and is still unpatched in most of the companies.
The complete report is available here.