Many companies are negligent about SAP security, researchers say

Researchers found many servers with old SAP applications or critical SAP administrative services exposed to the Internet

SAP has significantly improved the security of its products over the past few years but many of its customers are negligent with their deployments, which exposes them to potential attacks that could cripple their businesses, according to security researchers.

The biggest issue is that companies expose insecure SAP services to the Internet -- not only HTTP services, but also critical administrative interfaces, Alexander Polyakov, chief technology officer at ERPScan, a developer of security monitoring products for SAP systems, said Tuesday.

Between 5 percent and 10 percent of companies that use SAP products expose critical services to the Internet that shouldn't be publicly accessible, Polyakov said. This happens because they want to enable remote management or because of improper configurations, he said.

Most of the services have vulnerabilities that can be easily attacked, Polyakov said.

Publicly available exploits exist for many SAP vulnerabilities, including some that are part of Metasploit, a popular security testing tool.

The percentage of companies with exposed SAP services differs from country to country. The situation is better in North America and Europe and worse in the Asia-Pacific region, Africa and Latin America, Polyakov said. However, even 5 percent translates to a very large number of companies, he said.

Juan Perez-Etchegoyen, the chief technology officer at Onapsis, a Cambridge, Massachusetts-based company that develops security products for ERP systems, believes that the number of companies running vulnerable SAP systems is actually higher than what Polyakov estimates and that it's growing.

"What makes this worse is the fact that many systems are exposed to vulnerabilities with public exploits that have been known for five or even ten years. The risk for these organizations is huge," he said Wednesday via email.

Another problem is the high number of publicly accessible Web servers that run outdated SAP applications. Using Google search, ERPScan researchers identified 695 unique servers with different SAP Web applications, and an additional 3,741 servers were found using the SHODAN search engine.

SAP NetWeaver J2EE and SAP NetWeaver ABAP were the most common SAP applications found on the servers. However, the most common versions of these two applications were SAP NetWeaver ABAP version 7.0 EHP 0 and SAP NetWeaver J2EE version 7.00, both of which were released in 2005.

Deployments of older versions of these products are not necessarily vulnerable if their administrators applied all patches and followed all security advice issued by SAP over the years.

However, an older deployment is more likely to be vulnerable than a newer one, because newer versions of these products are more secure in their default configurations, Polyakov said.

"The real problem is not that the systems were released in 2005, because SAP still has those under maintenance and releases security patches for vulnerabilities affecting them," Perez-Etchegoyen said. "The real threat is that some companies are not able to apply them promptly, exposing themselves to cyberattacks."

Polyakov released some data about exposed SAP services earlier this month during a presentation at the RSA Asia Pacific 2013 security conference. However, more information about the results of ERPScan's research into the state of SAP security will be released in upcoming weeks as part of a larger report, he said.

Securing SAP systems is important because interest in SAP platform security has been growing among security researchers, but also among zero-day exploit buyers and sellers, according to Polyakov's RSA presentation slides.

Potential attacks against SAP systems could be driven by different motivations, Polyakov said.

Such attacks could be used to steal financial information, corporate secrets, human resources data, and supplier and customer lists for economic espionage. They could also be used to perform false transactions and modify data for fraud purposes, or to disrupt systems or modify financial reports for sabotage.

Compromising SAP servers in order to attack other types of systems connected to them is also a possibility, Polyakov said. For example, SAP servers are sometimes connected to SCADA (Supervisory Control and Data Acquisition) systems in order to receive and process data from them, he said.

SCADA systems are used to control and monitor industrial, infrastructure, and facility-based processes.

Someone who compromises a SAP system could easily launch a denial-of-service attack against a SCADA system connected to it, Polyakov said.

A cyberwar-like scenario where someone creates a computer worm to attack SAP systems and disrupt business at major companies in one particular country would also be possible, Polyakov said. Such an attack could have a significant economic impact, he said.

"Some companies still believe that the risk of an attack is low because attackers require high skills," said Mariano Nunez, CEO of Onapsis, via email. "However, with the availability of public exploits and increased exposure, the barrier for entry is much lower than organizations perceive."

Nunez noted a positive change in the last two years, with leading organizations starting to protect their SAP systems against cyberattacks. However, "the unfortunate reality is that many organizations still believe SAP Security is only about roles and profiles, and leave their systems totally exposed to technical vulnerabilities," he said.

"We'd like to thank Alexander Polyakov for increasing our awareness for this important topic," SAP spokesman Hilmar Schepp said Tuesday via email. Polyakov has been working with SAP for several years, and thanks to the close collaboration SAP was able to provide patches for various security issues, he said.

"SAP's software and solutions meet the highest security standards," Schepp said. The company is working closely with customers on implementation issues and advises them to activate the appropriate security configurations, he said.


Stories by Lucian Constantin
