Almost one quarter of the organizations running vulnerable versions of SAP are tempting fate by leaving them exposed to the Internet.
Using a combination of TCP scans and Google searches, it is possible to locate these systems from the Internet, which shows that SAP is not protected by design, according to Russian security research firm ERPScan.
By March of this year, SAP had published more than 2,000 security advisories (called notes). Of those, about 7% (124) have publicly available proof-of-concept (PoC) exploit code. Many of the issues ERPScan discovered relate to poor configuration or poor deployment planning.
In one case, 212 SAP Routers were found in Germany; SAP Routers are deployed mainly to route access to internal SAP systems.
“SAP Routers themselves can have security misconfigurations but the real problem is that 8% of those companies also expose, for example, SAP Dispatcher service directly to the Internet circumventing SAP Router. This service can be easily exploited by logging in with default credentials or by exploiting some of the vulnerabilities that were patched by SAP in May 2012,” the report notes.
Using some basic Google searches, ERPScan discovered hundreds of SAP deployments publicly accessible on the Web. Most of them were using the J2EE server.
The J2EE server is more vulnerable than the ABAP engine, with three vulnerabilities that are remotely exploitable. However, ABAP has issues of its own, including several default user accounts that are widely known. A third deployment option, the SAP BusinessObjects server, has both sets of vulnerabilities.
Of the discovered deployments, ERPScan said 9% exposed the SAP management console, which, if not patched, has a vulnerability that allows a remote attacker to collect system parameters. Researchers found most of the vulnerable installations in China; the second largest vulnerable installation base was in India. Both are emerging markets for SAP and have shown stable growth over the last several years.
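The two findings above (the Dispatcher exposed directly, circumventing SAP Router, and the management console reachable from the Internet) are both firewall-policy failures that an organisation can catch in its own rule base before a scanner does. The script below is an added example, not code from the ERPScan report or from SAP: it audits a constructed firewall rule export and flags any Internet-facing allow rule whose destination port matches SAP's default port scheme (with NN the two-digit instance number: SAProuter 3299, dispatcher 32NN, gateway 33NN, message server 36NN, J2EE HTTP 5NN00, and the sapstartsrv management console on 5NN13/5NN14). The rule format, host names and sample rules are all assumptions made for the example.

```python
"""Audit a firewall/NAT rule export for SAP services exposed directly to the Internet.

Added example, not from the ERPScan report. Rule lines are assumed to have the
constructed form "src,dst_host,dst_port,action"; "any" as the source means the
Internet. Ports are classified with SAP's default scheme, NN = instance number.
"""
import re
from dataclasses import dataclass

# Constructed sample rule base: one rule per line.
SAMPLE_RULES = """\
any,sap-router-01,3299,allow
any,erp-prod-01,3200,allow
10.0.0.0/8,erp-prod-01,3200,allow
any,erp-prod-01,50013,allow
any,portal-01,50000,allow
any,erp-prod-01,3600,deny
"""


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    severity: str


def classify_sap_port(port: int):
    """Return (service, severity) for a known SAP port, or None otherwise."""
    if port == 3299:
        # SAProuter is the one component meant to face the Internet; still
        # worth a review because the router itself can be misconfigured.
        return ("SAProuter", "review")
    m = re.fullmatch(r"(32|33|36)(\d\d)", str(port))
    if m:
        # Dispatcher / gateway / message server reachable without SAProuter.
        name = {"32": "dispatcher", "33": "gateway", "36": "message server"}[m.group(1)]
        return (name, "critical")
    m = re.fullmatch(r"5(\d\d)(00|13|14)", str(port))
    if m:
        if m.group(2) == "00":
            return ("J2EE HTTP", "high")
        # 5NN13 (HTTP) / 5NN14 (HTTPS): sapstartsrv, i.e. the management console.
        return ("management console (sapstartsrv)", "critical")
    return None


def audit(rules_text: str, internet_sources=("any", "0.0.0.0/0")):
    """Return Findings for every Internet-facing allow rule on a SAP port."""
    findings = []
    for line in rules_text.splitlines():
        if not line.strip():
            continue
        src, host, port, action = (f.strip() for f in line.split(","))
        if action != "allow" or src not in internet_sources:
            continue  # internal-only or denied rules are not an exposure
        cls = classify_sap_port(int(port))
        if cls:
            findings.append(Finding(host, int(port), cls[0], cls[1]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"{f.severity:9} {f.host}:{f.port}  {f.service}")
```

On the sample rule base the SAProuter entry is reported for review, while the dispatcher on 3200, the management console on 50013 and the J2EE HTTP port on 50000 are flagged; the internal-only 3200 rule and the denied 3600 rule are ignored. Running the same check on a real export is a cheap way to confirm that only SAProuter is reachable from outside.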
Another issue with the vulnerable and exposed SAP installations is that quite a few of them run on Windows NT, creating a twin set of risks for the organization: it has to contend with both a bad SAP deployment and an unsupported OS that is full of security issues all by itself.
ERPScan found that 61% of J2EE systems on the Internet have the CTC service enabled, which is also vulnerable to the Verb Tampering vulnerability that allows authentication bypass and is still unpatched in most companies.
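Verb tampering is a general web-application weakness rather than anything specific to one product: a security constraint is written against a list of HTTP methods (typically GET and POST), so a request using any other verb, such as HEAD, reaches the resource without ever being checked, and many containers serve HEAD with the GET handler. The example below is added here and is not code from SAP or from the ERPScan report; it models a servlet-style constraint in plain Python so the weak policy can be compared with the corrected one. The resource path, the token value and the handler are constructed for the example.

```python
"""Verb tampering: authentication enforced per HTTP method versus per resource.

Added example, not code from SAP or the ERPScan report. Models a servlet-style
security constraint; the path, token and handler are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

PROTECTED_PATH = "/admin/config"          # constructed example resource
VALID_TOKEN = "constructed-admin-token"   # constructed credential


@dataclass
class Request:
    method: str
    path: str
    token: Optional[str] = None


def handle(req: Request) -> Tuple[int, str]:
    """The application behind the filter; here it only reports what it served."""
    return (200, f"{req.method} served {req.path}")


def vulnerable_filter(req: Request) -> Tuple[int, str]:
    # Weak policy: the constraint names GET and POST only, so any other verb
    # (HEAD, or an invented one) skips the credential check and falls through
    # to the handler, which typically answers HEAD exactly like GET.
    if req.path.startswith("/admin/") and req.method in ("GET", "POST"):
        if req.token != VALID_TOKEN:
            return (401, "auth required")
    return handle(req)


def hardened_filter(req: Request) -> Tuple[int, str]:
    # Corrected policy: reject verbs the resource does not support, and apply
    # the credential check to the resource regardless of which verb is used.
    if req.method not in ("GET", "POST", "HEAD"):
        return (405, "method not allowed")
    if req.path.startswith("/admin/") and req.token != VALID_TOKEN:
        return (401, "auth required")
    return handle(req)


def compare(method: str) -> Tuple[int, int]:
    """Status codes (vulnerable, hardened) for an unauthenticated request."""
    req = Request(method, PROTECTED_PATH)
    return vulnerable_filter(req)[0], hardened_filter(req)[0]


if __name__ == "__main__":
    for verb in ("GET", "HEAD", "FOO"):
        print(verb, compare(verb))
```

An unauthenticated GET is refused by both filters, but HEAD and an unknown verb get a 200 from the weak policy and a 401 or 405 from the corrected one. The detection side follows directly: access logs showing unusual verbs against administrative paths, or HEAD requests answered with 200 where GET returns 401, are the signal that such a constraint is in place and being exercised.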
Moreover, 40% of ABAP NetWeaver systems on the Internet have the WebRFC service enabled, which allows critical business-related and administrative functions to be called via the Web. It is secured by usernames and passwords, but plenty of default credentials are available, giving an attacker a high degree of success.