Internet-facing SAP systems suffering increased attacks

Security researcher Alexander Polyakov finds thousands of unpatched, insecure SAP servers scattered all over the world

Hundreds of organizations around the world are running unpatched, Internet-facing versions of SAP software, exposing them to data theft, APTs (advanced persistent threats), and other unpleasantness, according to security analyst Alexander Polyakov, CTO of ERPScan and founder of ZeroNights. Polyakov also said that SAP exploits are part of a thriving underground trade, particularly as organizations in Asian countries are exposing their systems with new SAP deployments.

"You need to do your HR and financials with SAP, so [if it is hacked] it is kind of the end of the business," Polyakov said at a presentation at RSA Conference Asia Pacific 2013, attended by SC Magazine's Darren Pauli. "If someone gets access to the SAP, they can steal HR data, financial data, or corporate secrets ... or get access to a SCADA system."

Vulnerabilities in SAP software, combined with the value of the data SAP systems utilize, have yielded increased attention from security researchers, per Polyakov: Nearly 60 percent of vulnerabilities found in 2013 were turned up by outsiders. The fact that SAP users are willing to open up interface to the Internet, whether for remote employees, connecting to remote offices, or remote management, increases the risks.

In his research, Polyakov found more than 4,000 servers hosting publicly facing SAP applications, 700 through Google and 3,471 via Shodan. He found that 35 percent of exposed SAP systems were running NetWeaver version 7 EHP 0, which hasn't been updated since November 2005. Another 23 percent of the SAP code he found was last updated in April 2010; 19 percent of the installations hadn't been patched since October 2008.

Polyakov found a comparable percentage of instances of SAP NetWeaver J2EE containing security holes through which attackers can create user accounts, assign roles, execute commands, and wreak other forms of havoc. He also determined that one in 40 organizations was vulnerable to remote exploits via SAP Management Console, while one in 120 organizations was susceptible via vulnerable HostControl, which allows for command injection. One in 20 organizations had a version of the SAP Dispatcher service for client-server communications containing default accounts that could be used to fully compromise SAP systems.

The researcher said the top five vulnerabilities for 2012 were as follows:

  1. SAP NetWeaver DilbertMsg servlet SSRF, which enables an attacker to access any files located in the SAP server file system
  2. SAP HostControl command injection, which allows for full code execution as the SAP administrator from an unauthenticated perspective
  3. SAP J2EE file read/write, through which a remote, unauthenticated attacker could compromise a system by exploiting an arbitrary file access vulnerability in the SAP J2EE Core Services
  4. SAP Message Server buffer overflow, which allows remote attackers to execute arbitrary code on vulnerable installations of SAP NetWeaver ABAP without authentication
  5. SAP DIAG buffer overflow, with which an unauthenticated, remote attacker can execute arbitrary code to launch a denial of service attack

Also part of his findings: One in three organizations had SAP routers publically available by a default port. Of the 5,000 exposed routers, 15 percent lacked ACLs (access control lists), 19 percent suffered information-disclosure holes which enable denial of service attacks, and five percent were improperly configured, allowing attackers to bypass authentication.

Polyakov will publish the entirety of his research next month. His slide presentation is available on the RSA website.

This story, "Internet-facing SAP systems suffering increased attacks," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.