<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>ERPScan Security Scanner for SAP</title>
	<atom:link href="http://erpscan.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://erpscan.com</link>
	<description>Invest in security to secure investments</description>
	<lastBuildDate>Tue, 15 May 2012 14:50:32 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>(25 May 2012) Upcoming webinar: ERPScan Security Scanner for SAP 2.0 Review</title>
		<link>http://erpscan.com/press-center/news/upcoming-webinar-4-may-2012-erpscan-security-scanner-for-sap-2-0-review/</link>
		<comments>http://erpscan.com/press-center/news/upcoming-webinar-4-may-2012-erpscan-security-scanner-for-sap-2-0-review/#comments</comments>
		<pubDate>Thu, 03 May 2012 09:30:28 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Future events]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://erpscan.com/?p=2748</guid>
		<description><![CDATA[Attention! We will accept requests only from corporate email addresses. https://www3.gotomeeting.com/register/666896790 Today, almost all critical operations like procurements, stock resources management, human resources management, financial reports and much more, and all the data related to them, are stored in the SAP system. This is why the main target for an insider or an external attacker would be to gain illicit access to SAP with the purpose of malicious manipulation of company resources. In spite of the increasing popularity of ERP systems security in the security community, companies are still vulnerable to cybercriminal and insider attacks. At this moment SAP has released more [...]]]></description>
			<content:encoded><![CDATA[Attention! We will accept requests only from corporate email addresses.

<a href="https://www3.gotomeeting.com/register/666896790">https://www3.gotomeeting.com/register/666896790</a>
<blockquote>“Today, almost all critical operations like procurements, stock resources management, human resources management, financial reports and much more, and all the data related to them, are stored in the SAP system. This is why the main target for an insider or an external attacker would be to gain illicit access to SAP with the purpose of malicious manipulation of company resources. In spite of the increasing popularity of ERP systems security in the security community, companies are still vulnerable to cybercriminal and insider attacks. At this moment SAP has released more than 2000 Security notes closing various vulnerabilities, which is quite a lot, especially if you keep in mind that sometimes it is enough to get access to all business critical data through only one issue. An example was presented at BlackHat last summer. On the other hand, almost every company develops custom ABAP code which can also have vulnerabilities and backdoors left by developers,” said Alexander Polyakov, CTO of ERPScan.</blockquote>
Speaker:
Alexander Polyakov
CTO ERPScan]]></content:encoded>
			<wfw:commentRss>http://erpscan.com/press-center/news/upcoming-webinar-4-may-2012-erpscan-security-scanner-for-sap-2-0-review/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>(6 July 2012) Upcoming Presentation at the Just4meeting Conference in Portugal: “Top 10 SAP Vulnerabilities And Attacks” By Alexander Polyakov, ERPScan CTO</title>
		<link>http://erpscan.com/press-center/future-events/6-july-2012-upcoming-presentation-at-just4meeting-conference-at-portugal-%e2%80%9ctop-10-sap-vulnerabilities-and-attacks-by-alexander-polyakov-erpscan-cto%e2%80%9d/</link>
		<comments>http://erpscan.com/press-center/future-events/6-july-2012-upcoming-presentation-at-just4meeting-conference-at-portugal-%e2%80%9ctop-10-sap-vulnerabilities-and-attacks-by-alexander-polyakov-erpscan-cto%e2%80%9d/#comments</comments>
		<pubDate>Thu, 03 May 2012 09:10:16 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Future events]]></category>

		<guid isPermaLink="false">http://erpscan.com/?p=2764</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[]]></content:encoded>
			<wfw:commentRss>http://erpscan.com/press-center/future-events/6-july-2012-upcoming-presentation-at-just4meeting-conference-at-portugal-%e2%80%9ctop-10-sap-vulnerabilities-and-attacks-by-alexander-polyakov-erpscan-cto%e2%80%9d/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>(21-26 July 2012) Upcoming Presentation At BlackHat USA: “SSRF vs. Business Critical Applications” By Alexander Polyakov, ERPScan CTO, and Dmitry Chastuchin</title>
		<link>http://erpscan.com/press-center/future-events/21-26-july-2012-upcoming-presentation-at-blackhat-usa-%e2%80%9cssrf-vs-business-critical-applications%e2%80%9d-by-alexander-polyakov-erpscan-cto-and-dmitry-chastuchin%e2%80%9d/</link>
		<comments>http://erpscan.com/press-center/future-events/21-26-july-2012-upcoming-presentation-at-blackhat-usa-%e2%80%9cssrf-vs-business-critical-applications%e2%80%9d-by-alexander-polyakov-erpscan-cto-and-dmitry-chastuchin%e2%80%9d/#comments</comments>
		<pubDate>Thu, 03 May 2012 09:00:01 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Future events]]></category>

		<guid isPermaLink="false">http://erpscan.com/?p=2769</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[]]></content:encoded>
			<wfw:commentRss>http://erpscan.com/press-center/future-events/21-26-july-2012-upcoming-presentation-at-blackhat-usa-%e2%80%9cssrf-vs-business-critical-applications%e2%80%9d-by-alexander-polyakov-erpscan-cto-and-dmitry-chastuchin%e2%80%9d/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ERPScan has released a new version of Security Scanner for SAP: ERPScan v2.0</title>
		<link>http://erpscan.com/press-center/news/erpscan-has-released-a-new-version-of-security-scanner-for-sap-erpscan-v2-0/</link>
		<comments>http://erpscan.com/press-center/news/erpscan-has-released-a-new-version-of-security-scanner-for-sap-erpscan-v2-0/#comments</comments>
		<pubDate>Tue, 24 Apr 2012 07:55:55 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Press Center]]></category>
		<category><![CDATA[Press Release]]></category>

		<guid isPermaLink="false">http://erpscan.com/?p=2701</guid>
		<description><![CDATA[ERPScan company, one of the key players in ERP security, has released ERPScan Security Scanner for SAP 2.0 – a comprehensive solution to continuously monitor all areas of SAP security, from vulnerability assessment and misconfigurations to ABAP code review and analysis of business-critical privileges. One of the most significant changes is a new module that performs static security analysis of ABAP code. It makes ERPScan the only solution on the market that performs both platform security assessment and code review. We have also significantly increased the number of anonymous checks that can be performed in penetration testing mode [...]]]></description>
			<content:encoded><![CDATA[<a href="http://erpscan.com/wp-content/uploads/2012/04/ERPScan-SAP-2.png"><img src="http://erpscan.com/wp-content/uploads/2012/04/ERPScan-SAP-2-300x83.png" alt="" title="ERPScan-SAP 2" width="300" height="83" class="alignnone size-medium wp-image-2709" /></a>
<br />
<div align="justify"><p>ERPScan company, one of the key players in ERP security, has released ERPScan Security Scanner for SAP 2.0 – a comprehensive solution to continuously monitor all areas of SAP security, from vulnerability assessment and misconfigurations to ABAP code review and analysis of business-critical privileges.</p><p>

One of the most significant changes is a new module that performs static security analysis of ABAP code. It makes ERPScan the only solution on the market that performs both platform security assessment and code review. We have also significantly increased the number of anonymous checks that can be performed in penetration testing mode, to help companies identify issues without using credentials in the system. The new engine can perform audit and compliance checks not only through RFC: it also allows a complete scan through the web interface, which is a great feature for external penetration tests and makes pen-testers’ lives easier.</p>


<p>
“<em>Today, almost all critical operations like procurements, stock resources management, human resources management, financial reports and much more, and all the data related to them, are stored in the SAP system. This is why the main target for an insider or an external attacker would be to gain illicit access to SAP with the purpose of malicious manipulation of company resources. In spite of the increasing popularity of ERP systems security in the security community, companies are still vulnerable to cybercriminal and insider attacks. At this moment SAP has released more than 2000 Security notes closing various vulnerabilities, which is quite a lot, especially if you keep in mind that sometimes it is enough to get access to all business critical data through only one issue. An example was presented at BlackHat last summer. On the other hand, almost every company develops custom ABAP code which can also have vulnerabilities and backdoors left by developers</em>”, said <strong>Alexander Polyakov</strong>, CTO of ERPScan.

</p>

<p>
Using ERPScan, all kinds of customers can decrease their expenses and gain different benefits.</p>

<ul>
	<li>Consulting companies can save time and resources. ERPScan allows them to significantly simplify the task of assessment by automating most of the routine checks, so auditors can pay more attention to the analysis of the customized part. Moreover, the unique database of checks gives consulting companies a competitive advantage.</li>

	<li>CISOs can effectively monitor the security of SAP systems and prevent insider and hacker threats.</li>

	<li>Penetration testers can easily perform black-box and white-box assessments of SAP with the largest knowledge base in the world and 0-day vulnerabilities.</li>

	<li>SAP teams can manage business-critical authorizations and control development by applying preventive measures.</li>
</ul>

<p>


“<em>SAP security assessment, according to our experience, usually takes quite a long time. Additionally, the complexity of the system and the large number of different installation types require the participation of specialists from various fields of security. Even the application server may have either an ABAP or a Java platform, and they require completely different specialists, not to mention particular applications and modules. ERPScan allows you to significantly simplify the task of assessment by automating most of the ordinary checks, so you can pay more attention to the analysis of the customized part</em>”, said <strong>Alexander Polyakov</strong>.
</p><p>
More new functions:</p>

<ul>
	<li>Support for different web application types (BSP, iViews, JSP, web services, Web Dynpro)</li>

	<li>More than 5000 different checks covering misconfigurations, vulnerabilities and access to web applications; search for 50 different types of vulnerabilities in ABAP code</li>

	<li>Elaborated black-box vulnerability assessment</li>

	<li>Cataloguing of SAP systems and services</li>
</ul>

<p>
“<em>Earlier, you needed to implement many different solutions to secure SAP from threats, now it is all in one place</em>”, said <strong>Ilya Medvedovsky</strong>, CEO of ERPScan.</p></div>]]></content:encoded>
			<wfw:commentRss>http://erpscan.com/press-center/news/erpscan-has-released-a-new-version-of-security-scanner-for-sap-erpscan-v2-0/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Installation of vendor&#8217;s patch does not always guarantee security</title>
		<link>http://erpscan.com/press-center/news/installation-of-vendors-patch-does-not-always-guarantee-security/</link>
		<comments>http://erpscan.com/press-center/news/installation-of-vendors-patch-does-not-always-guarantee-security/#comments</comments>
		<pubDate>Mon, 26 Mar 2012 10:30:11 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Press Center]]></category>
		<category><![CDATA[Press Release]]></category>

		<guid isPermaLink="false">http://erpscan.com/?p=2692</guid>
		<description><![CDATA[Experts from ERPScan Company, which specializes in business application security and SAP security, found that even timely installation of a vendor’s patch does not always guarantee security, because the fixes are not always correct. In 2011, three critical patches from key software vendors (SAP, IBM and VMware) did not fix, or only partially fixed, vulnerabilities that ERPScan or other researchers had found in their products. This allows potential attackers to continue exploiting the vulnerabilities, while almost all scanners and auditors would report that the problem is gone because the patch is installed. At the BlackHat Europe conference held [...]]]></description>
			<content:encoded><![CDATA[<p>
Experts from <a href="http://www.erpscan.com">ERPScan Company</a>, which specializes in business application security and SAP security, found that even timely installation of a vendor’s patch does not always guarantee security, because the fixes are not always correct. In 2011, three critical patches from key software vendors (SAP, IBM and VMware) did not fix, or only partially fixed, vulnerabilities that ERPScan or other researchers had found in their products. This allows potential attackers to continue exploiting the vulnerabilities, while almost all scanners and auditors would report that the problem is gone because the patch is installed.</p>
<p>At the BlackHat Europe conference held from March 14 to March 16, <b>Alexey Sintsov</b>, head of the information security audit department at <a href="http://www.erpscan.com">ERPScan Company</a>, shared his experience in penetration testing and presented the results of recently conducted <a href="http://erpscan.com/wp-content/uploads/2012/03/bh-eu-12-Sintsov-Lotus_Domino-WP.pdf">research</a> into Lotus Domino security.</p><p>
His presentation discussed the lack of time, and frequently of desire, that companies have to dig into the details of existing vulnerabilities and actually exploit them, and how this often impairs the quality of their work.</p><p>
In the demonstration, a private vulnerability in Lotus Domino was quite quickly disassembled, the resulting exploit used, the existing patch bypassed and a critical 0-day vulnerability found. The result was an attack on the Domino Controller service (the Lotus Domino administration service), which allows full server compromise.</p><p>
Vulnerable services were also found exposed which, one would suppose, should not be accessible from the Internet. Moreover, in the course of the research, services with the 0-day vulnerability and even older vulnerabilities were found on US government servers (the .gov domain), on the servers of Russian universities and, curiously enough, even in the corporate network of IBM itself.</p><p>
Thus, it can be concluded that such intrusions are quite easy to carry out against practically any network; even governments and corporate giants are vulnerable to attacks from the Internet, such as those made by LulzSec and Anonymous.</p>
<p>Links to vulnerabilities:</p>
<p>Vulnerability in IBM Lotus (<a href="http://www.zerodayinitiative.com/advisories/ZDI-11-110/">ZDI</a>)<br />
Vulnerability in VMware (<a href="http://dsecrg.com/pages/vul/show.php?id=342">Advisory</a>, <a href="http://www.vmware.com/security/advisories/VMSA-2011-0014.html">Vendor’s patch</a>)<br />
Vulnerabilities in SAP (<a href="http://erpscan.com/advisories/dsecrg-11-039-sap-netweaver-th_grep-module-code-injection-vulnerability-new/">Advisory</a>,
<a href="https://service.sap.com/sap/support/notes/1580017">New patch</a>,
<a href="https://service.sap.com/sap/support/notes/1433101">Old patch</a>); another one is still being patched again.</p><p>
Alexey’s presentation can be found <a href="http://erpscan.com/wp-content/uploads/2012/03/bh-eu-12-Sintsov-Lotus_Domino-Slides.pdf">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://erpscan.com/press-center/news/installation-of-vendors-patch-does-not-always-guarantee-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Whitepaper &#8220;Lotus Domino: Penetration Through the Controller&#8221; from BlackHat Europe 2012</title>
		<link>http://erpscan.com/publications/whitepaper-lotus-domino-penetration-through-the-controller-from-blackhat-europe-2012/</link>
		<comments>http://erpscan.com/publications/whitepaper-lotus-domino-penetration-through-the-controller-from-blackhat-europe-2012/#comments</comments>
		<pubDate>Mon, 26 Mar 2012 10:20:59 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Publications]]></category>

		<guid isPermaLink="false">http://erpscan.com/?p=2689</guid>
		<description><![CDATA[At the BlackHat Europe conference held from March 14 to March 16, Alexey Sintsov, head of the information security audit department at ERPScan Company, shared his experience in penetration testing and presented the results of recently conducted research into Lotus Domino security. His presentation discussed the lack of time, and frequently of desire, that companies have to dig into the details of existing vulnerabilities and actually exploit them, and how this often impairs the quality of their work. In the demonstration, a private vulnerability in Lotus Domino was quite quickly disassembled, the resulting exploit used, the existing patch bypassed and a critical 0-day [...]]]></description>
			<content:encoded><![CDATA[<p>At the BlackHat Europe conference held from March 14 to March 16, Alexey Sintsov, head of the information security audit department at ERPScan Company, shared his experience in penetration testing and presented the results of recently conducted research into Lotus Domino security.</p><p>
His presentation discussed the lack of time, and frequently of desire, that companies have to dig into the details of existing vulnerabilities and actually exploit them, and how this often impairs the quality of their work.</p><p>
In the demonstration, a private vulnerability in Lotus Domino was quite quickly disassembled, the resulting exploit used, the existing patch bypassed and a critical 0-day vulnerability found. The result was an attack on the Domino Controller service (the Lotus Domino administration service), which allows full server compromise.</p><p>

<a href="http://erpscan.com/wp-content/uploads/2012/03/bh-eu-12-Sintsov-Lotus_Domino-WP.pdf">Whitepaper "Lotus Domino: Penetration Through the Controller", BlackHat Europe 2012</a></p>]]></content:encoded>
			<wfw:commentRss>http://erpscan.com/publications/whitepaper-lotus-domino-penetration-through-the-controller-from-blackhat-europe-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Presentation &#8220;Lotus Domino: Penetration Through the Controller&#8221; from BlackHat Europe 2012</title>
		<link>http://erpscan.com/presentations/presentation-lotus-domino-penetration-through-the-controller-from-blackhat-europe-2012/</link>
		<comments>http://erpscan.com/presentations/presentation-lotus-domino-penetration-through-the-controller-from-blackhat-europe-2012/#comments</comments>
		<pubDate>Mon, 26 Mar 2012 10:18:39 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Presentations]]></category>

		<guid isPermaLink="false">http://erpscan.com/?p=2683</guid>
		<description><![CDATA[At the BlackHat Europe conference held from March 14 to March 16, Alexey Sintsov, head of the information security audit department at ERPScan Company, shared his experience in penetration testing and presented the results of recently conducted research into Lotus Domino security. His presentation discussed the lack of time, and frequently of desire, that companies have to dig into the details of existing vulnerabilities and actually exploit them, and how this often impairs the quality of their work. In the demonstration, a private vulnerability in Lotus Domino was quite quickly disassembled, the resulting exploit used, the existing patch bypassed and a critical 0-day [...]]]></description>
			<content:encoded><![CDATA[<p>At the BlackHat Europe conference held from March 14 to March 16, Alexey Sintsov, head of the information security audit department at ERPScan Company, shared his experience in penetration testing and presented the results of recently conducted research into Lotus Domino security.</p><p>
His presentation discussed the lack of time, and frequently of desire, that companies have to dig into the details of existing vulnerabilities and actually exploit them, and how this often impairs the quality of their work.</p><p>
In the demonstration, a private vulnerability in Lotus Domino was quite quickly disassembled, the resulting exploit used, the existing patch bypassed and a critical 0-day vulnerability found. The result was an attack on the Domino Controller service (the Lotus Domino administration service), which allows full server compromise.</p><p>

<a href="http://erpscan.com/wp-content/uploads/2012/03/bh-eu-12-Sintsov-Lotus_Domino-Slides.pdf">"Lotus Domino: Penetration Through the Controller", BlackHat Europe 2012</a></p>]]></content:encoded>
			<wfw:commentRss>http://erpscan.com/presentations/presentation-lotus-domino-penetration-through-the-controller-from-blackhat-europe-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SAP security updates in March and missing authorization vulnerabilities</title>
		<link>http://erpscan.com/press-center/sap-security-updates-in-march-and-missing-authorization-vulnerabilities/</link>
		<comments>http://erpscan.com/press-center/sap-security-updates-in-march-and-missing-authorization-vulnerabilities/#comments</comments>
		<pubDate>Thu, 22 Mar 2012 17:11:44 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[blog]]></category>
		<category><![CDATA[Press Center]]></category>
		<category><![CDATA[patch]]></category>

		<guid isPermaLink="false">http://erpscan.com/?p=2679</guid>
		<description><![CDATA[SAP has released the monthly critical patch update for March 2012. This patch update closes many vulnerabilities in SAP products. Overall, more than 40 vulnerabilities were fixed, including 7 found by third-party researchers. Also, this month, 2 vulnerabilities found by ERPScan researchers Dmitriy Chastukhin and Alexey Tyurin were closed. I would like to tell you more about the corrected vulnerabilities and the risks that they involve. 1. (1607850) SAP BW – critical information disclosure. No details are available. Criticality, according to CVSS, is 7.5. 2. (1580244) SAP BASIS – missing authorization check in an RFC function. Criticality, according to CVSS, is [...]]]></description>
			<content:encoded><![CDATA[<div align="justify"><p><a href="http://www.sap.com">SAP</a> has released the <strong>monthly critical patch update for March 2012</strong>. This patch update closes many vulnerabilities in SAP products. Overall, more than 40 vulnerabilities were fixed, including 7 found by third-party researchers. Also, this month, 2 vulnerabilities found by ERPScan researchers Dmitriy Chastukhin and Alexey Tyurin were closed.</p><p>
I would like to tell you <strong>more about the corrected vulnerabilities</strong> and the risks that they involve.</p>
<ol>
	<li><u>(1607850) SAP BW</u> – critical information disclosure. No details are available. Criticality, according to CVSS, is 7.5.</li>
	<li><u>(1580244) SAP BASIS</u> – missing authorization check in an RFC function. Criticality, according to CVSS, is 3.5.</li>
	<li><u>(1656549) SAP Portal</u> – XSS vulnerability. An attacker can exploit the XSS vulnerability by sending a link to a malicious script to an unaware user via e-mail, instant messaging or social networks. Thus, an attacker can gain access to the user's session and gain control over the business-critical information accessible to the victim. Criticality, according to CVSS, is 4.3.</li>
	<li><u>(1657891) SAP BASIS</u> – missing authorization checks in an RFC function. Criticality, according to CVSS, is 2.3. An attacker can execute a vulnerable transaction, program or RFC function remotely without authentication because the authorization check is missing. This can lead to a range of threats, from information disclosure to full system compromise.</li>
	<li><u>(1591427) SAP BASIS</u> – XSS vulnerability. Criticality, according to CVSS, is 4.3.</li>
	<li><u>(1658947) SAP Portal</u> – information disclosure. Criticality, according to CVSS, is 4.0.</li>
	<li><u>(1600755) SAP HR</u> – ABAP code injection through missing input validation checks. Criticality, according to CVSS, is 6.0.</li>
</ol>
<p>
Today I will tell you about one of the most common vulnerabilities, namely <b>missing authorization checks in RFC functions</b>.</p><p>
Overall, it is one of the most common and most easily understood types of vulnerabilities. Think about an RFC function that performs some critical action in the system; call it, for example, Z_RFCEXPLOIT (the same applies to reports and transactions). The vulnerability is the missing user authorization check (AUTHORITY-CHECK) in its code. In practice, it means that the Z_RFCEXPLOIT function can be called by any user, provided that he or she has sufficient privileges to call RFC functions at all.</p><p>
There are 3 basic ways to call an RFC function.</p>
<ol>
	<li><u>In dialog mode, using the SE37 transaction.</u><br />
Privileged users usually have the rights for this kind of transaction, though exceptions certainly exist.</li>
	<li><u>Through a remote call over the RFC protocol.</u><br />
In this case, apart from the authorization check in the RFC function itself, the system also checks that the user has the right to access the RFC function group (S_RFC authorization object, FUGR field). This mitigates the risk of attack, but the risk remains in the case of highly privileged accounts with default passwords, like SAP*, DDIC, EARLYWATCH, TMSADM or SAPCPIC.<br />
It is notable that the last two accounts are found in 95% of the systems we analyze, so the chances of attack are pretty high.</li>
	<li><u>Through a remote call via WEBRFC.</u><br />
It is commonly known that RFC functions can be called remotely through the web interface on the web port of the SAP NetWeaver ABAP application server (relative address: /sap/bc/soap/rfc). What is specific about this method is that, first, in many organizations the web interface is accessible from the Internet, and second, the group authorization is not checked when an RFC function is called through this interface, which allows any user to call vulnerable RFC functions.</li>
</ol>
<p>
Thus, vulnerabilities connected with missing authorization checks should not be underestimated, because they are easily exploited and do not require special privileges in the system. Taking into account that there are about 2 million RFC functions in SAP, such vulnerabilities will constantly reappear in SAP products, as well as in custom-developed code, whose security must be cared for just as thoroughly.</p><p>
PS: According to ERPScan’s agreement with SAP, we do not publish details of vulnerabilities until 3 months after the update is released, to give organizations time to install the patch.</p></div>
]]></content:encoded>
			<wfw:commentRss>http://erpscan.com/press-center/sap-security-updates-in-march-and-missing-authorization-vulnerabilities/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Upcoming webinar (29 March): ERPScan Security Scanner for SAP Review</title>
		<link>http://erpscan.com/press-center/news/upcoming-webinar-29-march-erpscan-security-scanner-for-sap-review/</link>
		<comments>http://erpscan.com/press-center/news/upcoming-webinar-29-march-erpscan-security-scanner-for-sap-review/#comments</comments>
		<pubDate>Tue, 20 Mar 2012 19:36:10 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://erpscan.com/?p=2675</guid>
		<description><![CDATA[For those who missed our previous webinar, we will repeat it. Please keep in mind that we will register users only from corporate email addresses. ERP systems are the core of every enterprise. They contain all of a company's critical business processes, from purchasing, payment and shipping to human resource management, production and financial planning. All the data stored in ERP systems is of paramount importance, and any illegal access can lead to losses or even business shutdown. In order to protect your business, we strongly recommend an automated system to assess component security. In this webinar you will [...]]]></description>
			<content:encoded><![CDATA[<img alt="" src="http://erpscan.com/wp-content/uploads/2012/03/erpscan.jpg" class="aligncenter" width="576" height="231" /><br /><br />


<strong>For those who missed our previous webinar, we will repeat it.
Please keep in mind that we will register users only from corporate email addresses.</strong>

<br /><br />
ERP systems are the core of every enterprise. They contain all of a company's critical business processes, from purchasing, payment and shipping to human resource management, production and financial planning. All the data stored in ERP systems is of paramount importance, and any illegal access can lead to losses or even business shutdown. In order to protect your business, we strongly recommend an automated system to assess component security. In this webinar you will learn what kind of threats target SAP systems and how our products will keep you and your data secure.

<blockquote><em>ERPScan Security Scanner for SAP is an innovative product for integrated assessment of SAP platform security and standard compliance. The system enables conducting complex security assessments while scanning SAP servers for software vulnerabilities, misconfigurations, critical access, and also performs assessment for compliance to current standards and best practices including SAP best practices and ISACA guidelines.</em></blockquote>

<a title="Register here" href="https://www3.gotomeeting.com/register/664146350">Register here</a><br />

Panelist: Alexander Polyakov, CTO of ERPScan<br />

When: Thursday, March 29, 2012, 3:00 PM - 4:00 PM GMT<br />]]></content:encoded>
			<wfw:commentRss>http://erpscan.com/press-center/news/upcoming-webinar-29-march-erpscan-security-scanner-for-sap-review/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SAP critical patch update March 2012</title>
		<link>http://erpscan.com/press-center/news/sap-critical-patch-update-march-2012/</link>
		<comments>http://erpscan.com/press-center/news/sap-critical-patch-update-march-2012/#comments</comments>
		<pubDate>Tue, 20 Mar 2012 11:17:47 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Press Center]]></category>
		<category><![CDATA[Press Release]]></category>

		<guid isPermaLink="false">http://erpscan.com/?p=2669</guid>
		<description><![CDATA[SAP has released the monthly critical patch update for March 2012. This patch update closes many vulnerabilities in SAP products. This month, 2 vulnerabilities found by ERPScan researchers Dmitriy Chastukhin and Alexey Tyurin were closed. A detailed list of the corrected vulnerabilities is below: An XSS vulnerability was found in SAP Portal. An attacker can exploit the XSS vulnerability by sending a link to a malicious script to an unaware user via e-mail, instant messaging or social networks. Thus, an attacker can gain access to the user's session and gain control over the business-critical information accessible to the victim. Update is available in SAP [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.sap.com/">SAP</a> has released the monthly critical patch update for March 2012. This patch update closes many vulnerabilities in SAP products. This month, 2 vulnerabilities found by <a href="http://www.dsecrg.com/">ERPScan</a> researchers Dmitriy Chastukhin and Alexey Tyurin were closed.</p>

<p>A detailed list of the corrected vulnerabilities is below:</p>
<ul>
<li>An XSS vulnerability was found in SAP Portal. An attacker can exploit the XSS vulnerability by sending a link to a malicious script to an unaware user via e-mail, instant messaging or social networks. Thus, an attacker can gain access to the user's session and gain control over the business-critical information accessible to the victim. Update is available in SAP Note 1656549. Criticality, according to CVSS, is 4.3.</li>

<li>Missing authorization checks in an RFC function from the BASIS module. Update is available in SAP Note 1657891. Criticality, according to CVSS, is 2.3. An attacker can execute a vulnerable transaction, program or RFC function remotely without authentication because the authorization check is missing. This can lead to a range of threats, from information disclosure to full system compromise.</li></ul>

<p>SAP has traditionally acknowledged the vulnerabilities found by DSecRG security researchers on its <a href="http://scn.sap.com/docs/DOC-8218">acknowledgement page</a>.</p>
 
<p>It is highly recommended to patch all those issues to prevent business risks.</p>


<p>Advisories for those issues with technical details will be available within 3 months on <a href="http://www.erpscan.com/">ERPScan.com</a> and also on <a href="http://www.dsecrg.com/">DSecRG.com</a>.</p>

<p>Exploits will be available soon in ERPScan Security Scanner and ERPScan SaaS.</p>

 ]]></content:encoded>
			<wfw:commentRss>http://erpscan.com/press-center/news/sap-critical-patch-update-march-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

