May-10-2012 Presentation at Kuwait InfoSecurity “Top 10 most interesting vulnerabilities and attacks in SAP” by Alexander Polyakov
Kuwait – May 10, 2012. Alexander Polyakov, CTO of ERPScan, attended the Kuwait InfoSecurity 2012 conference with a presentation highlighting the TOP 10 most interesting vulnerabilities and attacks on SAP. He spoke about a buffer overflow vulnerability in the ABAP Kernel, a DoS attack through the SAP NetWeaver ABAP web interface, weak password encryption in SAPGUI, and vulnerabilities specific to the ABAP language.
First place was assigned to the Verb Tampering vulnerability, which was presented at BlackHat in August 2011. The vulnerability was discovered in the J2EE engine of SAP NetWeaver. It allows an anonymous attacker to fully compromise an SAP system. About 40 different applications vulnerable to this attack were found. The most critical one allows creating any user, assigning that user any role in the system, and executing any OS command.
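HTTP verb tampering in a J2EE application is, in the general case, a security-constraint in web.xml that enumerates the HTTP methods it protects, so that any method not listed reaches the servlet without the configured role check. The page does not give the details of the SAP case, so the following is an added defender-side audit example (not ERPScan's or SAP's code): it parses a constructed web.xml, flags every web-resource-collection whose protection is limited to specific methods, and produces a hardened copy in which the method list is dropped so the constraint applies to all verbs. The sample deployment descriptor, the role names and the URL patterns are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor (not from any SAP product).
# The "Admin" collection lists http-method elements, which is the generic
# root cause of verb tampering; the "Reports" collection covers all methods.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>analyst</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# Keep the default namespace on serialization instead of an "ns0:" prefix.
ET.register_namespace("", "http://java.sun.com/xml/ns/javaee")


def _ns(root):
    """Return the '{uri}' prefix of the root element, or '' for un-namespaced web.xml."""
    tag = root.tag
    return tag[: tag.index("}") + 1] if tag.startswith("{") else ""


def find_verb_tampering_gaps(web_xml_text):
    """List every web-resource-collection whose role check only covers some HTTP methods.

    Each finding records the collection name, its URL patterns and the methods
    that are actually protected; any other verb bypasses the auth-constraint.
    """
    root = ET.fromstring(web_xml_text)
    ns = _ns(root)
    findings = []
    for constraint in root.iter(ns + "security-constraint"):
        # Constraints without an auth-constraint impose no role check at all,
        # so a method list there is not a bypass of anything.
        if constraint.find(ns + "auth-constraint") is None:
            continue
        for wrc in constraint.findall(ns + "web-resource-collection"):
            methods = [m.text.strip().upper() for m in wrc.findall(ns + "http-method") if m.text]
            if methods:
                findings.append({
                    "name": wrc.findtext(ns + "web-resource-name", default="?"),
                    "url_patterns": [p.text for p in wrc.findall(ns + "url-pattern")],
                    "protected_methods": methods,
                })
    return findings


def remove_method_restrictions(web_xml_text):
    """Return a hardened copy of web.xml with every http-method element removed.

    With no method list, the security-constraint applies to all verbs
    (HEAD, PUT, DELETE, OPTIONS, custom verbs) and not only to those named.
    """
    root = ET.fromstring(web_xml_text)
    ns = _ns(root)
    for wrc in root.iter(ns + "web-resource-collection"):
        for method in wrc.findall(ns + "http-method"):
            wrc.remove(method)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in find_verb_tampering_gaps(SAMPLE_WEB_XML):
        print(f"{f['name']}: {f['url_patterns']} protected only for {f['protected_methods']}")
    hardened = remove_method_restrictions(SAMPLE_WEB_XML)
    print("gaps after hardening:", find_verb_tampering_gaps(hardened))
```

Dropping the method list is the right fix only when the constraint was meant to cover the whole resource; if some verbs really must stay open, prefer an explicit deny-all constraint for the remaining methods rather than leaving them unlisted, and re-run the audit on the deployed descriptor, not only on the source tree.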
The credit for exposing all the mentioned issues and many more must be given to ERPScan Research subdivision. The research subdivision has received multiple acknowledgements from SAP and bears the title of the leading SAP SE partner in discovering and solving vulnerabilities.
To protect your ERP system, we advise that you regularly install SAP security notes and, of course, use ERPScan Security Scanner for SAP, which already contains more than 6000 checks for various security issues and a new ABAP code security assessment module.