Companies expose critical SAP services to the Internet

Palo Alto, CA – June 18, 2012 A report called “SAP Security in figures – a global survey 2007-2011” has been published – a first public survey on SAP security vulnerabilities, metrics and threats.

The survey involved a TCP port scan made across the Internet which showed various critical services exposed by 5%-25% (depending on the service) of companies that run SAP. Their subnetworks were scanned in the framework of the survey.

One of the goals of the research was to dispel the myth that SAP systems are secured from hackers and are only available from the internal network. While all the recommendations from SAP and consulting companies say that even internal access to unnecessary administrative services should be restricted, it was found that many companies configure their landscape improperly and expose critical services to the Internet. In some cases, lack of knowledge is the reason and sometimes companies want easy remote control, which is insecure.

For example, 212 SAP Routers were found in Germany which were created mainly to route access to internal SAP systems. SAP Routers themselves can have security misconfigurations but the real problem is that 8% of that companies also expose, for example, SAP Dispatcher service directly to the Internet circumventing SAP Router. This service can be easily exploited by logging in with default credentials or by exploiting some of the vulnerabilities that were patched by SAP in May, 2012.

Also, 9% of the researched sample (which included 1000 companies that use SAP all over the world) expose SAP Management console, which is vulnerable to unauthorized gathering of system parameters remotely from the Internet. Most of them are located in China (55%) and India (20%).

The report contains 40 pages of different metrics, as well as other findings such as:

  • As of April 26, 2012, more than 2000 SAP Security notes have been published.
  • Most of the issues (69%) have high priority, which means that about 2/3 of the published vulnerabilities must be corrected quickly.
  • A total of 2677 unique servers with different SAP web applications was found on the Internet using Shodan Search.
  • 59% of them are vulnerable to information disclosure.
  • The most popular OS for SAP are Windows NT (28%) and AIX (25%).
  • It was found that 40% of ABAP NetWeaver systems on the Internet have the WebRFC service enabled which allows calling critical business-related and administrative functions. It is secured by usernames and passwords but there is plenty of default credentials that work in most cases.
  • It was found that 61% of J2EE systems on the Internet have the CTC service enabled. It is vulnerable to the Verb Tampering vulnerability which allows authentication bypass and is still unpatched in most of the companies.

The original report containing detailed information, called “SAP Security in figures – a global survey 2007-2011”, can be found here.