Palo Alto, CA – January 23, 2014 ERPScan warns that SAP vulnerabilities can threaten enterprises unless companies install the solutions provided by SAP. Recently, Nvidia Corporation had to close access to their client support website, nvcare.nvidia.com, because of certain information that had been published about a vulnerability on the website.
The details of the vulnerability have been published at various computer security conferences more than once. SAP has released the relevant patches long ago (SAP Security Notes 1467771, 1445998, 1589525 and 1624450).
In spite of all those warnings, Nvidia employees had not installed the updates and had not closed the vulnerability. Unfortunately, the example of Nvidia is highly illustrative, but not unique. Using a simple Google Dork ‘inurl:/irj/portal’, one can find a lot of vulnerable SAP Portal systems belonging to various companies.
Better than any words, this fact proves that even large enterprises tend to forget about the security of internal critical business systems.
On January 5, Chinese research group published some details of a vulnerability which allowed code execution in the OS of SAP servers. In the report was mentioned, that the issue was presented in SAP NetWeaver and used as a back-end. This vulnerability was discovered by ERPScan research team three years ago. It allowed a remote user to execute arbitrary code and gain full control over the system. An attacker could use it to bypass authentication and to gain access to the critical servlet (in the case of Nvidia it was Configservlet). This was possible because of the mechanism called Invoker Servlet, which is enabled in SAP by default, and allows referring to servlets by special links. In other words, an attacker could simply refer to a servlet by the URI ‘/ctc/servlet/ConfigServlet’ and get access without any role, while a request to the URI ‘/ctc/ConfigServlet’ would check if the user has any access rights.
This vulnerability is critical because, on top of compromising server OS, it can also help to access to the critical business data, stored in the victim ERP system.
This attack on SAP Portal along with many others is described in details in the Breaking SAP Portal presentation by ERPScan. More interesting issues also mentioned in the 12 Years of SAP Security in Figures research paper.