Palo Alto, CA - November 18, 2011. At the HITB (Malaysia) and HackerHalted (Miami) conferences, ERPScan specialists demonstrated the concept of an SAP worm that targets SAP systems reachable from the Internet, using a critical vulnerability in the J2EE engine.
The presentation attracted a great deal of attention and was highly appreciated by colleagues abroad. The world tour devoted to SAP J2EE platform security is now over, and our specialists are preparing for next year, which will certainly bring new and interesting research.
From past events press releases
Many SAP customers still do not understand that a single overlooked or unpatched technical vulnerability can have a dire impact on the security of the whole company. There are currently more than 1500 published SAP Security Notes describing different vulnerabilities in SAP products. The worm, once released, would be able to detect vulnerable SAP servers and exploit them through a vulnerability in the J2EE engine, and then upload a payload to the compromised server. Because such a server usually holds trusted RFC connections to other internal servers, the payload could obtain the credentials for those trusted connections and use them to connect to the other servers. It could then download financial, human resources, materials management, inventory and other critical data. The information about the trusted connections is itself valuable to an attacker.
Where no trusted connection exists, the worm would fall back to default usernames and passwords to gain access to other internal servers. Once the worm is lodged in a server, it may go undetected for years, even after the original vulnerability has been patched: an attacker only needs to send a special command to retrieve any kind of critical corporate data. Moreover, an attacker could overwrite bank account numbers and manipulate money transfers.
The vulnerability report can be downloaded here: