The purpose of this report. is to show a high level view of SAP Security in figures so that the problem area is not just theoretically comprehensible but based on actual numbers and metrics – from the information about the number of found issues and their popularity to the number of vulnerable systems, all acquired as a result of a global scan.
One of the goals of the research was to dispel the myth that SAP systems are secured from hackers and are only available from the internal network. While all the recommendations from SAP and consulting companies say that even internal access to unnecessary administrative services should be restricted, it was found that many companies configure their landscape improperly and expose critical services to the Internet. In some cases, lack of knowledge is the reason and sometimes companies want easy remote control, which is insecure.
For example, 212 SAP Routers were found in Germany which were created mainly to route access to internal SAP systems. SAP Routers themselves can have security misconfigurations but the real problem is that 8% of that companies also expose, for example, SAP Dispatcher service directly to the Internet circumventing SAP Router. This service can be easily exploited by logging in with default credentials or by exploiting some of the vulnerabilities that were patched by SAP in May, 2012 .
We can conclude that the interest to SAP platform security has been growing exponentially. Taking into account the growing number of vulnerabilities and vast availability of SAP systems on the Internet, we predict that SAP systems can become a target not only for direct attacks (for example APT) but also for mass exploitation using worms targeting one or more vulnerabilities
The original report containing detailed information can be found here SAP Security in figures: a global survey 2007-2011.