A global report from ERPScan on SAP security has exposed many critical weaknesses in the companies that run SAP.
One of the major objectives of this research was to dispel the misconception that SAP systems are in no danger from hackers because they are only reachable from the internal network.
SAP and other consulting companies are of the opinion that even internal access to unwanted administrative services should be limited. The research found that many companies are unable to configure their landscape properly and end up exposing critical services to the internet.
There are many reasons behind this, but the most common are lack of knowledge and companies' fondness for remote control, which is a threat to security.
Take an example: 212 SAP Routers were found in Germany, responsible for routing access to internal SAP systems. SAP Routers can have security misconfigurations of their own, but the real problem lies in the fact that 8% of those companies expose the SAP Dispatcher service directly to the internet, circumventing the SAP Router entirely. This service can effortlessly be misused by logging in with default credentials or by exploiting weaknesses that SAP has already patched.
Another interesting finding of the research is that 9% of the researched sample (1000 companies that use SAP all over the world) expose the SAP Management Console, which allows unauthorized remote gathering of system parameters from the internet. Most of them are located in China (55%) and India (20%).
The key points of the research are as follows:
- Many issues have high priority, meaning about 2/3 of the vulnerabilities need to be corrected quickly.
- 2677 unique servers running various SAP internet applications were found on the web using the Shodan search engine.
- 59% of them are at risk of information disclosure.
- Windows NT (28%) and AIX (25%) are the most popular operating systems for SAP.
- 40% of ABAP NetWeaver systems have the WebRFC service enabled, which permits calling critical business-related and administrative functions. It usually requires a username and password, but default credentials are still in use in many cases.
- 61% of J2EE systems on the web have the CTC service running. It is vulnerable to the Verb Tampering vulnerability, which allows authentication bypass, and it is still not patched in many companies.