SAP SECURITY IN FIGURES: A GLOBAL SURVEY 2007–2013

Authors: Alexander Polyakov, Alexey Tyurin

Other contributors: Kirill Nikitenkov, Evgeny Neyolov, Alina Oprisko, Dmitry Shimansky

www.erpscan.com • www.eas-sec.org

Content

Disclaimer
1. Intro
    1.1. Corporate security changes
2. Brief results
3. Vulnerability statistics
    3.1. Number of SAP Security Notes
    3.2. SAP Security Notes sorted by criticality
    3.3. SAP Security Notes sorted by type
    3.4. Number of acknowledgements to external researchers
    3.5. Amount of publicly available information
    3.6. Top 5 most valuable vulnerabilities in 2012
4. Growing interest
    4.1. Number of security reports in technical conferences
5. SAP on the Internet
    5.1. Google search results by country
    5.2. Shodan search results by country
    5.3. Internet Census scan
    5.4. PortScan search result by country
6. SAP versions
    6.1. ABAP engine versions
    6.2. J2EE engine versions
    6.3. OS popularity for SAP
    6.4. RDBMS popularity for SAP Backend
7. Critical services on the Internet
    7.1. SAProuter
    7.2. WebRFC service as part of NetWeaver ABAP
    7.3. CTC service as part of NetWeaver J2EE
    7.4. SAP Message Server HTTP
    7.5. SAP Management Console
    7.6. SAP Host Control
    7.7. SAP Dispatcher service
8. Future predictions and trends
    8.1. Internal threats
    8.2. External threats


    8.3. SAP forensics
    8.4. What can happen?
        8.4.1. Autocad virus
        8.4.2. Internet-Trading virus
        8.4.3. News resources hacking (Sabotage)
9. Conclusion
About ERPScan
About OWASP-EAS (EAS-SEC)
    Open Security Project
    Project mission
Links and future reading
Our contacts


Disclaimer

The partnership agreement and relationship between ERPScan and SAP prevent us from publishing detailed information about vulnerabilities before SAP releases a patch. This whitepaper includes only the details of those vulnerabilities that we have the right to publish as of the release date. Additional examples of exploitation that prove the existence of the vulnerabilities are available in conference demos as well as at ERPScan.com [1].

Our SAP security surveys and research in other areas of SAP security do not end with this whitepaper. You can find the latest updates about the statistics of SAP services found on the Internet and other endeavors of the EAS-SEC project [2] at SAPScan.com [3].

The survey was conducted by ERPScan as part of its contribution to the EAS-SEC non-profit organization, which is focused on Enterprise Application Security awareness.

This document or any part of it cannot be reproduced in whole or in part without prior written permission of ERPScan. SAP AG is neither the author nor the publisher of this whitepaper and is not responsible for its content. ERPScan is not responsible for any damage that can be incurred by attempting to test the vulnerabilities described here. This publication contains references to SAP AG products. SAP NetWeaver and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany.


1. Intro

An ERP system is the heart of any large company. It enables all the critical business processes, from procurement, payment and transport to human resources management, product management and financial planning. All of the data stored in ERP systems is of great importance, and any unauthorized access can mean enormous losses, potentially up to the termination of business processes. According to the Association of Certified Fraud Examiners (ACFE), losses to internal fraud constituted 7% of yearly revenue on average in 2006 through 2010, and a typical entity lost 5% of annual revenue to fraud in 2010–2012, with global fraud loss for that period estimated at more than $3.5 trillion [5]; averaged over the four years, the figure is 6%. That is why we decided to increase awareness in this area.

The widespread myth that ERP security is limited to the SoD matrix has been dispelled lately and now seems more like an ancient legend. Within the last 7 years, SAP security experts have spoken a great deal about various attacks on SAP via the RFC interface, SAProuter, SAP web applications and SAP GUI client workstations [6]. Interest in the topic has been growing exponentially: in 2006, there was 1 report [7] on SAP at a technical conference dedicated to hacking and security, whereas in 2011 there were already more than 20. In 2012, the popularity of the topic inspired more than 30 reports, and by the middle of 2013 about 20 reports had been given in only half a year. A variety of hacking tools has been released that prove that attacks on SAP are possible [8], [9], [10].

According to the statistics of vulnerabilities found in business applications, more than 100 vulnerabilities were patched in SAP products in 2009, growing to more than 500 in 2010. By August 2013, there were more than 2700 SAP Security Notes about vulnerabilities in various SAP components.

1.1. Corporate security changes

Corporate infrastructure tends to move from a decentralized model towards the integration of business processes into unified systems. Not long ago, a company would run several separate servers: a mail server, a file server, a domain controller and so on. These functions have been integrating into a single business application, which gives more convenient access but also creates a single point of failure. Business applications and ERP systems store all of the critical corporate data, from financial reports and personal information to lists of contractors and corporate secrets. Such a system is the main target of an insider or an external attacker, whose ultimate aim is that data rather than administrative access to the domain controller.

Losses to internal fraud constituted 6% of yearly revenue on average

Most SAP vulnerabilities allow an unauthorized user to gain access to all critical business data, so it is necessary to consider the main attack vectors and the ways to secure those highly critical systems


Nevertheless, many information security officers are, unfortunately, scarcely informed about the security of business applications like SAP. Another problem is that responsibility for security lies with the system owner rather than the CISO, and owners answer only to themselves. In the end, nobody is responsible for the security of the most critical system elements.

Narrower problems include, for example:

• Lack of qualified specialists – SAP specialists in most companies see SAP security as the SoD matrix only, whereas CISOs hardly understand SAP threats, not to mention the advanced configuration details.

• Great range of advanced configuration – There are more than 1000 parameters in the standard system configuration, plus a great range of advanced options, not to mention segregation of access rights to various objects like transactions, tables, RFC procedures etc. For example, the web interfaces for accessing a system alone can number several thousand. Securing a configuration of this scale can be hard even for a single system.

• Customizable configuration – No two SAP systems are alike, because most parameters are customized for every client in one way or another. Furthermore, custom programs are developed, and their security has to be accounted for in a comprehensive assessment, too.

The purpose of this report is to provide a high-level overview of SAP security in figures, so that the area is not just theoretically comprehensible but based on actual numbers and metrics – from the number of found issues and their popularity to the number of vulnerable systems, all acquired as a result of a global scan [3].


2. Brief results

Vulnerabilities

• Old issues are being patched, but a lot of new systems have vulnerabilities. SAP acquires new companies and invents new technologies faster than researchers analyze them.

• The number of vulnerabilities per year is going down compared to 2010, but they have become more critical.

• 69% of issues closed by SAP are marked as high priority (critical).

• The top 5 issues are more critical now than they were last year. Almost all of them have CVSS 10 (the highest score).

Interest

• The number of companies which find issues in SAP is growing (2 times compared to the previous year), and the percentage of issues found with the help of external researchers is getting higher and higher.

• Interest in SAP platform security has been growing exponentially, and not only among whitehats. SAP systems can become a target both for direct attacks (e.g. APT) and for mass exploitation, because a range of easily exploitable and widely installed services is accessible from the Internet.

Internet

• Almost 5000 SAProuters were found, and 85% of them are vulnerable to remote code execution.

• Almost 30% growth of web-based SAP solutions (90% growth of SAP Portal).

• Giant growth of the Latin American and Asian segment of web-based SAP systems.

• The most popular release (35%) is still NetWeaver 7.0, which was released in 2005.

• One third of Internet-facing SAP web services does not use SSL at all.

• The number of Internet-exposed services is 3–5 times lower (depending on the service) but still relevant.

Internal

• The share of internally exposed critical services and vulnerabilities is extremely high (30–95% depending on the service).

• Only 10% of systems have the security audit log enabled.

• Internal fraud and ABAP-specific backdoors are more likely now.

Defense

• SAP security in the default configuration is getting much better.

[+] SAP invests money and resources in security, provides guidelines, and arranges conferences.

[-] Unfortunately, SAP users still pay little attention to SAP security.


Predictions

• Still a lot of uncovered areas in SAP security.

• SAP forensics can be a new research area, because it is not easy to find evidence now, even if it exists.

• New types of cyber-weapons which target ERP systems can appear shortly.


3. Vulnerability statistics

The information about vulnerabilities in SAP, sorted by their popularity, criticality and the affected systems, is given here. The top 5 most valuable publicly known vulnerabilities are presented as well.

3.1. Number of SAP Security Notes

Every month on SAP Critical Patch Day (the second Tuesday of the month), SAP releases one or more internal advisories called SAP Security Notes. Such an advisory usually contains information about one or more vulnerabilities found in SAP products, or about misconfigurations that bear some risk to SAP systems. The first SAP Security Note was published in 2001. In 2007, the number of published notes began to grow exponentially.

Figure 3.1–1 Number of SAP Security Notes per year (the data was collected on September 1, 2013, when a total of 2718 notes had been published)

During 2011, the number of SAP Security Notes published every month on the Critical Patch Day was about 61 on average. In 2012, this number fell to 54 notes, and by the middle of 2013 it was 29 notes a month on average. This is still more than Microsoft, Oracle or Cisco publish. Needless to say, just 4 years ago (2009) this number was much lower (approximately 6 times lower).

[Figure 3.1–1 chart: bars per year, 2001–2013. Fewer than 30 notes a year until 2006, 78 in 2007 and 131 in 2008, a peak of 833 in 2010, then 731 in 2011, 641 in 2012 and 230 in 2013 up to September 1]

As of September 1, 2013, 2718 SAP Security Notes have been published


Figure 3.1–2 Average number of the Notes which are released every month per year

From the two previous figures, you can conclude that the number of security notes has been going down a little since the peak in 2010. However, the number is still huge, and, as you will see in the following figures, the percentage of highly critical vulnerabilities is getting higher.

3.2. SAP Security Notes sorted by criticality

SAP has 5 different levels of criticality for published notes:

1. Hot News

2. Correction with high priority

3. Correction with medium priority

4. Correction with low priority

5. Recommendations/additional info

Figure 3.2–1 Number of SAP Security Notes, sorted by criticality level, compared: 2011 – light, 2013 – dark

[Figure 3.1–2 chart data, average number of notes per month: 2010 – 70, 2011 – 62, 2012 – 54, 2013 – 29]

[Figure 3.2–1 chart data]

Criticality level                     | Notes, 2011 | Notes, 2013
1 - Hot News                          |         163 |         178
2 - Correction with high priority     |        1355 |        1896
3 - Correction with medium priority   |         371 |         507
4 - Correction with low priority      |          74 |          79
5 - Recommendations/additional info   |          58 |          58

Most of the issues (69%) have high priority, which means that about 2/3 of the published vulnerabilities must be corrected quickly


Figure 3.2–2 Percentage of High priority vulnerabilities per year

Figure 3.2–3 Percentage of Low priority vulnerabilities per year

As you can see, the overall number of security vulnerabilities found in SAP is getting lower, but researchers have started to focus on critical vulnerabilities.

3.3. SAP Security Notes sorted by type

All published SAP Security Notes were analyzed by their popularity. The most popular types of issues are presented below.

[Figures 3.2–2 and 3.2–3 chart data]

Year | High priority, % | Low priority, %
2009 |            32.86 |            9.54
2010 |            69.99 |            4.08
2011 |            77.70 |            1.09
2012 |            80.34 |            1.40
2013 |            59.57 |            0.43


Figure 3.3–1 SAP Security Notes, sorted by type

About 20% of found vulnerabilities are not included in the top 10, because a lot of unique issues exist in SAP systems. Some of them are covered in our presentation "Top 10 most interesting SAP vulnerabilities and attacks" [11].

In addition, we compared the SAP vulnerability lists for 2012 and 2013 with the OWASP Top 10 to see whether web-based issues and business application issues differ, and whether anything has changed.

Vulnerability type              | Rank in SAP, mid 2013 | Rank in SAP, mid 2012 | Rank in SAP, mid 2011 | Growth by percent | Popularity in CWE | Place in OWASP Top 10
1 - XSS                         |  1 |  3 (+2) |  2 (+1) | 0.53 |   2 |  1
2 - Missing authorization check |  2 |  2      |  1 (-1) | 0.28 |   3 |  2
3 - Directory traversal         |  3 |  1 (-2) |  3      | 0.10 |  10 |  3
4 - SQL injection               |  4 |  4      |  4      | 0.05 |   4 |  4
5 - Information disclosure      |  5 |  5      |  6 (+1) | 0.36 |   8 |  5
6 - Code injection              |  6 |  8 (+2) |  8 (+2) | 0.57 |   7 |  6
7 - Authentication bypass       |  7 |  6 (-1) |  5 (-2) | 0.18 |   3 |  7
8 - Hardcoded credentials       |  8 |  7 (-1) |  7 (-1) | 0.17 | N/A |  8
9 - Remote code execution       |  9 |  9      |  9      | 0.13 |   1 |  9
10 - Verb tampering             | 10 | 10      | N/A     | 0.11 | N/A | 10

[Figure 3.3–1 pie chart data, top 10 types of vulnerabilities (shares sum to 100% of the top-10 issues): 1 - XSS 25%, 2 - Missing authorization check 22%, 3 - Directory traversal 20%, 4 - SQL injection 9%, 5 - Information disclosure 7%, 6 - Code injection 5%, 7 - Authentication bypass 4%, 8 - Hardcoded credentials 4%, 9 - Remote code execution 3%, 10 - Verb tampering 1%]

The 3 most common vulnerability types cover 42% (was 41%) of all found issues.

The top 10 types cover 63% (unchanged) of all issues.


As you can see, the situation has changed slightly. We can only guess at the core reason for these changes, because many different factors can contribute and the numbers may not be very representative. But here are some ideas.

The main factors which can influence these numbers are:

• The growing number of web-based applications, and thus the growing number of web vulnerabilities.

• Enhancements in static code analysis software. The number of issues which can be found with simple regular expressions is getting low, while the number of issues that require more accurate static analysis, including data flow analysis, is getting high.

Taking these into account, we can conclude that:

• The growing number of XSS vulnerabilities is predictable due to the popularity of web-based applications, especially on the J2EE stack, and also due to the improvement of static code analysis.

• The falling number of directory traversal issues is predictable, because they are easy to find and most of them have already been found. Also, SAP has added improvements and additional authorization checks against directory traversal in new releases.

• The growing number of code injection vulnerabilities is due to their high criticality and to the fact that injection flaws are easier to find with more advanced static code analysis tools.

• On the other hand, issues such as hardcoded credentials will become rarer every year precisely because they are very easy to find (most of them have already been found with simple regular expressions).

Some areas differ between web and ERP programming vulnerabilities. This is further proof that business applications need a different approach and different priorities when we talk about SDLC processes.

3.4. Number of acknowledgements to external researchers

In 2010, SAP decided to give acknowledgements to external security researchers for vulnerabilities found in its products [12]. In the figure, you can see the number of vulnerabilities that have been found by external researchers since 2010.


Figure 3.4–1 Number of vulnerabilities found by external researchers per year

In 2010, there were just 16 companies that had acknowledgements from SAP, but by the middle of 2013 we had counted 46 different companies and 3 individual researchers, which is almost 3 times more.

Figure 3.4–2 Number of companies acknowledged by SAP per year

External companies and researchers were acknowledged by SAP for helping to close 353 vulnerabilities in SAP products. Most companies were acknowledged for just one vulnerability, while ERPScan has almost a quarter of all acknowledgements, with 83 in total (far more than any other contributor).

[Figure 3.4–1 chart data, vulnerabilities found by external researchers: 2010 – 57, 2011 – 102, 2012 – 81, 2013 – 113]

[Figure 3.4–2 chart data, companies acknowledged by SAP: 2010 – 16, 2011 – 29, 2012 – 34, 2013 – 46]

The 80/20 rule works almost perfectly: 80% of vulnerabilities were found by 17.5% of companies


Figure 3.4–3 Percentage of acknowledgements vs. number of companies

The ratio of vulnerabilities found by external researchers to vulnerabilities found by SAP internally is growing, as is the number of external researchers.

Figure 3.4–4 Percentage of acknowledgements to external researchers per year

What else can be learned from the relationship between SAP and external researchers? Recently, we have been receiving more and more responses from SAP PSRT to our vulnerability reports saying that the issue has already been patched. This can be due to two reasons, and each of them is good news for SAP users. Firstly, SAP AG itself has significantly improved its internal SDLC and vulnerability research, so some issues were already found by SAP. Secondly, two different researchers sometimes get credit for the same issue, which means that the number of researchers is going to increase.

[Figure 3.4–3 chart: percentage of acknowledgements (0–100%) plotted against number of companies (0–50)]

[Figure 3.4–4 chart data, percentage of notes credited to external researchers: 2010 – 6.84%, 2011 – 13.95%, 2012 – 12.64%, 2013 – 49.13%]


Figure 3.4–5 Number of duplicated issues sent by ERPScan researchers per year

3.5. Amount of publicly available information

The most critical threat comes from vulnerabilities for which information about the methods of exploitation (detailed advisories, PoC code and working exploits) is publicly available. Information was gathered from the three most popular sources:

SecurityFocus [13] – Detailed advisories, sometimes with PoC code, can usually be found here. All the vulnerabilities published here have a high probability of exploitation. 149 vulnerability advisories (5.5% of all vulnerabilities) were found here (as of September 1).

[Figure 3.4–5 chart data: 2, 4, 6 and 5 duplicated issues in consecutive years on a 2009–2013 axis]

The record share of bugs found by external researchers was broken in January 2013: 76%


Figure 3.5–1 Advisories per year from SecurityFocus

Exploit-DB [16] – Here you can usually find exploit code that can be used as-is, without any modification or additional knowledge of the target system. All the vulnerabilities published here have a critical probability of exploitation. A total of 49 exploits (1.8% of all vulnerabilities) were found here (as of September 1).

Figure 3.5–2 Exploits per year from Exploit-DB

In the figure below, vulnerabilities are categorized by probability and ease of exploitation according to the amount of information available to attackers from public sources, as opposed to the restricted information in SAP Security Notes.

[Figure 3.5–1 chart: SecurityFocus advisories per year, 2001–2013; 149 in total, with a peak of 30 in a single year]

[Figure 3.5–2 chart: Exploit-DB exploits per year, 2001–2013; 49 in total, with a peak of 11 in a single year]


Figure 3.5–3 SAP vulnerabilities by probability and ease of exploitation, as of September 1, 2013

Level of public information   | Notes | Share
SAP Security Note available   |  2718 | 100%
Some information available    |   353 | 13%
Advisory or PoC available     |   149 | 5.5%
Exploit available             |    49 | 1.8%
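The tiers in the figure can be turned directly into a patch-ordering rule. The Python below is an added example, not code from the survey or from ERPScan: the note records in SAMPLE_NOTES are constructed, the field names are my own rather than any SAP schema, and the weighting (public exploit detail first, then SAP priority level, then Internet exposure) is an assumed policy that the survey does not prescribe.

```python
"""Rank SAP Security Notes for patching by SAP priority and public exploit detail.

Added example (not the survey's or ERPScan's code).  The tiers follow
Figure 3.5-3; the note records are constructed sample data and the
field names are assumptions, not SAP's schema.
"""
from dataclasses import dataclass

# Public-information tiers, least to most dangerous.  Each tier in the figure
# is cumulative: a note with a public exploit also counts as "some information".
TIERS = ("note_only", "some_info", "advisory_or_poc", "exploit")
# SAP note priority levels from section 3.2, least to most urgent.
PRIORITIES = ("recommendation", "low", "medium", "high", "hotnews")


@dataclass(frozen=True)
class Note:
    number: str            # hypothetical identifier
    priority: str          # one of PRIORITIES
    public_info: bool      # the issue is mentioned anywhere publicly
    advisory: bool         # detailed advisory or PoC published (e.g. SecurityFocus)
    exploit: bool          # working exploit published (e.g. Exploit-DB)
    internet_facing: bool  # affected component reachable from the Internet


def tier(note: Note) -> str:
    """Most dangerous tier the note qualifies for."""
    if note.exploit:
        return "exploit"
    if note.advisory:
        return "advisory_or_poc"
    if note.public_info:
        return "some_info"
    return "note_only"


def tier_counts(notes) -> dict:
    """Cumulative counts per tier, as in Figure 3.5-3."""
    counts = {t: 0 for t in TIERS}
    for note in notes:
        for t in TIERS[: TIERS.index(tier(note)) + 1]:
            counts[t] += 1
    return counts


def tier_shares(notes) -> dict:
    """The same counts as percentages of all notes, one decimal place."""
    total = len(notes)
    return {t: round(100.0 * c / total, 1) for t, c in tier_counts(notes).items()}


def urgency(note: Note) -> tuple:
    """Sort key: public exploit detail first, then SAP priority, then exposure.

    This ordering is a policy choice made here, not one the survey prescribes."""
    return (TIERS.index(tier(note)), PRIORITIES.index(note.priority), int(note.internet_facing))


def patch_order(notes) -> list:
    """Note numbers, most urgent first."""
    return [n.number for n in sorted(notes, key=urgency, reverse=True)]


# Constructed sample data.
SAMPLE_NOTES = [
    Note("N-1", "hotnews", True, True, True, True),
    Note("N-2", "high", True, True, False, False),
    Note("N-3", "high", False, False, False, True),
    Note("N-4", "medium", True, False, False, True),
    Note("N-5", "low", False, False, False, False),
]

if __name__ == "__main__":
    print(tier_shares(SAMPLE_NOTES))
    print(patch_order(SAMPLE_NOTES))
```

With the sample data, N-2 (high priority, public advisory, internal only) is queued ahead of N-3 (high priority, Internet-facing, nothing public): the rule treats published exploitation detail as the stronger signal, which is the argument of this section. Swap the first two elements of the key in urgency() if SAP priority should dominate instead.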

3.6. Top 5 most valuable vulnerabilities in 2012

Out of the many published vulnerabilities, we have chosen the top 5 with the most significant threats published in 2012:

• SAP NetWeaver J2EE – DilbertMSG SSRF [17]

• SAP Host Control – Command Injection [18]

• SAP NetWeaver J2EE – File Read/Write [19]

• SAP Message Server – Buffer Overflow [20]

• SAP Dispatcher – DIAG protocol Buffer Overflow [21]

We chose 2 main factors among others to rank the most valuable issues disclosed in 2012:

• Accessibility – The major factor: whether it is possible to exploit the vulnerability from the Internet without user authorization.

• Criticality – How severe the harm to the system will be.

1. SAP NetWeaver J2EE – DilbertMSG SSRF

The vulnerability was found in the XML parser of the SAP NetWeaver J2EE engine. Actually, it is several vulnerabilities that lead to an SSRF (Server Side Request Forgery) attack, allowing an anonymous attacker from the Internet to send arbitrary TCP packets into any internal network and to do many other things, such as reading OS files, bypassing Message Server security and causing denial of service. This type of attack may not be as critical as the others presented below, but it opens a new class of issues, and similar problems can appear in the future.

[Figure 3.5–3 chart data: SAP Security Note available – 2718 (100%); some information available – 353 (13%); advisory or PoC available – 149 (5.5%); exploit available – 49 (1.8%)]


Espionage: Critical

Sabotage: Critical

Fraud: Medium

Availability: Anonymously through the Internet

Ease of exploitation: Medium

Future impact: High (New type of attack)

CVSSv2: 7.3

Advisory: http://erpscan.com/advisories/dsecrg-12-036-sap-xi-authentication-bypass/

Patch: SAP Note 1707494

Author: Alexander Polyakov, Alexey Tyurin, Alexander Minozhenko (ERPScan)

2. SAP Host Control – Code Injection

The vulnerability was found in the SAP Host Control service of the SAP NetWeaver ABAP engine, which listens on TCP port 1128 by default. It allows an anonymous attacker to execute any OS command by injecting it into a SOAP packet. However, the vulnerability only works when SAP is installed on top of the MaxDB database. This issue took second place due to three factors: ease of exploitation, availability of an exploit on the Internet, and the huge number of SAP Host Control services exposed on the Internet.

Espionage: Critical

Sabotage: Critical

Fraud: Critical

Availability: Anonymously through the Internet

Ease of exploitation: Easy (Metasploit module exists)

Future impact: Low (Single issue)

CVSSv2: 10

Advisory: http://www.contextis.com/research/blog/sap-parameter-injection-no-space-arguments/

Patch: SAP Note 1341333

Author: Contextis


3. SAP NetWeaver J2EE – File Read/Write

This vulnerability was found in the SAP NetWeaver J2EE stack and allows an anonymous attacker to obtain read and write access to any file on the operating system. The criticality of this issue is 10 by CVSS. The only two facts that put this issue in third place are that the vulnerable service is usually available only internally and that there is no public information about the details of exploiting it.

Espionage: Critical

Sabotage: Critical

Fraud: Critical

Availability: Anonymously

Ease of exploitation: Medium

Future impact: Low

CVSSv2: 10

Advisory: https://service.sap.com/sap/support/notes/1682613

Patch: SAP Note 1682613

Author: Juan Pablo

4. SAP Message Server – Buffer Overflow

A remote buffer overflow vulnerability with the ability to execute any code at OS level with the rights of the <SID>adm user was found in the SAP Message Server service. The vulnerability was sold to ZDI, and its criticality was rated 10 by CVSS, which is the highest score. Another critical point is that this service can also be exposed to the Internet, which will be detailed later.

Espionage: Critical

Sabotage: Critical

Fraud: Critical

Availability: Anonymous

Ease of exploitation: Medium. Good knowledge of exploit writing for multiple platforms is necessary

CVSSv2: 10.0

Advisory: http://www.zerodayinitiative.com/advisories/ZDI-12-112/

Patch: SAP Note 1649840 and 1649838

Author: Martin Gallo


5. SAP Dispatcher – DIAG protocol buffer overflow

SAP Dispatcher is the main service for SAP client-server communication. It allows connecting to SAP NetWeaver with the SAP GUI application through the DIAG protocol. Martin Gallo from Core Security found multiple buffer overflow vulnerabilities that can lead to denial of service, and one of them also allows code execution [22].

The exploit code was published on May 9, and an unauthorized attacker can exploit it without any rights. The good news is that this vulnerability only works when the DIAG trace is set to level 2 or 3, which is not the default value but a possible one.

Espionage: Critical

Sabotage: Critical

Fraud: Critical

Availability: Low. Trace must be on

Ease of exploitation: Medium

CVSSv2: 9.3

Advisory: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities

Patch: SAP Note 1687910

Author: Martin Gallo


4. Growing interest

While most security trends and forecasts focus on mobile, cloud, social networks and critical infrastructure, which will potentially face threats in the near future, there is a topic called ERP security where threats to those systems exist now. That is why the number of companies that focus on ERP security and sell software for its assessment is growing, and the number of security consulting companies that offer specialized consulting services for ERP security is growing as well.

4.1. Number of security reports at technical conferences

Since 2006, SAP security has received a lot of attention at technical security conferences such as CanSecWest, BlackHat, HITB and others. There were also some talks with SAP-related research in 2004, such as from Phenoelit. Since 2010, this trend has expanded to other conferences; more and more companies and researchers publish their research in the field of SAP security. In 2006–2009, talks mostly focused on showing typical information security threats in SAP landscapes such as SAP web application security, SAP client-side security, SAP backdoors and Trojans. Last year, discussions focused on retrospective and defensive areas such as SAP forensics.

During almost 10 years of research, almost every part of SAP was somehow breached and almost every area was discussed in terms of security:

► Common: SAP Backdoors, SAP Rootkits, SAP Forensics
► Services: SAP Gateway, SAP Router, SAP NetWeaver, SAP GUI, SAP Portal, SAP Solution Manager, SAP TMS, SAP Management Console [23], SAP ICM/ITS
► Protocols: DIAG [24], RFC, SOAP (MMC), Message Server, P4 [25]
► Languages: ABAP Buffer Overflow [26], ABAP SQL Injection [27], J2EE Verb Tampering [28], J2EE Invoker Servlet [25] [29] [30]
► Overview: SAP Cyber-attacks, Top 10 Interesting Issues, Myths about ERP

Since 2003, almost every part of SAP was somehow breached and almost every area was discussed at technical security conferences


Figure 4.1–1 Number of SAP security talks presented at different conferences by year *

The number of SAP security talks presented at different conferences every year is shown in the chart. For 2013, an approximate number is estimated based on the first 4 months.

*Data was collected from different conference websites as of August 15, 2013

[Figure 4.1–1 chart data, SAP security talks per year: 2003: 1; 2004: 1; 2005: 1; 2006: 1; 2007: 1; 2008: 2; 2009: 4; 2010: 12; 2011: 25; 2012: 32; 2013: 17 (estimate)]


5. SAP on the Internet

Among many people who work with SAP, a popular myth is that SAP systems are inaccessible from the Internet, so all SAP vulnerabilities can only be exploited by an insider.

Business applications are no longer accessible only internally; this myth comes from 10 years ago, when mainframes were prevalent. Business is changing and companies want their applications connected. They need to connect departments worldwide, share data with clients via web portals, SRM and CRM systems, and get access from any place with mobile solutions.

► Companies have SAP Portals, SAP SRMs and SAP CRMs remotely accessible
► Companies connect different offices (by SAP XI)
► Companies are connected to SAP (through SAProuter)
► SAP GUI users are connected to the Internet
► Administrators open management interfaces to the Internet for remote control

This part of the report is intended to destroy the myth by showing how many companies make which services available for remote access, and how those services are vulnerable to the latest threats.

5.1. Google search results by country

These statistics were collected using the well-known Google search requests [31].

Application server type     Search string
SAP NetWeaver ABAP          Inurl:/SAP/BC/BSP
SAP NetWeaver J2EE          Inurl:/irj/portal
SAP Business Objects        inurl:infoviewap

As a result of the scan, 695 (was 610) unique servers with different SAP web applications were found. That is 14 % more than in 2011, taking into account that 22 % of the services found in 2011 are no longer available while 35 % of the services are new. The J2EE server seems to be the most popular platform. Unfortunately, this server is more vulnerable than the ABAP engine, having at least 3 different vulnerabilities that can be exploited anonymously and give full access to the system. On the other hand, the ABAP engine has numerous default users [32] that can be used by attackers. The SAP BusinessObjects server has both problems.

Almost all business applications have web access now


Figure 5.1–1 SAP application servers by type

Figure 5.1–2 SAP application servers by country (by Google search)

[Figure 5.1–1 legend, SAP web servers: SAP NetWeaver J2EE – 44%; SAP Web Application Server (ICM) – 27%; SAP BusinessObjects – 16%; SAP NetWeaver ABAP – 11%]

Application server             Number   %
SAP NetWeaver J2EE             268      44 %
SAP Web Application Server     163      27 %
SAP BusinessObjects            106      17 %
SAP NetWeaver ABAP             73       12 %


Figure 5.1–3 Overall number of SAP application servers found in Google, sorted by country (top 20)

Figure 5.1–4 Overall number of SAP NetWeaver J2EE servers found in Google, sorted by country (top 10)

[Figure 5.1–3 chart data, SAP web applications by country (Google): Finland 5; Russia 6; Austria 6; Denmark 6; Mexico 6; Spain 8; Korea 10; Norway 10; Belgium 12; France 12; Canada 12; Brazil 14; Switzerland 15; Italy 18; Netherlands 21; China 22; United Kingdom 23; India 32; Germany 94; United States 225]

[Figure 5.1–4 chart data, SAP NetWeaver J2EE by country (Google): Canada 5; Italy 7; Netherlands 8; Brazil 9; France 9; Switzerland 11; United Kingdom 13; China 13; India 22; Germany 27; United States 93]


Figure 5.1–5 Overall number of SAP NetWeaver ABAP servers found in Google, sorted by country (top 10)

[Figure 5.1–5 chart data, SAP NetWeaver ABAP by country (Google): United Kingdom 1; China 1; Canada 2; Spain 2; Austria 2; Hungary 2; Denmark 3; India 4; Germany 21; United States 26]

Figure 5.1–6 Overall number of SAP WebAS servers found in Google, sorted by country (top 10)

[Figure 5.1–6 chart data, SAP Web Application Servers by country (Google): France 2; United Kingdom 4; Norway 4; India 5; China 5; Korea 5; Italy 6; Belgium 7; Netherlands 9; Germany 43; United States 44]

5.2. Shodan search results by country

Another source that can help to find SAP web interfaces available on the Internet is www.shodanhq.com. The difference is that this service does not only find applications that were "crawled" by web spiders: it scans the whole Internet for port 80 (and others) and can therefore be used to find more SAP systems.

A total of 3741 (was 2677) servers with different SAP web applications were found


Figure 5.2–1 SAP application servers by type

The SAP NetWeaver J2EE platform is the most popular on the Internet and is still growing fast. Compared with the previous year's ShodanHQ statistics, the number of Internet-facing SAP Portals doubled during the year!

Figure 5.2–2 Growth by application server

[Figure 5.2–1 chart data, SAP application servers by type: SAP NetWeaver J2EE 41%; SAP NetWeaver ABAP 34%; SAP Web Application Server 20%; Other (BusinessObjects, SAP Hosting, etc.) 6%]

[Figure 5.2–2 chart: growth by application server, values 94%, 72%, 30%, -20%, -55% (y-axis -80% to 120%)]


Figure 5.2–3 SAP application servers by country (by ShodanHQ search)

Figure 5.2–4 Overall number of SAP application servers found in ShodanHQ, sorted by country (top 20)

[Figure 5.2–4 chart data, SAP web servers by country (top 20): Australia 38; Taiwan 53; Chile 55; Mexico 65; Denmark 70; Netherlands 84; Turkey 88; Canada 93; Switzerland 105; United Kingdom 109; Korea 110; China 118; France 119; Belgium 123; Brazil 124; Spain 131; India 180; Italy 232; Germany 840; United States 1080]


Statistics gathered by country are very interesting, especially when compared with the previous year: they show where the SAP market is growing, namely in Latin America and Asia.

Figure 5.2–5 Growth of SAP web servers (Top 5)

5.3. Internet Census scan

This year, one interesting project was presented. It was done by an anonymous researcher using not-so-legal techniques, such as exploiting devices and running a worldwide scan of popular ports from them. It would have been great if this data set had contained all ports, but unfortunately for us it is useful only for port 80. 3326 IP addresses with SAP web applications were found, which is close to the number we got from Shodan. This data also gives us information about SSL usage. It turned out that almost one third of Internet-facing SAP applications don't use SSL, which is an extremely bad statistic.

Figure 5.3–1 Usage of SSL by SAP applications

[Figure 5.2–5 chart data, growth of SAP web servers (top 5): Mexico 562%; Chile 280%; India 119%; China 111%; Taiwan 96%]

[Figure 5.3–1 chart data, usage of SSL by SAP applications: SSL 68%; no SSL 32%]


5.4. PortScan search results by country

The most interesting and complex research was performed by scanning the Internet not only for web services but also for services that should not be accessible from the Internet at all.

In the first stage, this was done with a simple algorithm that only scans the subnets of the servers found during the Google and ShodanHQ scans (about 1000 subnets in total). Many open ports on which SAP applications listen were found, such as Message Server HTTP, SAP Gateway and SAP Host Control. During the scan, information about publicly available SAP services such as SAP Host Control, SAP Dispatcher, SAP Message Server and SAP Management Console was collected.

Figure 5.4–1 SAP application servers by country (by PortScan (Nmap) search)

In the picture, you will find the percentage of German companies that expose their unnecessary SAP services to the Internet. The number of open ports will be updated online at sapscan.com [3], the official site of this project.

10 % of companies that use SAP expose critical services like Gateway or Dispatcher directly to the Internet, bypassing SAProuter security


Figure 5.4–2 Percent of companies that expose critical SAP services to the Internet

[Figure 5.4–2 chart data, exposed critical SAP services in 2013 (% of companies): SAP Dispatcher 4.72; SAP MMC 1.73; SAP Message Server 2.36; SAP HostControl 0.63; SAP ITS Agate 0.79; SAP Message Server httpd 2.36; SAP Router 9.92; y-axis 0–25; the chart also shows the 2011 series]


6. SAP versions

We have checked the major versions of the ABAP and J2EE engines found on the Internet to understand the lifecycle of released products and to learn which version is the most popular now. We have also checked the popularity of the OS and RDBMS used with SAP.

6.1. ABAP engine versions

ABAP versions were collected by connecting to the root of an application server and parsing the HTTP response. We also used an information disclosure vulnerability: the SAP NetWeaver version can easily be found if the application is configured insecurely so that it allows an attacker to get information from the /sap/public/info URL. We were happy to note that, compared with the previous year, the number of Internet-facing systems with information disclosure vulnerabilities decreased considerably.

The release version is vital for security. For example, the most powerful security options, like disabling access to all BSP applications, are enabled by default only in EHP 2, and EHP 2 is installed on only 23 % (was 11 %) of all servers. This means that even though SAP cares about the security of its systems, the best part of securing SAP systems still lies with administrators.

Figure 6.1–1 NetWeaver ABAP versions by popularity

[Figure 6.1–1 chart data: 7.0 EHP 0 (Nov 2005) 35%; 7.0 EHP 2 (Apr 2010) 23%; 7.0 EHP 1 (Oct 2008) 19%; 7.3 (Jun 2011) 11%; 6.2 (Dec 2003) 6%; 6.4 (Mar 2004) 5%]

After scanning all the available SAP NetWeaver ABAP servers, it was found that 6 % (previously 59 %) of them are vulnerable to information disclosure

The most popular release (35 %, previously 45 %) is NetWeaver 7.0, released in 2005!


If we compare those results with the previous year, we see good changes such as extremely high growth in the share of the 7.3 and 7.2 releases, although the absolute growth is of course quite small compared with the overall number.

7.3 growth by 250%
7.2 growth by 70%
7.0 loss by 22%
6.4 loss by 45%

6.2. J2EE engine versions

Information about the version of the J2EE engine can easily be found by reading an HTTP response. However, detailed info about the patch level can be obtained if the application server is not securely configured and allows an attacker to get information from some pages. As an example, there are at least 3 pages that disclose information about the J2EE engine:

/rep/build_info.jsp [33] – 26% (61% last year)
/bcb/bcbadmSystemInfo.jsp [34] – 1.5% (17% last year)
/AdapterFramework/version/version.jsp [35] – 2.7% (a new issue)

Detailed information about the major versions is presented below.

Figure 6.2–1 Percentage of NetWeaver JAVA versions by popularity

[Figure 6.2–1 chart data, NetWeaver JAVA versions by popularity: NetWeaver 7.00 44%; NetWeaver 7.01 25%; NetWeaver 7.02 10%; NetWeaver 7.30 9%; NetWeaver 6.40 9%; NetWeaver 7.31 3%]

If we compare those results with the previous year, we see good changes. New versions such as 7.31 and 7.3 appear, with a total of 12 % of all servers. Detailed changes are here:

7.31 growth from 0 to 3 %
7.30 growth from 0 to 9 %
7.02 growth by 67 %
7.0 loss by 23 %
6.4 loss by 40 %

6.3. OS popularity for SAP

Using the /sap/public/info URL, it is possible to obtain information about OS versions for ABAP implementations. While analyzing the results gathered from Internet-facing SAP systems, we found that the most popular OSs are Windows NT (28%) and AIX (25%). According to our statistics from internal SAP assessments, *NIX systems are more popular in general, while Windows is more popular for Internet-facing SAP systems.

Figure 6.3–1 Percent of OS popularity for SAP

Windows NT - 28%
AIX - 25%
Linux - 19%
SunOS - 13%
HP-UX - 11%
OS/400 - 4%

The most popular OSs for SAP are Windows NT (28 %) and AIX (25 %)
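The checks in 6.1 and 6.3 rest on what an anonymous client can read from /sap/public/info. The following added example (not the report's code) parses such a response and reports what it discloses; it assumes the response is a SOAP envelope carrying the RFCSI fields of RFC_SYSTEM_INFO (RFCSAPRL, RFCOPSYS, RFCDBSYS and so on) and uses a constructed sample rather than a captured one, so it runs offline against your own saved responses.

```python
import xml.etree.ElementTree as ET

# SAP_BASIS release string (RFCSAPRL) -> release label used in the report's figures
RELEASE_LABELS = {
    "620": "NetWeaver 6.2", "640": "NetWeaver 6.4",
    "700": "NetWeaver 7.0 EHP 0", "701": "NetWeaver 7.0 EHP 1",
    "702": "NetWeaver 7.0 EHP 2", "730": "NetWeaver 7.3", "731": "NetWeaver 7.31",
}

# RFCSI field names (assumed, see lead-in) -> what each one discloses
FIELDS = {
    "RFCSAPRL": "release", "RFCKERNRL": "kernel", "RFCOPSYS": "os",
    "RFCDBSYS": "database", "RFCHOST": "host", "RFCIPADDR": "ip", "RFCSYSID": "sid",
}

# Constructed sample response of an exposed system (not captured from a real host)
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="utf-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Body>
  <rfc:RFC_SYSTEM_INFO.Response xmlns:rfc="urn:sap-com:document:sap:rfc:functions">
   <RFCSI_EXPORT>
    <RFCPROTO>011</RFCPROTO>
    <RFCSAPRL>700</RFCSAPRL>
    <RFCKERNRL>700</RFCKERNRL>
    <RFCOPSYS>Windows NT</RFCOPSYS>
    <RFCDBSYS>ORACLE</RFCDBSYS>
    <RFCHOST>sapprd01</RFCHOST>
    <RFCIPADDR>10.0.0.5</RFCIPADDR>
    <RFCSYSID>PRD</RFCSYSID>
   </RFCSI_EXPORT>
  </rfc:RFC_SYSTEM_INFO.Response>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""

# Constructed response of a system whose info service is switched off (plain error page)
HARDENED_RESPONSE = "<html><body>Service cannot be reached</body></html>"


def parse_public_info(body: str) -> dict:
    """Extract the RFCSI fields from a /sap/public/info response body.

    Returns {} when the body is not XML or carries none of the fields, which is
    what a system with the service deactivated should yield."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {}
    found = {}
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]          # drop any XML namespace
        if local in FIELDS and el.text and el.text.strip():
            found[FIELDS[local]] = el.text.strip()
    return found


def assess(body: str) -> dict:
    """Classify one response: is the system exposed, and what does it leak?"""
    info = parse_public_info(body)
    result = {"exposed": bool(info), "disclosed": info, "findings": []}
    if not info:
        return result
    release = info.get("release")
    if release:
        result["release_label"] = RELEASE_LABELS.get(release, f"unknown release {release}")
        if release.isdigit() and int(release) < 702:
            result["findings"].append(
                "release older than 7.0 EHP 2: the stricter defaults the report mentions "
                "(such as access to all BSP applications disabled) are not in place")
    for key in ("os", "database", "host", "ip", "kernel", "sid"):
        if key in info:
            result["findings"].append(f"{key} disclosed to anonymous clients: {info[key]}")
    return result


if __name__ == "__main__":
    for name, body in (("constructed exposed system", SAMPLE_RESPONSE),
                       ("constructed hardened system", HARDENED_RESPONSE)):
        r = assess(body)
        print(f"{name}: exposed={r['exposed']} release={r.get('release_label', '-')}")
        for finding in r["findings"]:
            print("  -", finding)
```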


6.4. RDBMS popularity for SAP backend

The most popular RDBMS used as a backend for SAP is still Oracle, at 59%. The other RDBMS systems are listed below.

Figure 6.3–2 Percent of RDBMS popularity for SAP backend

Oracle - 59%
DB2 - 19%
MsSQL - 17%
MaxDB - 5%

It should be mentioned that an Oracle RDBMS installed with SAP is vulnerable to a very dangerous attack in which authentication is bypassed and an unauthorized attacker obtains direct access to the database system without any authorizations, because of the improper use of the REMOTE_OS_AUTHENT parameter. It is a very old bug, first published in 2002, but still active [36].

7. Critical services on the Internet

Apart from the web interfaces that have to be enabled on the Internet because of various business needs, such as SAP Portal, SAP SRM or SAP CRM solutions, there are some services that should not be available externally at all. Not only do they bring a potential risk, they have real vulnerabilities and misconfigurations which are well-known and well-described in public resources. Of course, this is not the full list of critical SAP services, just the most popular ones. The scan was performed across 1000 subnetworks of companies that use SAP worldwide.

7.1. SAProuter

SAProuter is a special service made by SAP for a number of purposes, such as:

► Transferring requests from the Internet to SAP (and not only)
► Connecting SAP systems to each other in many locations
► Connecting systems of different companies, such as customers and partners

Services like SAP Dispatcher, SAP Message Server, SAP Host Control and more, presented on slides, should not be open for connecting through the Internet


The main mission of this service is to get updates from SAP and remotely install them on SAP systems. It also provides access to EarlyWatch services; thus every company that uses SAP should install SAProuter. There are a number of ways to implement it, either by configuring VPN access to SAP or by exposing the SAProuter service to the Internet on its port, which is 3299 by default and known to everybody. More details can be found at Easy Service Marketplace [37].

The analysis of all SAProuters found remotely enabled in 1000 companies showed that 99 SAProuters were enabled on the default port, i.e. approximately 10 % (was 32 %).

This result was not enough for us, so we started another project intended to find out how many SAProuters are on the Internet in total. First of all, we were interested in understanding how many of them were vulnerable to existing issues as well as to a very critical heap overflow vulnerability found by researchers from the ERPScan team. The vulnerability allows getting full control of SAProuter with one TCP packet and thus obtaining access to the internal corporate network. This issue was closed in May 2013, and the details can be found in SAP Note 1820666. We decided to count the number of vulnerable SAProuters almost 6 months after the patch was released.

Here are the results of the scan:

► There were 4500 SAProuters on the whole Internet in total
► 15 % of the routers lacked an ACL. This can be used to:
  o Scan the internal network
  o If something is found during the scan, proxy any request to any internal address of an SAP or non-SAP system
► 19 % of routers have an information disclosure vulnerability related to internal systems. It can be used to:
  o Cause denial of service by opening many connections to any of the listed SAP servers (there is a limit by default: only 3000 connections are possible)
  o Proxy any request to any internal address of an SAP or non-SAP system if there is no ACL
► 5 % of routers have an insecure configuration, an authentication bypass which can be used to configure the router remotely without authentication
► Finally, 85 % of routers are still vulnerable to the heap overflow issue that was closed almost half a year ago and can be used to break into the internal networks of about 4500 different companies around the world

There is also an additional SAP Note for SAProuter security: 1895350.

85% of almost 5000 SAP Routers on the Internet were found to be vulnerable
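The ACL findings above come down to the contents of the SAProuter route permission table (saprouttab). The following added example (not the report's code) audits such a table for the weaknesses listed, namely catch-all permits, native-protocol routes to any host and routes that reach the router's own port 3299, beside a hardened table, and evaluates a connection the way the router would; it assumes the usual '<action> <source> <target> <service> [password]' line format with P/S/D actions and first-match semantics, and uses constructed tables with documentation-range IP addresses.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass

ROUTER_PORT = "3299"  # SAProuter's own default port, named in the report


@dataclass
class Rule:
    action: str     # P = permit any protocol, S = permit SAP protocols only, D = deny
    source: str     # client host pattern
    target: str     # destination host pattern
    service: str    # destination port, or '*'
    password: bool  # route protected by a password (5th column present)
    line_no: int


def parse_saprouttab(text: str) -> list:
    """Parse '<action> <source> <target> <service> [password]' lines; '#' starts a comment.
    The line format is an assumption of this example (see lead-in)."""
    rules = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() not in ("P", "S", "D"):
            raise ValueError(f"line {no}: not a saprouttab entry: {raw!r}")
        rules.append(Rule(parts[0].upper(), parts[1], parts[2], parts[3],
                          len(parts) > 4, no))
    return rules


def is_wide(pattern: str) -> bool:
    """True when a host pattern covers (almost) any address on the Internet."""
    if set(pattern) <= {"*", "."}:            # '*', '*.*.*.*', ...
        return True
    if "/" in pattern:
        try:
            return ipaddress.ip_network(pattern, strict=False).prefixlen < 8
        except ValueError:
            return False
    return False


def host_matches(pattern: str, host: str) -> bool:
    """Does a saprouttab host pattern (wildcard or CIDR) cover a concrete host?"""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return fnmatch.fnmatchcase(host, pattern)   # '*' and '10.1.*' style patterns


def route_decision(rules: list, src: str, dst: str, port: str) -> str:
    """First matching entry decides; no match is treated as deny (assumption)."""
    for r in rules:
        if host_matches(r.source, src) and host_matches(r.target, dst) \
                and r.service in ("*", port):
            return {"P": "permit", "S": "permit-sap-only", "D": "deny"}[r.action]
    return "deny"


def audit(rules: list) -> list:
    """Return human-readable findings; an empty list means no weakness was spotted."""
    if not rules:
        # Assumption: an empty table enforces no ACL, the report's 'lacked ACL' case.
        return ["no ACL: empty route table"]
    findings = []
    for r in rules:
        if r.action == "D":
            continue
        where = f"line {r.line_no} ({r.action} {r.source} {r.target} {r.service})"
        if is_wide(r.source) and r.target == "*" and r.service == "*":
            findings.append(f"{where}: catch-all permit, equivalent to no ACL: anyone can "
                            "scan the internal network and proxy to any internal host")
            continue
        if r.action == "P" and r.target == "*":
            findings.append(f"{where}: native-protocol route to any internal host; name "
                            "the target and prefer S (SAP protocols only)")
        if is_wide(r.source) and r.service in ("*", ROUTER_PORT):
            findings.append(f"{where}: Internet-wide source may reach port {ROUTER_PORT}, "
                            "the router's own administration interface")
        if r.action == "P" and is_wide(r.source) and not r.password:
            findings.append(f"{where}: Internet-wide native route without a route password")
    last = rules[-1]
    if (last.action, last.source, last.target, last.service) != ("D", "*", "*", "*"):
        findings.append("no explicit final 'D * * *': make the default deny visible "
                        "instead of relying on fall-through behaviour")
    return findings


WEAK_TAB = """\
# constructed example: the table behind the report's 'lacked ACL' routers
P * * *
"""

HARDENED_TAB = """\
# constructed hardened example: named sources and targets, SAP protocols only
S 203.0.113.10 sapprd01 3200         # support desk (example IP) -> DIAG on PRD
P 10.20.0.0/16 sapprd01 3300 s3cret  # internal admins -> RFC, password-protected route
D * * *                              # everything else is denied
"""

if __name__ == "__main__":
    for name, tab in (("weak", WEAK_TAB), ("hardened", HARDENED_TAB)):
        rules = parse_saprouttab(tab)
        print(f"{name}: {audit(rules) or ['clean']}")
        print("  198.51.100.9 -> 10.20.5.5:22 :",
              route_decision(rules, "198.51.100.9", "10.20.5.5", "22"))
```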


7.2. WebRFC service as part of NetWeaver ABAP

WebRFC is a web service which is available by default on the SAP NetWeaver ABAP platform. It allows executing dangerous RFC functions using HTTP requests to the NetWeaver ABAP port and the URL /sap/bs/web/rfc. Among those functions, there are several critical ones, such as:

► Read data from SAP tables
► Create SAP users
► Execute OS commands
► Make financial transactions, etc.

By default, any user can access this interface and execute the RFC_PING function by sending an XML packet. Other functions require additional authorizations. So there are 2 main risks:

► If there is a default username and password in the system, an attacker can execute numerous dangerous RFC functions, because default users have dangerous rights.
► If a remote attacker obtains any existing user's credentials, he can execute a denial of service attack on the server by sending an RFC_PING request with a malformed XML packet [38][39].

While we did not check whether those systems had default passwords, according to different statistics obtained from our research and the research of our colleagues, about 95 % of systems have at least 1 default user account.

7.3. CTC service as part of NetWeaver J2EE

CTC is a web service which is installed by default on the NetWeaver J2EE engine. It allows managing the J2EE engine remotely. This web service can be found by Google and often exists on SAP Portals. It is possible to execute such functions as:

► Create users
► Assign a role to a user
► Execute OS commands
► Remotely turn the J2EE Engine on and off

Researchers from ERPScan have presented a vulnerability [25] in this service called Verb Tampering. It allows bypassing authorization checks for remote access to the CTC service. This means that anybody can remotely obtain full unauthorized access to all business-critical data located in the J2EE engine.

It was found that 6 % (was 40 %) of ABAP systems on the Internet have the WebRFC service enabled


Unfortunately, this year the situation has not changed much: about half of all J2EE systems have CTC installed and available from the Internet, which is not good, and we still see some services which are vulnerable.

*While we did not scan those systems to find out whether they were vulnerable, according to our statistics from penetration tests, about 50 % of them are still vulnerable.

7.4. SAP Message Server HTTP

SAP Message Server HTTP is the HTTP port of the SAP Message Server service, which balances the load on SAP application servers. Usually this service is only available inside the company, but some implementations have been found to have external IP addresses, which is typically not needed for business processes and can lead to critical actions. By default, the server is installed on port 81NN, where NN is the system number [40]. One of the issues of SAP Message Server HTTP is the possibility to get the values of the configuration parameters of the SAP system remotely without authentication. This can be used for further attacks.

During a sampling scan of 1000 subnetworks assigned to companies that use SAP, 29 Message Server HTTP systems were found to be available (last year there were 98).

7.5. SAP Management Console

SAP Management Console, or SAPControl, is a service which allows remote control of SAP systems. The main functions are remote start and stop, and they require knowledge of a username and password. Apart from the functions which require authentication, there are some functions that can be used remotely without authentication. Most of them allow reading different logs and traces and sometimes system parameters. Those issues were well covered by Chris John Riley, an independent researcher [33].

A more serious danger that ERPScan researchers have found is the possibility of finding JSESSIONID values in the log files [11]. JSESSIONID is the identifier by which HTTP sessions are tracked. One of the possible attacks is to insert this JSESSIONID into a browser cookie and get unauthorized access to a user's session.

It was found that 50 % (was 61 %) of J2EE systems on the Internet have the CTC service enabled

Approximately 2% (was 11%) of companies expose Message Server HTTP to the Internet, which is potentially vulnerable to unauthorized remote gathering of system parameters


During the same scan as in the previous tests, it was found that 2 % of subnetworks have Management Console services open. During our internal penetration tests, we see a much higher number of vulnerable services: approximately 80 % of the 250 scanned servers of companies that agreed to participate in the statistics were found to be vulnerable to this issue.

7.6. SAP Host Control

SAP Host Control is a service that allows remote control of SAP systems. It can be installed manually on any host to collect data from SAP systems remotely and usually runs on TCP port 1128. The main functions require knowledge of a username and password. Apart from the functions that require authentication, there are some functions that can be used remotely without authentication. The first is the ability to read developer traces without authentication; those traces can store passwords or other interesting data. The second vulnerability is more dangerous and was already described in the list of top 5 vulnerabilities for 2012: it allows remotely injecting an OS command and executing it on the server side [41].

During the same scan as in the previous tests, it was found that 0.6 % (2.6 % last year) of subnetworks have the Host Control service open. This is quite a small number of systems because the service is optional and installed manually. During our internal penetration tests we saw somewhat more vulnerable services: approximately 30 % of the 250 scanned servers of companies that agreed to participate in the statistics were found to be vulnerable to this issue.

7.7. SAP Dispatcher service

SAP Dispatcher is the main service for SAP client-server communications. It allows connecting to SAP NetWeaver with the SAP GUI application through the DIAG protocol. The SAP Dispatcher port should not be reachable directly from the Internet, and even in the internal network only appropriate users or user networks should have access. Keep in mind that we are talking about the Dispatcher, not the Web Dispatcher, which of course should be available from the Internet.

Nevertheless, during a brief scan of 1000 subnetworks, it was found that 0.6 % (15 % last year) of subnetworks have the Dispatcher service open.

Approximately 2 % (was 9 %) of companies expose the SAP MMC service to the Internet, which is potentially vulnerable to unauthorized access to log files.

Approximately 1 % (was 2 %) of companies expose the SAP Host Control service to the Internet, which is potentially vulnerable to unauthorized access to log files.


Why is it dangerous?

First of all, this service allows a direct connection to an SAP system using SAP GUI, where all an attacker needs is a valid username and password. There are numerous default passwords in SAP and, according to our penetration testing statistics, about 95 % of systems have default credentials.

Another problem, found by Core Security and described in the top 5 SAP vulnerabilities for 2012, is that the SAP Dispatcher service has multiple buffer overflow vulnerabilities that can lead to denial of service, and one of them also allows code execution [42]. The exploit code was published on May 9, 2012, and an unauthorized attacker can use it without any rights. The good news is that this vulnerability only works when the DIAG trace is set to level 2 or 3, which is not the default value but a possible one. There can be other issues in this service, so it must be disabled for external access.
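Several of the exposures in sections 7.4, 7.5 and 7.7 come down to instance profile settings an administrator can audit. The following Python check is an added example, not the report's or SAP's own tooling: it parses an SAP instance profile and flags the Message Server HTTP port (ms/server_port_*), unprotected sapstartsrv web methods (service/protectedwebmethods) and a raised trace level. Treating rdisp/TRACE as the "DIAG trace level" quoted above and SDEFAULT/ALL as the hardened web-method setting are assumptions, and both sample profiles are constructed.

```python
"""Check an SAP instance profile for the exposure-related settings the report
discusses: Message Server HTTP (7.4), SAPControl web methods (7.5) and the
trace level the Dispatcher overflow depends on (7.7).

Added example, not the report's or SAP's own tooling.  The parameter names
are real SAP profile parameters; treating rdisp/TRACE as the "DIAG trace
level" and SDEFAULT/ALL as the hardened web-method setting are assumptions.
Both profiles below are constructed samples, not taken from a real system.
"""
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    parameter: str
    observed: str
    severity: str  # "high" = exposure the report describes, "info" = confirm manually
    note: str


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines of an SAP profile; '#' starts a comment and
    a later definition of the same parameter overrides an earlier one."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def _kv(value: str) -> Dict[str, str]:
    """Split a 'KEY=VAL,KEY=VAL' parameter value (e.g. PROT=HTTP,PORT=8100)."""
    out: Dict[str, str] = {}
    for part in value.split(","):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().upper()] = v.strip()
    return out


def check_profile(params: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []

    # 7.5: sapstartsrv / SAP MMC.  Web methods that read logs and traces are
    # callable without authentication unless protected (assumed: SDEFAULT/ALL).
    pwm = params.get("service/protectedwebmethods", "<unset>")
    if not pwm.upper().startswith(("SDEFAULT", "ALL")):
        findings.append(Finding("service/protectedwebmethods", pwm, "high",
                                "log/trace read methods reachable without authentication; set SDEFAULT"))

    # 7.7: the Dispatcher overflow only works at trace level 2 or 3.
    # Assumption: rdisp/TRACE is that trace level, with 1 as the default.
    trace = params.get("rdisp/TRACE", "1")
    if trace.isdigit() and int(trace) >= 2:
        findings.append(Finding("rdisp/TRACE", trace, "high",
                                "trace level 2/3 enables the Dispatcher DoS/RCE condition; reset to 1"))

    # 7.4: Message Server HTTP, either an explicit port or the 81NN default.
    http_ports = [(name, _kv(value)) for name, value in params.items()
                  if name.startswith("ms/server_port_")
                  and _kv(value).get("PROT", "").upper() == "HTTP"]
    for name, kv in http_ports:
        findings.append(Finding(name, params[name], "high",
                                f"Message Server HTTP on port {kv.get('PORT', '?')}; keep it off external networks"))
    if not http_ports:
        nn = params.get("SAPSYSTEM", "NN").zfill(2)
        findings.append(Finding("ms/server_port_*", "<unset>", "info",
                                f"no explicit HTTP port; the report states default 81{nn}, confirm it is firewalled"))
    return findings


WEAK_PROFILE = """\
# constructed instance profile, not taken from a real system
SAPSYSTEMNAME = DEV
SAPSYSTEM = 00
rdisp/TRACE = 2
ms/server_port_0 = PROT=HTTP,PORT=8100
service/protectedwebmethods = NONE
"""

HARDENED_PROFILE = """\
SAPSYSTEMNAME = DEV
SAPSYSTEM = 00
rdisp/TRACE = 1
service/protectedwebmethods = SDEFAULT
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"== {label} profile ==")
        for f in check_profile(parse_profile(text)):
            print(f"[{f.severity}] {f.parameter} = {f.observed}: {f.note}")
```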

Every 6th company is vulnerable to DoS attacks and unauthorized access with default passwords in SAP Dispatcher.


8. Future predictions and trends

While there are so many issues in SAP, we still don't see any hot news about a company that was breached through a vulnerability in SAP. In November 2012, Infosecurity Magazine published a story about an Anonymous attack on the Finance Ministry of Greece in which an exploit was allegedly used against their SAP system, leading to a leak of critical internal documents. This information has no solid proof, and SAP AG has no indication that the attack actually happened, but the publication itself is a sign of interest in the topic. There are several reasons why we don't see much public information. First of all, nobody wants to share information about a breach, especially an internal one. External breaches related to ERP systems are mostly espionage and thus not likely to be discovered. The last reason, which I suppose is very shocking, is that only a few companies monitor activity and analyze log files. So how can you be sure that there is no breach when you can't see what is happening in your system, or whether it has already been compromised? Later we will show more results.

8.1. Internal threats

Internal attacks by insiders are more likely to happen now, and they are happening. According to ACFE research, losses to internal fraud constitute 6 % of yearly revenue on average. What is more, 45 % of financial organizations have suffered fraud in the last 12 months, compared to 30 % in other industries (according to a recent PwC survey [43]). Cybercrime accounted for 38 % of economic crime incidents in financial services organizations, and this share will only grow with the growth of the IT industry. We personally have seen a couple of examples of internal issues, which can be categorized into 3 different areas: salary manipulations, material manipulations, and mistakes.

8.2. External threats

Not only hacktivists but other large companies, too, can be interested in attacks on ERP systems, stealing corporate secrets, or executing DoS attacks on a competitor's infrastructure.

We spoke to some commercial organizations that sell and buy exploits for private and government companies (security intelligence services), and we were interested in whether there is a market for ERP exploits. They said that there is interest from both sides. Even well-known exploit-buying companies like ZDI buy SAP exploits and vulnerabilities: in 2012 alone, five exploits for SAP were sold to ZDI, and two of them are so critical that they appear in our list of top 5 critical SAP issues for 2012.

Also, there are forums that sell access to botnets with IP ranges of specific companies. Nowadays, large companies sometimes have more power than governments, so corporate wars are one of the possible scenarios, and business-critical systems can be the most useful targets.


8.3. SAP forensics

Few examples have been made public yet. In most cases this is because very few organizations use anything at all to monitor malicious activity, so even if their system was compromised, they are not ready for a forensic investigation and cannot establish the fact of compromise. Companies do not have the ability to identify an attack. Our assessment of over 250 servers of companies that allowed us to share results produced quite scary numbers. It was found that only 10 % of systems use the SAP Security Audit Log, and in only 2 % of those systems the logs are regularly analyzed. What is more, less than 1 % of companies do deep analysis and correlation of SAP security events. Taking those numbers into account, how can most of them be sure that their systems were not compromised?

A more detailed review of the different log files that can be enabled gives the results listed below.

Figure 8.3–1 Percent of enabled logs: HTTP log 70 %, Security audit log 10 %, Table access log 4 %, Message Server log 2 %, SAP Gateway log 2 %

The strikingly large difference between HTTP logs and the other logs is explained by the fact that HTTP logging is enabled by default.

8.4. What can happen?

This report includes not only a review of the current state but also predictions, so we decided to look at the current situation and changes in typical malware to understand what can be done in the near future. We have found 3 different examples of recent malicious software and attack types that can be the beginning of a new era of targeted attacks on corporations and their business applications.

8.4.1. Autocad virus

This example of industrial espionage is quite interesting. We think it is one of the first examples of a targeted industrial espionage attack focused on a particular action. According to research about this virus, it was made by Chinese actors to steal secret manufacturing documents. If we develop this idea, more target-focused viruses may be found that were made to steal particular data from competitors. Knowing some SAP or other business application internals, it is not hard to make a virus that will, for example, target an SAP PLM system using a specific vulnerability and knowing where exactly this system stores the relevant data [44].

8.4.2. Internet-Trading virus

The next interesting example is the Ranbyus virus and its specific modification for the QUIK platform, which is created for trading on the stock market. This virus can commit fraud, but scarier is that if it is made to automatically do something like buying the same securities, it will automatically give stock bears a signal to sell more and can finally cause a collapse. As for SAP, we all know that bank account numbers are stored in a specific table, and if a worm modifies this data, there is a possibility of combining the power of a computer worm with fraud and finally obtaining a significant money transfer [45].

8.4.3. News resources hacking (Sabotage)

This example is also quite interesting and shows how easy it can be to fool the market by reporting false news. This idea can also be used by breaking into an organization's SAP-based portal and posting wrong information, thus leading to stock manipulation [46].

So, you have seen just a couple of scary scenarios that can be carried out by breaking such critical software as SAP. You can imagine how dangerous it can be to get control of all SAP systems of one country.


9. Conclusion

Old issues are being patched, but many new systems have vulnerabilities. The number of vulnerabilities per year is going down compared to 2010, but they are more critical. The number of companies that search for issues in SAP is growing, so we can conclude that interest in SAP platform security has been growing exponentially, and there are positive aspects of that; for example, the latest SAP products are more secure by default. Taking into account the growing number of vulnerabilities and the wide availability of SAP systems on the Internet, we predict that SAP systems can become a target not only for direct attacks (for example APT) but also for mass exploitation by worms targeting one or more vulnerabilities. And while so many issues have already been closed, there are many more areas that are still not covered by researchers and where there can be lots of vulnerabilities. We are working closely with the SAP Security Response Team on discovering and patching security issues, and SAP is also publishing security recommendations and guidelines showing administrators how to protect against the most popular threats. This area has changed a lot during the last year, and SAP is now investing much more resources and money in internal SDLC processes and internal security conferences.

Unfortunately, as a year ago, the main burden still lies on administrators, who should enforce the security of their SAP systems using guidelines, secure configuration, patch management, code review, and continuous monitoring. Furthermore, we think that SAP forensics can be a new research area, because with such a complex log system in SAP it is not easy to find evidence now, even if it exists, and the more attacks there are on SAP systems, the higher the need will be for forensic investigation and continuous monitoring of SAP security.


About ERPScan

ERPScan is an award-winning innovative company founded in 2010, honored as the Most Innovative Security Company by the Global Excellence Awards as well as an Emerging Vendor by CRN, and the leading SAP AG partner in discovering and solving security vulnerabilities. ERPScan is engaged in ERP and business application security, particularly SAP, and in the development of SAP system security monitoring, compliance, and cybercrime prevention software. Besides, the company renders consulting services for secure configuration, development, and implementation of SAP systems, which are used by SAP AG and Fortune 500 companies, and conducts comprehensive assessments and penetration testing of custom solutions.

Our flagship product is ERPScan Security Monitoring Suite for SAP: award-winning innovative software and the only solution on the market to assess and monitor 4 tiers of SAP security: vulnerability assessment, source code review, SoD conflicts, and SIEM/forensics. The software is successfully used by the largest companies from industries such as oil and gas, nuclear, banking, logistics, and avionics, as well as by consulting companies. ERPScan is a unique product that enables conducting a complex security assessment and monitoring SAP security afterwards. ERPScan is an easily deployable solution that scans basic SAP security configuration in 5 minutes and a few clicks. ERPScan was designed to work in enterprise systems and continuously monitor changes across multiple SAP systems. These features enable central management of SAP system security with minimal time and effort.

The company's expertise is based on research conducted by the ERPScan research subdivision, which is engaged in vulnerability research and analysis of critical enterprise applications and has gained multiple acknowledgments from the biggest software vendors, such as SAP, Oracle, IBM, VMware, Adobe, HP, Kaspersky, Apache, and Alcatel, for finding 350+ vulnerabilities in their solutions. ERPScan experts are frequent speakers at 40+ prime international conferences held in the USA, Europe, CEMEA, and Asia, such as BlackHat, RSA, HITB, and Defcon. ERPScan researchers lead the EAS-SEC project, which is focused on enterprise application security. ERPScan experts have been interviewed by top media resources and specialized infosec sources worldwide, such as Reuters, Yahoo News, CIO, PCWorld, DarkReading, Heise, and Chinabyte. We have highly qualified experts on staff with experience in many different fields of security, from web applications and mobile/embedded to reverse engineering and ICS/SCADA systems, and we pool their experience to conduct research in SAP system security.


About EAS-SEC

Project

EAS-SEC (formerly part of the OWASP Projects global strategy group) [47] is a non-profit worldwide organization focused on improving business application software security.

EAS-SEC is a guide for people involved in the acquisition, design, and implementation of large-scale applications, the so-called enterprise applications. Security of enterprise applications is one of the most discussed topics in the general area of application security. This is because such applications control the organization's resources, including funds, which may be lost as a result of any breach of security.

Project mission

The purpose of the EAS-SEC project, launched in 2010, is to increase awareness of business and enterprise application security problems among users, administrators, and developers, and also to create guidelines and tools to assess the security, secure set-up, and development of enterprise applications. A general analysis of the main business applications was carried out, and the key security areas to which attention must be paid both during development and at implementation were collected. In addition, two studies were produced: «SAP Security in figures for 2011» [48] and «The state of SAP security 2013: Vulnerabilities, threats and trends» [49]. The results of these reports have been presented at key conferences such as RSA and have been highlighted in the press [50].

EAS-SEC has a number of main objectives, on the basis of which subprojects are created:

1. Informing the broad public about security vulnerabilities of enterprise applications through the release of annual vulnerability statistics. Subproject: Enterprise Business Application Vulnerability Statistics [51];

2. Helping companies that release software to increase the security of their products by providing tools through the Enterprise Business Application Security Vulnerability Testing Guide [52] subproject;

3. Developing free extended tools for assessing the security of enterprise applications, through the Enterprise Business Application Security Software [53] subproject;

4. Helping companies assess the security of enterprise applications at the initial stages by providing tools through the Enterprise Business Application Security Implementation Assessment Guide [54] subproject.


Links and future reading

[1] «ERPScan – strategic SAP AG partner in security» [Internet]. Available: http://erpscan.com/.

[2] «OWASP-EAS» [Internet]. Available: http://eas-sec.org/.

[3] «Worldwide Public statistics of SAP systems» [Internet]. Available: http://sapscan.com/.

[4] «As economy falters, employee theft on the rise» [Internet]. Available: http://www.lasvegassun.com/news/2009/nov/06/managing-fraud-lesson-recession/.

[5] «ACFE Report to the Nations» [Internet]. Available: https://chapters.theiia.org/birmingham/Documents/Fraud___Internal_Audit_IIA_6Sep2012.pdf.

[6] «ERPScan publications: "SAP Security: attacking SAP clients"» [Internet]. Available: http://erpscan.com/publications/sap-security-attacking-sap-clients/.

[7] «CanSecWest conference report by Steve Lord, Mandalorian» [Internet]. Available: cansecwest.com/slides06/csw06-lord.ppt.

[8] «ERPScan’s SAP Pentesting Tool» [Internet]. Available: http://erpscan.com/products/erpscan-pentesting-tool/.

[9] «ERPScan WEBXML Checker» [Internet]. Available: http://erpscan.com/products/erpscan-webxml-checker/.

[10] «Sapyto – SAP Penetration Testing Framework» [Internet]. Available: cybsec.com/EN/research/sapyto.php.

[11] «Top 10 most interesting SAP vulnerabilities and attacks» [Internet]. Available: http://erpscan.com/wp-content/uploads/2012/06/Top-10-most-interesting-vulnerabilities-and-attacks-in-SAP-2012-InfoSecurity-Kuwait.pdf.

[12] «Acknowledgments to Security Researchers» [Internet]. Available: http://scn.sap.com/docs/DOC-8218.

[13] «Vulnerability Database Security Focus» [Internet]. Available: securityfocus.com.

[14] «Common Vulnerabilities and Exposures» [Internet]. Available: http://cve.mitre.org.

[15] «US National Vulnerability Database» [Internet]. Available: http://web.nvd.nist.gov/.

[16] «Exploit Database by Offensive Security» [Internet]. Available: http://exploit-db.com.

[17] «SAP NetWeaver J2EE – DilbertMSG SSRF» [Internet]. Available: http://erpscan.com/advisories/dsecrg-12-036-sap-xi-authentication-bypass/.

[18] «SAP Host Control – Command injection» [Internet]. Available: http://contextis.com/research/blog/sap-parameter-injection-no-space-arguments/.

[19] «SAP NetWeaver J2EE – File Read/Write» [Internet]. Available: https://service.sap.com/sap/support/notes/1682613.

[20] «SAP Message Server – Buffer Overflow» [Internet]. Available: http://www.zerodayinitiative.com/advisories/ZDI-12-112/.

[21] «SAP Dispatcher – Diag protocol Buffer Overflow» [Internet]. Available: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities.

[22] «Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol» [Internet]. Available: corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=publication&page=Uncovering_SAP_vulnerabilities_reversing_and_breaking_the_Diag_protocol&file=Slides.pdf.

[23] «SAP Management Console Information Disclosure» [Internet]. Available: http://www.onapsis.com/get.php?resid=adv_onapsis-2011-002.

[24] «Systems Applications Proxy Pwnage» [Internet]. Available: http://www.sensepost.com/cms/resources/labs/tools/poc/sapcap/44con_2011_release.pdf.

[25] «Architecture and program vulnerabilities in SAP’s J2EE engine» [Internet]. Available: http://erpscan.com/wp-content/uploads/2011/08/A-crushing-blow-at-the-heart-SAP-J2EE-engine_whitepaper.pdf.

[26] «The ABAP Underverse» [Internet]. Available: http://virtualforge.com/tl_files/Theme/whitepapers/BlackHat_EU_2011_Wiegenstein_The_ABAP_Underverse-WP.pdf.

[27] «SQL Injection with ABAP» [Internet]. Available: http://virtualforge.com/tl_files/Theme/Presentations/HITB2011.pdf.

[28] «SAP NetWeaver – Authentication bypass (Verb Tampering)» [Internet]. Available: http://erpscan.com/advisories/dsecrg-11-041-sap-netweaver-authentication-bypass-verb-tampering/.

[29] «Invoker Servlet» [Internet]. Available: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/bb/f2b9d88ba4e8459e5a69cb513597ec/frameset.htm.

[30] «PROTECTING JAVA AND ABAP BASED SAP APPLICATIONS AGAINST COMMON ATTACKS» [Internet]. Available: http://virtualforge.com/tl_files/Theme/whitepapers/201106_SAP_Security_Recommendations_Protecting_JAVA_ABAP.pdf.

[31] «SAP Infrastructure security internals: Google and Shodan hacking for SAP» [Internet]. Available: http://erpscan.com/press-center/blog/sap-infrastructure-security-internals-google-and-shodan-hacking-for-sap/.

[32] «SAP Application Server Security essentials: default passwords» [Internet]. Available: http://erpscan.com/press-center/blog/sap-application-server-security-essentials-default-passwords/.

[33] «SAP NetWeaver SLD – Information Disclosure» [Internet]. Available: http://erpscan.com/advisories/dsecrg-11-023-sap-netweaver-sld-information-disclosure/.

[34] «NetWeaver BCB – Missing Authorization / Information disclosure» [Internet]. Available: http://erpscan.com/advisories/dsecrg-11-027-netweaver-bcb-%E2%80%93-missing-authorization-information-disclosure/.

[35] «SAP NetWeaver AdapterFramework – information disclosure» [Internet]. Available: http://erpscan.com/advisories/dsecrg-12-050-sap-netweaver-adapterframework-information-disclosure/.

[36] «ops$ mechanism» [Internet]. Available: http://scn.sap.com/community/oracle/blog/2012/10/15/sunset-for-ops-mechanism-no-more-supported-by-oracle-not-used-by-sap.

[37] «Easy Service Marketplace» [Internet]. Available: http://www.easymarketplace.de/saprouter.php.

[38] «SAP NetWeaver SOAP RFC – Denial of Service / Integer overflow» [Internet]. Available: http://erpscan.com/advisories/dsecrg-11-029-sap-netweaver-soap-rfc-%E2%80%93-denial-of-service-integer-overflow/.

[39] «SAP Netweaver XRFC — Stack Overflow» [Internet]. Available: http://erpscan.com/advisories/dsecrg-10-005-sap-netweaver-xrfc-%E2%80%94-stack-overflow/.

[40] «TCP/IP Ports Used by SAP Applications» [Internet]. Available: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/4e515a43-0e01-0010-2da1-9bcc452c280b?QuickLink=index&overridelayout=true&42472931642836.

[41] «Scrubbing SAP clean with SOAP» [Internet]. Available: http://www.slideshare.net/ChrisJohnRiley/sap-insecurity-scrubbing-sap-clean-with-soap.

[42] «CORE Labs Discovery of Six Vulnerabilities within SAP Netweaver» [Internet]. Available: http://blog.coresecurity.com/2012/05/09/core-labs-discovery-of-six-vulnerabilities-within-sap-netweaver/.

[43] «Fighting Economic Crime in the Financial Services sector» [Internet]. Available: http://docs.media.bitpipe.com/io_10x/io_102267/item_485936/Economic%20crime%20in%20FS%20sector.pdf.

[44] «Espionage virus sent blueprints to China» [Internet]. Available: http://www.telegraph.co.uk/technology/news/9346734/Espionage-virus-sent-blueprints-to-China.html.

[45] «Win32/Spy.Ranbyus modifying Java code in RBS Ukraine systems» [Internet]. Available: http://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/.

[46] «Associated Press Twitter Account Hacked in Market-Moving Attack» [Internet]. Available: http://www.bloomberg.com/news/2013-04-23/dow-jones-drops-recovers-after-false-report-on-ap-twitter-page.html.

[47] «The Open Web Application Security Project (OWASP)» [Internet]. Available: https://www.owasp.org/index.php/Main_Page.

[48] «SAP Security in Figures. Digital Security results for 2007–2011» [Internet]. Available: http://scn.sap.com/docs/DOC-29427.

[49] «The state of SAP security 2013: Vulnerabilities, threats and trends» [Internet]. Available: http://www.rsaconference.com/writable/presentations/file_upload/das-t03_final.pdf.

[50] G. Burton, «Companies exposed to attack by out-of-date SAP applications» [Internet]. Available: http://www.computing.co.uk/ctg/news/2275640/companies-exposed-to-attack-by-outofdate-sap-applications.

[51] «Enterprise Business Application Vulnerability Statistics» [Internet]. Available: https://www.owasp.org/index.php/Enterprise_Business_Application_Vulnerability_Statistics.

[52] «Enterprise Business Application Security Vulnerability Testing Guide» [Internet]. Available: https://www.owasp.org/index.php/Enterprise_Business_Application_Security_Vulnerability_Testing_Guide_v1.

[53] «Enterprise Business Application Security Software» [Internet]. Available: https://www.owasp.org/index.php/Enterprise_Business_Application_Security_Software.

[54] «Enterprise Business Application Security Implementation Assessment Guide» [Internet]. Available: https://www.owasp.org/index.php/Enterprise_Business_Application_Security_Implementation_Assessment_Guide.

[55] «The ERP Security Challenge» [Internet]. Available: http://www.cio.com/article/216940/The_ERP_Security_Challenge.


Our contacts

E-mail: [email protected]

PR: [email protected]

Web: www.erpscan.com

