Vulnerable SAP Deployments Make Prime Attack Targets
wiredmikey writes "Using a combination of TCP scans and Google, security researchers found that nearly a quarter of the organizations running vulnerable versions of SAP are tempting fate by leaving them exposed to the Internet. This discovery, researchers from ERPScan say, dispels the myth that SAP systems are only available from the internal network, leading to the misconception that they are protected by design. By March 2012, there were more than 2,000 security advisories published by SAP. Of those, about 7% (124) have publicly available PoC (proof-of-concept) exploit code available to the public. Many of the issues discovered are related to poor configuration or poor deployment planning. For example, 212 SAP Routers were found in Germany, which were created mainly to route access to internal SAP systems. Another issue with the vulnerable and exposed SAP installations is that many of them run on Windows NT, creating a twin set of risks for the organization, as they have to contend with a bad SAP deployment and unsupported OS that is full of security issues all by itself."
Re:where can i download a trial version of SAP? (Score:5, Funny)
I can't find it anywhere on the SAP site!
If you think that a 'demo' is an executable you download, rather than something delivered by a besuited sales team, you might not be a potential customer...
Re: (Score:2)
Re: (Score:3)
If I were a somewhat serious security researcher, I would install a couple of SAP and SCADA honeypots.
Perhaps fishing for executables that run, check the environment and then do nothing.
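The honeypot idea in the comment above, as an added example that is not part of the thread or of ERPScan's work: a low-interaction listener that accepts a TCP connection on a port, records who connected and the first bytes they sent as one JSON line, and closes without ever speaking the SAP Router protocol, so it exposes nothing behind it. The default port 3299 is assumed here to be the conventional SAP Router port (general knowledge, not from the thread); the probe payload in `simulate_probe` is constructed test traffic.

```python
import json
import socket
import threading
import time
from datetime import datetime, timezone

# Assumed conventional SAP Router port (not taken from the thread).
# Pass port=0 to let the OS pick an unprivileged port for a local demo.
SAP_ROUTER_PORT = 3299


class SapRouterHoneypot:
    """Low-interaction honeypot: accept, read the first bytes, log, close."""

    def __init__(self, host="127.0.0.1", port=SAP_ROUTER_PORT):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.sock.settimeout(0.2)          # lets _serve() notice stop()
        self.port = self.sock.getsockname()[1]
        self.events = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = None

    def _record(self, addr, data):
        # One JSON object per hit; easy to ship to a SIEM or grep later.
        event = {
            "time": datetime.now(timezone.utc).isoformat(),
            "src_ip": addr[0],
            "src_port": addr[1],
            "dst_port": self.port,
            "bytes": len(data),
            "first_bytes_hex": data[:16].hex(),
        }
        with self._lock:
            self.events.append(event)
        print(json.dumps(event))

    def _handle(self, conn, addr):
        conn.settimeout(1.0)               # idle scanners get dropped quickly
        try:
            data = conn.recv(512)
        except (socket.timeout, OSError):
            data = b""
        finally:
            conn.close()                   # never answer: no protocol surface
        self._record(addr, data)

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, addr),
                             daemon=True).start()

    def start(self):
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        if self._thread:
            self._thread.join(timeout=2)
        self.sock.close()

    def wait_for_events(self, count, timeout=3.0):
        """Block until at least `count` hits are logged; return a copy."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return list(self.events)
            time.sleep(0.05)
        with self._lock:
            return list(self.events)


def simulate_probe(port, payload=b"constructed-probe", host="127.0.0.1"):
    """Constructed test traffic: connect to our own listener and send bytes."""
    with socket.create_connection((host, port), timeout=2) as c:
        c.sendall(payload)


if __name__ == "__main__":
    hp = SapRouterHoneypot(port=0).start()
    simulate_probe(hp.port)
    for ev in hp.wait_for_events(1):
        print("logged hit from", ev["src_ip"], "first bytes", ev["first_bytes_hex"])
    hp.stop()
```

Any connection to this listener is suspicious by definition, since nothing legitimate should be routed through it; the value is in the log line (source, timing, leading bytes), not in interacting with the peer.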
Re: (Score:1)
http://www.sdn.sap.com/irj/scn/nw-downloads
It's just the SAP Netweaver application server though - don't expect any business functionality there.
You need to contact SAP for a demo of the whole SAP ECC suite - you might get a huge box with installation media/manuals and a temporary 1 year license.
Re:where can i download a trial version of SAP? (Score:4, Insightful)
Re: (Score:1)
If you are an individual, you don't want it and if you are a company, you REALLY don't want it.
Care to support that opinion with reasons?
Re: (Score:1)
Is this the same SAP that's (mis)used by companies to do employee timesheet entry?
God is so, I'm surprised it took this long.
Re: (Score:1)
I'm guessing that's because Microsoft radically changed the UI of Windows Server starting with 2003, making it much more complex to use than the desktop version of Windows (XP).
Ummm, no. Win 2003 has the exact same UI as windows XP. Also, both XP & 2003 can be set to the "classic" interface which makes it look like windows 2000.
IIRC it also mandated Active Directory instead of the old PDC/BDC setup, which was a clear improvement, but a fairly complex one for customers to transition through.
Active Direc
Re: (Score:1, Insightful)
Also, both XP & 2003 can be set to the "classic" interface which makes it look like windows 2000.
When they say "unsupported OS that is full of security issues all by itself." they're referring to the current versions of NT - Versions 5 and above.
The "unsupported OS" proviso is just to point out that they're experienced Microsoft customers and are familiar with their support team.
Re: (Score:3, Interesting)
Having only grazed over the article, Windows NT is Microsoft's current flagship operating system. Windows NT 6.1 being their latest "stable" release marketed under the names Windows 7 and Windows Server 2008 R2
But if they really meant "Windows NT" as in Windows NT 4.0, then I agree, that is pretty darn bad
Re: (Score:3)
Re:Windows NT?? Really? It's 2012! (Score:5, Insightful)
Having only grazed over the article, Windows NT is Microsoft's current flagship operating system. Windows NT 6.1 being their latest "stable" release marketed under the names Windows 7 and Windows Server 2008 R2
But if they really meant "Windows NT" as in Windows NT 4.0, then I agree, that is pretty darn bad
Given that the paper from ERPScan [erpscan.com] lists the OSes atop which SAP runs as "Windows NT", "AIX", "Linux", "SunOS", "HP-UX", and "OS/400", I suspect that when they say "Windows NT" they mean, as you suggest, "Windows NT the family of operating systems, older ones of which were sold under the name "Windows NT" and newer versions of which aren't", not "Windows NT 3.x and 4.0", i.e. Windows Server 20xx (and Windows 2000/XP/Vista/7, if anybody's running it on their desktop) are lumped under "Windows NT" (and Solaris N is lumped under "SunOS").
Re: (Score:1)
You don't understand how SAP works. It takes you years of testing and custom coding just to deploy it. Patching and upgrading are hellish experiences.
Re: (Score:2)
Yup, I was walking around in a building I usually don't frequent at work and saw a sign that could be translated as "SAP Change Control" - it pointed to a cube farm, now nearly vacant as the SAP implementation is mostly done. I have no doubts that at one point of time they had 40 people doing nothing but keeping track of bug statuses.
Re: (Score:3)
Windows NT has been out of support for a very long time. Even windows 2000 has been out of support for a while.
Given how much SAP costs, you think they could afford to upgrade to win2003 at least.
Given how much SAP costs, I'm guessing a lot of companies haven't been able to get budget approval for an upgrade that runs on a supported version of Windows. (Particularly in light of the epic cost overruns that are typical of a SAP deployment.)
Bad (Score:4, Insightful)
I have no idea what the hell SAP is, but it sounds really dangerous.
Re:Bad (Score:5, Funny)
I have no idea what the hell SAP is, but it sounds really dangerous.
Not even SAP knows what SAP is, but if you have one of their salesdroids on site, they'll tell you it can do anything you ask them about...
Re: (Score:3)
you mean they're the latest ZOMBO.COM [zombo.com]?
Re:Bad (Score:5, Funny)
It's easy
S = Send
A = Another
P = Payment
Re:Bad (Score:5, Insightful)
Indeed, it's one of those systems that is so expensive that its deployment has to be declared a success or the person who authorized it will be in trouble.
Re:Bad (Score:4, Informative)
There is so much truth to that it's scary..
Re: (Score:2)
Save
And
Pray!
Re: (Score:3)
Re: (Score:3)
As an SAP consultant I agree with you, but let me take a moment to point to 81.
Re: (Score:2)
PickaSAP, any SAP: http://en.wikipedia.org/wiki/SAP [wikipedia.org]
Same boat -- TFA isn't that illuminating either.
Re: (Score:2)
Ya, that had me going too.. I thought maybe they had shortened down SAAP (Software As A Product), or it was one of the billion Symantec products. Two links in from the story, it references this BlackHat PDF [blackhat.com], which finally does say SAP AG.
It's great to have short acronyms for stuff, but without any good context it's worthless. It's like marketing people love their acronyms, so they can try to talk in military style alphabet soup. Well, at least the military alphabet soup ma
Re: (Score:3)
I have no idea what the hell SAP is
It's the main product of SAP AG [sap.com], SAP ERP [sap.com].
Re: (Score:2)
Some claim ERP = Enterprise Resource Planning, but in fact, it is the sound you will make 8 times a day after drinking baking soda for the intense overproduction of acid in your stress riddled stomach during the installation project.
Re: (Score:3)
SAP = Scheiss auf Privatleben
"Shit on your private life."
Answer - SAP wrapped in WCF fronted by SharePoint (Score:3, Funny)
Re: (Score:1)
WOW!!!!
You must work for a consulting firm, only a consultant would think that solution is Elegant.
I re-used part of my existing two factor authentication infrastructure as the gatekeeper to my Web based SAP installation. All of my SAP infrastructure is available to my employees and/or clients and you couldn't get to it, even if I told you how. None of the security companies have been able to defeat the gatekeeper, even with credentials. The best things, no additional costs or additional infrastructure t
Re: (Score:2)
Business software made for business by businessmen, with the predictable results.
Re: (Score:2)
The fuck does SAP stand for? The website doesn't even say. Fucking terrible OP.
Not sure about the 'A' and the 'P' but the 'S' can only stand for "Satanic".
SAP is horrible (Score:5, Informative)
All the pieces and parts are hard enough to keep running on a good day. Thing takes weekly downtime just to cycle modules....even simple patches shut your business users out for hours. Upgrading your version and OS shuts your business down for a week just to properly test. Sure you can use Dev boxes and HA, but you have to have ALL the users PROVE IT WORKS. So you waste terrible amounts of their TIME they could be selling stuff!!
And of course, SAP doesn't INSTALL anything THEMSELVES. You have to use some fly-by-night third party. So just like Microsoft, it's YOUR fault when you didn't include hiring an extra $1m per year in employees to run the thing and use all the "secret settings" after they all leave you.
Re: (Score:2)
That's why it's called SAP. It drains your company of money and resources.
Everything on a net basically is on the Internet (Score:3)
The only exception is completely isolated networks. But even those are vulnerable, even if you shoot people that breach the security. Just ask the Iranians about that.
Thinking that anything visible in parts of a corporate LAN is not reachable over the Internet is stupid and highly incompetent. Of course, you can have very tight network security and very isolated LAN segments. But until you have invested a lot of effort, had competent external review of the security measures, and have no direct reachability from the general LAN, that is not really going to help either.
What I strongly suspect here is just stupid management not willing to invest any money to even find out whether they have a problem. The general rule is that anything has to be considered insecure unless proven otherwise, not the other way round. Just stupidity, incompetence and greed, as usual. This high level of exposure is no surprise to any competent security expert.
And if you think SAP wouldn't be public... (Score:2)
I know of at least one large company that thinks giving potential applicants a login on their SAP installation to "streamline the application process" is a good idea. Through a public-facing SAP web front-end.
How do I know? I tried to apply there. Got rejected by some faceless jerk behind a SAP terminal somewhere far away, then needed HR to play helpdesk because removing my details from the system didn't work as promised. Think of it as an exit interview by email before you've even started.
Of course that syste
Stupid SAPGui (Score:2)
A little background... (Score:1)
Re: (Score:2)
At my employer I was walking through the office area that was doing much of the SAP work. There was a sign for change management pointing to a big cube farm. They needed an army of people just to juggle bug statuses.
Re: (Score:1)