Many companies are negligent about SAP security, researchers say

Researchers found many servers with old SAP applications or critical SAP administrative services exposed to the Internet

SAP has significantly improved the security of its products over the past few years but many of its customers are negligent with their deployments, which exposes them to potential attacks that could cripple their businesses, according to security researchers.

The biggest issue is that companies expose insecure SAP services to the Internet -- not only HTTP services, but also critical administrative interfaces, Alexander Polyakov, chief technology officer at ERPScan, a developer of security monitoring products for SAP systems, said Tuesday.

Between 5 percent and 10 percent of companies that use SAP products expose critical services to the Internet that shouldn't be publicly accessible, Polyakov said. This happens because they want to enable remote management or because of improper configurations, he said.

Most of the services have vulnerabilities that can be easily attacked, Polyakov said.

Publicly available exploits exist for many SAP vulnerabilities, including some that are part of Metasploit, a popular security testing tool.

The percentage of companies with exposed SAP services differs from country to country. The situation is better in North America and Europe and worse in the Asia-Pacific region, Africa and Latin America, Polyakov said. However, even 5 percent translates to a very large number of companies, he said.

Juan Perez-Etchegoyen, the chief technology officer at Onapsis, a Cambridge, Massachusetts-based company that develops security products for ERP systems, believes that the number of companies running vulnerable SAP systems is actually higher than what Polyakov estimates and that it's growing.

"What makes this worse is the fact that many systems are exposed to vulnerabilities with public exploits that have been known for five or even ten years. The risk for these organizations is huge," he said Wednesday via email.

Another problem is the high number of publicly accessible Web servers that run outdated SAP applications. Using Google search, ERPScan researchers identified 695 unique servers with different SAP Web applications, and an additional 3,741 servers were found using the SHODAN search engine.

SAP NetWeaver J2EE and SAP NetWeaver ABAP were the most common SAP applications found on the servers. However, the most common versions of these two applications were SAP NetWeaver ABAP version 7.0 EHP 0 and SAP NetWeaver J2EE version 7.00, both of which were released in 2005.

Deployments of older versions of these products are not necessarily vulnerable if their administrators applied all patches and followed all security advice issued by SAP over the years.

However, it is more likely for an old version deployment to be more vulnerable than a new one, because newer versions of these products are more secure in their default configurations, Polyakov said.
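The two findings above (administrative interfaces reachable from the Internet, and 2005-era NetWeaver releases still in service) are the kind of thing a defender can check against their own external attack-surface inventory before anyone else does. The script below is an added example, not code from the article or from ERPScan, Onapsis or SAP. It assumes a constructed CSV export of internet-facing listeners in the form `host,port,product,version` (for instance from a firewall rule review), maps ports to their roles using SAP's standard instance-number port layout (32NN dispatcher, 33NN gateway, 36NN message server, 80NN ICM HTTP, 81NN message server HTTP, 5NN00 Java HTTP, 5NN13/5NN14 sapstartsrv), normalises version strings such as `7.0 EHP 0` and `7.00` so they compare consistently, and flags listeners that expose an administrative role or run a release at or below a review baseline. Which roles count as administrative and the `(7, 0, 0)` baseline are this example's own policy choices.

```python
"""Review an inventory of internet-facing listeners for SAP exposure.

Added example, not from the article. Input is a constructed CSV export
(host,port,product,version); output is a list of flagged SAP listeners
with the reason each one was flagged. No network activity is performed.
"""
import csv
import io
import re


def classify_port(port):
    """Return (role, is_admin) for a TCP port in SAP's NN-based port layout.

    NN is the two-digit instance number. Treating a role as "administrative"
    is this example's own policy assumption, not an SAP classification.
    """
    if 3200 <= port <= 3299:
        return ("dispatcher (DIAG / SAP GUI)", True)
    if 3300 <= port <= 3399:
        return ("RFC gateway", True)
    if 3600 <= port <= 3699:
        return ("ABAP message server", True)
    if 8000 <= port <= 8099:
        return ("ICM HTTP", False)
    if 8100 <= port <= 8199:
        return ("message server HTTP", True)
    if 50000 <= port <= 59999:
        tail = port % 100
        if tail == 0:
            return ("Java / J2EE HTTP", False)
        if tail in (13, 14):
            return ("sapstartsrv management console", True)
        return ("other 5NNxx instance port", False)
    return ("not a standard SAP port", False)


# Accepts "7.00", "7.0 EHP 0", "7.02", "7.3 EHP 1", "7.40" and similar.
_VER = re.compile(r"^\s*(\d+)\.(\d{1,2})(?:\s*EHP\s*(\d+))?\s*$", re.IGNORECASE)


def parse_netweaver_version(text):
    """Normalise a NetWeaver version string to (major, release, ehp) or None."""
    m = _VER.match(text or "")
    if not m:
        return None
    major, minor, ehp = m.groups()
    if len(minor) == 2:
        # "7.02" style: the second digit is the enhancement package number
        rel, pkg = int(minor[0]), int(minor[1])
    else:
        rel, pkg = int(minor), 0
    if ehp is not None:
        pkg = int(ehp)  # an explicit "EHP n" wins over the short form
    return (int(major), rel, pkg)


def review_inventory(csv_text, flag_at_or_below=(7, 0, 0)):
    """Return flagged SAP NetWeaver listeners from a host,port,product,version CSV.

    A listener is flagged when its port maps to an administrative role, when
    its release is at or below the baseline tuple, or when its version string
    cannot be parsed (so it needs a manual check). Rows whose product does not
    mention NetWeaver are out of scope and skipped.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "netweaver" not in row["product"].lower():
            continue
        port = int(row["port"])
        role, is_admin = classify_port(port)
        version = parse_netweaver_version(row["version"])
        reasons = []
        if is_admin:
            reasons.append(f"administrative interface ({role}) reachable from the Internet")
        if version is None:
            reasons.append("version string not recognised; verify manually")
        elif version <= flag_at_or_below:
            reasons.append(f"release {row['version'].strip()} is at or below the review baseline")
        if reasons:
            findings.append({"host": row["host"], "port": port, "role": role,
                             "version": version, "reasons": reasons})
    return findings


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = """\
host,port,product,version
erp-web.example.test,50000,NetWeaver J2EE,7.00
erp-web.example.test,50013,NetWeaver J2EE,7.00
erp-app.example.test,3300,NetWeaver ABAP,7.0 EHP 0
portal.example.test,8000,NetWeaver ABAP,7.40
hr.example.test,3601,NetWeaver ABAP,7.02
mail.example.test,443,Exchange,2013
"""

if __name__ == "__main__":
    for finding in review_inventory(SAMPLE_INVENTORY):
        print(f"{finding['host']}:{finding['port']} [{finding['role']}]")
        for reason in finding["reasons"]:
            print("   -", reason)
```

On the constructed sample, the portal's ICM HTTP listener on a current release produces no finding, while the Java HTTP port on the 7.00 system is flagged for its release alone and the sapstartsrv and gateway listeners are flagged twice, once for the exposed administrative role and once for the 2005-era release. The version normaliser matters because the same release is written both ways in the wild (`7.0 EHP 0` and `7.00`), and a naive string comparison would treat them as different.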

"The real problem is not that the systems were released in 2005, because SAP still has those under maintenance and releases security patches for vulnerabilities affecting them," Perez-Etchegoyen said. "The real threat is that some companies are not able to apply them promptly, exposing themselves to cyberattacks."

Polyakov released some data about exposed SAP services earlier this month during a presentation at the RSA Asia Pacific 2013 security conference. However, more information about the results of ERPScan's research into the state of SAP security will be released in upcoming weeks as part of a larger report, he said.

Securing SAP systems is important because interest in SAP platform security has been growing among security researchers, but also among zero-day exploit buyers and sellers, according to Polyakov's RSA presentation slides.

Potential attacks against SAP systems could be driven by different motivations, Polyakov said.

Such attacks could be used to steal financial information, corporate secrets, human resources data, supplier and customer lists for economic espionage. They could also be used to perform false transactions and modify data for fraud purposes, or they could be used to disrupt systems or modify financial reports for sabotage.

Compromising SAP servers in order to attack other types of systems connected to them is also a possibility, Polyakov said. For example, SAP servers are sometimes connected to SCADA (Supervisory Control and Data Acquisition) systems in order to receive and process data from them, he said.

SCADA systems are used to control and monitor industrial, infrastructure, and facility-based processes.

Someone who compromises a SAP system could easily launch a denial-of-service attack against a SCADA system connected to it, Polyakov said.

A cyberwar-like scenario where someone creates a computer worm to attack SAP systems and disrupt business at major companies in one particular country would also be possible, Polyakov said. Such an attack could have a significant economic impact, he said.

"Some companies still believe that the risk of an attack is low because attackers require high skills," said Mariano Nunez, CEO of Onapsis, via email. "However, with the availability of public exploits and increased exposure, the barrier for entry is much lower than organizations perceive."

Nunez noted a positive change in the last two years with leading organizations starting to protect their SAP systems against cyberattacks. However, "the unfortunate reality is that many organizations still believe SAP Security is only about roles and profiles, and leave their systems totally exposed to technical vulnerabilities," he said.

"We'd like to thank Alexander Polyakov for increasing our awareness for this important topic," SAP spokesman Hilmar Schepp said Tuesday via email. Polyakov has been working with SAP for several years, and thanks to the close collaboration SAP was able to provide patches for various security issues, he said.

"SAP's software and solutions meet the highest security standards," Schepp said. The company is working closely with customers on implementation issues and advises them to activate the appropriate security configurations, he said.

Lucian Constantin

IDG News Service