The interest in SAP security is growing exponentially, and not only among whitehats. Unfortunately, SAP users still pay little attention to SAP security.
Obtained findings were presented at RSA APAC Conference 2013.
This research focuses on statistics of SAP Vulnerabilities, threats from the Internet, known incidents and future trends.
SAP security in figures
1. Invest in security to secure investments
SAP Security in figures 2013
Alexander Polyakov, CTO, ERPScan

2. About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 Awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)

3. Agenda
• SAP: Intro
• SAP: vulnerabilities
• SAP: threats from the Internet
• Critical SAP services
• Known incidents
• Future trends and predictions
• Conclusions

4. SAP
• The most popular business application
• More than 240000 customers worldwide
• 86% of Forbes 500 run SAP

5. Why SAP security?
• Espionage
– Stealing financial information
– Stealing corporate secrets
– Stealing supplier and customer lists
– Stealing HR data
• Sabotage
– Denial of service
– Modification of financial reports
– Access to technology network (SCADA) by trust relations
• Fraud
– False transactions
– Modification of master data

10. Acknowledgments
Number of vulnerabilities found by external researchers:
• 2010 - 58
• 2011 - 107
• 2012 - 89
• 2013 - 52
The record of vulnerabilities found by external researchers was cracked in January 2013: 76%
[Chart: Percentage of vulnerabilities found by external researchers, 2010-2013]

11. Acknowledgments
• More interest from other companies*
* Number of vulnerabilities that were sent to SAP but were rejected because they had already been found by another company or by SAP's internal code review.
[Chart: Number of already patched issues per year, 2010-2012]

13. Talks about:
• Common: SAP Backdoors, SAP Rootkits, SAP Forensics
• Services: SAP Gateway, SAP Router, SAP NetWeaver, SAP GUI, SAP Portal, SAP Solution Manager, SAP TMS, SAP Management Console, SAP ICM/ITS
• Protocols: DIAG, RFC, SOAP (MMC), Message Server, P4
• Languages: ABAP Buffer Overflow, ABAP SQL Injection, J2EE Verb Tampering, J2EE Invoker Servlet
• Overview: SAP Cyber-attacks, Top 10 Interesting Issues, Myths about ERP
Almost every part of SAP has been hacked

14. Top 5 SAP vulnerabilities 2012
1. SAP NetWeaver DilbertMsg servlet SSRF (June)
2. SAP HostControl command injection (May)
3. SAP SDM Agent command injection (November)
4. SAP Message Server buffer overflow (February)
5. SAP DIAG buffer overflow (May)

15. SAP NetWeaver DilbertMsg servlet SSRF
Espionage: Critical
Sabotage: Critical
Fraud: Medium
Availability: Anonymously through the Internet
Ease of exploitation: Medium
Future impact: High (New type of attack)
CVSSv2: 10
Advisory: http://erpscan.com/advisories/dsecrg-12-036-sap-xi-authentication-bypass/
Patch: SAP Note 1707494
Authors: Alexander Polyakov, Alexey Tyurin, Alexander Minozhenko (ERPScan)

16. SAP HostControl command injection
Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymously through the Internet
Ease of exploitation: Easy (a Metasploit module exists)
Future impact: Low (Single issue)
CVSSv2: 10
Advisory: http://www.contextis.com/research/blog/sap-parameter-injection-no-space-arguments/
Patch: SAP Note 1341333
Author: Contextis

17. SAP J2EE file read/write
Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymously
Ease of exploitation: Medium
Future impact: Low
CVSSv2: 10
Advisory: https://service.sap.com/sap/support/notes/1682613
Patch: SAP Note 1682613
Author: Juan Pablo

18. SAP Message Server buffer overflow
Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymous
Ease of exploitation: Medium. Good knowledge of exploit writing for multiple platforms is necessary
CVSSv2: 10.0
Advisory: http://www.zerodayinitiative.com/advisories/ZDI-12-112/
Patch: SAP Notes 1649840 and 1649838
Author: Martin Gallo

19. SAP DIAG buffer overflow
Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Low. Trace must be on
Ease of exploitation: Medium
CVSSv2: 9.3
Advisory: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities
Patch: SAP Note 1687910
Author: Martin Gallo

21. SAP on the Internet
• Among people who work with SAP, a popular myth exists that SAP systems are inaccessible from the Internet, so all SAP vulnerabilities can only be exploited by an insider.

22. SAP on the Internet
• Companies have SAP Portals, SAP SRMs, SAP CRMs remotely accessible
• Companies connect different offices (by SAP XI)
• Companies are connected to SAP (through SAP Router)
• SAP GUI users are connected to the Internet
• Administrators open management interfaces to the Internet for remote control
Almost all business applications have web access now

23. Google search for web-based SAPs
• As a result of the scan, 695 unique servers with different SAP web applications were found (14% more than in 2011)
• 22% of previously found services were deleted
• 35% growth in the number of new services

24. Google search by country
[Bar chart: SAP web servers by country (Top 20), axis 0-250: FINLAND, RUSSIA, AUSTRIA, DENMARK, MEXICO, SPAIN, KOREA, NORWAY, BELGIUM, FRANCE, CANADA, BRAZIL, SWITZERLAND, ITALY, NETHERLANDS, CHINA, UNITED KINGDOM, INDIA, GERMANY, UNITED STATES]

25. Shodan scan
[Pie chart, values and labels in extracted order: 41%, 34%, 20%, 6%; SAP NetWeaver J2EE, SAP NetWeaver ABAP, SAP Web Application Server, Other (BusinessObjects, SAP Hosting, etc.)]
[Bar chart: Growth by application server, axis -80% to 120%; values as extracted: 94%, 72%, 30%, -20%, -55%]
A total of 3741 servers with different SAP web applications were found

26. Shodan scan by country
[Bar chart: Growth of SAP web servers (Top 5), axis 0%-600%: MEXICO, CHILE, INDIA, CHINA, TAIWAN]
[Bar chart: SAP web servers by country (Top 20), axis 0-1500: AUSTRALIA, TAIWAN, CHILE, MEXICO, DENMARK, NETHERLANDS, TURKEY, CANADA, SWITZERLAND, UNITED KINGDOM, KOREA, CHINA, FRANCE, BELGIUM, BRAZIL, SPAIN, INDIA, ITALY, GERMANY, UNITED STATES]

27. Internet Census 2012 scan
• Not so legal project by Carna Botnet
• As the result, 3326 IP's with SAP Web applications
[Pie chart: NO SSL 32%, SSL 68%]

28. SAP NetWeaver ABAP - versions
• 7.3 growth by 250%
• 7.2 growth by 70%
• 7.0 loss by 22%
• 6.4 loss by 45%
[Pie chart: NetWeaver ABAP versions by popularity; values and labels in extracted order: 35%, 23%, 19%, 11%, 6%, 5%; 7.0 EHP 0 (Nov 2005), 7.0 EHP 2 (Apr 2010), 7.0 EHP 1 (Oct 2008), 7.3 (Jun 2011), 6.2 (Dec 2003), 6.4 (Mar 2004)]
The most popular release (35%, previously 45%) is still NetWeaver 7.0, and it was released in 2005! But security is getting better.

29. NetWeaver ABAP – information disclosure
• Information about the ABAP engine version can be easily found by reading an HTTP response
• Detailed info about the patch level can be obtained if the application server is not securely configured
• An attacker can get information from some pages like /sap/public/info
6% (was 59%) of servers still have this issue

30. SAP NetWeaver ABAP – critical services
• Execute dangerous RFC functions using HTTP requests
• NetWeaver ABAP URL – /sap/bc/soap/rfc
• There are several critical functions, such as:
– Read data from SAP tables
– Create SAP users
– Execute OS commands, make financial transactions, etc.
• By default, any user can have access to this interface and execute the RFC_PING command. So there are 2 main risks:
– If there is a default username and password, the attacker can execute numerous dangerous RFC functions
– If a remote attacker obtains any existing user credentials, they can execute a denial of service attack with a malformed XML packet
6% (was 40%) of ABAP systems on the Internet have the WebRFC service

31. SAP NetWeaver J2EE - versions
• 7.31 growth from 0 to 3%
• 7.30 growth from 0 to 9%
• 7.02 growth by 67%
• 7.0 loss by 23%
• 6.4 loss by 40%
[Pie chart: NetWeaver JAVA versions by popularity; values and labels in extracted order: 44%, 25%, 10%, 9%, 9%, 3%; NetWeaver 7.00, NetWeaver 7.01, NetWeaver 7.02, NetWeaver 7.30, NetWeaver 6.40, NetWeaver 7.31]
The most popular release (44%, previously 57%) is still NetWeaver 7.0, and it was released in 2005! But security is getting better.

32. NetWeaver J2EE – information disclosure
• Information about the J2EE engine version can be easily found by reading an HTTP response.
• Detailed info about the patch level can be obtained if the application server is not securely configured and allows an attacker to get information from some pages:
– /rep/build_info.jsp – 26% (61% last year)
– /bcb/bcbadmSystemInfo.jsp – 1.5% (17% last year)
– /AdapterFramework/version/version.jsp – 2.7% (a new issue)

33. SAP NetWeaver J2EE – critical services
• NetWeaver J2EE URL: /ctc/ConfigTool (and 30 others)
• Can be exploited without authentication
• There are several critical functions, such as:
– Create users
– Assign a role to a user
– Execute OS commands
– Remotely turn J2EE Engine on and off
• Was presented by us at BlackHat 2011. It was found that 50% (was 61%) of J2EE systems on the Internet have the CTC service enabled.

35. Disclaimer
* Some numbers are approximate (mostly lower than in the real world) due to the very high amount of resources needed to fully analyze the Internet for SAP services with detailed numbers. We use an optimized scan approach which will be described in a whitepaper.

36. SAP Router
• Special application proxy
• Transfers requests from the Internet to SAP (and not only)
• Can work through VPN or SNC
• Almost every company uses it for connecting to SAP to download updates
• Usually listens on port 3299
• Internet accessible (Approximately 5000 IP's)
• http://www.easymarketplace.de/saprouter.php
Almost every third company has an SAP Router accessible from the Internet on the default port.

37. SAP Router: known issues
• Absence of ACL – 15%
– Possible to proxy any request to any internal address
• Information disclosure about internal systems – 19%
– Denial of service by specifying many connections to any of the listed SAP servers
– Proxy requests to the internal network if there is no ACL
• Insecure configuration, authentication bypass – 5%
• Heap corruption vulnerability

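The "absence of ACL" finding above is a saprouttab problem: a permit rule with wildcards in the destination lets the router proxy anything inward, and a deny placed after such a rule never fires. The following added example (not the talk's own tooling) audits a route permission table for that pattern; the standard saprouttab syntax and the deny-last convention it checks are assumptions stated in the docstring, and the sample table is constructed.

```python
"""Audit a saprouttab (SAP Router route permission table) for the
'absence of ACL' pattern described in the talk. Added example, not the
talk's own tooling; the route table below is constructed.
Assumed syntax (standard saprouttab): one rule per line,
  <P|S|D> <source-host> <dest-host> <dest-service> [<password>]
KP/KS/KD are the SNC variants, '#' starts a comment, '*' is a wildcard,
rules are matched top-down and the first match wins.
"""

PERMIT = ("P", "S", "KP", "KS")
DENY = ("D", "KD")

# Constructed sample: the catch-all permit on line 3 makes the deny useless.
SAMPLE_SAPROUTTAB = """\
# route table for the demo router (constructed)
P 10.1.*  sap-prod.internal  3200
P *       *                  *        # catch-all permit
D *       *                  *
"""


def parse_saprouttab(text):
    """Return [(lineno, action, src, dst, serv)], skipping comments/blanks."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 4 or fields[0] not in PERMIT + DENY:
            raise ValueError(f"line {lineno}: malformed rule {raw.strip()!r}")
        rules.append((lineno, fields[0], fields[1], fields[2], fields[3]))
    return rules


def audit_saprouttab(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    rules = parse_saprouttab(text)
    findings, permit_all_seen = [], False
    for lineno, action, src, dst, serv in rules:
        if action in PERMIT and dst == "*" and serv == "*":
            findings.append(f"line {lineno}: permits proxying to any internal host and port")
        if action in PERMIT and src == "*" and dst == "*":
            permit_all_seen = True
        if action in DENY and permit_all_seen:
            findings.append(f"line {lineno}: deny rule is shadowed by an earlier catch-all permit")
    if not rules or rules[-1][1] not in DENY or rules[-1][2:] != ("*", "*", "*"):
        findings.append("no final 'D * * *' rule: unmatched requests are not explicitly denied")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_saprouttab(SAMPLE_SAPROUTTAB)) or "no findings")
```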
38. Port scan results
• Are you sure that only the necessary SAP services are exposed to the Internet?
• We were not
• In 2011, we ran a global project to scan all of the Internet for SAP services
• It is not completely finished yet, but we have the results for the top 1000 companies
• We were shocked when we first saw them

39. Port scan results
[Bar chart: Exposed services 2011 vs Exposed services 2013, axis 0-35: SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server, SAP Router]
Listed services should not be accessible from the Internet

40. SAP HostControl service
• SAP HostControl is a service which allows remote control of SAP systems
• There are some functions that can be used remotely without authentication
• Issues:
– Read developer traces with passwords
– Remote command injection
• About every 120th (was 20th) company is vulnerable REMOTELY
• About 35% of assessed systems locally

41. SAP Management console
• SAP MMC allows remote control of SAP systems
• There are some functions that can be used remotely without authentication
• Issues:
– Read developer traces with passwords
– Read logs with JSESSIONIDs
– Read information about parameters
• About every 40th (was 11th) company is vulnerable REMOTELY
• About 80% of systems locally

42. SAP Message Server
• SAP Message Server – load balancer for App servers
• Usually, this service is only available inside the company
• By default, the server is installed on the 36NN port
• Issues:
– Memory corruption
– Information disclosure
– Unauthorized service registration (MITM)
• About every 60th (was every 10th) company is vulnerable REMOTELY
• About 50% of systems locally

43. SAP Message Server HTTP
• HTTP port of SAP Message Server
• Usually, this service is only available inside the company
• By default, the server is installed on the 81NN port
• Issue: unauthorized read of profile parameters
• About every 60th (was every 10th) company is vulnerable REMOTELY
• About 90% of systems locally

44. SAP Dispatcher service
• SAP Dispatcher - client-server communications
• It allows connecting to SAP NetWeaver using the SAP GUI application through the DIAG protocol
• Should not be available from the Internet in any way
• Issues:
– There are a lot of default users that can be used to connect and fully compromise the system remotely
– Also, there are memory corruption vulnerabilities in Dispatcher
• About every 20th (was 6th) company is vulnerable REMOTELY

47. Market Interest
• Whitehat buyers and sellers
– Companies like ZDI buy exploits for SAP
– In 2012 alone, ZDI published 5 critical SAP issues
• Whitehat buyers and different sellers
– Companies who trade 0-days say that there is interest from both sides
• Black market
– Anonymous attack?
– Why not?

49. Anonymous attack
Now, it adds, “We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they...” Anonymous claims to have a “sweet 0day SAP exploit”, and the group intends to “sploit the hell out of it.”
• This attack has not been confirmed by the customer nor by the police authorities in Greece investigating the case. SAP does not have any indication that it happened.

50. Insider attacks
• The Association of Certified Fraud Examiners (ACFE) survey showed that U.S. organizations lose an estimated 7% of annual revenues to fraud.
• Real examples that we met:
– Salary modification
– Material management fraud
– Mistaken transactions

51. Evil subcontractors and ABAP Backdoors
• They exist!
• Sometimes it is possible to find them

53. What can be
Just imagine what could be done by breaking:
• One SAP system
• All SAP Systems of a company
• All SAP Systems in a particular country
• Everything

54. SAP strategy in app security
• Now security is the number 1 priority for SAP
• Implemented own internal security process SDLC
• Security summits for internal teams
• Internal trainings with external researchers
• Strong partnership with research companies
• Investments in the automatic and manual security assessment of new and old software

55. Future threats and predictions
• Old issues are being patched, but a lot of new systems have vulnerabilities
• The number of vulnerabilities per year is going down compared to 2010, but they are more critical
• The number of companies who find issues in SAP is growing
• Still there are many uncovered areas in SAP security
• SAP forensics can be a new research area because it is not easy to find evidence now, even if it exists

56. Forensics as a new trend for 2013
• If there are no attacks, it doesn't mean anything
• Companies don't like to share information about data compromise
• Companies don't have the ability to identify an attack
• Only 10% of systems use security audit at SAP
• Only 2% of systems analyze them
• Only 1% do correlation and deep analysis
* Based on the assessment of over 250 servers of companies that allowed us to share results

57. Forensics as a new trend for 2013
• ICM log icm/HTTP/logging_0 – 70%
• Security audit log in ABAP – 10%
• Table access logging rec/client – 4%
• Message Server log ms/audit – 2%
• SAP Gateway access log – 2%
* Based on the assessment of over 250 servers of companies that allowed us to share results.

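As an added example (not from the talk), the check below reads an instance profile and reports which of the five log sources measured on this slide and the previous one are off, the kind of self-assessment that produced the percentages above. icm/HTTP/logging_0, rec/client and ms/audit are the parameter names quoted here; rsau/enable for the ABAP Security Audit Log and gw/logging for the Gateway log, the profile syntax and the on/off predicates are assumptions, and the profile itself is constructed.

```python
"""Check an SAP instance profile for the log sources the talk found mostly
disabled. Added example, not the talk's own tooling; the profile below is
constructed. Names quoted in the talk: icm/HTTP/logging_0, rec/client,
ms/audit. Assumed names: rsau/enable (ABAP Security Audit Log) and
gw/logging (Gateway log). Assumed profile syntax: 'name = value' per line,
lines starting with '#' are comments, a later line overrides an earlier one.
"""

SAMPLE_PROFILE = """\
# instance profile excerpt (constructed)
SAPSYSTEMNAME = DMO
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=icmhttp.log,LOGFORMAT=SAPSMD
rsau/enable = 0
rec/client = OFF
# ms/audit and gw/logging are not set at all
"""

# Parameter -> predicate that is True when the log source is effectively on.
# A value of None means the parameter is absent (assumed default: off).
LOG_CHECKS = {
    "icm/HTTP/logging_0": lambda v: v is not None and "LOGFILE=" in v.upper(),
    "rsau/enable": lambda v: v == "1",
    "rec/client": lambda v: v is not None and v.upper() != "OFF",
    "ms/audit": lambda v: v is not None and v != "0",
    "gw/logging": lambda v: v is not None and "ACTION=" in v.upper(),
}


def parse_profile(text):
    """Return {parameter: value} with comments and blank lines skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)  # values may themselves contain '='
        params[name.strip()] = value.strip()
    return params


def audit_logging(text):
    """Return {parameter: enabled} for each log source the talk measured."""
    params = parse_profile(text)
    return {name: check(params.get(name)) for name, check in LOG_CHECKS.items()}


def missing_logs(text):
    """Names of log sources that forensics would need but that are off."""
    return [name for name, on in audit_logging(text).items() if not on]


if __name__ == "__main__":
    for name in missing_logs(SAMPLE_PROFILE):
        print(f"{name}: logging disabled or not configured")
```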
58. Conclusion
• - The interest in SAP platform security has been growing exponentially, and not only among whitehats
• + SAP security in default configuration is getting much better now
• - SAP systems can become a target not only for direct attacks (for example APT) but also for mass exploitation
• + SAP invests money and resources in security, provides guidelines, and arranges conferences
• - Unfortunately, SAP users still pay little attention to SAP security
• + I hope that this talk and the report that will be published next month will prove useful in this area

59. Conclusion
Issues are everywhere, but the risks and the price of mitigation are different

60. Conclusion
I'd like to thank the SAP Product Security Response Team for their great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
End of October – Release of “SAP Security in Figures 2013”

61. Conclusion
We devote attention to the requirements of our customers and prospects, and constantly improve our product. If you presume that our scanner lacks a particular function, you can e-mail us or give us a call. We will be glad to consider your suggestions for the next releases or monthly updates.
web: www.erpscan.com, www.dsecrg.com
e-mail: info@erpscan.com, sales@erpscan.com