Invest in security to secure investments

SAP Security in figures 2013

Alexander Polyakov
CTO, ERPScan

About ERPScan

•  The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
•  Leader by the number of acknowledgements from SAP (150+)
•  60+ presentations at key security conferences worldwide
•  25 awards and nominations
•  Research team - 20 experts with experience in different areas of security
•  Headquarters in Palo Alto (US) and Amsterdam (EU)
  
Agenda

•  SAP: Intro
•  SAP: vulnerabilities
•  SAP: threats from the Internet
•  Critical SAP services
•  Known incidents
•  Future trends and predictions
•  Conclusions
  
SAP

•  The most popular business application
•  More than 240000 customers worldwide
•  86% of Forbes 500 run SAP
  
Why SAP security?

•  Espionage
–  Stealing financial information
–  Stealing corporate secrets
–  Stealing supplier and customer lists
–  Stealing HR data
•  Sabotage
–  Denial of service
–  Modification of financial reports
–  Access to technology network (SCADA) by trust relations
•  Fraud
–  False transactions
–  Modification of master data
  
SAP Security

SAP Vulnerabilities
  
Security notes by year

[Chart: number of SAP security notes per year, 2001-2013; y-axis 0-900]

More than 2600 in total
  
Security notes by criticality

[Charts: high priority vulnerabilities per year and low priority vulnerabilities per year, 2009-2012, plus totals by priority class]

Priority legend:
1 - HotNews
2 - Correction with high priority
3 - Correction with medium priority
4 - Correction with low priority
6 - Recommendations/additional info

By the end of April 2013
  
Security notes by type

Top 10 vulnerabilities by type, with their share of the pie chart:
1 - XSS (25%)
2 - Missing authorisation check (22%)
3 - Directory traversal (20%)
4 - SQL injection (9%)
5 - Information disclosure (7%)
6 - Code injection (5%)
7 - Authentication bypass (4%)
8 - Hardcoded credentials (4%)
9 - Remote code execution (3%)
10 - Verb tampering (1%)
  
Acknowledgments

Number of vulnerabilities found by external researchers:

•  2010 - 58
•  2011 - 107
•  2012 - 89
•  2013 - 52

The record share of vulnerabilities found by external researchers was broken in January 2013: 76%

[Chart: percentage of vulnerabilities found by external researchers, 2010-2013; y-axis 0-70]
  
Acknowledgments

•  More interest from other companies

[Chart: number of already patched issues per year*, 2010-2012; y-axis 0-7]

* Number of vulnerabilities that were sent to SAP but were rejected because they had already been found before by another company or by SAP's internal code review.
  
SAP security talks at conferences

[Chart: number of SAP security talks per year, 2003-2013; y-axis 0-35]
  
Talks about:

•  Common: SAP Backdoors, SAP Rootkits, SAP Forensics
•  Services: SAP Gateway, SAP Router, SAP NetWeaver, SAP GUI, SAP Portal, SAP Solution Manager, SAP TMS, SAP Management Console, SAP ICM/ITS
•  Protocols: DIAG, RFC, SOAP (MMC), Message Server, P4
•  Languages: ABAP Buffer Overflow, ABAP SQL Injection, J2EE Verb Tampering, J2EE Invoker Servlet
•  Overview: SAP Cyber-attacks, Top 10 Interesting Issues, Myths about ERP

Almost every part of SAP was hacked
  
Top 5 SAP vulnerabilities 2012

1.  SAP NetWeaver DilbertMsg servlet SSRF (June)
2.  SAP HostControl command injection (May)
3.  SAP SDM Agent command injection (November)
4.  SAP Message Server buffer overflow (February)
5.  SAP DIAG buffer overflow (May)
  
SAP NetWeaver DilbertMsg servlet SSRF

Espionage: Critical
Sabotage: Critical
Fraud: Medium
Availability: Anonymously through the Internet
Ease of exploitation: Medium
Future impact: High (new type of attack)
CVSSv2: 10
Advisory: http://erpscan.com/advisories/dsecrg-12-036-sap-xi-authentication-bypass/
Patch: SAP Note 1707494
Authors: Alexander Polyakov, Alexey Tyurin, Alexander Minozhenko (ERPScan)
  
SAP HostControl command injection

Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymously through the Internet
Ease of exploitation: Easy (a Metasploit module exists)
Future impact: Low (single issue)
CVSSv2: 10
Advisory: http://www.contextis.com/research/blog/sap-parameter-injection-no-space-arguments/
Patch: SAP Note 1341333
Author: Context IS
  
SAP J2EE file read/write

Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymously
Ease of exploitation: Medium
Future impact: Low
CVSSv2: 10
Advisory: https://service.sap.com/sap/support/notes/1682613
Patch: SAP Note 1682613
Author: Juan Pablo
  
SAP Message Server buffer overflow

Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymous
Ease of exploitation: Medium. Good knowledge of exploit writing for multiple platforms is necessary
CVSSv2: 10.0
Advisory: http://www.zerodayinitiative.com/advisories/ZDI-12-112/
Patch: SAP Notes 1649840 and 1649838
Author: Martin Gallo
  
SAP DIAG buffer overflow

Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Low. Trace must be on
Ease of exploitation: Medium
CVSSv2: 9.3
Advisory: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities
Patch: SAP Note 1687910
Author: Martin Gallo
  
SAP Security

SAP and Internet
  
SAP on the Internet

•  Among people who work with SAP, a popular myth exists that SAP systems are inaccessible from the Internet, so all SAP vulnerabilities can only be exploited by an insider.
  
SAP on the Internet

•  Companies have SAP Portals, SAP SRMs, SAP CRMs remotely accessible
•  Companies connect different offices (by SAP XI)
•  Companies are connected to SAP (through SAP Router)
•  SAP GUI users are connected to the Internet
•  Administrators open management interfaces to the Internet for remote control

Almost all business applications have web access now
  
Google search for web-based SAPs

•  As a result of the scan, 695 unique servers with different SAP web applications were found (14% more than in 2011)
•  22% of previously found services were deleted
•  35% growth in the number of new services
  
Google search by country

[Chart: SAP web servers by country (Top 20); x-axis 0-250. Countries shown: United States, Germany, India, United Kingdom, China, Netherlands, Italy, Switzerland, Brazil, Canada, France, Belgium, Norway, Korea, Spain, Mexico, Denmark, Austria, Russia, Finland]
Shodan scan

[Pie chart: share by application server - 41% SAP NetWeaver J2EE, 34% SAP NetWeaver ABAP, 20% SAP Web Application Server, 6% Other (BusinessObjects, SAP Hosting, etc.)]
[Chart: growth by application server; values shown 94%, 72%, 30%, -20%, -55%; y-axis -80% to 120%]

A total of 3741 servers with different SAP web applications were found
  
Shodan scan by country

[Chart: growth of SAP web servers (Top 5): Mexico, Chile, India, China, Taiwan; y-axis 0%-600%]
[Chart: SAP web servers by country (Top 20); x-axis 0-1500. Countries shown: United States, Germany, Italy, India, Spain, Brazil, Belgium, France, China, Korea, United Kingdom, Switzerland, Canada, Turkey, Netherlands, Denmark, Mexico, Chile, Taiwan, Australia]
  
Internet Census 2012 scan

•  Not so legal project by Carna Botnet
•  As a result, 3326 IPs with SAP Web applications

[Pie chart: SSL 68%, no SSL 32%]
  
SAP NetWeaver ABAP - versions

•  7.3 growth by 250%
•  7.2 growth by 70%
•  7.0 loss by 22%
•  6.4 loss by 45%

[Pie chart: NetWeaver ABAP versions by popularity - 35% 7.0 EHP 0 (Nov 2005), 23% 7.0 EHP 2 (Apr 2010), 19% 7.0 EHP 1 (Oct 2008), 11% 7.3 (Jun 2011), 6% 6.2 (Dec 2003), 5% 6.4 (Mar 2004)]

The most popular release (35%, previously 45%) is still NetWeaver 7.0, and it was released in 2005!
But security is getting better.
  
NetWeaver ABAP – information disclosure

•  Information about the ABAP engine version can be easily found by reading an HTTP response
•  Detailed info about the patch level can be obtained if the application server is not securely configured
•  An attacker can get information from some pages like /sap/public/info

6% (was 59%) of servers still have this issue
  
SAP NetWeaver ABAP – critical services

•  Execute dangerous RFC functions using HTTP requests
•  NetWeaver ABAP URL – /sap/bc/soap/rfc
•  There are several critical functions, such as:
-  Read data from SAP tables
-  Create SAP users
-  Execute OS commands, make financial transactions, etc.
•  By default, any user can have access to this interface and execute the RFC_PING command. So there are 2 main risks:
-  If there is a default username and password, the attacker can execute numerous dangerous RFC functions
-  If a remote attacker obtains any existing user credentials, they can execute a denial of service attack with a malformed XML packet

6% (was 40%) of ABAP systems on the Internet have the WebRFC service
  
SAP NetWeaver J2EE - versions

•  7.31 growth from 0 to 3%
•  7.30 growth from 0 to 9%
•  7.02 growth by 67%
•  7.0 loss by 23%
•  6.4 loss by 40%

[Pie chart: NetWeaver JAVA versions by popularity - 44% NetWeaver 7.00, 25% NetWeaver 7.01, 10% NetWeaver 7.02, 9% NetWeaver 7.30, 9% NetWeaver 6.40, 3% NetWeaver 7.31]

The most popular release (44%, previously 57%) is still NetWeaver 7.0, and it was released in 2005!
But security is getting better.
  
NetWeaver J2EE – information disclosure

•  Information about the J2EE engine version can be easily found by reading an HTTP response.
•  Detailed info about the patch level can be obtained if the application server is not securely configured and allows an attacker to get information from some pages:
–  /rep/build_info.jsp: 26% (61% last year)
–  /bcb/bcbadmSystemInfo.jsp: 1.5% (17% last year)
–  /AdapterFramework/version/version.jsp: 2.7% (a new issue)
  
SAP NetWeaver J2EE – critical services

•  NetWeaver J2EE URL: /ctc/ConfigTool (and 30 others)
•  Can be exploited without authentication
•  There are several critical functions, such as:
–  Create users
–  Assign a role to a user
–  Execute OS commands
–  Remotely turn J2EE Engine on and off
•  Was presented by us at BlackHat 2011

It was found that 50% (was 61%) of J2EE systems on the Internet have the CTC service enabled.
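The information-disclosure pages and critical service URLs named on the ABAP and J2EE slides above (/sap/public/info, /sap/bc/soap/rfc, /rep/build_info.jsp, /bcb/bcbadmSystemInfo.jsp, /AdapterFramework/version/version.jsp, /ctc/ConfigTool) are also exactly what a defender should be looking for in the ICM HTTP log, which the forensics slides later show is the one log most systems actually have enabled. The following Python script is an added example, not code from the deck or from ERPScan's products. It assumes the log was written in a CLF-style layout ("%h %l %u %t \"%r\" %s %b"), treats RFC 1918 ranges as internal, and runs over constructed log lines using documentation address ranges.

```python
import ipaddress
import re
from collections import Counter

# Paths the deck names as information-disclosure pages or critical services
# that should not be reachable from the Internet (labels are ours).
SENSITIVE_PATHS = {
    "/sap/public/info": "ABAP information disclosure",
    "/sap/bc/soap/rfc": "ABAP WebRFC interface",
    "/rep/build_info.jsp": "J2EE information disclosure",
    "/bcb/bcbadmSystemInfo.jsp": "J2EE information disclosure",
    "/AdapterFramework/version/version.jsp": "J2EE information disclosure",
    "/ctc/ConfigTool": "J2EE CTC service",
}

# Assumption: RFC 1918 space is "internal"; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: CLF-like layout %h %l %u %t "%r" %s %b. The real layout is
# whatever LOGFORMAT you configured in icm/HTTP/logging_0; adjust the regex.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample lines (documentation address ranges, no real hosts).
SAMPLE_LOG = """\
10.1.2.3 - - [22/Apr/2013:09:14:02 +0200] "GET /sap/bc/gui/sap/its/webgui HTTP/1.1" 200 5120
198.51.100.7 - - [22/Apr/2013:09:15:11 +0200] "GET /sap/public/info HTTP/1.1" 200 1842
198.51.100.7 - - [22/Apr/2013:09:15:12 +0200] "POST /sap/bc/soap/rfc?sap-client=000 HTTP/1.1" 401 0
203.0.113.9 - - [22/Apr/2013:09:20:40 +0200] "GET /rep/build_info.jsp HTTP/1.1" 200 2210
192.168.5.20 - - [22/Apr/2013:09:21:03 +0200] "GET /ctc/ConfigTool HTTP/1.1" 200 980
203.0.113.9 - - [22/Apr/2013:09:22:15 +0200] "GET /ctc/ConfigTool/ HTTP/1.1" 200 980
this line is not in the expected format
""".splitlines()


def parse_line(line):
    """Return a dict for one log line, or None when it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # compare on the path, not the query
    return rec


def is_internal(host):
    """True for addresses inside INTERNAL_NETS; host names and garbage count as external."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def classify(path):
    """Label for a sensitive path (exact match or a sub-path of it), else None."""
    for prefix, label in SENSITIVE_PATHS.items():
        if path == prefix or path.startswith(prefix + "/"):
            return label
    return None


def find_external_access(lines):
    """(host, path, label, status) for every request to a sensitive path from outside."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not silently misread
        label = classify(rec["path"])
        if label and not is_internal(rec["host"]):
            hits.append((rec["host"], rec["path"], label, rec["status"]))
    return hits


def summarize(hits):
    """Count hits per label, e.g. to decide which interface to close or patch first."""
    return Counter(label for _, _, label, _ in hits)


if __name__ == "__main__":
    found = find_external_access(SAMPLE_LOG)
    for host, path, label, status in found:
        print(f"{host:15} {status} {path:40} {label}")
    print(dict(summarize(found)))
```

Even a 401 on /sap/bc/soap/rfc is worth reporting: it shows that the WebRFC interface answers to the outside at all, which is the condition the slide's two risks depend on.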
  
From Internet to Intranet

SAP Security

Disclaimer

* Some numbers are approximate (mostly less than in the real world) due to the very high number of resources needed to fully analyze the Internet for SAP services with detailed numbers. We use an optimized scan approach which will be described in a whitepaper.
  
SAP Router

•  Special application proxy
•  Transfers requests from the Internet to SAP (and not only)
•  Can work through VPN or SNC
•  Almost every company uses it for connecting to SAP to download updates
•  Usually listens on port 3299
•  Internet accessible (approximately 5000 IPs)
•  http://www.easymarketplace.de/saprouter.php

Almost every third company has an SAP Router accessible from the Internet on the default port.
  
SAP Router: known issues

•  Absence of ACL – 15%
–  Possible to proxy any request to any internal address
•  Information disclosure about internal systems – 19%
–  Denial of service by specifying many connections to any of the listed SAP servers
–  Proxy requests to the internal network if there is an absence of ACL
•  Insecure configuration, authentication bypass – 5%
•  Heap corruption vulnerability
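The "absence of ACL" finding on this slide comes down to the contents of the saprouttab route permission table: a single `P * * *` line (or no table at all) makes the router proxy any request to any internal address. The Python script below is an added example, not part of the deck or of any SAP or ERPScan tool. It assumes saprouter's documented first-match evaluation of P (permit), S (permit SAP protocol only) and D (deny) lines and models the address patterns with shell-style wildcards; it does not handle host-name resolution or route passwords. Both tables are constructed, with 203.0.113.* standing in for a partner network and 10.10.0.15 for an internal SAP system.

```python
import fnmatch

# Constructed saprouttab with no real ACL: the first rule lets any source
# reach any host on any port, which is the "absence of ACL" finding.
PERMISSIVE_TAB = """\
# allow everything (do not do this)
P * * *
"""

# Constructed restricted saprouttab. 203.0.113.* is a placeholder for the
# partner network you want to admit; 10.10.0.15 is a constructed internal host.
RESTRICTED_TAB = """\
# partner network -> one internal system, dispatcher port only
P 203.0.113.* 10.10.0.15 3200
# internal clients may use the SAP protocol only (no native TCP forwarding)
S 10.20.* 10.10.0.15 3200
# explicit catch-all deny
D * * *
"""


def parse_saprouttab(text):
    """Parse P/S/D lines into rule dicts; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("P", "S", "D"):
            raise ValueError(f"unrecognised saprouttab line: {raw!r}")
        rules.append({"action": parts[0], "src": parts[1],
                      "dst": parts[2], "port": parts[3]})
    return rules


def evaluate(rules, src, dst, port):
    """Action ('P', 'S' or 'D') for a route request: first matching rule decides.

    Assumption: first-match semantics with wildcard patterns, as documented for
    saprouter; a request matching no rule is denied."""
    for rule in rules:
        if (fnmatch.fnmatchcase(src, rule["src"])
                and fnmatch.fnmatchcase(dst, rule["dst"])
                and fnmatch.fnmatchcase(str(port), rule["port"])):
            return rule["action"]
    return "D"


def audit(rules):
    """Findings in the spirit of the slide: permit rules that proxy anything anywhere."""
    findings = []
    if not rules:
        findings.append("no rules at all: the router has no ACL to enforce")
    for i, rule in enumerate(rules, 1):
        if rule["action"] == "D":
            continue
        if rule["src"] == "*" and rule["dst"] == "*":
            findings.append(f"rule {i}: {rule['action']} * * {rule['port']} "
                            "proxies any request to any internal address")
        elif rule["dst"] == "*":
            findings.append(f"rule {i}: source {rule['src']} may reach any internal host")
        elif rule["port"] == "*":
            findings.append(f"rule {i}: {rule['src']} -> {rule['dst']} on every port")
    return findings


if __name__ == "__main__":
    for name, text in (("permissive", PERMISSIVE_TAB), ("restricted", RESTRICTED_TAB)):
        rules = parse_saprouttab(text)
        print(name, audit(rules) or "no findings")
        print("  198.51.100.7 -> 10.10.0.15:3200 =", evaluate(rules, "198.51.100.7", "10.10.0.15", 3200))
```

The restricted table also shows the second half of the slide's advice in practice: the trailing `D * * *` makes the deny explicit, and the `S` line keeps internal clients from using the router as a generic TCP proxy.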
  
Port scan results

•  Are you sure that only the necessary SAP services are exposed to the Internet?
•  We were not
•  In 2011, we ran a global project to scan all of the Internet for SAP services
•  It is not completely finished yet, but we have the results for the top 1000 companies
•  We were shocked when we saw them first
  
Port scan results

[Chart: exposed services 2011 vs exposed services 2013 for SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server, SAP Router; y-axis 0-35]

Listed services should not be accessible from the Internet
  
SAP HostControl service

•  SAP HostControl is a service which allows remote control of SAP systems
•  There are some functions that can be used remotely without authentication
•  Issues:
–  Read developer traces with passwords
–  Remote command injection
•  About every 120th (was 20th) company is vulnerable REMOTELY
•  About 35% of assessed systems locally
  
SAP Management console

•  SAP MMC allows remote control of SAP systems
•  There are some functions that can be used remotely without authentication
•  Issues:
–  Read developer traces with passwords
–  Read logs with JSESSIONIDs
–  Read information about parameters
•  About every 40th (was 11th) company is vulnerable REMOTELY
•  About 80% of systems locally
  
SAP Message Server

•  SAP Message Server – load balancer for App servers
•  Usually, this service is only available inside the company
•  By default, the server is installed on the 36NN port
•  Issues:
–  Memory corruption
–  Information disclosure
–  Unauthorized service registration (MITM)
•  About every 60th (was every 10th) company is vulnerable REMOTELY
•  About 50% of systems locally
  
SAP Message Server HTTP

•  HTTP port of SAP Message Server
•  Usually, this service is only available inside the company
•  By default, the server is installed on the 81NN port
•  Issue: unauthorized read of profile parameters
•  About every 60th (was every 10th) company is vulnerable REMOTELY
•  About 90% of systems locally
  
SAP Dispatcher service

•  SAP Dispatcher - client-server communications
•  It allows connecting to SAP NetWeaver using the SAP GUI application through the DIAG protocol
•  Should not be available from the Internet in any way
•  Issues:
–  There are a lot of default users that can be used to connect and fully compromise the system remotely
–  Also, there are memory corruption vulnerabilities in Dispatcher
•  About every 20th (was 6th) company is vulnerable REMOTELY

But who actually tried to exploit it?
  
Known internal fraud incidents

•  Exploit market interest
•  Anonymous attacks
•  Insider attacks
•  Evil subcontractors and ABAP backdoors
  
Market Interest

•  Whitehat buyers and sellers
–  Companies like ZDI buy exploits for SAP
–  In 2012 alone, ZDI published 5 critical SAP issues
•  Whitehat buyers and different sellers
–  Companies who trade 0-days say that there is interest from both sides
•  Black market
–  Anonymous attack?
–  Why not?
  
Anonymous attack

Now, it adds, “We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they...” Anonymous claims to have a “sweet 0day SAP exploit”, and the group intends to “sploit the hell out of it.”

•  This attack has not been confirmed by the customer nor by the police authorities in Greece investigating the case. SAP does not have any indication that it happened.
  
Insider attacks

•  The Association of Certified Fraud Examiners (ACFE) survey showed that U.S. organizations lose an estimated 7% of annual revenues to fraud.
•  Real examples that we met:
–  Salary modification
–  Material management fraud
–  Mistaken transactions
  
Evil subcontractors and ABAP Backdoors

•  They exist!
•  Sometimes it is possible to find them
  
What had happened already?

•  Autocad virus (industrial espionage)
–  http://www.telegraph.co.uk/technology/news/9346734/Espionage-virus-sent-blueprints-to-China.html
•  Internet-trading virus (fraud)
–  Ranbyus modification for QUICK
–  http://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/
•  News resources hacking (sabotage)
–  http://www.bloomberg.com/news/2013-04-23/dow-jones-drops-recovers-after-false-report-on-ap-twitter-page.html
  
What can be

Just imagine what could be done by breaking:

•  One SAP system
•  All SAP systems of a company
•  All SAP systems in a particular country
•  Everything
  
SAP strategy in app security

•  Now security is the number 1 priority for SAP
•  Implemented own internal security process (SDLC)
•  Security summits for internal teams
•  Internal trainings with external researchers
•  Strong partnership with research companies
•  Investments in the automatic and manual security assessment of new and old software
  
Future threats and predictions

•  Old issues are being patched, but a lot of new systems have vulnerabilities
•  The number of vulnerabilities per year is going down compared to 2010, but they are more critical
•  The number of companies who find issues in SAP is growing
•  There are still many uncovered areas in SAP security
•  SAP forensics can be a new research area because it is not easy to find evidence now, even if it exists
  
Forensics as a new trend for 2013

•  If there are no attacks, it doesn't mean anything
•  Companies don't like to share information about data compromise
•  Companies don't have the ability to identify an attack
•  Only 10% of systems use the security audit log in SAP
•  Only 2% of systems analyze them
•  Only 1% do correlation and deep analysis

* Based on the assessment of over 250 servers of companies that allowed us to share results
  
Forensics as a new trend for 2013

Log sources enabled (share of assessed systems)*:
•  ICM log (icm/HTTP/logging_0): 70%
•  Security audit log in ABAP: 10%
•  Table access logging (rec/client): 4%
•  Message Server log (ms/audit): 2%
•  SAP Gateway access log: 2%

* Based on the assessment of over 250 servers of companies that allowed us to share results.
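The five log sources on this slide are each switched on through profile parameters, so the first step in closing the gap the slide describes is checking your own instance profiles for them. The Python script below is an added example, not from the deck or from any SAP or ERPScan tool. The parameter names are SAP's (icm/HTTP/logging_0, rsau/enable, rec/client, ms/audit, gw/logging); the on/off interpretation of their values is ours and deliberately simple (it does not verify that rsau filters are defined or that the log directories are writable), and both profile excerpts are constructed.

```python
# Profile parameters behind the log sources on the slide, with the value test
# we use to call a source "on". Parameter names are SAP's; the interpretation
# is an assumption kept deliberately simple.
LOG_SOURCES = {
    "icm/HTTP/logging_0": ("ICM HTTP log", lambda v: bool(v)),
    "rsau/enable": ("Security audit log (ABAP)", lambda v: v == "1"),
    "rec/client": ("Table access logging", lambda v: bool(v) and v.upper() != "OFF"),
    "ms/audit": ("Message Server audit log", lambda v: v not in ("", "0")),
    "gw/logging": ("Gateway access log", lambda v: bool(v)),
}

# Constructed instance profile excerpt: only the ICM log is on.
SAMPLE_PROFILE = """\
# constructed profile, not from a real system
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=http_%y%m%d.log,MAXSIZEKB=10240,SWITCHTF=day
rsau/enable = 0
rec/client = OFF
ms/audit = 0
"""

# Constructed profile excerpt with every source on the slide enabled.
LOGGING_PROFILE = """\
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=http_%y%m%d.log,MAXSIZEKB=10240,SWITCHTF=day
rsau/enable = 1
rec/client = ALL
ms/audit = 1
gw/logging = ACTION=Ss LOGFILE=gw_log-%y-%m-%d SWITCHTF=day MAXSIZEKB=100
"""


def parse_profile(text):
    """name -> value from a profile file; '#' comments are dropped and a repeated
    parameter keeps its last value (the later line wins, as in a profile)."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)  # values may themselves contain '='
        params[name.strip()] = value.strip()
    return params


def check_logging(params):
    """{parameter: True/False} for each log source on the slide."""
    return {name: enabled(params.get(name, ""))
            for name, (_, enabled) in LOG_SOURCES.items()}


def missing_sources(params):
    """Parameters of log sources that are off or unset, in slide order."""
    return [name for name, on in check_logging(params).items() if not on]


def report(params):
    """Human-readable one-line-per-source summary."""
    status = check_logging(params)
    lines = []
    for name, (label, _) in LOG_SOURCES.items():
        state = "ON " if status[name] else "OFF"
        lines.append(f"[{state}] {label:27} {name} = {params.get(name, '<unset>')}")
    return "\n".join(lines)


if __name__ == "__main__":
    for title, text in (("sample profile", SAMPLE_PROFILE), ("logging profile", LOGGING_PROFILE)):
        print(title)
        print(report(parse_profile(text)))
        print()
```

Run against real profiles, `missing_sources` is the list to hand to the Basis team; a system that lands in the slide's 70% but not its 10% will show exactly the first profile's result, the ICM log on and everything else off.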
  
Conclusion

•  - The interest in SAP platform security has been growing exponentially, and not only among whitehats
•  + SAP security in the default configuration is getting much better now
•  - SAP systems can become a target not only for direct attacks (for example APT) but also for mass exploitation
•  + SAP invests money and resources in security, provides guidelines, and arranges conferences
•  - Unfortunately, SAP users still pay little attention to SAP security
•  + I hope that this talk and the report that will be published next month will prove useful in this area
  
Conclusion

Issues are everywhere, but the risks and price for mitigation are different
  
Conclusion

I'd like to thank the SAP Product Security Response Team for their great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:

End of October – Release of “SAP Security in Figures 2013”
  
Conclusion

We devote attention to the requirements of our customers and prospects, and constantly improve our product. If you presume that our scanner lacks a particular function, you can e-mail us or give us a call. We will be glad to consider your suggestions for the next releases or monthly updates.

web: www.erpscan.com, www.dsecrg.com
e-mail: info@erpscan.com, sales@erpscan.com
  

Sap security – thinking with a hacker’s hat
 
If I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionIf I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second edition
 
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...
 
Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)
 
SAP SDM Hacking
SAP SDM HackingSAP SDM Hacking
SAP SDM Hacking
 
EAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applicationsEAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applications
 
Attacking SAP users with sapsploit
Attacking SAP users with sapsploit Attacking SAP users with sapsploit
Attacking SAP users with sapsploit
 
Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)
 
Practical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsPractical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applications
 
Attacking SAP Mobile
Attacking SAP MobileAttacking SAP Mobile
Attacking SAP Mobile
 
Business breakdown vulnerabilities in ERP via ICS and ICS via ERP
Business breakdown vulnerabilities in ERP via ICS and ICS via ERPBusiness breakdown vulnerabilities in ERP via ICS and ICS via ERP
Business breakdown vulnerabilities in ERP via ICS and ICS via ERP
 
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
Breaking, forensicating and anti-forensicating SAP Portal and J2EE EngineBreaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
 
5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applications5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applications
 
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
 
All your SAP passwords belong to us
All your SAP passwords belong to usAll your SAP passwords belong to us
All your SAP passwords belong to us
 
Why your works council has nothing to fear from SAP security. [Webinar]
Why your works council has nothing to fear from SAP security. [Webinar]Why your works council has nothing to fear from SAP security. [Webinar]
Why your works council has nothing to fear from SAP security. [Webinar]
 
Towards new shores with cross-system SoD analyses. [Webinar]
Towards new shores with cross-system SoD analyses. [Webinar]Towards new shores with cross-system SoD analyses. [Webinar]
Towards new shores with cross-system SoD analyses. [Webinar]
 

En vedette

Danielle Tronnes 2016 resume
Danielle Tronnes 2016 resumeDanielle Tronnes 2016 resume
Danielle Tronnes 2016 resumeDanielle Tronnes
 
Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)ERPScan
 
Media pembelajaran usaha dan energi
Media pembelajaran usaha dan energiMedia pembelajaran usaha dan energi
Media pembelajaran usaha dan energirahmiyati95
 
ERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, SolutionsERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, SolutionsERPScan
 
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...ERPScan
 
Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)ERPScan
 
Sap security-administration
Sap security-administrationSap security-administration
Sap security-administrationnanda nanda
 
Introduction on sap security
Introduction on sap securityIntroduction on sap security
Introduction on sap securityyektek
 
How to Archive and Read FI_ACCOUNT in SAP R/3
How to Archive and Read FI_ACCOUNT in SAP R/3How to Archive and Read FI_ACCOUNT in SAP R/3
How to Archive and Read FI_ACCOUNT in SAP R/3Mohammad Ali Rajabi
 
Benefits of Data Archiving in Data Warehouses
Benefits of Data Archiving in Data WarehousesBenefits of Data Archiving in Data Warehouses
Benefits of Data Archiving in Data WarehousesVineet
 
Анализ безопасности и много другое
Анализ безопасности и много другоеАнализ безопасности и много другое
Анализ безопасности и много другоеCisco Russia
 
Data Archiving -Ramesh sap bw
Data Archiving -Ramesh sap bwData Archiving -Ramesh sap bw
Data Archiving -Ramesh sap bwramesh rao
 
HR Security in SAP: Securing Data Beyond HCM Authorizations
HR Security in SAP: Securing Data Beyond HCM AuthorizationsHR Security in SAP: Securing Data Beyond HCM Authorizations
HR Security in SAP: Securing Data Beyond HCM AuthorizationsUL Transaction Security
 

En vedette (18)

B&G Guide (Final)
B&G Guide (Final)B&G Guide (Final)
B&G Guide (Final)
 
Danielle Tronnes 2016 resume
Danielle Tronnes 2016 resumeDanielle Tronnes 2016 resume
Danielle Tronnes 2016 resume
 
Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)
 
Media pembelajaran usaha dan energi
Media pembelajaran usaha dan energiMedia pembelajaran usaha dan energi
Media pembelajaran usaha dan energi
 
ERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, SolutionsERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, Solutions
 
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
 
Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)
 
Sap security-administration
Sap security-administrationSap security-administration
Sap security-administration
 
SAP Security
SAP SecuritySAP Security
SAP Security
 
Introduction on sap security
Introduction on sap securityIntroduction on sap security
Introduction on sap security
 
How to Archive and Read FI_ACCOUNT in SAP R/3
How to Archive and Read FI_ACCOUNT in SAP R/3How to Archive and Read FI_ACCOUNT in SAP R/3
How to Archive and Read FI_ACCOUNT in SAP R/3
 
Benefits of Data Archiving in Data Warehouses
Benefits of Data Archiving in Data WarehousesBenefits of Data Archiving in Data Warehouses
Benefits of Data Archiving in Data Warehouses
 
Sap archiving process
Sap archiving processSap archiving process
Sap archiving process
 
Анализ безопасности и много другое
Анализ безопасности и много другоеАнализ безопасности и много другое
Анализ безопасности и много другое
 
Data Archiving -Ramesh sap bw
Data Archiving -Ramesh sap bwData Archiving -Ramesh sap bw
Data Archiving -Ramesh sap bw
 
Day5 R3 Basis Security
Day5 R3 Basis   SecurityDay5 R3 Basis   Security
Day5 R3 Basis Security
 
SAP HANA
SAP HANASAP HANA
SAP HANA
 
HR Security in SAP: Securing Data Beyond HCM Authorizations
HR Security in SAP: Securing Data Beyond HCM AuthorizationsHR Security in SAP: Securing Data Beyond HCM Authorizations
HR Security in SAP: Securing Data Beyond HCM Authorizations
 

Similaire à SAP security in figures

Top 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPTop 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPERPScan
 
SAP (In)Security: New and Best
SAP (In)Security: New and BestSAP (In)Security: New and Best
SAP (In)Security: New and BestPositive Hack Days
 
SAP portal: breaking and forensicating
SAP portal: breaking and forensicating SAP portal: breaking and forensicating
SAP portal: breaking and forensicating ERPScan
 
SAP (in)security: New and best
SAP (in)security: New and bestSAP (in)security: New and best
SAP (in)security: New and bestERPScan
 
EAS-SEC Project
EAS-SEC ProjectEAS-SEC Project
EAS-SEC ProjectERPScan
 
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin:  All your sap p@$$w0яd z belong to usCONFidence 2014: Dimitriy Chastuhin:  All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to usPROIDEA
 
Architecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsArchitecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsERPScan
 
A crushing blow at the heart of SAP’s J2EE Engine.
A crushing blow at the heart of SAP’s J2EE Engine. A crushing blow at the heart of SAP’s J2EE Engine.
A crushing blow at the heart of SAP’s J2EE Engine. ERPScan
 
What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018Ken DeSouza
 
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...Cristian Garcia G.
 
Forgotten world - Corporate Business Application Systems
Forgotten world - Corporate Business Application SystemsForgotten world - Corporate Business Application Systems
Forgotten world - Corporate Business Application SystemsERPScan
 
CyberCentral Summit 2018 in Prague
CyberCentral Summit 2018 in PragueCyberCentral Summit 2018 in Prague
CyberCentral Summit 2018 in PragueAlexander Leonov
 
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...
 	Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe... 	Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...Onapsis Inc.
 
Penetration Testing SAP Systems
Penetration Testing SAP SystemsPenetration Testing SAP Systems
Penetration Testing SAP SystemsOnapsis Inc.
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Chetan Khatri
 
The latest changes to SAP cybersecurity landscape
The latest changes to SAP cybersecurity landscapeThe latest changes to SAP cybersecurity landscape
The latest changes to SAP cybersecurity landscapeERPScan
 
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...Tunde Ogunkoya
 
StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware Lancope, Inc.
 

Similaire à SAP security in figures (20)

Top 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPTop 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAP
 
SAP (In)Security: New and Best
SAP (In)Security: New and BestSAP (In)Security: New and Best
SAP (In)Security: New and Best
 
SAP portal: breaking and forensicating
SAP portal: breaking and forensicating SAP portal: breaking and forensicating
SAP portal: breaking and forensicating
 
SAP (in)security: New and best
SAP (in)security: New and bestSAP (in)security: New and best
SAP (in)security: New and best
 
EAS-SEC Project
EAS-SEC ProjectEAS-SEC Project
EAS-SEC Project
 
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin:  All your sap p@$$w0яd z belong to usCONFidence 2014: Dimitriy Chastuhin:  All your sap p@$$w0яd z belong to us
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
 
Architecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsArchitecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platforms
 
A crushing blow at the heart of SAP’s J2EE Engine.
A crushing blow at the heart of SAP’s J2EE Engine. A crushing blow at the heart of SAP’s J2EE Engine.
A crushing blow at the heart of SAP’s J2EE Engine.
 
What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018
 
Attacks on SAP Mobile
Attacks on SAP MobileAttacks on SAP Mobile
Attacks on SAP Mobile
 
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
 
Forgotten world - Corporate Business Application Systems
Forgotten world - Corporate Business Application SystemsForgotten world - Corporate Business Application Systems
Forgotten world - Corporate Business Application Systems
 
CyberCentral Summit 2018 in Prague
CyberCentral Summit 2018 in PragueCyberCentral Summit 2018 in Prague
CyberCentral Summit 2018 in Prague
 
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...
 	Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe... 	Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...
 
Gunadarma workshop security
Gunadarma workshop securityGunadarma workshop security
Gunadarma workshop security
 
Penetration Testing SAP Systems
Penetration Testing SAP SystemsPenetration Testing SAP Systems
Penetration Testing SAP Systems
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
 
The latest changes to SAP cybersecurity landscape
The latest changes to SAP cybersecurity landscapeThe latest changes to SAP cybersecurity landscape
The latest changes to SAP cybersecurity landscape
 
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
 
StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware
 

Dernier

Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastPapp Krisztián
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfonteinmasabamasaba
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfkalichargn70th171
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park masabamasaba
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyviewmasabamasaba
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrainmasabamasaba
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplatePresentation.STUDIO
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdfPearlKirahMaeRagusta1
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionOnePlan Solutions
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Bert Jan Schrijver
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidPhilip Schwarz
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024VictoriaMetrics
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrandmasabamasaba
 

Dernier (20)

Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go Platformless
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 

SAP security in figures

  • 1. Invest in security to secure investments. SAP Security in figures 2013. Alexander Polyakov, CTO ERPScan
  • 2. About ERPScan
    • The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
    • Leader by the number of acknowledgements from SAP (150+)
    • 60+ presentations at key security conferences worldwide
    • 25 awards and nominations
    • Research team: 20 experts with experience in different areas of security
    • Headquarters in Palo Alto (US) and Amsterdam (EU)
  • 3. Agenda
    • SAP: intro
    • SAP: vulnerabilities
    • SAP: threats from the Internet
    • Critical SAP services
    • Known incidents
    • Future trends and predictions
    • Conclusions
  • 4. SAP
    • The most popular business application
    • More than 240000 customers worldwide
    • 86% of Forbes 500 run SAP
  • 5. Why SAP security?
    • Espionage
      – Stealing financial information
      – Stealing corporate secrets
      – Stealing supplier and customer lists
      – Stealing HR data
    • Sabotage
      – Denial of service
      – Modification of financial reports
      – Access to the technology network (SCADA) through trust relations
    • Fraud
      – False transactions
      – Modification of master data
  • 6. SAP Security: SAP vulnerabilities
  • 7. Security notes by year
    [Chart: number of SAP security notes per year, 2001-2013]
    More than 2600 in total
  • 8. Security notes by criticality
    [Chart: high priority vulnerabilities per year, 2009-2012]
    [Chart: low priority vulnerabilities per year, 2009-2012]
    [Chart: security notes by priority class: 1 - HotNews; 2 - Correction with high priority; 3 - Correction with medium priority; 4 - Correction with low priority; 6 - Recommendations/additional info]
    By the end of April 2013
  • 9. Security notes by type
    [Chart: top 10 vulnerabilities by type; shares in chart order: 25%, 22%, 20%, 9%, 7%, 5%, 4%, 4%, 3%, 1%]
    1 - XSS
    2 - Missing authorisation check
    3 - Directory traversal
    4 - SQL injection
    5 - Information disclosure
    6 - Code injection
    7 - Authentication bypass
    8 - Hardcoded credentials
    9 - Remote code execution
    10 - Verb tampering
  • 10. Acknowledgments
    Number of vulnerabilities found by external researchers:
    • 2010 - 58
    • 2011 - 107
    • 2012 - 89
    • 2013 - 52
    The record share of vulnerabilities found by external researchers was broken in January 2013: 76%
    [Chart: percentage of vulnerabilities found by external researchers, 2010-2013]
  • 11. Acknowledgments
    • More interest from other companies
    [Chart: number of already patched issues per year, 2010-2012]
    * Number of vulnerabilities that were sent to SAP but were rejected because they had already been found by another company or by SAP internal code review.
  • 12. SAP security talks at conferences
    [Chart: number of SAP security talks per year, 2003-2013]
  • 13. Talks about:
    • Common: SAP backdoors, SAP rootkits, SAP forensics
    • Services: SAP Gateway, SAP Router, SAP NetWeaver, SAP GUI, SAP Portal, SAP Solution Manager, SAP TMS, SAP Management Console, SAP ICM/ITS
    • Protocols: DIAG, RFC, SOAP (MMC), Message Server, P4
    • Languages: ABAP buffer overflow, ABAP SQL injection, J2EE verb tampering, J2EE Invoker Servlet
    • Overview: SAP cyber-attacks, top 10 interesting issues, myths about ERP
    Almost every part of SAP has been hacked
  • 14. Top 5 SAP vulnerabilities 2012
    1. SAP NetWeaver DilbertMsg servlet SSRF (June)
    2. SAP HostControl command injection (May)
    3. SAP SDM Agent command injection (November)
    4. SAP Message Server buffer overflow (February)
    5. SAP DIAG buffer overflow (May)
  • 15. SAP NetWeaver DilbertMsg servlet SSRF
    Espionage: Critical
    Sabotage: Critical
    Fraud: Medium
    Availability: Anonymously through the Internet
    Ease of exploitation: Medium
    Future impact: High (new type of attack)
    CVSSv2: 10
    Advisory: http://erpscan.com/advisories/dsecrg-12-036-sap-xi-authentication-bypass/
    Patch: SAP Note 1707494
    Authors: Alexander Polyakov, Alexey Tyurin, Alexander Minozhenko (ERPScan)
  • 16. SAP HostControl command injection
    Espionage: Critical
    Sabotage: Critical
    Fraud: Critical
    Availability: Anonymously through the Internet
    Ease of exploitation: Easy (a Metasploit module exists)
    Future impact: Low (single issue)
    CVSSv2: 10
    Advisory: http://www.contextis.com/research/blog/sap-parameter-injection-no-space-arguments/
    Patch: SAP Note 1341333
    Author: Context IS
  • 17. SAP  J2EE  file  read/write   Espionage:   CriEcal   Sabotage:   Cri=cal   Fraud:   Cri=cal   Availability:   Anonymously     Ease  of  exploitaEon:   Medium   Future  impact:   Low   CVSSv2:   10   Advisory:   hips://service.sap.com/sap/support/notes/1682613     Patch:   SAP  Note  1682613   Author:   Juan  Pablo   17  
  • 18. SAP  Message  Server  buffer  overflow   Espionage:   CriEcal   Sabotage:   Cri=cal   Fraud:   Cri=cal   Availability:   Anonymous   Ease  of  exploitaEon:   Medium.   Good   knowledge   of   exploit   wri=ng   for   mul=ple   plalorms  is  necessary   CVSSv2:   10.0   Advisory:   hip://www.zerodayini=a=ve.com/advisories/ZDI-­‐12-­‐112/     Patch:   SAP  Notes  1649840  and  1649838   Author:   Mar=n  Gallo   18  
  • 19. SAP  DIAG  Buffer  overflow   Espionage:   CriEcal   Sabotage:   Cri=cal   Fraud:   Cri=cal   Availability:   Low.  Trace  must  be  on   Ease  of  exploitaEon:   Medium   CVSSv2:   9.3   Advisory:   hip://www.coresecurity.com/content/sap-­‐netweaver-­‐ dispatcher-­‐mul=ple-­‐vulnerabili=es     Patch:   SAP  Note  1687910   Author:   Mar=n  Gallo   19  
• 20. SAP Security: SAP and the Internet
• 21. SAP on the Internet
  • Among people who work with SAP, a popular myth exists that SAP systems are inaccessible from the Internet, so all SAP vulnerabilities can only be exploited by an insider.
• 22. SAP on the Internet
  • Companies have SAP Portals, SAP SRMs and SAP CRMs remotely accessible
  • Companies connect different offices (by SAP XI)
  • Companies are connected to SAP (through SAP Router)
  • SAP GUI users are connected to the Internet
  • Administrators open management interfaces to the Internet for remote control
  Almost all business applications have web access now
• 23. Google search for web-based SAPs
  • As a result of the scan, 695 unique servers with different SAP web applications were found (14% more than in 2011)
  • 22% of previously found services were deleted
  • 35% growth in the number of new services
• 24. Google search by country
  [Chart: SAP web servers by country (Top 20), in chart order: Finland, Russia, Austria, Denmark, Mexico, Spain, Korea, Norway, Belgium, France, Canada, Brazil, Switzerland, Italy, Netherlands, China, United Kingdom, India, Germany, United States]
• 25. Shodan scan
  A total of 3741 servers with different SAP web applications were found
  Share by application server:
  • SAP NetWeaver J2EE: 41%
  • SAP NetWeaver ABAP: 34%
  • SAP Web Application Server: 20%
  • Other (BusinessObjects, SAP Hosting, etc.): 6%
  [Chart: growth by application server; values shown: 94%, 72%, 30%, -20%, -55%]
• 26. Shodan scan by country
  [Chart: growth of SAP web servers (Top 5): Mexico, Chile, India, China, Taiwan]
  [Chart: SAP web servers by country (Top 20), in chart order: Australia, Taiwan, Chile, Mexico, Denmark, Netherlands, Turkey, Canada, Switzerland, United Kingdom, Korea, China, France, Belgium, Brazil, Spain, India, Italy, Germany, United States]
• 27. Internet Census 2012 scan
  • Not so legal project by the Carna Botnet
  • As a result, 3326 IPs with SAP web applications
  • No SSL: 32%; SSL: 68%
• 28. SAP NetWeaver ABAP - versions
  • 7.3 growth by 250%
  • 7.2 growth by 70%
  • 7.0 loss by 22%
  • 6.4 loss by 45%
  NetWeaver ABAP versions by popularity:
  • 7.0 EHP 0 (Nov 2005): 35%
  • 7.0 EHP 2 (Apr 2010): 23%
  • 7.0 EHP 1 (Oct 2008): 19%
  • 7.3 (Jun 2011): 11%
  • 6.2 (Dec 2003): 6%
  • 6.4 (Mar 2004): 5%
  The most popular release (35%, previously 45%) is still NetWeaver 7.0, and it was released in 2005!
  But security is getting better.
• 29. NetWeaver ABAP – information disclosure
  • Information about the ABAP engine version can be easily found by reading an HTTP response
  • Detailed info about the patch level can be obtained if the application server is not securely configured
  • An attacker can get information from some pages like /sap/public/info
  6% (was 59%) of servers still have this issue
• 30. SAP NetWeaver ABAP – critical services
  • Execute dangerous RFC functions using HTTP requests
  • NetWeaver ABAP URL – /sap/bc/soap/rfc
  • There are several critical functions, such as:
    - Read data from SAP tables
    - Create SAP users
    - Execute OS commands, make financial transactions, etc.
  • By default, any user can have access to this interface and execute the RFC_PING command. So there are 2 main risks:
    - If there is a default username and password, the attacker can execute numerous dangerous RFC functions
    - If a remote attacker obtains any existing user credentials, they can execute a denial of service attack with a malformed XML packet
  6% (was 40%) of ABAP systems on the Internet have the WebRFC service
• 31. SAP NetWeaver J2EE - versions
  • 7.31 growth from 0 to 3%
  • 7.30 growth from 0 to 9%
  • 7.02 growth by 67%
  • 7.0 loss by 23%
  • 6.4 loss by 40%
  NetWeaver JAVA versions by popularity:
  • NetWeaver 7.00: 44%
  • NetWeaver 7.01: 25%
  • NetWeaver 7.02: 10%
  • NetWeaver 7.30: 9%
  • NetWeaver 6.40: 9%
  • NetWeaver 7.31: 3%
  The most popular release (44%, previously 57%) is still NetWeaver 7.0, and it was released in 2005!
  But security is getting better.
• 32. NetWeaver J2EE – information disclosure
  • Information about the J2EE engine version can be easily found by reading an HTTP response.
  • Detailed info about the patch level can be obtained if the application server is not securely configured and allows an attacker to get information from some pages:
    – /rep/build_info.jsp: 26% (61% last year)
    – /bcb/bcbadmSystemInfo.jsp: 1.5% (17% last year)
    – /AdapterFramework/version/version.jsp: 2.7% (a new issue)
• 33. SAP NetWeaver J2EE – critical services
  • NetWeaver J2EE URL: /ctc/ConfigTool (and 30 others)
  • Can be exploited without authentication
  • There are several critical functions, such as:
    • Create users
    • Assign a role to a user
    • Execute OS commands
    • Remotely turn the J2EE Engine on and off
  • Was presented by us at BlackHat 2011
  It was found that 50% (was 61%) of J2EE systems on the Internet have the CTC service enabled.
• 34. SAP Security: From Internet to Intranet
• 35. Disclaimer
  * Some numbers are approximate (mostly lower than in the real world) because of the very large amount of resources needed to fully analyze the Internet for SAP services with detailed numbers. We use an optimized scan approach, which will be described in the whitepaper.
• 36. SAP Router
  • Special application proxy
  • Transfers requests from the Internet to SAP (and not only)
  • Can work through VPN or SNC
  • Almost every company uses it for connecting to SAP to download updates
  • Usually listens on port 3299
  • Internet accessible (approximately 5000 IPs)
  • http://www.easymarketplace.de/saprouter.php
  Almost every third company has an SAP Router accessible from the Internet on the default port.
• 37. SAP Router: known issues
  • Absence of ACL – 15%
    – Possible to proxy any request to any internal address
  • Information disclosure about internal systems – 19%
    – Denial of service by specifying many connections to any of the listed SAP servers
    – Proxy requests to the internal network if there is no ACL
  • Insecure configuration, authentication bypass – 5%
  • Heap corruption vulnerability
• 38. Port scan results
  • Are you sure that only the necessary SAP services are exposed to the Internet?
  • We were not
  • In 2011, we ran a global project to scan all of the Internet for SAP services
  • It is not completely finished yet, but we have the results for the top 1000 companies
  • We were shocked when we saw them first
• 39. Port scan results
  [Chart: exposed services 2011 vs. exposed services 2013, per service: SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server, SAP Router]
  Listed services should not be accessible from the Internet
• 40. SAP HostControl service
  • SAP HostControl is a service which allows remote control of SAP systems
  • There are some functions that can be used remotely without authentication
  • Issues:
    – Read developer traces with passwords
    – Remote command injection
  • About every 120th (was 20th) company is vulnerable REMOTELY
  • About 35% of assessed systems locally
• 41. SAP Management Console
  • SAP MMC allows remote control of SAP systems
  • There are some functions that can be used remotely without authentication
  • Issues:
    – Read developer traces with passwords
    – Read logs with JSESSIONIDs
    – Read information about parameters
  • About every 40th (was 11th) company is vulnerable REMOTELY
  • About 80% of systems locally
• 42. SAP Message Server
  • SAP Message Server – load balancer for application servers
  • Usually, this service is only available inside the company
  • By default, the server is installed on port 36NN
  • Issues:
    – Memory corruption
    – Information disclosure
    – Unauthorized service registration (MITM)
  • About every 60th (was every 10th) company is vulnerable REMOTELY
  • About 50% of systems locally
• 43. SAP Message Server HTTP
  • HTTP port of SAP Message Server
  • Usually, this service is only available inside the company
  • By default, the server is installed on port 81NN
  • Issue: unauthorized read of profile parameters
  • About every 60th (was every 10th) company is vulnerable REMOTELY
  • About 90% of systems locally
• 44. SAP Dispatcher service
  • SAP Dispatcher - client-server communications
  • It allows connecting to SAP NetWeaver using the SAP GUI application through the DIAG protocol
  • Should not be available from the Internet in any way
  • Issues:
    – There are a lot of default users that can be used to connect and fully compromise the system remotely
    – Also, there are memory corruption vulnerabilities in Dispatcher
  • About every 20th (was 6th) company is vulnerable REMOTELY
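Slides 39 to 44 say which SAP services should never face the Internet and give the default ports for some of them. The following is an added example (not ERPScan's tooling) that maps a constructed port-scan export onto those services so an administrator can check their own perimeter; SAP Router 3299, Message Server 36NN and Message Server HTTP 81NN come from the slides, while Dispatcher 32NN, HostControl 1128 and the sapstartsrv/MMC port 5NN13 are well-known SAP defaults assumed here (NN is the instance number).

```python
"""Classify Internet-exposed ports against SAP default port conventions.
Added example, not code from the slides.  Ports 3299, 36NN and 81NN are
stated on the slides; 32NN, 1128 and 5NN13 are assumed SAP defaults."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Fixed ports (no instance number) and instance-based port ranges.
FIXED_PORTS = {3299: "SAP Router", 1128: "SAP HostControl"}
INSTANCE_RANGES = (  # (low, high, service) ; instance NN = port - low
    (3200, 3299, "SAP Dispatcher (DIAG)"),
    (3600, 3699, "SAP Message Server"),
    (8100, 8199, "SAP Message Server HTTP"),
)


def classify_port(port: int) -> Optional[Tuple[str, Optional[str]]]:
    """Return (service, instance) for a SAP default port, else None.
    3299 is checked first: it collides with Dispatcher instance 99,
    and the slides give 3299 as the SAP Router port."""
    if port in FIXED_PORTS:
        return FIXED_PORTS[port], None
    for low, high, service in INSTANCE_RANGES:
        if low <= port <= high:
            return service, f"{port - low:02d}"
    # sapstartsrv / SAP MMC listens on 5NN13 for instance NN (assumed default)
    if 50013 <= port <= 59913 and (port - 50013) % 100 == 0:
        return "SAP MMC (sapstartsrv)", f"{(port - 50013) // 100:02d}"
    return None


def exposed_sap_services(scan_lines: List[str]) -> List[Tuple[str, int, str, Optional[str]]]:
    """Parse constructed 'ip port state' lines and keep open SAP ports."""
    findings = []
    for line in scan_lines:
        parts = line.split()
        if len(parts) != 3 or parts[2] != "open":
            continue
        ip, port = parts[0], int(parts[1])
        hit = classify_port(port)
        if hit:
            findings.append((ip, port, hit[0], hit[1]))
    return findings


def summarize(findings: List[Tuple[str, int, str, Optional[str]]]) -> Dict[str, int]:
    """Count exposed hosts per service, like the slide-39 bar chart."""
    return dict(Counter(f[2] for f in findings))


# Constructed scan output using RFC 5737 documentation addresses.
SAMPLE_SCAN = [
    "203.0.113.10 3299 open",
    "203.0.113.10 443 open",
    "203.0.113.11 3601 open",
    "203.0.113.11 8101 open",
    "203.0.113.12 3200 open",
    "203.0.113.12 50013 open",
    "203.0.113.13 3299 filtered",
]

if __name__ == "__main__":
    for ip, port, service, inst in exposed_sap_services(SAMPLE_SCAN):
        suffix = f" (instance {inst})" if inst else ""
        print(f"{ip}:{port} -> {service}{suffix}: should not face the Internet")
    print(summarize(exposed_sap_services(SAMPLE_SCAN)))
```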
• 45. But who actually tried to exploit it?
• 46. Known internal fraud incidents
  • Exploit market interest
  • Anonymous attacks
  • Insider attacks
  • Evil subcontractors and ABAP backdoors
• 47. Market interest
  • Whitehat buyers and sellers
    – Companies like ZDI buy exploits for SAP
    – In 2012 alone, ZDI published 5 critical SAP issues
  • Whitehat buyers and different sellers
    – Companies who trade 0-days say that there is interest from both sides
  • Black market
    – Anonymous attack?
    – Why not?
• 49. Anonymous attack
  Now, it adds, “We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they...” Anonymous claims to have a “sweet 0day SAP exploit”, and the group intends to “sploit the hell out of it.”
  • This attack has not been confirmed by the customer nor by the police authorities in Greece investigating the case. SAP does not have any indication that it happened.
• 50. Insider attacks
  • The Association of Certified Fraud Examiners (ACFE) survey showed that U.S. organizations lose an estimated 7% of annual revenues to fraud.
  • Real examples that we met:
    – Salary modification
    – Material management fraud
    – Mistaken transactions
• 51. Evil subcontractors and ABAP backdoors
  • They exist!
  • Sometimes it is possible to find them
• 52. What had happened already?
  • Autocad virus (industrial espionage)
    – http://www.telegraph.co.uk/technology/news/9346734/Espionage-virus-sent-blueprints-to-China.html
  • Internet-trading virus (fraud)
    – Ranbyus modification for QUICK
    – http://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/
  • News resources hacking (sabotage)
    – http://www.bloomberg.com/news/2013-04-23/dow-jones-drops-recovers-after-false-report-on-ap-twitter-page.html
• 53. What can be
  Just imagine what could be done by breaking:
  • One SAP system
  • All SAP systems of a company
  • All SAP systems in a particular country
  • Everything
• 54. SAP strategy in application security
  • Now security is the number 1 priority for SAP
  • Implemented its own internal security process (SDLC)
  • Security summits for internal teams
  • Internal trainings with external researchers
  • Strong partnership with research companies
  • Investments in the automatic and manual security assessment of new and old software
• 55. Future threats and predictions
  • Old issues are being patched, but a lot of new systems have vulnerabilities
  • The number of vulnerabilities per year is going down compared to 2010, but they are more critical
  • The number of companies who find issues in SAP is growing
  • There are still many uncovered areas in SAP security
  • SAP forensics can be a new research area because it is not easy to find evidence now, even if it exists
• 56. Forensics as a new trend for 2013
  • If there are no attacks, it doesn't mean anything
  • Companies don't like to share information about data compromise
  • Companies don't have the ability to identify an attack
  • Only 10% of systems use the SAP security audit log
  • Only 2% of systems analyze it
  • Only 1% do correlation and deep analysis
  * Based on the assessment of over 250 servers of companies that allowed us to share results
• 57. Forensics as a new trend for 2013
  Share of assessed systems with each log enabled:
  • ICM log icm/HTTP/logging_0: 70%
  • Security audit log in ABAP: 10%
  • Table access logging rec/client: 4%
  • Message Server log ms/audit: 2%
  • SAP Gateway access log: 2%
  * Based on the assessment of over 250 servers of companies that allowed us to share results.
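Slide 57 names the profile switches behind each log and shows how rarely they are on. As an added example (not ERPScan's tooling), the following checks a constructed profile fragment for those switches so a forensics-readiness gap can be spotted before an incident; icm/HTTP/logging_0, rec/client and ms/audit are the parameter names from the slide, while rsau/enable (Security Audit Log) and gw/logging (Gateway log) are the standard parameters assumed for the remaining two items, and the sample values are constructed.

```python
"""Audit a SAP profile for the logging switches slide 57 reports as
rarely enabled.  Added example, not the slides' own tooling.
icm/HTTP/logging_0, rec/client and ms/audit are named on the slide;
rsau/enable and gw/logging are assumed standard parameter names."""
from typing import Callable, Dict, List, Tuple


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines of a SAP profile; '#' starts a comment."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = (s.strip() for s in line.split("=", 1))
        params[name] = value  # a later definition overrides an earlier one
    return params


# (parameter, description, predicate that says the value means "enabled")
CHECKS: List[Tuple[str, str, Callable[[str], bool]]] = [
    ("icm/HTTP/logging_0", "ICM HTTP access log", lambda v: bool(v)),
    ("rsau/enable", "Security Audit Log (ABAP)", lambda v: v == "1"),
    ("rec/client", "Table change logging", lambda v: v.upper() != "OFF"),
    ("ms/audit", "Message Server audit log", lambda v: v == "1"),
    ("gw/logging", "SAP Gateway access log", lambda v: "ACTION=" in v),
]


def audit_logging(profile_text: str) -> Dict[str, bool]:
    """Map each logging control to True only if the profile enables it.
    A parameter that is absent counts as disabled."""
    params = parse_profile(profile_text)
    return {name: name in params and enabled(params[name])
            for name, _, enabled in CHECKS}


def report(profile_text: str) -> List[str]:
    """Human-readable line per control, in slide-57 order."""
    results = audit_logging(profile_text)
    return [f"{'OK     ' if results[n] else 'MISSING'} {n:20} {d}"
            for n, d, _ in CHECKS]


# Constructed DEFAULT.PFL-style fragment: only the ICM log is on, which
# matches the picture of a typical system on the slide.
SAMPLE_PROFILE = """\
# constructed profile fragment for the example
SAPSYSTEMNAME = PRD
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=access_log,LOGFORMAT=CLF
rsau/enable = 0
rec/client = OFF
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PROFILE)))
```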
• 58. Conclusion
  • - The interest in SAP platform security has been growing exponentially, and not only among whitehats
  • + SAP security in the default configuration is getting much better now
  • - SAP systems can become a target not only for direct attacks (for example APT) but also for mass exploitation
  • + SAP invests money and resources in security, provides guidelines, and arranges conferences
  • - Unfortunately, SAP users still pay little attention to SAP security
  • + I hope that this talk and the report that will be published next month will prove useful in this area
• 59. Conclusion
  Issues are everywhere, but the risks and the price of mitigation are different
• 60. Conclusion
  I'd like to thank the SAP Product Security Response Team for their great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
  End of October – Release of “SAP Security in Figures 2013”
• 61. Conclusion
  We devote attention to the requirements of our customers and prospects, and constantly improve our product. If you presume that our scanner lacks a particular function, you can e-mail us or give us a call. We will be glad to consider your suggestions for the next releases or monthly updates.
  web: www.erpscan.com, www.dsecrg.com
  e-mail: info@erpscan.com, sales@erpscan.com