SAP SECURITY IN FIGURES:
A GLOBAL SURVEY
2007–2013 Authors:
Alexander Polyakov
Alexey Tyurin
Other contributors:
Kirill Nikitenkov
Evgeny Neyolov
Alina Oprisko
Dmitry Shimansky
A GLOBAL SURVEY 2007–2013 0. Content
www.erpscan.com•www.eas-sec.org 1
Content
Content .... 1
Disclaimer .... 3
1. Intro .... 4
1.1. Corporate security changes .... 4
2. Brief results .... 6
3. Vulnerability statistics .... 8
3.1. Number of SAP Security Notes .... 8
3.2. SAP Security Notes sorted by criticality .... 9
3.3. SAP Security Notes sorted by type .... 10
3.4. Number of acknowledgements to external researchers .... 12
3.5. Amount of publicly available information .... 15
3.6. Top 5 most valuable vulnerabilities in 2012 .... 17
4. Growing interest .... 21
4.1. Number of security reports in technical conferences .... 21
5. SAP on the Internet .... 23
5.1. Google search results by country .... 23
5.2. Shodan search results by country .... 26
5.3. Internet Census scan .... 29
5.4. PortScan search result by country .... 30
6. SAP versions .... 32
6.1. ABAP engine versions .... 32
6.2. J2EE engine versions .... 33
6.3. OS popularity for SAP .... 34
6.4. RDBMS popularity for SAP Backend .... 35
7. Critical services on the Internet .... 35
7.1. SAProuter .... 35
7.2. WebRFC service as part of NetWeaver ABAP .... 37
7.3. CTC service as part of NetWeaver J2EE .... 37
7.4. SAP Message Server HTTP .... 38
7.5. SAP Management Console .... 38
7.6. SAP Host Control .... 39
7.7. SAP Dispatcher service .... 39
8. Future predictions and trends .... 41
8.1. Internal threats .... 41
8.2. External threats .... 41
SAP Security in Figures. 2007–2013
2
8.3. SAP forensics .... 42
8.4. What can happen? .... 42
8.4.1. Autocad virus .... 42
8.4.2. Internet-Trading virus .... 43
8.4.3. News resources hacking (Sabotage) .... 43
9. Conclusion .... 44
About ERPScan .... 45
About OWASP-EAS (EAS-SEC) .... 46
Open Security Project .... 46
Project mission .... 46
Links and future reading .... 48
Our contacts .... 52
Disclaimer
The partnership agreement and relationship between ERPScan and SAP prevent us from publishing detailed
information about vulnerabilities before SAP releases a patch. This whitepaper includes only the details of
those vulnerabilities that we have the right to publish as of the release date. However, additional
examples of exploitation that prove the existence of the vulnerabilities are available in conference demos
as well as at ERPScan.com [1].
Our SAP security surveys and research in other areas of SAP security do not end with this whitepaper.
You can find the latest updates about the statistics of SAP services found on the Internet and other
endeavors of the EAS-SEC project [2] at SAPScan.com [3].
The survey was conducted by ERPScan as part of its contribution to the EAS-SEC non-profit organization,
which is focused on Enterprise Application Security awareness.
This document or any part of it cannot be reproduced in whole or in part without prior written
permission of ERPScan. SAP AG is neither the author nor the publisher of this whitepaper and is not
responsible for its content. ERPScan is not responsible for any damage that can be incurred by
attempting to test the vulnerabilities described here. This publication contains references to SAP AG
products. SAP NetWeaver and other SAP products and services mentioned herein are trademarks or
registered trademarks of SAP AG in Germany.
1. Intro
An ERP system is the heart of any large company. It enables all the critical business processes, from
procurement, payment and transport to human resources management, product management and
financial planning. All of the data stored in ERP systems is of great importance, and any illegal access can
mean enormous losses, potentially leading to the termination of business processes. In 2006 through 2010,
according to the Association of Certified Fraud Examiners (ACFE), losses to internal fraud constituted 7%
of yearly revenue on average. Global fraud loss is estimated at more than $3.5 trillion for 2010–2012 [5].
Thus, a typical entity loses 5% of annual revenue to fraud. The average value for 4 years is 6%. That is
why we decided to increase awareness in this area.
The widespread myth that ERP security is limited to the SoD matrix has been dispelled lately and now seems
more like an ancient legend. Within the last 7 years, SAP security experts have spoken a great deal
about various attacks on SAP from the RFC interface, SAProuter, SAP WEB and SAP GUI client
workstations [6]. Interest in the topic has been growing exponentially: in 2006, there was 1 report [7] on
SAP at a technical conference dedicated to hacking and security, whereas in 2011 there were already more
than 20 of them. In 2012, the popularity of the topic inspired more than 30 reports, and by the middle of
2013, about 20 reports had been issued in only half a year. A variety of hack tools that prove the
possibility of SAP attacks has been released [8], [9], [10].
According to the statistics of vulnerabilities found in business applications, more than 100
vulnerabilities were patched in SAP products in 2009, while the number grew to more than 500 in 2010. By
August 2013, there were more than 2700 SAP Security Notes about vulnerabilities in various SAP components.
1.1. Corporate security changes
The development of corporate infrastructure tends to move from a decentralized model towards the
integration of business processes into unified systems. Not long ago, a company would run several servers,
including a mail server, file server, domain controller, etc. However, these functions have been
integrated into a unified business application, resulting in more convenient access but also in a single
point of failure. Business applications and ERP systems store all of the critical corporate data, from
financial reports and personal information to lists of contractors and corporate secrets. Such a system
would be the main target of an insider or an external attacker, and their ultimate aim is nowhere near
administrative access to the domain controller.
Losses to internal fraud constituted 6% of yearly revenue on average
Most of SAP vulnerabilities allow an unauthorized user to gain access to all critical
business data, so it is necessary to consider the main attack vectors and the ways to
secure those highly critical systems
Nevertheless, many information security officers are, unfortunately, scarcely informed about the
security of business applications like SAP. Another problem is that the responsibility for providing
security lies with the system owner rather than the CISO, and owners answer only to themselves. In the end,
nobody is responsible for the security of the most critical system elements.
Less global problems include, for example:
• Lack of qualified specialists – SAP specialists in most companies see SAP security as the SoD matrix
only, whereas CISOs hardly understand SAP threats, not to mention advanced tweaks.
• Great range of advanced configuration – There are more than 1000 parameters in the standard
system configuration, plus a great range of advanced options, not to mention the segregation of access
rights to various objects like transactions, tables, RFC procedures, etc. For example, the web interfaces
for accessing the system alone can number several thousand. Securing a configuration of this scale can be
hard even for a single system.
• Customizable configuration – No two SAP systems are alike, because most parameters are
customized for every client in one way or another. Furthermore, custom programs are developed, and
their security has to be accounted for too in a complete assessment.
The purpose of this report is to provide a high-level overview of SAP security in figures, so that the area
is not just theoretically comprehensible but grounded in actual numbers and metrics – from the number of
found issues and their popularity to the number of vulnerable systems, all acquired as a result of a
global scan [3].
2. Brief results
Vulnerabilities
• Old issues are being patched, but a lot of new systems have vulnerabilities. SAP acquires new
companies and invents new technologies faster than researchers analyze them.
• The number of vulnerabilities per year is going down compared to 2010, but they have become
more critical.
• 69% of issues closed by SAP are marked as critical.
• The top 5 issues are more critical now than they were last year. Almost all of them have CVSS 10
(the highest rate).
Interest
• The number of companies which find issues in SAP is growing (2 times compared to the previous year),
and the percentage of issues found with the help of external researchers is getting higher and
higher.
• The interest in SAP platform security has been growing exponentially, and not only among whitehats.
SAP systems can become a target both for direct attacks (e.g. APT) and for mass exploitation, because a
range of simply exploitable and widely installed services is accessible from the Internet.
Internet
• Almost 5000 SAP Routers were found, and 85% of them are vulnerable to remote code execution.
• Almost 30% growth of web-based SAP solutions (90% growth of SAP Portal).
• Giant growth of the Latin American and Asian segment of web-based SAP systems.
• The most popular release (35%) is still NetWeaver 7.0, which was released in 2005.
• One third of Internet-facing SAP web services do not use SSL at all.
• The number of Internet-exposed services is 3-5 times lower (depending on the service) but still
relevant.
Internal
• The number of internally exposed critical services and vulnerabilities is extremely big (30–95%
depending on the service).
• Only 10% of systems have the security audit log enabled.
• Internal fraud and ABAP-specific backdoors are more likely now.
Defense
• SAP security in the default configuration is getting much better.
[+] SAP invests money and resources in security, provides guidelines, and arranges conferences.
[-] Unfortunately, SAP users still pay little attention to SAP security.
Predictions
• There are still a lot of uncovered areas in SAP security.
• SAP forensics can be a new research area, because it is not easy to find evidence now, even if it
exists.
• New types of cyber-weapons which target ERP systems can appear shortly.
3. Vulnerability statistics
The information about vulnerabilities in SAP sorted by their popularity, criticality and the affected
systems is given here. The top 5 most valuable publicly known vulnerabilities are presented as well.
3.1. Number of SAP Security Notes
Every month on SAP Critical Patch Day (every second Tuesday), SAP releases one or more internal
advisories called SAP Security Notes. Such an advisory usually contains information about one or more
vulnerabilities found in SAP products, or about misconfigurations that bear some risk to SAP systems. The
first SAP Security Note was published in 2001. In 2007, the number of published notes began to grow
exponentially.
Figure 3.1–1 Number of SAP Security Notes per year (the data was collected on September 1, 2013, when a total of 2718 notes had been published)
During 2011, the approximate number of SAP Security Notes published every month on the Critical
Patch Day was about 61. In 2012, this number increased to 54 notes, and by the middle of 2013, it
equaled 29 notes a month on average. In comparison to other software vendors, this is more than
Microsoft, Oracle, or Cisco. Needless to say, just 4 years ago (2009) this number was much lower
(approximately 6 times).
[Figure 3.1–1: bar chart of SAP Security Notes per year, 2001–2013; y-axis 0–900]
As of September 1, 2013, 2718 SAP Security Notes have been published
A GLOBAL SURVEY 2007–2013 3. Vulnerability statistics
www.erpscan.com•www.eas-sec.org 9
Figure 3.1–2 Average number of the Notes which are released every month per year
From the two previous figures, you can draw a conclusion that the number of security notes has been
going down a little since the peak in 2010. However, the number is still huge, and, as you will see in the
following figures, the percentage of highly critical vulnerabilities is getting higher.
3.2. SAP Security Notes sorted by criticality
SAP has 5 different levels of criticality for published notes:
1. Hot News
2. Correction with high priority
3. Correction with medium priority
4. Correction with low priority
5. Recommendations/additional info
Figure 3.2–1 Number of SAP Security Notes, sorted by criticality level, compared: 2011 – light, 2013 – dark
[Figure 3.1–2 data, average notes per month: 2010 – 70, 2011 – 62, 2012 – 54, 2013 – 29]
[Figure 3.2–1 data, 2011 / 2013: 1 - HotNews 163 / 178; 2 - Correction with high priority 1355 / 1896;
3 - Correction with medium priority 371 / 507; 4 - Correction with low priority 74 / 79;
5 - Recommendations/additional info 58 / 58; x-axis 0–2000]
Most of the issues (69%) have high priority, which means that about 2/3 of the
published vulnerabilities must be corrected quickly
SAP Security in Figures. 2007–2013
10
Figure 3.2–2 Percentage of High priority vulnerabilities per year
Figure 3.2–3 Percentage of Low priority vulnerabilities per year
As you can see, the overall number of security vulnerabilities found in SAP is getting lower, but
researchers have started to focus on critical vulnerabilities.
3.3. SAP Security Notes sorted by type
All published SAP Security Notes were analyzed by their popularity. The most popular types of issues are
presented below.
[Figure 3.2–2 data, percentage of High priority vulnerabilities, 2009–2013: 32.86, 69.99, 77.70, 80.34, 59.57]
[Figure 3.2–3 data, percentage of Low priority vulnerabilities, 2009–2013: 9.54, 4.08, 1.09, 1.40, 0.43]
A GLOBAL SURVEY 2007–2013 3. Vulnerability statistics
www.erpscan.com•www.eas-sec.org 11
Figure 3.3–1 SAP Security Notes, sorted by type
About 20% of the found vulnerabilities are not included in the top 10, because a lot of unique issues exist in
SAP systems. Some of them are covered in our presentation called “Top 10 most interesting SAP
vulnerabilities and attacks” [11].
In addition, we compared the SAP vulnerability lists for 2012 and 2013 and the OWASP Top 10 to see
whether there are any differences between web-based issues and business application issues, and whether
anything has changed.
Vulnerability type | Popularity in SAP till mid 2013 | Popularity in SAP till mid 2012 | Popularity in SAP till mid 2011 | Growth by percent | Popularity in CWE | Place in OWASP Top 10
1 - XSS | 1 | 3 (+2) | 2 (+1) | 0.53 | 2 | 1
2 - Missing authorization check | 2 | 2 | 1 (-1) | 0.28 | 3 | 2
3 - Directory traversal | 3 | 1 (-2) | 3 | 0.10 | 10 | 3
4 - SQL Injection | 4 | 4 | 4 | 0.05 | 4 | 4
5 - Information disclosure | 5 | 5 | 6 (+1) | 0.36 | 8 | 5
6 - Code injection | 6 | 8 (+2) | 8 (+2) | 0.57 | 7 | 6
7 - Authentication bypass | 7 | 6 (-1) | 5 (-2) | 0.18 | 3 | 7
8 - Hardcoded credentials | 8 | 7 (-1) | 7 (-1) | 0.17 | N/A | 8
9 - Remote code execution | 9 | 9 | 9 | 0.13 | 1 | 9
10 - Verb tampering | 10 | 10 | N/A | 0.11 | N/A | 10
[Figure 3.3–1: pie chart, Top 10 types of vulnerabilities: 1 - XSS 25%; 2 - Missing authorization check 22%;
3 - Directory traversal 20%; 4 - SQL Injection 9%; 5 - Information disclosure 7%; 6 - Code injection 5%;
7 - Authentication bypass 4%; 8 - Hardcoded credentials 4%; 9 - Remote code execution 3%; 10 - Verb tampering 1%]
The 3 most common vulnerabilities cover 42% (was 41%) of all found issues.
The top 10 issues cover 63% (unchanged) of all issues.
As you can see, the situation has changed slightly. We can only guess the core reason for those changes,
because many different factors can lead to them and the numbers may not be very representative. But
here are some ideas.
The main factors which can influence those numbers are:
• The growing number of web-based applications and thus the growing number of web vulnerabilities.
• Enhancements in static code analysis software, which show us that the number of issues which
can be easily found using simple regular expressions is falling. On the other hand, the number of
issues that require more accurate static code analysis, including data flow, is rising.
So, taking those things into account, we can conclude that:
• The growing number of XSS vulnerabilities is predictable due to the popularity of web-based
applications, especially in the J2EE stack, and also due to the improvement of static code analysis.
• The falling number of directory traversal issues is predictable due to the fact that they are easy to
find and most of them have already been found. Also, SAP has added some improvements and
additional authorization checks against directory traversal issues in new releases.
• The growing number of code injection vulnerabilities is due to their high criticality and the fact that
any injection flaw is easier to find with more advanced static code analysis tools.
• On the other hand, issues such as hardcoded credentials will be harder to find with every year,
precisely because they are very easy to find (i.e., most of them have already been found by
simple regular expressions).
There are some areas which differ between WEB and ERP programming vulnerabilities. This situation is
another proof that business applications need a different approach and different priorities when we talk
about SDLC processes.
3.4. Number of acknowledgements to external researchers
In 2010, SAP decided to give acknowledgements to external security researchers for the vulnerabilities
found in their products [12]. In the figure, you can see the number of vulnerabilities that were found by
external researchers since 2010.
Figure 3.4–1 Number of vulnerabilities found by external researchers per year
In 2010, there were just 16 companies that had acknowledgements from SAP, but by the middle of
2013, we have counted 46 different companies and 3 researchers, which is almost 3 times more.
Figure 3.4–2 Number of companies acknowledged by SAP per year
External companies and researchers were acknowledged by SAP for helping to close 353 vulnerabilities
in SAP products. Most companies were acknowledged just for one vulnerability while ERPScan has
almost a quarter of all acknowledgements with 83 acknowledgements in total (much more than any
other contributor).
[Figure 3.4–1 data, vulnerabilities found by external researchers, 2010–2013: 57, 102, 81, 113]
[Figure 3.4–2 data, companies acknowledged by SAP, 2010–2013: 16, 29, 34, 46]
The 80/20 rule works almost perfectly: 80% of vulnerabilities were found by 17.5% of
companies
Figure 3.4–3 Percentage of acknowledgements vs. number of companies
The ratio of vulnerabilities found by external researchers to vulnerabilities found by SAP internally is
growing, as is the number of external researchers.
Figure 3.4–4 Percentage of acknowledgements to external researchers per year
What else can be derived from the relationship of SAP with external researchers? Recently, we have
been receiving more and more responses from SAP PSRT to our vulnerability reports saying that the issue
has already been patched. This can be due to two reasons, and each of them is good news
for SAP users. Firstly, SAP AG itself has significantly improved its internal SDLC and vulnerability
research, so some issues were already found by SAP. Secondly, two different researchers sometimes get
credit for the same issue, which means that the number of researchers is going to increase.
[Figure 3.4–3: percentage of acknowledgements (0–100%) vs. number of companies (0–50)]
[Figure 3.4–4 data, percentage of acknowledgements to external researchers, 2010–2013: 6.84, 13.95, 12.64, 49.13]
Figure 3.4–5 Number of duplicated issues sent by ERPScan researchers per year
3.5. Amount of publicly available information
The most critical threat is connected to the vulnerabilities for which information about the methods
of exploitation (detailed advisories, POC code and working exploits) is publicly available. Information was
gathered from the three most popular sources:
Security Focus [13] – Detailed advisories, sometimes with POC code, can usually be found here. All the
vulnerabilities published here have a high probability of exploitation. 149 vulnerability advisories (5.5% of
all vulnerabilities) were found here (as of September 1).
[Figure 3.4–5: duplicated issues sent by ERPScan researchers per year, 2009–2013; y-axis 0–12]
The record of bugs found by external researchers was cracked in January 2013: 76%
Figure 3.5–1 Advisories per year from SecurityFocus
Exploit-DB [16] – Usually, exploit code that can be used 100% without any modification or additional
knowledge of exploiting systems can be found here. All the vulnerabilities published here have a critical
probability of exploitation. A total of 49 exploits (1.8% of all vulnerabilities) were found here (as of
September 1).
Figure 3.5–2 Exploits per year from Exploit-DB
In the figure below, you can find vulnerabilities categorized by probability and ease of exploitation
according to the amount of information available to hackers in public sources, as opposed to classified
information from SAP Security Notes.
[Figure 3.5–1: advisories per year, 2001–2013; y-axis 0–40]
[Figure 3.5–2: exploits per year, 2001–2013; y-axis 0–12]
Figure 3.5–3 SAP vulnerabilities by probability and ease of exploitation, as of September 1, 2013
3.6. Top 5 most valuable vulnerabilities in 2012
Out of the many published vulnerabilities, we have chosen the top 5 with the most significant threats
published in 2012:
• SAP NetWeaver J2EE – DilbertMSG SSRF [17]
• SAP Host Control – Command Injection [18]
• SAP NetWeaver J2EE – File Read/Write [19]
• SAP Message Server – Buffer Overflow [20]
• SAP Dispatcher – DIAG protocol Buffer Overflow [21]
We chose 2 main factors among others to identify the most valuable issues disclosed in 2012:
• Accessibility – A major factor: whether it is possible to exploit a vulnerability from the
Internet without user authorizations.
• Criticality – How critical the harm to the system will be.
1. SAP NetWeaver J2EE – DilbertMSG SSRF
The vulnerability was found in the XML parser of the SAP NetWeaver J2EE engine. Actually, it is several
vulnerabilities that lead to an SSRF (Server Side Request Forgery) attack, allowing an anonymous attacker
from the Internet to send any TCP packet to any internal network, and many other things like reading
OS files, bypassing Message Server security, Denial of Service attacks and so on. This type of attack may
not be as critical as the others presented below, but it opens a new class of issues, and similar
problems can appear in the future.
[Figure 3.5–3 data: SAP Security Note available 2718 (100%); some information available 353 (13%);
advisory or POC available 149 (5.5%); exploit available 49 (1.8%)]
Espionage: Critical
Sabotage: Critical
Fraud: Medium
Availability: Anonymously through the Internet
Ease of exploitation: Medium
Future impact: High (New type of attack)
CVSSv2: 7.3
Advisory: http://erpscan.com/advisories/dsecrg-12-036-sap-xi-authentication-bypass/
Patch: SAP Note 1707494
Author: Alexander Polyakov, Alexey Tyurin, Alexander Minozhenko (ERPScan)
2. SAP Host Control – Code Injection
The vulnerability was found in the SAP Host Control service of the SAP NetWeaver ABAP engine, which
listens on TCP port 1128 by default. This vulnerability allows an anonymous attacker to execute any
OS command by injecting it into a SOAP packet. However, this vulnerability only works when SAP is
installed on top of the MaxDB database. This issue took second place due to three factors: ease of
exploitation, availability of an exploit on the Internet, and the huge number of exposed SAP Host Control
services on the Internet.
Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymously through the Internet
Ease of exploitation: Easy (Metasploit module exists)
Future impact: Low (Single issue)
CVSSv2: 10
Advisory: http://www.contextis.com/research/blog/sap-parameter-injection-no-space-arguments/
Patch: SAP note 1341333
Author: Contextis
3. SAP NetWeaver J2EE – File Read/Write
This vulnerability was found in the SAP NetWeaver J2EE stack and allows an anonymous attacker to obtain
read and write access to any file on the operating system. The criticality of that issue is 10 by CVSS. The
only two facts which put this issue in third place are that the vulnerable service is available internally
and that there is no public information about the details of exploiting this issue.
Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymously
Ease of exploitation: Medium
Future impact: Low
CVSSv2: 10
Advisory: https://service.sap.com/sap/support/notes/1682613
Patch: 1682613
Author: Juan Pablo
4. SAP Message Server – Buffer Overflow
A remote buffer overflow vulnerability with the ability to execute any code at OS level with the rights of
the <SID>adm user was found in the SAP Message Server service. The vulnerability was sold to ZDI, and the
criticality of this issue was marked as 10 by CVSS, which is the highest score. Another critical thing is
that this service can also be exposed to the Internet, which will be detailed later.
Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymous
Ease of exploitation: Medium. Good knowledge of exploit writing for multiple platforms is necessary
CVSSv2: 10.0
Advisory: http://www.zerodayinitiative.com/advisories/ZDI-12-112/
Patch: SAP note 1649840 and 1649838
Author: Martin Gallo
5. SAP Dispatcher – DIAG protocol buffer overflow
SAP Dispatcher is the main service for SAP client-server communications. It allows connecting to SAP
NetWeaver with the SAP GUI application through the DIAG protocol. Martin Gallo from Core Security found
multiple buffer overflow vulnerabilities that can lead to a denial of service attack, and one of them also
allows code execution [22].
The exploit code was published on May 9, and an unauthorized cybercriminal can exploit it without any
rights. The good news is that this vulnerability only works when the DIAG trace is set to level 2 or 3,
which is not the default value but a possible one anyway.
Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Low. Trace must be on
Ease of exploitation: Medium
CVSSv2: 9.3
Advisory: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities
Patch: 1687910
Author: Martin Gallo
4. Growing interest
While most security trends and threat forecasts focus on mobile, cloud, social networks and critical infrastructure, areas whose threats are largely still to come, ERP security is a topic whose threats exist today. That is why the number of companies focused on ERP security and selling software for ERP assessment is growing, and the number of security consulting companies offering specialised ERP security services is growing with it.
4.1. Number of security reports in technical conferences
Since 2006, SAP security has received growing attention at technical security conferences such as CanSecWest, BlackHat, HITB and others; there were also a few earlier SAP-related talks, such as the 2004 research by Phenoelit. Since 2010 the trend has spread to other conferences, with more and more companies and researchers publishing research in the field of SAP security. In 2006–2009, talks mostly demonstrated typical information security threats in SAP landscapes: SAP web application security, SAP client-side security, SAP backdoors and Trojans. In the last year the discussion has shifted towards retrospective and defensive areas such as SAP forensics.
During almost 10 years of research, almost every part of SAP has been breached in some way and almost every area has been discussed in terms of security:
► Common: SAP Backdoors, SAP Rootkits, SAP Forensics
► Services: SAP Gateway, SAP Router, SAP NetWeaver, SAP GUI, SAP Portal, SAP Solution
Manager, SAP TMS, SAP Management Console [23], SAP ICM/ITS
► Protocols: DIAG[24], RFC, SOAP (MMC), Message Server, P4[25]
► Languages: ABAP Buffer Overflow [26], ABAP SQL Injection [27], J2EE Verb Tampering [28], J2EE
Invoker Servlet [25] [29] [30]
► Overview: SAP Cyber-attacks, Top 10 Interesting Issues, Myths about ERP
Since 2003, almost every part of SAP was somehow breached and almost every area was
discussed on technical security conferences
Figure 4.1–1 Number of SAP security talks presented at different conferences by year *
The number of SAP security talks presented at different conferences each year is shown in the figure. For 2013, an approximate number is estimated based on the first 4 months.
*Data was collected from different conference websites as of August 15, 2013
Year   Talks
2003   1
2004   1
2005   1
2006   1
2007   1
2008   2
2009   4
2010   12
2011   25
2012   32
2013   17 (estimate)
5. SAP on the Internet
Among many people who work with SAP, a popular myth is that SAP systems are inaccessible from the Internet, so every SAP vulnerability can only be exploited by an insider.
Business applications are no longer accessible only internally; the myth dates from 10 years ago, when mainframes were prevalent. Business is changing and companies want their applications connected. They need to connect departments worldwide, share data with clients via web portals, SRM and CRM systems, and get access from anywhere with mobile solutions.
► Companies have SAP Portals, SAP SRM and SAP CRM systems remotely accessible
► Companies connect different offices (by SAP XI)
► Companies are connected to SAP itself (through SAProuter)
► SAP GUI users are connected to the Internet
► Administrators open management interfaces to the Internet for remote control
This part of the report is intended to dispel the myth by showing how many companies make which services available for remote access, and how vulnerable those services are to the latest threats.
5.1. Google search results by country
These statistics were collected using well-known Google search requests [31]:
Application server type    Search string
SAP NetWeaver ABAP         inurl:/SAP/BC/BSP
SAP NetWeaver J2EE         inurl:/irj/portal
SAP Business Objects       inurl:infoviewap
As a result, 695 (was 610) unique servers with different SAP web applications were found. That is 14 % more than in 2011, taking into account that 22 % of the services found in 2011 are no longer available while 35 % of the services are new. The J2EE server appears to be the most popular platform. Unfortunately, this server is more vulnerable than the ABAP engine, having at least 3 different vulnerabilities that can be exploited anonymously and give full access to the system. On the other hand, the ABAP engine has numerous default users [32] that can be used by attackers. The SAP BusinessObjects server has both problems.
Almost all business applications have web access now
Figure 5.1–1 SAP application servers by type
Application server                 Number   %
SAP NetWeaver J2EE                 268      44 %
SAP Web Application Server (ICM)   163      27 %
SAP BusinessObjects                106      17 %
SAP NetWeaver ABAP                 73       12 %
Figure 5.1–2 SAP application servers by country (by Google search)
Figure 5.1–3 Overall number of SAP application servers found in Google, sorted by country (top 20)
Country          Servers
UNITED STATES    225
GERMANY          94
INDIA            32
UNITED KINGDOM   23
CHINA            22
NETHERLANDS      21
ITALY            18
SWITZERLAND      15
BRAZIL           14
CANADA           12
FRANCE           12
BELGIUM          12
NORWAY           10
KOREA            10
SPAIN            8
MEXICO           6
DENMARK          6
AUSTRIA          6
RUSSIA           6
FINLAND          5
Figure 5.1–4 Overall number of SAP NetWeaver J2EE servers found in Google, sorted by country (top 10)
Country          Servers
UNITED STATES    93
GERMANY          27
INDIA            22
CHINA            13
UNITED KINGDOM   13
SWITZERLAND      11
FRANCE           9
BRAZIL           9
NETHERLANDS      8
ITALY            7
CANADA           5
Figure 5.1–5 Overall number of SAP NetWeaver ABAP servers found in Google, sorted by country (top 10)
Country          Servers
UNITED STATES    26
GERMANY          21
INDIA            4
DENMARK          3
HUNGARY          2
AUSTRIA          2
SPAIN            2
CANADA           2
CHINA            1
UNITED KINGDOM   1
Figure 5.1–6 Overall number of SAP WebAS servers found in Google, sorted by country (top 10)
Country          Servers
UNITED STATES    44
GERMANY          43
NETHERLANDS      9
BELGIUM          7
ITALY            6
KOREA            5
CHINA            5
INDIA            5
NORWAY           4
UNITED KINGDOM   4
FRANCE           2
5.2. Shodan search results by country
Another source that helps to find SAP web interfaces available on the Internet is www.shodanhq.com. The difference is that this service does not only find applications that were "crawled" by web spiders: it scans the whole Internet on port 80 (and other ports) and can therefore be used to find more SAP systems.
A total of 3741 (was 2677) servers with different SAP web applications were found
Figure 5.2–1 SAP application servers by type (by ShodanHQ search)
Application server                           %
SAP NetWeaver J2EE                           41 %
SAP NetWeaver ABAP                           34 %
SAP Web Application Server                   20 %
Other (BusinessObjects, SAP Hosting, etc.)   6 %
The SAP NetWeaver J2EE platform is the most popular on the Internet and it is still growing fast. Compared with the previous year's ShodanHQ statistics, the number of Internet-facing SAP Portals doubled during the year.
Figure 5.2–2 Growth by application server (the chart shows growth values of 94 %, 72 %, 30 %, −20 % and −55 %)
Figure 5.2–3 SAP application servers by country (by ShodanHQ search)
Figure 5.2–4 Overall number of SAP application servers found in ShodanHQ, sorted by country (top 20)
Country          Servers
UNITED STATES    1080
GERMANY          840
ITALY            232
INDIA            180
SPAIN            131
BRAZIL           124
BELGIUM          123
FRANCE           119
CHINA            118
KOREA            110
UNITED KINGDOM   109
SWITZERLAND      105
CANADA           93
TURKEY           88
NETHERLANDS      84
DENMARK          70
MEXICO           65
CHILE            55
TAIWAN           53
AUSTRALIA        38
The statistics gathered by country are very interesting, especially when compared with the previous year: they show where the SAP market is growing, namely in Latin America and Asia.
Figure 5.2–5 Growth of SAP web servers (Top 5)
Country   Growth
MEXICO    562 %
CHILE     280 %
INDIA     119 %
CHINA     111 %
TAIWAN    96 %
5.3. Internet Census scan
This year one interesting project was presented. It was carried out by an anonymous researcher using not entirely legal techniques: exploiting devices and running a worldwide scan of popular ports from them. It would have been great if the data had covered all ports, but unfortunately for us it is useful only for port 80. 3326 IP addresses with SAP web applications were found, which is close to the number we obtained from Shodan. The data also gives us information about SSL usage: it turned out that almost one third of Internet-facing SAP applications do not use SSL, which is an extremely bad statistic.
Figure 5.3–1 Usage of SSL by SAP applications
SSL      68 %
No SSL   32 %
5.4. PortScan search result by country
The most interesting and complex research was performed by scanning the Internet not only for web services but also for services that should not be accessible from the Internet at all.
At the first stage, a simple algorithm was used that only scans the subnets of the servers found during the Google and ShodanHQ searches (about 1000 subnets in total). Many ports were found to be listened on by SAP applications, such as Message Server HTTP, SAP Gateway and SAPHostControl. During the scan, information about publicly available SAP services such as SAP Host Control, SAP Dispatcher, SAP Message Server and SAP Management Console was collected.
Figure 5.4–1 SAP application servers by country (by PortScan (Nmap) search)
The chart shows the percentage of German companies that expose unnecessary SAP services to the Internet. The number of open ports will be updated online at sapscan.com [3], the official site of this project.
10 % of companies that use SAP expose critical services like Gateway or Dispatcher directly to the Internet, bypassing SAProuter security
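To make the classification behind the port scan concrete, here is an added example (not code from the report or from the sapscan.com project) that parses nmap's grepable output and maps open ports to SAP services by the conventional port scheme: 32NN Dispatcher, 33NN Gateway, 36NN Message Server, 81NN Message Server HTTP, 5NN13/5NN14 sapstartsrv, 5NN00 AS Java HTTP, 3299 SAProuter and 1128/1129 Host Control, NN being the instance number. The scan output embedded below is a constructed sample using documentation addresses; the host list and percentages it produces are the raw material for a figure like 5.4–2.

```python
"""Classify open ports from nmap grepable output (-oG) into SAP services.

Added example, not part of the original report or the sapscan.com project.
Assumes the conventional SAP port scheme with NN = two-digit instance number.
"""
import re
from collections import defaultdict

# Fixed ports that do not depend on the instance number.
FIXED_PORTS = {
    3299: "SAProuter",
    1128: "SAP Host Control",
    1129: "SAP Host Control (SSL)",
}

# Instance-dependent ports; NN is matched by \d\d.
INSTANCE_PATTERNS = [
    (re.compile(r"^32\d\d$"), "SAP Dispatcher"),
    (re.compile(r"^33\d\d$"), "SAP Gateway"),
    (re.compile(r"^36\d\d$"), "SAP Message Server"),
    (re.compile(r"^81\d\d$"), "SAP Message Server HTTP"),
    (re.compile(r"^5\d\d13$"), "SAP Management Console (sapstartsrv)"),
    (re.compile(r"^5\d\d14$"), "SAP Management Console (sapstartsrv, SSL)"),
    (re.compile(r"^5\d\d00$"), "SAP NetWeaver J2EE HTTP"),
]

# Well-known non-SAP ports that collide with the scheme (3389 would read as
# "Gateway, instance 89"); confirm with nmap service detection instead.
NON_SAP_COLLISIONS = {3389}

CRITICAL_SERVICES = ("SAP Dispatcher", "SAP Gateway")

HOST_LINE = re.compile(
    r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\s+Ignored State:.*)?$"
)


def classify_port(port):
    """Map a TCP port to an SAP service name, or None if it is not recognised."""
    if port in NON_SAP_COLLISIONS:
        return None
    if port in FIXED_PORTS:
        return FIXED_PORTS[port]
    text = str(port)
    for pattern, name in INSTANCE_PATTERNS:
        if pattern.match(text):
            return name
    return None


def parse_nmap_grepable(output):
    """Return {ip: [open ports]} from nmap -oG text; non-open ports are dropped."""
    hosts = {}
    for line in output.splitlines():
        match = HOST_LINE.match(line.strip())
        if not match:
            continue
        ip, _hostname, port_list = match.groups()
        open_ports = []
        for entry in port_list.split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/rpc/version/
            if len(fields) >= 2 and fields[1] == "open":
                open_ports.append(int(fields[0]))
        hosts[ip] = open_ports
    return hosts


def exposure_report(hosts):
    """Return {service: set(ips)} for every recognised SAP service that is open."""
    report = defaultdict(set)
    for ip, ports in hosts.items():
        for port in ports:
            service = classify_port(port)
            if service:
                report[service].add(ip)
    return dict(report)


def exposure_percent(report, total_hosts):
    """Share of scanned hosts exposing each service, as in the report's figures."""
    return {svc: round(100.0 * len(ips) / total_hosts, 1) for svc, ips in report.items()}


def bypassing_saprouter(hosts):
    """Hosts that expose Dispatcher or Gateway directly, so SAProuter's ACL never applies."""
    return sorted(
        ip for ip, ports in hosts.items()
        if any(classify_port(p) in CRITICAL_SERVICES for p in ports)
    )


# Constructed sample of nmap -oG output (documentation addresses, not real hosts).
SAMPLE_SCAN = """# Nmap 6.40 scan initiated as: nmap -sS -p 1128,3200-3399,3600-3699,8100-8199,50000,50013 -oG - 203.0.113.0/29
Host: 203.0.113.10 (sap-prd.example.net)\tPorts: 3200/open/tcp//sapdp00///, 3300/open/tcp//sapgw00///, 3600/open/tcp//sapms00///\tIgnored State: closed (302)
Host: 203.0.113.11 (saprouter.example.net)\tPorts: 3299/open/tcp//saprouter///\tIgnored State: closed (304)
Host: 203.0.113.12 (portal.example.net)\tPorts: 50000/open/tcp//http///, 50013/open/tcp//sapstartsrv///, 1128/filtered/tcp//saphostctrl///\tIgnored State: closed (302)
# Nmap done: 8 IP addresses (3 hosts up) scanned
"""

if __name__ == "__main__":
    found = parse_nmap_grepable(SAMPLE_SCAN)
    for service, ips in sorted(exposure_report(found).items()):
        print(f"{service:45s} {sorted(ips)}")
    print("Dispatcher/Gateway reachable without SAProuter:", bypassing_saprouter(found))
```

For a real subnet list, run for example `nmap -sS -p 1128,3200-3399,3600-3699,8100-8199,50000-59914 -oG scan.gnmap <subnets>` and pass the file contents to `parse_nmap_grepable`; the instance-number scheme produces false positives on ports that other software happens to use, so treat the service-name column nmap reports as the tie-breaker.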
Figure 5.4–2 Percent of companies that expose critical SAP services to the Internet (services shown: SAP Dispatcher, SAP MMC, SAP Message Server, SAP Host Control, SAP ITS Agate, SAP Message Server httpd, SAP Router; two series: exposed services 2013 and exposed services 2011)
6. SAP versions
We checked the major versions of the ABAP and J2EE engines found on the Internet to understand the lifecycle of released products and to see which version is the most popular now. We also checked the popularity of the operating systems and RDBMS used with SAP.
6.1. ABAP engine versions
ABAP versions were collected by connecting to the root of an application server and parsing the HTTP response headers. We also used an information disclosure vulnerability: information about the SAP NetWeaver version can easily be obtained if the application is configured insecurely and allows an attacker to read the /sap/public/info URL. We were happy to note that, compared with the previous year, the number of Internet-facing systems with this information disclosure vulnerability decreased significantly.
The release version is vital for security. For example, the most powerful security options, such as disabling access to all BSP applications by default, are only shipped with EHP 2, and EHP 2 is installed on only 23 % (was 11 %) of all servers. This means that even though SAP cares about the security of its systems, the biggest part of securing an SAP system still lies with the administrators.
Figure 6.1–1 NetWeaver ABAP versions by popularity
Release                  Share
7.0 EHP 0 (Nov 2005)     35 %
7.0 EHP 2 (Apr 2010)     23 %
7.0 EHP 1 (Oct 2008)     19 %
7.3 (Jun 2011)           11 %
6.2 (Dec 2003)           6 %
6.4 (Mar 2004)           5 %
After scanning all the available SAP NetWeaver ABAP servers, it was found that 6 % (previously 59 %) of them are vulnerable to information disclosure
The most popular release (35 %, previously 45 %) is NetWeaver 7.0, released in 2005!
If we compare these results with the previous year we see positive changes, such as extremely high growth in the share of the 7.3 and 7.2 releases, although the absolute growth is of course quite small compared with the overall numbers:
7.3 growth by 250 %
7.2 growth by 70 %
7.0 loss by 22 %
6.4 loss by 45 %
6.2. J2EE engine versions
Information about the version of the J2EE engine can easily be found by reading an HTTP response. Detailed information about the patch level, however, can only be obtained if the application server is not securely configured and allows an attacker to read certain pages. As an example, there are at least 3 pages that disclose information about the J2EE engine (with the share of Internet-facing servers on which each was readable):
/rep/build_info.jsp [33]                       26 % (61 % last year)
/bcb/bcbadmSystemInfo.jsp [34]                 1.5 % (17 % last year)
/AdapterFramework/version/version.jsp [35]     2.7 % (a new issue)
Detailed information about the major versions is presented below.
Figure 6.2–1 Percentage of NetWeaver JAVA versions by popularity
Release           Share
NetWeaver 7.00    44 %
NetWeaver 7.01    25 %
NetWeaver 7.02    10 %
NetWeaver 7.30    9 %
NetWeaver 6.40    9 %
NetWeaver 7.31    3 %
If we compare these results with the previous year, we see positive changes. New versions such as 7.31 and 7.3 appeared, with a total of 12 % of all servers. The detailed changes are:
7.31 growth from 0 to 3 %
7.30 growth from 0 to 9 %
7.02 growth by 67 %
7.0 loss by 23 %
6.4 loss by 40 %
6.3. OS popularity for SAP
Using the /sap/public/info URL, it is possible to obtain information about the OS version of ABAP systems. Analysing the results gathered from Internet-facing SAP systems, we found that the most popular operating systems are Windows NT (28 %) and AIX (25 %). According to our statistics from internal SAP assessments, *NIX systems are more popular in general, while Windows is more popular for Internet-facing SAP systems.
Figure 6.3–1 Percent of OS popularity for SAP
OS           Share
Windows NT   28 %
AIX          25 %
Linux        19 %
SunOS        13 %
HP-UX        11 %
OS/400       4 %
The most popular OS for SAP are Windows NT (28 %) and AIX (25 %)
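The two collection methods used in 6.1 and 6.3 (the Server header and the /sap/public/info response) can be automated. The following is an added example, not the report's own tooling. It assumes the /sap/public/info body is the RFC_SYSTEM_INFO result as XML, with the release in RFCSAPRL, the operating system in RFCOPSYS and the database in RFCDBSYS (the documented RFCSI fields, but verify against a live response), and that an ABAP system's Server header reads like "SAP NetWeaver Application Server / ABAP 702". All responses are constructed samples; the same tally also yields the RDBMS share used in 6.4.

```python
"""Parse the XML returned by /sap/public/info (RFC_SYSTEM_INFO) and tally release, OS and DB.

Added example, not part of the report. The XML built below is a constructed stand-in for
the response; element names follow the RFCSI structure (RFCSAPRL, RFCOPSYS, RFCDBSYS, ...)
but should be verified against a real response. Parsing uses the standard library's
ElementTree; for untrusted input in production prefer defusedxml.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Release numbers as returned in RFCSAPRL, mapped to the labels used in this report.
RELEASE_LABELS = {
    "620": "6.2", "640": "6.4", "700": "7.0 EHP 0", "701": "7.0 EHP 1",
    "702": "7.0 EHP 2", "710": "7.1", "711": "7.1 EHP 1", "720": "7.2",
    "730": "7.3", "731": "7.31",
}

# Assumed Server header shape of an ABAP system; the release is the last three digits.
SERVER_HEADER = re.compile(r"SAP NetWeaver Application Server\s*/\s*ABAP\s+(\d{3})")


def parse_public_info(xml_text):
    """Return {field: value} for the leaf RFC* elements, or {} if nothing usable is found."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return {}
    fields = {}
    for element in root.iter():
        name = element.tag.rsplit("}", 1)[-1]          # drop any namespace prefix
        if len(element) == 0 and name.startswith("RFC"):
            fields[name] = (element.text or "").strip()
    return fields


def is_info_disclosure(http_status, body):
    """A 200 answer that parses into a system release is the disclosure counted in 6.1."""
    return http_status == 200 and "RFCSAPRL" in parse_public_info(body)


def release_from_server_header(header_value):
    """Extract the three-digit release from a Server header, or None."""
    match = SERVER_HEADER.search(header_value or "")
    return match.group(1) if match else None


def release_label(release):
    return RELEASE_LABELS.get(release, release)


def survey(responses):
    """Tally release, OS and RDBMS shares (percent) over a list of /sap/public/info bodies."""
    tallies = {"release": Counter(), "os": Counter(), "db": Counter()}
    for body in responses:
        info = parse_public_info(body)
        if "RFCSAPRL" not in info:
            continue            # not disclosed; skipped rather than counted as unknown
        tallies["release"][release_label(info["RFCSAPRL"])] += 1
        tallies["os"][info.get("RFCOPSYS", "unknown")] += 1
        tallies["db"][info.get("RFCDBSYS", "unknown")] += 1
    total = sum(tallies["release"].values())
    if not total:
        return {}
    return {key: {k: round(100.0 * v / total, 1) for k, v in counter.items()}
            for key, counter in tallies.items()}


def make_info_response(release, opsys, dbsys, sid="PRD"):
    """Build a constructed /sap/public/info body for the samples below."""
    return f"""<?xml version="1.0" encoding="utf-8"?>
<rfc:RFC_SYSTEM_INFO.Response xmlns:rfc="urn:sap-com:document:sap:rfc:functions">
  <RFCSI_EXPORT>
    <RFCPROTO>011</RFCPROTO>
    <RFCHOST>sap{sid.lower()}</RFCHOST>
    <RFCSYSID>{sid}</RFCSYSID>
    <RFCDBSYS>{dbsys}</RFCDBSYS>
    <RFCSAPRL>{release}</RFCSAPRL>
    <RFCOPSYS>{opsys}</RFCOPSYS>
    <RFCKERNRL>{release}</RFCKERNRL>
  </RFCSI_EXPORT>
</rfc:RFC_SYSTEM_INFO.Response>"""


# Constructed sample: four disclosing systems and one that returns an error page.
SAMPLE_RESPONSES = [
    make_info_response("702", "AIX", "ORACLE"),
    make_info_response("700", "Windows NT", "MSSQL", sid="ERP"),
    make_info_response("731", "Linux", "DB6", sid="BWP"),
    make_info_response("700", "AIX", "ORACLE", sid="CRM"),
    "<html><body>403 Forbidden</body></html>",
]

if __name__ == "__main__":
    for category, shares in survey(SAMPLE_RESPONSES).items():
        print(category, shares)
```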
6.4. RDBMS popularity for SAP Backend
The most popular RDBMS used as a backend for SAP is still Oracle, at 59 %. The other RDBMS systems are listed below.
Figure 6.3–2 Percent of RDBMS popularity for SAP Backend
RDBMS    Share
Oracle   59 %
DB2      19 %
MsSQL    17 %
MaxDB    5 %
It should be mentioned that an Oracle RDBMS installed with SAP is vulnerable to a very dangerous attack in which authentication is bypassed and an unauthorized attacker obtains direct access to the database without any authorizations, because of the improper use of the REMOTE_OS_AUTHENT parameter. It is a very old bug, first published in 2002, but it is still present [36].
7. Critical services on the Internet
Apart from the web interfaces that have to be exposed to the Internet for business reasons, such as SAP Portal, SAP SRM or SAP CRM solutions, there are services that should not be available externally at all. Not only do they bring a potential risk, they have real vulnerabilities and misconfigurations that are well known and well described in public resources. This is of course not the full list of critical SAP services, just the most popular ones. The scan was performed across 1000 subnetworks of companies that use SAP worldwide.
Services like SAP Dispatcher, SAP Message Server, SAP Host Control and others presented in the figures should not be reachable through the Internet
7.1. SAProuter
SAProuter is a special service made by SAP for a number of purposes, such as:
► Transferring requests from the Internet to SAP systems (and not only those)
► Connecting SAP systems to each other across many locations
► Connecting systems of different companies, such as customers and partners
The main mission of this service is to receive updates from SAP and install them remotely on SAP systems. It also provides access to EarlyWatch services, so every company that uses SAP should install SAProuter. There are a number of ways to implement it, either by configuring VPN access to SAP or by exposing the SAProuter service to the Internet on its default port, 3299, which is known to everybody. More details can be found at the SAP Service Marketplace [37].
The analysis of all SAProuters found remotely accessible in 1000 companies showed that 99 SAProuters were reachable on the default port, i. e. approximately 10 % (was 32 %).
This result was not enough for us, so we started another project intended to find out how many SAProuters are on the Internet in total. First of all, we were interested in understanding how many of them were vulnerable to the known issues as well as to a very critical heap overflow vulnerability found by researchers from the ERPScan team. The vulnerability allows taking full control of SAProuter with a single TCP packet and thereby obtaining access to the internal corporate network. This issue was closed in May 2013, and the details can be found in SAP Note 1820666. We decided to count the number of vulnerable SAProuters almost 6 months after the patch was released.
Here are the results of the scan:
► There were 4500 SAProuters on the whole Internet in total
► 15 % of the routers lacked an ACL. This can be used to:
   o Scan the internal network
   o Proxy any request to any internal address of an SAP or non-SAP system found during the scan
► 19 % of the routers have an information disclosure vulnerability that reveals internal systems. This can be used to:
   o Cause a denial of service by opening many connections to any of the listed SAP servers (there is a default limit of 3000 connections)
   o Proxy any request to any internal address of an SAP or non-SAP system if there is no ACL
► 5 % of the routers have an insecure configuration: an authentication bypass that can be used to reconfigure the router remotely without authentication
► Finally, 85 % of the routers are still vulnerable to the heap overflow issue that was closed almost half a year ago, which can be used to break into the internal networks of about 4500 different companies around the world
There is also an additional SAP Note for SAProuter security: 1895350.
85 % of almost 5000 SAProuters on the Internet were found to be vulnerable
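An added example (not SAP's saprouter code) of how a saprouttab decides the "no ACL" and "proxy to any internal address" cases above: a permissive "P * * *" that turns the router into an open proxy, beside a restricted table. The route-table semantics are assumed from SAP's documentation (entries are checked top to bottom, the first match wins, no match means deny, S permits only the SAP protocol); the host and port patterns handled are the common "*" and trailing-"*" forms, not every form saprouter accepts, and the route-string parser defaults a hop without /S/ to 3299. All addresses are documentation ranges.

```python
"""Evaluate SAProuter route permissions the way a saprouttab is consulted.

Added example, not SAP's code. Assumed semantics: entries are checked top to
bottom, the first match decides (P = permit, D = deny, S = permit SAP protocol
only, KP/KD/KS = the SNC equivalents), and a connection matching no entry is
refused. Host patterns: '*' or a trailing '*' (e.g. 10.20.*); the port field is
a number, a service name or '*'.
"""
from dataclasses import dataclass

ACTIONS = {"P", "D", "S", "KP", "KD", "KS"}


@dataclass
class Rule:
    action: str
    src: str
    dst: str
    port: str
    password: str = ""


def parse_saprouttab(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() not in ACTIONS:
            raise ValueError(f"unparseable saprouttab entry: {raw!r}")
        rules.append(Rule(parts[0].upper(), parts[1], parts[2], parts[3],
                          parts[4] if len(parts) > 4 else ""))
    return rules


def host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return host.lower().startswith(pattern[:-1].lower())
    return pattern.lower() == host.lower()


def port_matches(pattern, port):
    return pattern == "*" or str(pattern) == str(port)


def evaluate(rules, src, dst, port):
    """Return 'P', 'S' or 'D' for the first matching entry; 'D' when nothing matches."""
    for rule in rules:
        if host_matches(rule.src, src) and host_matches(rule.dst, dst) and port_matches(rule.port, port):
            return rule.action.lstrip("K")       # KP/KD/KS decide like P/D/S for this purpose
    return "D"


def parse_route_string(route):
    """Split '/H/host/S/port/H/host2/S/port2' into [(host, port), ...].

    A hop without /S/ defaults to 3299 (assumed: SAProuter's own service); /P/ carries
    the route password and takes no part in ACL matching here.
    """
    tokens = route.strip("/").split("/")
    hops, i = [], 0
    while i < len(tokens):
        if tokens[i] != "H" or i + 1 >= len(tokens):
            raise ValueError(f"bad route string: {route!r}")
        host, port = tokens[i + 1], "3299"
        i += 2
        if i + 1 < len(tokens) and tokens[i] == "S":
            port, i = tokens[i + 1], i + 2
        if i + 1 < len(tokens) and tokens[i] == "P":
            i += 2
        hops.append((host, port))
    return hops


def evaluate_route(rules, client_ip, route):
    """Decide the hop *after* this router (hops[0] is the router the client talks to)."""
    hops = parse_route_string(route)
    if len(hops) < 2:
        raise ValueError("route must contain the router and at least one further hop")
    dst, port = hops[1]
    return evaluate(rules, client_ip, dst, port)


def is_open_proxy(rules, probe_dst="10.0.0.1", probe_port=22):
    """An Internet client reaching an arbitrary non-SAP internal port means no effective ACL."""
    return evaluate(rules, "198.51.100.7", probe_dst, probe_port) == "P"


# Constructed tables. 203.0.113.5 stands in for SAP's support router address.
PERMISSIVE_TAB = "P * * *   # permit anything from anywhere to anywhere\n"

RESTRICTED_TAB = """
# SAP support may reach the PRD dispatcher only
P  203.0.113.5  10.0.0.5  3200
# SAP GUI subnet: SAP protocol only, to PRD dispatcher and gateway
S  10.20.*      10.0.0.5  3200
S  10.20.*      10.0.0.5  3300
# explicit catch-all deny (the implicit default, written out)
D  *  *  *
"""

if __name__ == "__main__":
    route = "/H/saprouter.example.net/S/3299/H/10.0.0.5/S/3200"
    for name, tab in (("permissive", PERMISSIVE_TAB), ("restricted", RESTRICTED_TAB)):
        rules = parse_saprouttab(tab)
        print(f"{name}: open proxy={is_open_proxy(rules)}, "
              f"route from Internet={evaluate_route(rules, '198.51.100.7', route)}")
```

The restricted table is also the shape of the fix for the 15 % and 19 % cases: name the peer, name the target, name the port, and let the catch-all deny handle the rest.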
7.2. WebRFC service as part of NetWeaver ABAP
WebRFC is a web service that is available by default on the SAP NetWeaver ABAP platform. It allows executing dangerous RFC functions through HTTP requests to the NetWeaver ABAP port and the URL /sap/bs/web/rfc. Among those functions there are several critical ones, which can:
► Read data from SAP tables
► Create SAP users
► Execute OS commands
► Make financial transactions, etc.
By default, any user can access this interface and execute the RFC_PING function by sending an XML packet. Other functions require additional authorizations. So there are 2 main risks:
► If there is a default username and password in the system, an attacker can execute numerous dangerous RFC functions, because the default users have dangerous rights.
► If a remote attacker obtains any existing user's credentials, he can execute a denial of service attack on the server by sending an RFC_PING request with a malformed XML packet [38][39].
While we did not check whether those systems had default passwords, according to various statistics from our own research and that of our colleagues, about 95 % of systems have at least 1 default user account.
It was found that 6 % (was 40 %) of ABAP systems on the Internet have the WebRFC service enabled
7.3. CTC service as part of NetWeaver J2EE
CTC is a web service that is installed by default on the NetWeaver J2EE engine. It allows managing the J2EE engine remotely. This web service can be found through Google and it often exists on SAP Portals. It makes it possible to:
► Create users
► Assign a role to a user
► Execute OS commands
► Remotely turn the J2EE Engine on and off
Researchers from ERPScan presented a vulnerability in this service called Verb Tampering [25]. It allows bypassing the authorization checks for remote access to the CTC service, which means that anybody can remotely obtain full, unauthorized access to all business-critical data located in the J2EE engine.
Unfortunately, the situation has not changed much this year: about half of all J2EE systems have CTC installed and available from the Internet, which is not good, and we still see services that are vulnerable.
*While we did not scan those systems to find out whether they were vulnerable, according to our statistics from penetration tests about 50 % of them are still vulnerable.
7.4. SAP Message Server HTTP
SAP Message Server HTTP is the HTTP port of the SAP Message Server service, which balances load across SAP application servers. Usually this service is only available inside the company, but some implementations have been found on external IP addresses, which is typically not needed for business processes and can lead to critical actions. By default, the server listens on port 81NN, where NN is the system number [40]. One of the issues of SAP Message Server HTTP is the possibility to retrieve the values of SAP system configuration parameters remotely without authentication, which can be used to prepare further attacks.
During a sample scan of 1000 subnetworks assigned to companies that use SAP, 29 Message Server HTTP systems were found to be available (last year there were 98).
7.5. SAP Management Console
SAP Management Console, or SAPControl, is a service that allows remote control of SAP systems. Its main functions are remote start and stop, and they require knowledge of a username and password. Apart from the functions that require authentication, there are some functions that can be used remotely without authentication. Most of them allow reading various logs and traces and sometimes system parameters. Those issues were well covered by Chris John Riley, an independent researcher [33].
A more serious danger that ERPScan researchers found is the possibility of finding JSESSIONID values in the log files [11]. JSESSIONID is the identifier by which HTTP sessions are tracked, so one possible attack is to insert such a JSESSIONID into a browser cookie and obtain unauthorized access to a user's session.
During the same scan as in the previous tests, it was found that 2 % of subnetworks have Management Console services open.
During our internal penetration tests we see a much higher number of vulnerable services: approximately 80 % of the 250 scanned servers of companies that agreed to participate in the statistics were found to be vulnerable to this issue.
It was found that 50 % (was 61 %) of J2EE systems on the Internet have the CTC service enabled
Approximately 2 % (was 11 %) of companies expose Message Server HTTP to the Internet, which is potentially vulnerable to unauthorized remote gathering of system parameters
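Because unauthenticated sapstartsrv methods can hand out trace files, checking traces for session cookies is a useful audit, and a necessary step before a trace is shared with anyone. The following added example (not ERPScan's or SAP's code) finds JSESSIONID, SAP_SESSIONID_<SID>_<client> and MYSAPSSO2 values in a constructed trace excerpt, which only approximates real ICM trace formatting, and redacts them.

```python
"""Find and redact HTTP session identifiers in SAP log and trace data.

Added example, not ERPScan's or SAP's code. The trace excerpt is constructed and
only approximates the look of an ICM/Java developer trace. It shows why a trace
that an unauthenticated sapstartsrv web method can hand out is itself a credential
store: each cookie value below is enough to ride a user's session.
"""
import re

# Cookie names that carry a session or logon ticket on SAP systems:
# JSESSIONID (AS Java), SAP_SESSIONID_<SID>_<client> (AS ABAP), MYSAPSSO2 (SSO logon ticket).
SESSION_COOKIE = re.compile(r"\b(JSESSIONID|SAP_SESSIONID_\w+|MYSAPSSO2)=([^;\s]+)")


def find_session_tokens(text):
    """Return [(line_number, cookie_name, value)] for every session token in the text."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in SESSION_COOKIE.finditer(line):
            hits.append((number, match.group(1), match.group(2)))
    return hits


def redact_session_tokens(text, keep=4):
    """Replace each token value with its first `keep` characters plus '...', so traces can be shared."""
    def _mask(match):
        value = match.group(2)
        return f"{match.group(1)}={value[:keep]}..."
    return SESSION_COOKIE.sub(_mask, text)


def leaked_sessions(text):
    """Distinct (name, value) pairs; each one is a candidate for session hijacking."""
    return sorted({(name, value) for _, name, value in find_session_tokens(text)})


# Constructed sample trace lines (not a real system's output).
SAMPLE_TRACE = """[Thr 140] Fri Aug 16 10:01:02 2013
[Thr 140] HttpRequest: GET /irj/portal HTTP/1.1
[Thr 140]   Cookie: JSESSIONID=A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6; saplb_*=(J2EE1234520)1234550
[Thr 140] HttpResponse: 200 OK
[Thr 141] HttpRequest: POST /sap/bc/bsp/sap/it00/default.htm HTTP/1.1
[Thr 141]   Cookie: MYSAPSSO2=AjQxMDMBABhEAEUATQBPACAAIAAgACAAIAAgACAAIAA%3d; SAP_SESSIONID_PRD_100=Zz9xYwVvUuTtSsRrQq
[Thr 141] HttpResponse: 302 Found
"""

if __name__ == "__main__":
    for line_no, name, value in find_session_tokens(SAMPLE_TRACE):
        print(f"line {line_no}: {name}={value}")
    print(redact_session_tokens(SAMPLE_TRACE))
```

Run `find_session_tokens` over the trace files an instance writes (the work directory's dev_* files and the ICM trace); every hit is a reason to invalidate that session and to restrict who can read traces at all.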
7.6. SAP Host Control
SAP Host Control is a service that allows remote control of SAP systems. It can be installed manually on any host to collect data from SAP systems remotely, and it usually listens on TCP port 1128. Its main functions require knowledge of a username and password, but apart from those there are some functions that can be used remotely without authentication. The first is the ability to read developer traces without authentication; those traces can contain passwords or other interesting data. The second vulnerability is more dangerous and was already described in the list of top 5 vulnerabilities for 2012: it allows remotely injecting an OS command and executing it on the server side [41].
During the same scan as in the previous tests, it was found that 0.6 % (2.6 % last year) of subnetworks have Host Control services open. This is quite a small number of systems, because the service is optional and installed manually.
During our internal penetration tests we saw somewhat more vulnerable services: approximately 30 % of the 250 scanned servers of companies that agreed to participate in the statistics were found to be vulnerable to this issue.
7.7. SAP Dispatcher service
SAP Dispatcher is the main service for SAP client-server communication: SAP GUI connects to SAP NetWeaver through it using the DIAG protocol. The SAP Dispatcher port should not be reachable from the Internet directly, and even in the internal network only the appropriate users or user networks should have access. Keep in mind that we are talking about the Dispatcher, not the Web Dispatcher, which, of course, is meant to be available from the Internet.
Nevertheless, during a brief scan of 1000 subnetworks, 0.6 % (15 % last year) of subnetworks were found to have the Dispatcher service open.
Approximately 2 % (was 9 %) of companies expose the SAP MMC service to the Internet, which is potentially vulnerable to unauthorized access to log files
Approximately 1 % (was 2 %) of companies expose the SAP Host Control service to the Internet, which is potentially vulnerable to unauthorized access to log files
Why is it dangerous?
First of all, this service allows a direct connection to an SAP system using SAP GUI, where all an attacker needs is a valid username and password. There are numerous default passwords in SAP and, according to our penetration testing statistics, about 95 % of systems have default credentials.
Another problem, found by Core Security and described in the top 5 SAP vulnerabilities for 2012, is that the SAP Dispatcher service has multiple buffer overflow vulnerabilities that can lead to denial of service, one of which also allows code execution [42]. The exploit code was published on May 9, 2012, and an unauthenticated attacker can use it without any rights. The good news is that this vulnerability only works when the DIAG trace level is set to 2 or 3, which is not the default value, but a possible one. There may be other issues in this service, so it must be disabled for external access.
Every 6th company is vulnerable to DoS attacks and unauthorized access with default passwords in SAP Dispatcher
8. Future predictions and trends
While there are so many issues in SAP, we still do not see any hot news about a company that was breached through a vulnerability in SAP. In November 2012, Infosecurity Magazine published a story about an Anonymous attack on the Finance Ministry of Greece in which an exploit was allegedly used against their SAP system, leading to a leak of critical internal documents. This information has no solid proof, and SAP AG has no indication that the attack actually happened, but the publication itself is a sign of interest in this topic. There are several reasons why we do not see much public information: first of all, nobody wants to share information about a breach, especially an internal one; secondly, external breaches of ERP systems are mostly espionage and are therefore unlikely to be found; and the last reason, which I find very shocking, is that only a few companies monitor activity and analyse log files. So how can you be sure that there is no breach when you cannot see what is happening in your system, and whether it has already been compromised?
Later we will show more results.
8.1. Internal threats
Internal attacks made by insiders are more likely to happen now, and they are happening. According to ACFE research, losses to internal fraud amount to 6 % of yearly revenue on average. What is more, 45 % of financial organizations have suffered fraud in the last 12 months compared with 30 % in other industries (according to a recent PwC survey [43]). Cybercrime accounted for 38 % of economic crime incidents at financial services organizations, and this will only grow with the growth of the IT industry. We have personally seen a couple of examples of internal issues, which fall into 3 areas: salary manipulation, material manipulation and mistakes.
8.2. External threats
Not only hacktivists but also other large companies can be interested in attacking ERP systems, stealing corporate secrets, or executing DoS attacks on a competitor's infrastructure.
We spoke to some commercial organizations that sell and buy exploits for private and government customers (security intelligence services), and we were interested in whether there is a market for ERP exploits. They said that there is interest from both sides. Even well-known exploit-buying companies like ZDI buy SAP exploits and vulnerabilities: in 2012 alone, five exploits for SAP were sold to ZDI, and two of them are so critical that they appear in our list of the top 5 critical SAP issues for 2012.
There are also forums that sell access to botnets with IP ranges of specific companies. Nowadays large companies sometimes have more power than governments, so corporate wars are one of the possible scenarios, and business-critical systems can be the most useful targets.
8.3. SAP forensics
Few examples have been made public yet. In most cases this is because very few organizations use anything at all to monitor malicious activity, so even if their system was compromised, they are not ready for a forensic investigation and cannot establish the fact of compromise. Companies do not have the ability to identify an attack. Based on our assessment of over 250 servers of companies that allowed us to share the results, we found quite scary figures: only 10 % of systems use the SAP Security Audit Log, and in only 2 % of those systems are the logs analysed regularly. What is more, less than 1 % of companies do deep analysis and correlation of SAP security events. Taking those numbers into account, how can most of them be sure that their systems were not compromised?
A more detailed review of the different log files that can be enabled gives the results listed below.
Figure 8.3–1 Percent of enabled logs
Log                   Enabled
HTTP log              70 %
Security audit log    10 %
Table access log      4 %
Message Server log    2 %
SAP Gateway log       2 %
The big difference between the HTTP log and the other logs is explained by the fact that HTTP logging is enabled by default.
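The log switches counted in the figure are profile parameters, so the state of a system can be checked from its profile. The following added example (not ERPScan's tooling) parses a constructed profile excerpt and reports which logs are on, using rsau/enable, rec/client, icm/HTTP/logging_0, gw/logging and ms/audit, plus service/protectedwebmethods for the sapstartsrv issue from section 7.5. Absent parameters are treated as off; newer kernels ship defaults for some of them, so confirm effective values in RZ11 before acting on a finding.

```python
"""Audit an SAP instance profile for the logging switches counted in Figure 8.3-1.

Added example, not ERPScan's or SAP's code. Parameter names are the documented
profile parameters; the profile excerpts are constructed. An absent parameter is
treated as "not enabled": newer kernels ship defaults for some of them, so confirm
the effective value in RZ11 before acting on a finding.
"""
import re

PARAM_LINE = re.compile(r"^\s*([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value} from profile text; '#' lines are comments, later entries win."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        match = PARAM_LINE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def _has_action(value):
    # gw/logging is a string like "ACTION=Ss LOGFILE=..."; logging is on if ACTION has letters.
    match = re.search(r"ACTION=([A-Za-z]*)", value)
    return bool(match and match.group(1))


def audit_logging(params):
    """Map each log/protection to True (enabled) or False, using the profile values."""
    def get(name):
        return params.get(name, "").strip()

    pwm = get("service/protectedwebmethods").upper()
    return {
        "security_audit_log": get("rsau/enable") == "1",
        "table_access_log": get("rec/client").upper() not in ("", "OFF"),
        "http_log": "LOGFILE=" in get("icm/HTTP/logging_0").upper(),
        "gateway_log": _has_action(get("gw/logging")),
        "message_server_audit": get("ms/audit") not in ("", "0"),
        # DEFAULT leaves trace/log-reading web methods callable without authentication;
        # SDEFAULT (the stricter list) or ALL is what the MMC finding in 7.5 calls for.
        "sapstartsrv_protected_methods": pwm == "ALL" or pwm.startswith("SDEFAULT"),
    }


RECOMMENDED = {
    "security_audit_log": ("rsau/enable", "1"),
    "table_access_log": ("rec/client", "ALL"),
    "http_log": ("icm/HTTP/logging_0", "PREFIX=/,LOGFILE=access_log,LOGFORMAT=SAP"),
    "gateway_log": ("gw/logging", "ACTION=Ss LOGFILE=gw_log-%y-%m-%d SWITCHTF=day MAXSIZEKB=100"),
    "message_server_audit": ("ms/audit", "1"),
    "sapstartsrv_protected_methods": ("service/protectedwebmethods", "SDEFAULT"),
}


def missing_settings(params):
    """Parameter assignments that would turn on everything audit_logging() reports as off."""
    result = audit_logging(params)
    return [RECOMMENDED[check] for check, enabled in result.items() if not enabled]


# Constructed profile excerpt in the state the survey found most often: only HTTP logging on.
TYPICAL_PROFILE = """
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
rsau/enable = 0
rec/client = OFF
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=access_log,LOGFORMAT=SAP
service/protectedwebmethods = DEFAULT
"""

# Same profile with the recommended lines appended (later entries win in parse_profile).
HARDENED_PROFILE = TYPICAL_PROFILE + "\n".join(
    f"{name} = {value}" for name, value in RECOMMENDED.values()
) + "\n"

if __name__ == "__main__":
    for check, enabled in audit_logging(parse_profile(TYPICAL_PROFILE)).items():
        print(f"{check:32s} {'on' if enabled else 'OFF'}")
    for name, value in missing_settings(parse_profile(TYPICAL_PROFILE)):
        print(f"set {name} = {value}")
```

Turning a log on is only the first step the figure implies: the security audit log also needs filters (rsau/selection_slots and the SM19 configuration) and the table log only records tables flagged for logging, so pair the parameter check with a review of those settings and of who actually reads the output.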
8.4. What can happen?
This report includes not only a review of the current state but also predictions, so we decided to look at the current situation and changes in typical malware to understand what may happen in the near future. We found 3 different examples of recent malicious software and attack types which may mark the beginning of a new era of targeted attacks on corporations and their business applications.
8.4.1. AutoCAD virus
This example of industrial espionage is quite interesting. We think it is one of the first examples of a targeted industrial espionage attack focused on a particular action. According to research on this virus, it was created in China to steal secret manufacturing documents. If we develop this idea, more target-focused viruses can be expected, made to steal particular data from competitors. Knowing some SAP or other business application internals, it is not hard to make a virus that will, for example, target an SAP PLM system using a specific vulnerability and knowing exactly where this system stores the relevant data [44].
8.4.2. Internet-Trading virus
The next interesting example is the Ranbyus virus and its specific modification for the QUICK trading platform. This virus can commit fraud directly, but what is more frightening is that if it were made to trade automatically, for example placing the same orders from many infected terminals, the market would read this as a signal, bears would sell further, and the end result could be a collapse. As for SAP, we all know that bank account numbers are stored in a specific table; if a worm modified this data, the power of a computer worm could be combined with fraud to produce a significant money transfer [45].
8.4.3. News resources hacking (Sabotage)
This example is also quite interesting and shows how easy it can be to fool the market by reporting false news. The same idea could be applied by breaking into an organization's SAP-based portal and publishing false information, leading to stock manipulation [46].
So, you have seen just a couple of frightening scenarios that become possible by breaking into software as critical as SAP. You can imagine how dangerous it could be to gain control of all the SAP systems of one country.
9. Conclusion
Old issues are being patched, but many new systems have vulnerabilities. The number of vulnerabilities per year is going down compared to 2010, but they are more critical. The number of companies searching for issues in SAP is growing, so we can conclude that interest in SAP platform security has been growing exponentially, and there are positive sides to that: for example, the latest SAP products are more secure by default. Taking into account the growing total number of vulnerabilities and the vast number of SAP systems reachable from the Internet, we predict that SAP systems may become a target not only for direct attacks (for example APT) but also for mass exploitation by worms targeting one or more vulnerabilities. And while so many issues have already been closed, there are many more areas not yet covered by researchers where lots of vulnerabilities may exist. We are working closely with the SAP Security Response Team on discovering and patching security issues, and SAP is publishing security recommendations and guidelines showing administrators how to protect against the most common threats. This area has changed a lot during the last year, and SAP is now investing far more resources and money in internal SDLC processes and internal security conferences.
Unfortunately, as a year ago, the main burden still lies on administrators, who have to enforce the security of their SAP systems through guidelines, secure configuration, patch management, code review and continuous monitoring. Furthermore, we think SAP forensics may become a new research area: with such a complex logging system in SAP it is not easy to find evidence today, even if it exists, and the more attacks there are on SAP systems, the greater the need will be for forensic investigation and continuous monitoring of SAP security.
About ERPScan
ERPScan is an award-winning innovative company founded in 2010, honored as the Most Innovative Security Company by the Global Excellence Awards and as an Emerging Vendor by CRN, and the leading SAP AG partner in discovering and solving security vulnerabilities. ERPScan is engaged in ERP and business application security, particularly SAP, and in the development of software for SAP system security monitoring, compliance and cybercrime prevention. The company also provides consulting services for the secure configuration, development and implementation of SAP systems, used by SAP AG and Fortune 500 companies, and conducts comprehensive assessments and penetration testing of custom solutions.
Our flagship product is ERPScan Security Monitoring Suite for SAP: award-winning innovative software and the only solution on the market which assesses and monitors four tiers of SAP security: vulnerability assessment, source code review, SoD conflicts, and SIEM/forensics. The software is used by the largest companies in industries such as oil and gas, nuclear, banking, logistics and avionics, as well as by consulting companies. ERPScan is a unique product which enables a complex security assessment followed by ongoing monitoring of SAP security. ERPScan is an easily deployable solution which scans basic SAP security configuration in 5 minutes and a few clicks. ERPScan was designed to work in enterprise environments and to continuously monitor changes across multiple SAP systems. These features enable central management of SAP system security with minimal time and effort.
The company's expertise is based on research conducted by the ERPScan research subdivision, which is engaged in vulnerability research and analysis of critical enterprise applications and has received multiple acknowledgments from major software vendors such as SAP, Oracle, IBM, VMware, Adobe, HP, Kaspersky, Apache and Alcatel for finding 350+ vulnerabilities in their solutions. ERPScan experts are frequent speakers at 40+ major international conferences held in the USA, Europe, CEMEA and Asia, such as BlackHat, RSA, HITB and Defcon. ERPScan researchers lead the EAS-SEC project, which is focused on enterprise application security. ERPScan experts have been interviewed by top media and specialized infosec sources worldwide such as Reuters, Yahoo News, CIO, PCWorld, DarkReading, Heise and Chinabyte. Our staff includes highly qualified experts with experience in many different fields of security, from web applications and mobile/embedded to reverse engineering and ICS/SCADA systems, who pool that experience to conduct research in SAP system security.
About EAS-SEC
Project
EAS-SEC (formerly part of the OWASP Projects global strategy group) [47] is a non-profit worldwide organization focused on improving business application software security.
EAS-SEC is a guide for people involved in the acquisition, design and implementation of large-scale applications, the so-called Enterprise Applications. The security of Enterprise Applications is one of the most discussed topics in the general area of application security, because such applications control the organization's resources, including funds which may be lost as a result of any security breach.
Project mission
The purpose of the EAS-SEC project, launched in 2010, is to raise awareness of business and enterprise application security problems among users, administrators and developers, and to create guidelines and tools for assessing the security, secure configuration and secure development of enterprise applications. A general analysis of the main business applications has been carried out, and the key security areas which require attention both during development and during implementation have been collected. In addition, two studies have been published: «SAP Security in figures for 2011» [48] and «The state of SAP security 2013: Vulnerabilities, threats and trends» [49]. The results of these reports have been presented at key conferences such as RSA and have been highlighted in the press [50].
EAS-SEC has a number of main objectives, on the basis of which subprojects are created:
1. Informing the wider public about security vulnerabilities in enterprise applications by releasing annual statistics on such vulnerabilities. Subproject: Enterprise Business Application Vulnerability Statistics [51];
2. Helping software vendors improve the security of their products by providing tools in the Enterprise Business Application Security Vulnerability Testing Guide [52] subproject;
3. Developing free advanced tools for assessing the security of enterprise applications, in the Enterprise Business Application Security Software [53] subproject;
4. Helping companies assess the security of enterprise applications at the early stages by providing tools in the Enterprise Business Application Security Implementation Assessment Guide [54] subproject.
Links and further reading
[1] «ERPScan – strategic SAP AG partner in security» [Internet]. Available: http://erpscan.com/.
[2] «OWASP-EAS» [Internet]. Available: http://eas-sec.org/.
[3] «Worldwide Public statistics of SAP systems» [Internet]. Available: http://sapscan.com/.
[4] «As economy falters, employee theft on the rise» [Internet]. Available: http://www.lasvegassun.com/news/2009/nov/06/managing-fraud-lesson-recession/.
[5] «ACFE Report to the Nations» [Internet]. Available: https://chapters.theiia.org/birmingham/Documents/Fraud___Internal_Audit_IIA_6Sep2012.pdf.
[6] «ERPScan publications: "SAP Security: attacking SAP clients"» [Internet]. Available: http://erpscan.com/publications/sap-security-attacking-sap-clients/.
[7] «CanSecWest conference report by Steve Lord, Mandalorian» [Internet]. Available: cansecwest.com/slides06/csw06-lord.ppt.
[8] «ERPScan's SAP Pentesting Tool» [Internet]. Available: http://erpscan.com/products/erpscan-pentesting-tool/.
[9] «ERPScan WEBXML Checker» [Internet]. Available: http://erpscan.com/products/erpscan-webxml-checker/.
[10] «Sapyto – SAP Penetration Testing Framework» [Internet]. Available: cybsec.com/EN/research/sapyto.php.
[11] «Top 10 most interesting SAP vulnerabilities and attacks» [Internet]. Available: http://erpscan.com/wp-content/uploads/2012/06/Top-10-most-interesting-vulnerabilities-and-attacks-in-SAP-2012-InfoSecurity-Kuwait.pdf.
[12] «Acknowledgments to Security Researchers» [Internet]. Available: http://scn.sap.com/docs/DOC-8218.
[13] «Vulnerability Database Security Focus» [Internet]. Available: securityfocus.com.
[14] «Common Vulnerabilities and Exposures» [Internet]. Available: http://cve.mitre.org.
[15] «US National Vulnerability Database» [Internet]. Available: http://web.nvd.nist.gov/.
[16] «Exploit Database by Offensive Security» [Internet]. Available: http://exploit-db.com.
[17] «SAP NetWeaver J2EE – DilbertMSG SSRF» [Internet]. Available: http://erpscan.com/advisories/dsecrg-12-036-sap-xi-authentication-bypass/.
[18] «SAP Host Control – Command injection» [Internet]. Available: http://contextis.com/research/blog/sap-parameter-injection-no-space-arguments/.
[19] «SAP NetWeaver J2EE – File Read/Write» [Internet]. Available: https://service.sap.com/sap/support/notes/1682613.
[20] «SAP Message Server – Buffer Overflow» [Internet]. Available: http://www.zerodayinitiative.com/advisories/ZDI-12-112/.
[21] «SAP Dispatcher – Diag protocol Buffer Overflow» [Internet]. Available: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities.
[22] «Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol» [Internet]. Available: corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=publication&page=Uncovering_SAP_vulnerabilities_reversing_and_breaking_the_Diag_protocol&file=Slides.pdf.
[23] «SAP Management Console Information Disclosure» [Internet]. Available: http://www.onapsis.com/get.php?resid=adv_onapsis-2011-002.
[24] «Systems Applications Proxy Pwnage» [Internet]. Available: http://www.sensepost.com/cms/resources/labs/tools/poc/sapcap/44con_2011_release.pdf.
[25] «Architecture and program vulnerabilities in SAP's J2EE engine» [Internet]. Available: http://erpscan.com/wp-content/uploads/2011/08/A-crushing-blow-at-the-heart-SAP-J2EE-engine_whitepaper.pdf.
[26] «The ABAP Underverse» [Internet]. Available: http://virtualforge.com/tl_files/Theme/whitepapers/BlackHat_EU_2011_Wiegenstein_The_ABAP_Underverse-WP.pdf.
[27] «SQL Injection with ABAP» [Internet]. Available: http://virtualforge.com/tl_files/Theme/Presentations/HITB2011.pdf.
[28] «SAP NetWeaver – Authentication bypass (Verb Tampering)» [Internet]. Available: http://erpscan.com/advisories/dsecrg-11-041-sap-netweaver-authentication-bypass-verb-tampering/.
[29] «Invoker Servlet» [Internet]. Available: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/bb/f2b9d88ba4e8459e5a69cb513597ec/frameset.htm.
[30] «PROTECTING JAVA AND ABAP BASED SAP APPLICATIONS AGAINST COMMON ATTACKS» [Internet]. Available: http://virtualforge.com/tl_files/Theme/whitepapers/201106_SAP_Security_Recommendations_Protecting_JAVA_ABAP.pdf.
[31] «SAP Infrastructure security internals: Google and Shodan hacking for SAP» [Internet]. Available: http://erpscan.com/press-center/blog/sap-infrastructure-security-internals-google-and-shodan-hacking-for-sap/.
[32] «SAP Application Server Security essentials: default passwords» [Internet]. Available: http://erpscan.com/press-center/blog/sap-application-server-security-essentials-default-passwords/.
[33] «SAP NetWeaver SLD – Information Disclosure» [Internet]. Available: http://erpscan.com/advisories/dsecrg-11-023-sap-netweaver-sld-information-disclosure/.
[34] «NetWeaver BCB – Missing Authorization / Information disclosure» [Internet]. Available: http://erpscan.com/advisories/dsecrg-11-027-netweaver-bcb-%E2%80%93-missing-authorization-information-disclosure/.
[35] «SAP NetWeaver AdapterFramework – information disclosure» [Internet]. Available: http://erpscan.com/advisories/dsecrg-12-050-sap-netweaver-adapterframework-information-disclosure/.
[36] «ops$ mechanism» [Internet]. Available: http://scn.sap.com/community/oracle/blog/2012/10/15/sunset-for-ops-mechanism-no-more-supported-by-oracle-not-used-by-sap.
[37] «Easy Service Marketplace» [Internet]. Available: http://www.easymarketplace.de/saprouter.php.
[38] «SAP NetWeaver SOAP RFC – Denial of Service / Integer overflow» [Internet]. Available: http://erpscan.com/advisories/dsecrg-11-029-sap-netweaver-soap-rfc-%E2%80%93-denial-of-service-integer-overflow/.
[39] «SAP Netweaver XRFC — Stack Overflow» [Internet]. Available: http://erpscan.com/advisories/dsecrg-10-005-sap-netweaver-xrfc-%E2%80%94-stack-overflow/.
[40] «TCP/IP Ports Used by SAP Applications» [Internet]. Available: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/4e515a43-0e01-0010-2da1-9bcc452c280b?QuickLink=index&overridelayout=true&42472931642836.
[41] «Scrubbing SAP clean with SOAP» [Internet]. Available: http://www.slideshare.net/ChrisJohnRiley/sap-insecurity-scrubbing-sap-clean-with-soap.
[42] «CORE Labs Discovery of Six Vulnerabilities within SAP Netweaver» [Internet]. Available: http://blog.coresecurity.com/2012/05/09/core-labs-discovery-of-six-vulnerabilities-within-sap-netweaver/.
[43] «Fighting Economic Crime in the Financial Services sector» [Internet]. Available: http://docs.media.bitpipe.com/io_10x/io_102267/item_485936/Economic%20crime%20in%20FS%20sector.pdf.
[44] «Espionage virus sent blueprints to China» [Internet]. Available: http://www.telegraph.co.uk/technology/news/9346734/Espionage-virus-sent-blueprints-to-China.html.
[45] «Win32/Spy.Ranbyus modifying Java code in RBS Ukraine systems» [Internet]. Available: http://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/.
[46] «Associated Press Twitter Account Hacked in Market-Moving Attack» [Internet]. Available: http://www.bloomberg.com/news/2013-04-23/dow-jones-drops-recovers-after-false-report-on-ap-twitter-page.html.
[47] «The Open Web Application Security Project (OWASP)» [Internet]. Available: https://www.owasp.org/index.php/Main_Page.
[48] «SAP Security in Figures. Digital Security results for 2007–2011» (in Russian) [Internet]. Available: http://scn.sap.com/docs/DOC-29427.
[49] «The state of SAP security 2013: Vulnerabilities, threats and trends» [Internet]. Available: http://www.rsaconference.com/writable/presentations/file_upload/das-t03_final.pdf.
[50] G. Burton, «Companies exposed to attack by out-of-date SAP applications» [Internet]. Available: http://www.computing.co.uk/ctg/news/2275640/companies-exposed-to-attack-by-outofdate-sap-applications.
[51] «Enterprise Business Application Vulnerability Statistics» [Internet]. Available: https://www.owasp.org/index.php/Enterprise_Business_Application_Vulnerability_Statistics.
[52] «Enterprise Business Application Security Vulnerability Testing Guide» [Internet]. Available: https://www.owasp.org/index.php/Enterprise_Business_Application_Security_Vulnerability_Testing_Guide_v1.
[53] «Enterprise Business Application Security Software» [Internet]. Available: https://www.owasp.org/index.php/Enterprise_Business_Application_Security_Software.
[54] «Enterprise Business Application Security Implementation Assessment Guide» [Internet]. Available: https://www.owasp.org/index.php/Enterprise_Business_Application_Security_Implementation_Assessment_Guide.
[55] «The ERP Security Challenge» [Internet]. Available: http://www.cio.com/article/216940/The_ERP_Security_Challenge.