Goa'18

Common vulnerabilities in SAP and why it needs to be a bigger concern


SAP enterprise applications are the core of any large-scale company. ERP and other business-critical applications based on SAP are used in innumerable organizations around the globe.

SAP enables all the critical business processes, from procurement, payment and transport to human resources management, product management and financial planning. All data stored in ERP systems is of great importance, and any illegal action could result in enormous losses and even the termination of business processes. Despite this, the criticality of SAP has not been discussed as much as that of other platforms like Android.

These business applications store critical corporate data which, if leaked or manipulated, could prove to be a disaster for any company. Such systems are specifically targeted by hackers and competitor companies to obtain trade secrets and financial data.

According to the SAP Cyber Threat Report by ERPScan, the following common problems lie at the root of SAP security issues.

  • Lack of qualified specialists - SAP specialists in most companies still consider SAP security to be a SoD (segregation of duties) matrix only, whereas security officers hardly understand SAP threats, let alone the methods and approaches for preventing them.
  • Wide range of advanced configurations - There are more than 1000 parameters in a standard system configuration, plus a great range of advanced options, not to mention the segregation of access rights to various objects such as transactions, tables, RFC procedures, etc. For instance, the web interfaces for accessing the system alone can amount to several thousand. Securing a configuration on this scale can be hard even for a single system.
  • Customizable configuration - You can hardly find two identical SAP systems, because most parameters are customized for every client. Furthermore, most companies develop custom programs, whose security also has to be accounted for in a complete assessment.

Since its inception, more than 3500 SAP security notes have been released, and now, because of cloud and mobile technologies, these vulnerabilities can affect the thousands of companies running vulnerable SAP services. Just to remind you, we are talking about SAP here, a system that more than 80% of the Fortune 500 companies use in one way or another.

There have been many major attacks on SAP-based systems in the recent past. Some got media attention, but almost 90% of data breaches in SAP environments go unnoticed, because employees and security officers (CISOs) are not aware of the techniques used to exploit and gain access to an SAP system or database, which differ from the traditional attack process against web applications.

In 2012, the Greek Ministry of Finance was attacked by the Anonymous group. Anonymous said they had accessed IBM servers and obtained an SAP zero-day exploit. The group claimed to have stolen confidential documents and credentials from the Greek Ministry of Finance.

In 2013, the world witnessed the first malware targeting SAP as well as banking applications. The Nvidia customer service website was also attacked through a vulnerability in an SAP application which Nvidia had not patched even after years. Since then, hundreds of other SAP portals and applications have been hacked, mostly due to a lack of technical understanding of the security risks in SAP environments.

SAP applications exposed to the Internet can easily be found using Google dorks and even Shodan.

Application server type    Search string
SAP NetWeaver ABAP         inurl:/SAP/BC/BSP
SAP NetWeaver J2EE         inurl:/irj/portal
SAP Business Objects       inurl:infoviewap

These dorks can be combined with a particular company name to search for that company's exposed SAP applications on the Internet. A single Google search can reveal thousands of such web portals, many of which are still vulnerable.
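The same three search strings can be turned around for defence: an added example (not code from the original article) that scans constructed reverse-proxy access log lines for the SAP entry-point paths from the table and reports which components have been reached from outside the organisation's own address ranges. The common log format, the sample lines and the 10.0.0.0/8 and 192.168.0.0/16 internal ranges are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# The search strings from the table above, mapped to the component they identify
SAP_PATH_SIGNATURES = {
    "SAP NetWeaver ABAP": "/sap/bc/bsp",
    "SAP NetWeaver J2EE": "/irj/portal",
    "SAP Business Objects": "infoviewap",
}

# Assumed internal ranges; a real deployment would list its own networks
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Assumed common log format written by the reverse proxy in front of SAP
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real traffic
SAMPLE_LOG = """\
10.20.3.7 - - [05/Mar/2018:10:01:02 +0000] "GET /sap/bc/bsp/sap/it00/default.htm HTTP/1.1" 200 5120
198.51.100.23 - - [05/Mar/2018:10:02:44 +0000] "GET /irj/portal HTTP/1.1" 200 8823
198.51.100.23 - - [05/Mar/2018:10:02:45 +0000] "GET /sap/bc/bsp/sap/zcrm/start.htm HTTP/1.1" 401 0
203.0.113.9 - - [05/Mar/2018:10:05:10 +0000] "GET /BOE/InfoViewApp/logon.jsp HTTP/1.1" 200 2210
192.168.1.50 - - [05/Mar/2018:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 100
"""


def classify(path):
    """Return the SAP component a request path points at, or None for other paths."""
    lowered = path.lower()
    for component, signature in SAP_PATH_SIGNATURES.items():
        if signature in lowered:
            return component
    return None


def is_internal(addr, networks=INTERNAL_NETWORKS):
    return any(addr in net for net in networks)


def find_external_exposure(log_text):
    """Per SAP component: hits from outside the internal ranges.

    'served' counts responses below 400; a 401/403 still proves the endpoint is
    reachable from the Internet, so those are counted under 'reachable' instead.
    """
    report = defaultdict(lambda: {"served": 0, "reachable": 0, "sources": set()})
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        component = classify(m.group("path")) if m else None
        if component is None:
            continue
        addr = ipaddress.ip_address(m.group("ip"))
        if is_internal(addr):
            continue  # internal users are expected to reach these paths
        entry = report[component]
        entry["sources"].add(str(addr))
        entry["served" if int(m.group("status")) < 400 else "reachable"] += 1
    return {c: {**v, "sources": sorted(v["sources"])} for c, v in report.items()}
```

Run over the firewall or proxy logs of the SAP landscape, a non-empty report for a component that was never meant to be public is the same finding a dork would give an outsider, only discovered first by the owner.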

Vulnerabilities that are found commonly on SAP applications

Directory traversal - This is one of the most common and easiest to exploit vulnerabilities I have found during my experience. Though it is generally trivial, in SAP applications it can reveal secret business financial data, confidential documents and trade secrets.

Default accounts - Many times developers do not disable the default accounts that come with a default installation. I have seen custom-built CRM shipped with these accounts enabled. Many of these accounts are configured with highly privileged profiles (SAP*, DDIC, TMSADM).

Missing authorization check - By default, ICF services are not assigned an authorization value. This means that an attacker only needs a user account in the system to be able to execute many functions. This could even lead to command injection on the underlying server.

SOAP RFC service - The RFC protocol is used to call ABAP function modules on remote SAP servers. This protocol is usually not accessible from the Internet. If this service is enabled, an attacker can perform RFC calls to the SAP Web Application Server just as if he were sitting in the local network!

Information disclosure - A lot of sensitive information can be obtained easily from SAP applications through forced browsing or by viewing the source code and HTTP traffic. This includes the version numbers of all the components used, the database in use and many other details which can help an attacker.

A lot of researchers have worked on SAP security and have published tools and whitepapers on it at different conferences, but what concerns me is that it still has not got the focus and importance it should be getting in the security community.

A large number of penetration testers lack the knowledge required to assess SAP web applications. A deep understanding of the SAP architecture and its components is needed before starting to test the security of SAP applications. Traditional tools like Nessus and most web vulnerability scanners are not built to work against SAP applications; a different toolset and a different approach are required.

It is high time for people associated with information security to realise the importance of SAP security and spread awareness about it.

By Rashid Feroze

About the author: Rashid Feroze is a security consultant and pentester at Payatu Technologies. He can be reached on Twitter at @rashid_feroze.

Copyright © 2019-20 | Nullcon India | International Security Conference | All Rights Reserved