Security Experts: Online SAP Deployments Widely Susceptible to Attack

During his talk earlier this month at RSA Conference Asia Pacific 2013, Alexander Polyakov, CTO of ERPScan, disclosed that there are thousands of unpatched and thus insecure SAP deployments online today, all over the world.

SAP Security Vulnerabilities

According to the slides (PDF) from Polyakov’s talk, nearly 60 percent of the known SAP vulnerabilities discovered this year were found by outside researchers, proving that there is a growing interest from the security community – due largely to the value of SAP deployments themselves.

As part of his research, Polyakov found 4,000 servers hosting public-facing SAP applications. The servers were discovered using simple keyword searches on Google and Shodan. Thirty-five percent of the servers discovered were deployed to the Web running NetWeaver version 7 EHP 0. This is a problem because that version last received a patch in 2005.

Further, there were systems on the Web running NetWeaver that haven’t seen an update since April 2010, and more still that haven’t been patched since October 2008.
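The exposure-plus-staleness pattern described above is what a defender's own inventory check should surface: which systems are reachable from the internet, which release they run, and how long ago they were last patched. The following is an added example, not code from the article or from ERPScan; the hostnames, dates, the 365-day staleness threshold and the inventory format are all constructed assumptions.

```python
"""Added example: triage an SAP NetWeaver inventory for internet-exposed,
stale-patched systems. Sample inventory and dates are constructed for
illustration; they are not data from the article."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SapSystem:
    host: str
    product: str           # e.g. "NetWeaver ABAP", "NetWeaver J2EE"
    release: str           # SAP release string, e.g. "7.00" = NetWeaver 7 EHP 0
    last_patch: date       # date the last support package / note was applied
    internet_facing: bool  # reachable from the public internet


def parse_release(release: str) -> tuple:
    """Split "7.02" into (7, 2): major release and enhancement package (EHP)."""
    major, ehp = release.split(".", 1)
    return int(major), int(ehp)


def patch_age_days(system: SapSystem, as_of: date) -> int:
    """Days since the system last received a patch, relative to as_of."""
    return (as_of - system.last_patch).days


def risk_level(system: SapSystem, as_of: date, stale_days: int = 365) -> str:
    """Classify a system by exposure and patch staleness.

    critical: internet-facing and unpatched for longer than stale_days
    high:     only one of the two conditions holds
    low:      neither
    The 365-day threshold is an assumed policy value, not from the article.
    """
    stale = patch_age_days(system, as_of) > stale_days
    if system.internet_facing and stale:
        return "critical"
    if system.internet_facing or stale:
        return "high"
    return "low"


def triage(inventory, as_of: date, stale_days: int = 365):
    """Return one summary dict per system, worst risk (then oldest patch) first."""
    order = {"critical": 0, "high": 1, "low": 2}
    rows = []
    for s in inventory:
        major, ehp = parse_release(s.release)
        rows.append({
            "host": s.host,
            "product": s.product,
            "version": f"NetWeaver {major} EHP {ehp}",
            "patch_age_days": patch_age_days(s, as_of),
            "risk": risk_level(s, as_of, stale_days),
        })
    rows.sort(key=lambda r: (order[r["risk"]], -r["patch_age_days"]))
    return rows


# Constructed sample inventory (hostnames, dates and exposure flags are made up).
SAMPLE_INVENTORY = [
    SapSystem("sap-portal-01.example.test", "NetWeaver J2EE", "7.00", date(2005, 11, 1), True),
    SapSystem("sap-erp-02.example.test", "NetWeaver ABAP", "7.02", date(2010, 4, 15), True),
    SapSystem("sap-dev-03.example.test", "NetWeaver ABAP", "7.31", date(2013, 3, 1), False),
    SapSystem("sap-hr-04.example.test", "NetWeaver ABAP", "7.01", date(2008, 10, 1), False),
]
AS_OF = date(2013, 6, 30)  # fixed reference date so the results are reproducible


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, AS_OF):
        print(f'{row["risk"]:8} {row["host"]:28} {row["version"]:18} '
              f'{row["patch_age_days"]:5}d since last patch')
```

In practice the inventory would be populated from the organisation's own asset register (SAP release and support package level are readable from the system itself by an administrator), and the internet-facing flag from the perimeter configuration; the value of the script is that it ranks a 7 EHP 0 system exposed to the Web above an equally old system that is internal-only.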

When it came to instances of SAP NetWeaver J2EE, Polyakov said he discovered similar numbers of vulnerable deployments, including some with flaws that would enable an attacker to create user accounts, assign roles, execute commands, and more.

SAP security is extremely important, Polyakov noted, due to several types of risks, including a growing rate of interest from those in the exploit marketplace, anonymous attacks from criminals in remote locations, and insider attacks.

SAP software is used by 74% of the Fortune 500, often to manage highly valuable and extremely sensitive corporate data, including HR data and sales data. Some even have direct access to SCADA systems.

“You need to do your HR and financials with SAP,” Polyakov said during his presentation.

So if the SAP system is compromised, he noted, “It is kind of the end of the business. If someone gets access to the SAP they can steal HR data, financial data or corporate secrets.”

A video of his presentation, available on YouTube, is embedded below.

Related Reading: Vulnerable SAP Deployments Make Prime Attack Targets

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.