Invest in security to secure investments

What CISOs should know about SAP Security

Alexander Polyakov
CTO, ERPScan

Agenda

•  SAP: Intro
•  SAP security vulnerabilities
•  SAP security myths
•  Demo
•  Problem
•  Solution
•  SAP security in figures report
•  Future trends and predictions
•  Conclusions
  
Business application security

All business processes are generally contained in ERP systems. Any information an attacker, be it a cybercriminal, industrial spy or competitor, might want is stored in the company's ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at the victim's ERP system and cause significant damage to the business.
  
SAP

•  The most popular business application
•  More than 248000 customers worldwide
•  86% of Forbes 500 run SAP
  
Business application security

•  Complexity
   Complexity kills security. Many different vulnerabilities at all levels, from network to application
•  Customization
   Cannot be installed out of the box. They contain a lot (up to 50%) of custom code and business logic
•  Risky
   Rarely updated, because administrators are scared that systems can be broken during updates; also, updates mean downtime
•  Unknown
   Mostly available inside the company (closed world)

http://erpscan.com/wp-content/uploads/pres/Forgotten%20World%20-%20Corporate%20Business%20Application%20Systems%20Whitepaper.pdf
  
Why security?

•  Espionage
–  Stealing financial information
–  Stealing corporate secrets
–  Stealing supplier and customer lists
–  Stealing HR data
•  Sabotage
–  Denial of service
–  Modification of financial reports
–  Access to the technology network (SCADA) through trust relations
•  Fraud
–  False transactions
–  Modification of master data
  
SAP Security Problems

Myth 1: Business applications are only available internally, which means there is no threat from the Internet

Myth 2: ERP security is a vendor's problem

Myth 3: Business application internals are very specific and not known to hackers

Myth 4: ERP security is all about SOD
Myth 1

Current point of view

This myth is popular for internal corporate systems: people think that these systems are only available internally.

Real life

Yes, maybe in the mainframe era you could use SAP only internally, but not now, in the era of global communications. You need connections with:

•  Other offices
•  Customers and suppliers
•  For SAP systems, you need a connection with the SAP network

Myth 1

Even if you do not have a direct connection, there are user workstations connected to the Internet.
  
Myth 2

The vendor is NOT responsible for any damage resulting from vulnerabilities in its products.

Myth 2

•  Vendor problems
–  Program errors
–  Architecture errors
•  User problems
–  Implementation architecture errors
–  Defaults and misconfigurations
–  Human factor
–  Patch management
–  Policies and procedures

Even if software is secure, it should be securely implemented.
  
Myth 3

Current point of view

Business application internals are very specific and not known to hackers.

Real life:

•  Popular products are "reviewed" by hackers, and thus more secure
•  Business applications have become more and more popular on the Internet
•  And also popular with hackers and researchers
•  Unfortunately, their security level is still like 3-5 years ago
•  Now they look like a defenseless child in a big city
  
Myth 4

Current point of view:

Many people, especially ERP people, think that security is all about SOD.

Real life:

•  Setting up AD access control does not give you a secure infrastructure
•  Buying a new engine for your car every year will not help you if you simply puncture a wheel
•  Recall also the Sachar Paulus interview that says: "other threat comes from people connecting their ERP systems to the Internet"

Myth 4

An ERP system with secure SOD and nothing else is much like spending all your money on video systems and biometric access control while leaving the back door open for housekeepers.
  
SAP Security: DEMO 1

Problem

•  How to protect ourselves from fraud and cyber-activities?
•  How to automate security checks for big landscapes?
•  How to decrease costs?
•  How to prioritize updates?

SAP Security Problems
  
SAP Security talks

[Chart: number of SAP security talks per year, 2006-2012 (y axis 0-35)]

Most popular:
•  BlackHat
•  HITB
•  Troopers
•  RSA
•  Source
•  DeepSec
•  etc.

2007 – Architecture vulnerabilities in the RFC protocol
2008 – Attacks via SAPGUI
2009 – SAP backdoors
2010 – Attacks via SAP WEB applications
2010 – Stuxnet for SAP
2011 – Architecture and program vulnerabilities in ABAP and J2EE
2012 – Vulnerabilities in SAP solutions (SolMan, Portal, XI), services (Dispatcher, Message Server) and protocols (XML, DIAG)
2013 – SAP Forensics and Anti-forensics

How to get this information?

ISACA Assurance (ITAF)
  
SAP Security notes

[Chart: SAP security notes per year, 2001-2012 (y axis 0-900)]

By January 2013, a total of 2520 notes.

Only one vulnerability is enough to get access to ALL business-critical DATA.

Disclosed vulnerabilities
  
Now, it adds, "We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they..." Anonymous claims to have a "sweet 0day SAP exploit", and the group intends to "sploit the hell out of it."

•  * This attack has not been confirmed by the customer nor by the police authorities in Greece investigating the case. SAP does not have any indication that it happened.

And…

SAP Security

Solutions
  
•  Business logic security (SOD)
   Prevents attacks or mistakes made by insiders
   Solution: GRC (2002)
•  ABAP code security
   Prevents attacks or mistakes made by developers
   Solution: Code audit (2008)
•  Application platform security
   Prevents unauthorized access both within the corporate network and from remote attackers
   Solution? (2010)
•  Forensics
   What if we missed something in the listed areas? (2013)

Compliance

First of all, choose the one that you want:

•  EAS-SEC
•  SAP NetWeaver ABAP Security configuration
•  ISACA (ITAF)
•  DSAG
  
SAP Security Guidelines

•  Guidelines made by SAP
•  First official SAP guide for technical security of the ABAP stack
•  Secure Configuration of SAP NetWeaver® Application Server Using ABAP
•  First version – 2010; version 1.2 – 2012
•  For rapid assessment of the most common technical misconfigurations in the platform
•  Consists of 9 areas and 82 checks
•  Ideal as a second step; gives more details on some of the EAS-SEC standard areas

SAP Security Guidelines

•  Network access control
•  Workstation security
•  Password policies
•  Network security
•  HTTP security
•  Unnecessary web applications
•  RFC connections
•  SAP Gateway security
•  SAP Message Server security
  
ISACA Assurance (ITAF)

•  Guidelines made by ISACA
•  Checks cover configuration and access control areas
•  First and most complete compliance guideline
•  There were 3 versions, published in 2002, 2006 and 2009 (some areas are outdated)
•  The technical part is covered less than access control and misses critical areas
•  Its main advantage is a big database of access control checks
•  Consists of 4 parts and about 160 checks
•  Ideal as a third step and for detailed coverage of access control
  
DSAG

•  Set of recommendations from the Deutsche SAP User Group
•  Checks cover all security areas, from technical configuration and source code to access control and management procedures
•  Currently the biggest guideline on SAP Security
•  Last version in Jan 2011
•  Consists of 8 areas and 200+ checks
•  Ideal as a final step for securing SAP, but consists of many checks which need additional decision making that highly depends on the installation.

http://www.dsag.de/fileadmin/media/Leitfaeden/110818_Leitfaden_Datenschutz_Englisch_final.pdf
  	
  
EAS-SEC for NetWeaver (EASAI-NA)

Enterprise Application Systems Application Implementation – NetWeaver ABAP

•  Developed by ERPScan: first standard of the EAS-SEC series
•  Will be published in September
•  Rapid assessment of SAP security in 9 areas
•  Contains the 33 most critical checks
•  Ideal as a first step
•  Also contains information for the next steps
•  Categorized by priority and criticality
  
EASAI-NA-2013

EASAI-NA                                        Access         Criticality   Easy to exploit   % of vulnerable systems
1. Lack of patch management                     Anonymous      High          High              99%
2. Default passwords for application access     Anonymous      High          High              95%
3. Unnecessary enabled functionality            Anonymous      High          High              90%
4. Open remote management interfaces            Anonymous      High          Medium            90%
5. Insecure configuration                       Anonymous      Medium        Medium            90%
6. Unencrypted communication                    Anonymous      Medium        Medium            80%
7. Access control and SOD                       User           High          Medium            99%
8. Insecure trust relations                     User           High          Medium            80%
9. Logging and monitoring                       Administrator  High          Medium            98%

SAP Security

SAP Security in Figures 2013

Security notes by year
  
[Chart: SAP security notes per year, 2001-2013 (y axis 0-900)]

More than 2600 in total.

Security notes by criticality
  
[Chart: high priority vulnerabilities per year, 2009-2012 (y axis 0-100)]

[Chart: low priority vulnerabilities per year, 2009-2012 (y axis 0-12)]

[Chart: notes by priority class (x axis 0-2000)]
Priority classes:
1 - HotNews
2 - Correction with high priority
3 - Correction with medium priority
4 - Correction with low priority
6 - Recommendations/additional info

By the end of April 2013.

Security notes by type
  
[Pie chart: share of notes by vulnerability type; values 25%, 22%, 20%, 9%, 7%, 5%, 4%, 4%, 3%, 1%]

Top 10 vulnerabilities by type:
1 - XSS
2 - Missing authorisation check
3 - Directory traversal
4 - SQL Injection
5 - Information disclosure

Acknowledgments

Number of vulnerabilities found by external researchers:

•  2010 - 58
•  2011 - 107
•  2012 - 89
•  2013 - 52

The record of vulnerabilities found by external researchers was cracked in January 2013: 76%.
  
[Chart: percentage of vulnerabilities found by external researchers, 2010-2013 (y axis 0-70)]

Acknowledgments

•  More interest from other companies

* Number of vulnerabilities that were sent to SAP but were rejected because they had already been found before by another company or by SAP's internal code review.
  
[Chart: number of already patched issues per year, 2010-2012 (y axis 0-7)]

SAP security talks at conferences
  
[Chart: SAP security talks at conferences per year, 2003-2013 (y axis 0-35)]

Talks about:
•  Common: SAP Backdoors, SAP Rootkits, SAP Forensics
•  Services: SAP Gateway, SAP Router, SAP NetWeaver, SAP GUI, SAP Portal, SAP Solution Manager, SAP TMS, SAP Management Console, SAP ICM/ITS
•  Protocols: DIAG, RFC, SOAP (MMC), Message Server, P4
•  Languages: ABAP Buffer Overflow, ABAP SQL Injection, J2EE Verb Tampering, J2EE Invoker Servlet
•  Overview: SAP Cyber-attacks, Top 10 Interesting Issues, Myths about ERP

Almost every part of SAP was hacked.

Top 5 SAP vulnerabilities 2012
  
1.  SAP NetWeaver DilbertMsg servlet SSRF (June)
2.  SAP HostControl command injection (May)
3.  SAP SDM Agent command injection (November)
4.  SAP Message Server buffer overflow (February)
5.  SAP DIAG buffer overflow (May)
  
SAP NetWeaver DilbertMsg servlet SSRF

Espionage: Critical
Sabotage: Critical
Fraud: Medium
Availability: Anonymously through the Internet
Ease of exploitation: Medium
Future impact: High (new type of attack)
CVSSv2: 7.3
Advisory: http://erpscan.com/advisories/dsecrg-12-036-sap-xi-authentication-bypass/
Patch: SAP Note 1707494
Authors: Alexander Polyakov, Alexey Tyurin, Alexander Minozhenko (ERPScan)
  
SAP HostControl command injection

Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymously through the Internet
Ease of exploitation: Easy (a Metasploit module exists)
Future impact: Low (single issue)
CVSSv2: 10
Advisory: http://www.contextis.com/research/blog/sap-parameter-injection-no-space-arguments/
Patch: SAP Note 1341333
Author: Contextis
  
SAP J2EE file read/write

Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymously
Ease of exploitation: Medium
Future impact: Low
CVSSv2: 10
Advisory: https://service.sap.com/sap/support/notes/1682613
Patch: SAP Note 1682613
Author: Juan Pablo
  
SAP Message Server buffer overflow

Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymous
Ease of exploitation: Medium. Good knowledge of exploit writing for multiple platforms is necessary
CVSSv2: 10.0
Advisory: http://www.zerodayinitiative.com/advisories/ZDI-12-112/
Patch: SAP Notes 1649840 and 1649838
Author: Martin Gallo
  
SAP DIAG buffer overflow

Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Low. Trace must be on
Ease of exploitation: Medium
CVSSv2: 9.3
Advisory: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities
Patch: SAP Note 1687910
Author: Martin Gallo

SAP Security
  
SAP and Internet

SAP on the Internet

•  Companies have SAP Portals, SAP SRMs, SAP CRMs remotely accessible
•  Companies connect different offices (by SAP XI)
•  Companies are connected to SAP (through SAP Router)
•  SAP GUI users are connected to the Internet
•  Administrators open management interfaces to the Internet for remote control

Almost all business applications have web access now.

Google search for web-based SAPs

•  As a result of the scan, 695 unique servers with different SAP web applications were found (14% more than in 2011)
•  22% of previously found services were deleted
•  35% growth in the number of new services
  
Shodan scan

[Pie chart: servers by application server type; values 41%, 34%, 20%, 6%; categories: SAP NetWeaver J2EE, SAP NetWeaver ABAP, SAP Web Application Server, Other (BusinessObjects, SAP Hosting, etc.)]

[Chart: growth by application server; values 94%, 72%, 30%, -20%, -55% (y axis -80% to 120%)]

A total of 3741 servers with different SAP web applications were found.

Internet Census 2012 scan

•  Not so legal project by the Carna Botnet
•  As a result, 3326 IPs with SAP Web applications
  
[Pie chart: NO SSL 32%, SSL 68%]

SAP NetWeaver ABAP – versions

•  7.3 growth by 250%
•  7.2 growth by 70%
•  7.0 loss by 22%
•  6.4 loss by 45%

[Pie chart: NetWeaver ABAP versions by popularity; values 35%, 23%, 19%, 11%, 6%, 5%; releases: 7.0 EHP 0 (Nov 2005), 7.0 EHP 2 (Apr 2010), 7.0 EHP 1 (Oct 2008), 7.3 (Jun 2011), 6.2 (Dec 2003), 6.4 (Mar 2004)]

The most popular release (35%, previously 45%) is still NetWeaver 7.0, and it was released in 2005!

But security is getting better.
  
NetWeaver ABAP – information disclosure

•  Information about the ABAP engine version can be easily found by reading an HTTP response
•  Detailed info about the patch level can be obtained if the application server is not securely configured
•  An attacker can get information from some pages like /sap/public/info

6% (was 59%) of servers still have this issue.
  
SAP NetWeaver ABAP – critical services

•  Execute dangerous RFC functions using HTTP requests
•  NetWeaver ABAP URL – /sap/bc/soap/rfc
•  There are several critical functions, such as:
-  Read data from SAP tables
-  Create SAP users
-  Execute OS commands, make financial transactions, etc.
•  By default, any user can have access to this interface and execute the RFC_PING command. So there are 2 main risks:
•  If there is a default username and password, the attacker can execute numerous dangerous RFC functions
•  If a remote attacker obtains any existing user credentials, they can execute a denial of service attack with a malformed XML packet

6% (was 40%) of ABAP systems on the Internet have the SOAP RFC service.
  
Prevention

•  Install SAP note 1394100
•  Install SAP note 931252
•  Disable applications that are not necessary

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0d2445f-509d-2d10-6fa7-9d3608950fee?overridelayout=true
  	
  
	
  
SAP NetWeaver J2EE – versions

•  7.31 growth from 0 to 3%
•  7.30 growth from 0 to 9%
•  7.02 growth by 67%
•  7.0 loss by 23%
•  6.4 loss by 40%

[Pie chart: NetWeaver JAVA versions by popularity; values 44%, 25%, 10%, 9%, 9%, 3%; releases: NetWeaver 7.00, NetWeaver 7.01, NetWeaver 7.02, NetWeaver 7.30, NetWeaver 6.40, NetWeaver 7.31]

The most popular release (44%, previously 57%) is still NetWeaver 7.0, and it was released in 2005!

But security is getting better.
  
NetWeaver J2EE – information disclosure

•  Information about the J2EE engine version can be easily found by reading an HTTP response.
•  Detailed info about the patch level can be obtained if the application server is not securely configured and allows an attacker to get information from some pages:
–  /rep/build_info.jsp – 26% (61% last year)
–  /bcb/bcbadmSystemInfo.jsp – 1.5% (17% last year)
–  /AdapterFramework/version/version.jsp – 2.7% (a new issue)
  
Prevention

•  Install SAP note 1503856
•  Install SAP note 1548548
•  Install SAP note 1679897

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0d2445f-509d-2d10-6fa7-9d3608950fee?overridelayout=true
  	
  
	
  
SAP NetWeaver J2EE – critical services

•  NetWeaver J2EE URL: /ctc/ConfigTool (and 30 others)
•  Can be exploited without authentication
•  There are several critical functions, such as:
–  Create users
–  Assign a role to a user
–  Execute OS commands
–  Remotely turn the J2EE Engine on and off
•  Was presented by us at BlackHat 2011

It was found that 50% (was 61%) of J2EE systems on the Internet have the CTC service enabled.
  
Prevention

•  Install SAP note 1589525
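The ABAP and J2EE slides above name the pages that reveal engine version and patch level (/sap/public/info, /rep/build_info.jsp, /bcb/bcbadmSystemInfo.jsp, /AdapterFramework/version/version.jsp) and the two critical services reachable over HTTP (/sap/bc/soap/rfc and /ctc/ConfigTool). The Python script below is an added example, not code from the deck or from ERPScan: it runs detection logic over web-server access log lines and reports which of those paths were reached, by whom, and whether the server answered, so an administrator can see which services are still switched on before applying the SAP notes listed on the prevention slides. The log lines are constructed; the Apache-style log format and the rule that 10.0.0.0/8 addresses are the internal network are assumptions made for this example.

```python
"""Audit an HTTP access log for the NetWeaver paths named in the deck.

Added example, not from the original deck. The log lines below are
constructed; the log format (Apache common log format) and the rule that
10.x addresses are internal are assumptions made for this example.
"""
import re
from collections import Counter

# Paths taken from the deck, grouped by what a hit on them tells a defender.
INFO_DISCLOSURE_PATHS = {
    "/sap/public/info": "ABAP engine version and patch level",
    "/rep/build_info.jsp": "J2EE engine build info",
    "/bcb/bcbadmSystemInfo.jsp": "J2EE system info",
    "/AdapterFramework/version/version.jsp": "adapter framework version",
}
CRITICAL_SERVICE_PATHS = {
    "/sap/bc/soap/rfc": "SOAP RFC interface (RFC functions over HTTP)",
    "/ctc/ConfigTool": "CTC ConfigTool (J2EE)",
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "low": 2}

# Constructed sample log (Apache common log format).
SAMPLE_LOG = """\
10.20.1.15 - - [04/Jun/2013:09:12:01 +0000] "GET /sap/bc/gui/sap/its/webgui HTTP/1.1" 200 5121
203.0.113.7 - - [04/Jun/2013:09:12:44 +0000] "GET /sap/public/info HTTP/1.1" 200 812
203.0.113.7 - - [04/Jun/2013:09:12:50 +0000] "POST /sap/bc/soap/rfc HTTP/1.1" 401 0
203.0.113.7 - - [04/Jun/2013:09:12:51 +0000] "POST /sap/bc/soap/rfc HTTP/1.1" 500 233
198.51.100.9 - - [04/Jun/2013:09:14:03 +0000] "GET /rep/build_info.jsp?x=1 HTTP/1.1" 200 1540
198.51.100.9 - - [04/Jun/2013:09:14:09 +0000] "GET /ctc/ConfigTool HTTP/1.1" 200 9920
10.20.1.15 - - [04/Jun/2013:09:15:00 +0000] "GET /sap/public/info HTTP/1.1" 200 812
this line is not a log record
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_internal(ip):
    """Assumption for this example: 10.0.0.0/8 is the corporate network."""
    return ip.startswith("10.")


def parse_line(line):
    """Parse one access-log record; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def classify_path(path):
    """Return 'info-disclosure', 'critical-service' or None for a request path."""
    if path in INFO_DISCLOSURE_PATHS:
        return "info-disclosure"
    if path in CRITICAL_SERVICE_PATHS:
        return "critical-service"
    return None


def audit_log(log_text):
    """Return (findings, enabled_paths).

    findings: one entry per (client, path) pair that touched a monitored path.
      critical: a critical service was reached from outside the network
      high:     an information-disclosure page was served to an outside client
      low:      a monitored path was hit from inside (the service is enabled;
                review whether it is needed)
    enabled_paths: monitored paths that answered 200 to anyone, i.e. services
      that are switched on and should be checked against the SAP notes above.
    """
    hits = {}
    enabled = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify_path(rec["path"])
        if kind is None:
            continue
        if rec["status"] == 200:
            enabled.add(rec["path"])
        entry = hits.setdefault((rec["ip"], rec["path"]), {
            "client": rec["ip"], "path": rec["path"], "kind": kind,
            "hits": 0, "statuses": Counter(),
        })
        entry["hits"] += 1
        entry["statuses"][rec["status"]] += 1

    findings = []
    for entry in hits.values():
        if is_internal(entry["client"]):
            entry["severity"] = "low"
        elif entry["kind"] == "critical-service":
            entry["severity"] = "critical"
        else:
            entry["severity"] = "high"
        entry["statuses"] = dict(entry["statuses"])
        findings.append(entry)
    findings.sort(key=lambda e: (SEVERITY_ORDER[e["severity"]], e["client"], e["path"]))
    return findings, enabled


if __name__ == "__main__":
    found, on = audit_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['severity']:8} {f['client']:14} {f['path']:40} hits={f['hits']} statuses={f['statuses']}")
    print("enabled services to review:", sorted(on))
```

On the constructed log the script reports two critical findings (the SOAP RFC interface and the CTC ConfigTool reached from outside), two high findings (version pages served to outside clients) and one low finding (an internal hit on /sap/public/info), and lists /sap/public/info, /rep/build_info.jsp and /ctc/ConfigTool as enabled. The failed SOAP RFC requests (401, then 500) are the pattern the deck describes for the two SOAP RFC risks, a credential attempt and a malformed packet, which is why every request to that path is counted, not only successful ones.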
  	
  
	
  
	
  
From Internet to Intranet

SAP Router

•  Special application proxy
•  Transfers requests from the Internet to SAP (and not only)
•  Can work through VPN or SNC
•  Almost every company uses it for connecting to SAP to download updates
•  Usually listens on port 3299
•  Internet accessible (approximately 5000 IPs)
•  http://www.easymarketplace.de/saprouter.php
  
Almost every third company has an SAP Router accessible from the Internet on the default port.

SAP Router: known issues

•  Absence of ACL – 15%
–  Possible to proxy any request to any internal address
•  Information disclosure about internal systems – 19%
–  Denial of service by specifying many connections to any of the listed SAP servers
–  Proxy requests to the internal network if there is no ACL
•  Insecure configuration, authentication bypass – 5%
•  Heap corruption vulnerability
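Of the SAP Router issues above, the absence of an ACL is the one a defender can verify from configuration alone: saprouter decides which connections to pass through from its route permission table (saprouttab), where each entry is an action (P permit, S permit SAP protocols only, D deny) followed by source host, destination host and destination service, '*' is a wildcard, and the first matching entry decides, as SAP's saprouter documentation describes. The Python audit below is an added example, not ERPScan's code or a SAP tool; it flags permit entries that proxy to any destination, accept any source or any port, and entries that can never match because a deny-all precedes them. Both route tables are constructed for the example; the saprouttab format is from SAP's documentation, not from the deck.

```python
"""Audit a saprouter route permission table (saprouttab) for over-broad entries.

Added example, not from the deck. Entries have the form
    <action> <source-host> <dest-host> <dest-serv> [password]
with action P (permit), S (permit, SAP protocols only) or D (deny); '*' is a
wildcard and the first matching entry decides. Both tables below are
constructed.
"""

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "info": 3}

# Weak table: a catch-all permit left in place "temporarily".
WEAK_SAPROUTTAB = """\
# branch office users to the production dispatcher
P 10.20.1.* sapprd01 3200
P 10.20.1.* sapprd01 3299   # onward hop to a second saprouter
S 10.20.1.* sapprd01 3300 s3cret
P * * *                      # everything else, "just for the migration"
D * * *
"""

# Hardened table: every permit names source, destination and service.
HARDENED_SAPROUTTAB = """\
P 10.20.1.* sapprd01 3200
P 10.20.1.* sapprd01 3299
S 10.20.1.* sapprd01 3300 s3cret
D * * *
"""


def parse_saprouttab(text):
    """Yield (line_no, action, source, dest, service) for each rule line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            yield line_no, "MALFORMED", None, None, None
            continue
        yield line_no, parts[0].upper(), parts[1], parts[2], parts[3]


def audit_saprouttab(text):
    """Return findings as dicts with line, rule, severity and issue."""
    findings = []
    deny_all_at = None  # line number of the first 'D * * *' seen, if any

    def add(line_no, rule, severity, issue):
        findings.append({"line": line_no, "rule": rule, "severity": severity, "issue": issue})

    for line_no, action, src, dst, serv in parse_saprouttab(text):
        rule = " ".join(p for p in (action, src, dst, serv) if p)
        if action == "MALFORMED":
            add(line_no, rule, "info", "entry has fewer than four fields")
            continue
        if deny_all_at is not None:
            # First match wins, so nothing after a deny-all is ever consulted.
            add(line_no, rule, "info",
                f"never matches: shadowed by the deny-all entry on line {deny_all_at}")
            continue
        if action in ("P", "S"):
            if dst == "*":
                add(line_no, rule, "critical", "permits proxying to any internal address")
            if src == "*":
                add(line_no, rule, "high", "any source host may use this route")
            if serv == "*":
                add(line_no, rule, "medium", "any destination port is allowed")
        elif action == "D" and (src, dst, serv) == ("*", "*", "*"):
            deny_all_at = line_no
    findings.sort(key=lambda f: (f["line"], SEVERITY_ORDER[f["severity"]]))
    return findings


def worst_severity(findings):
    """Highest severity present, or 'none' for a clean table."""
    if not findings:
        return "none"
    return min(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])["severity"]


if __name__ == "__main__":
    for name, table in (("weak", WEAK_SAPROUTTAB), ("hardened", HARDENED_SAPROUTTAB)):
        results = audit_saprouttab(table)
        print(f"{name}: {worst_severity(results)}")
        for f in results:
            print(f"  line {f['line']} [{f['severity']}] {f['rule']!r}: {f['issue']}")
```

The weak table produces three findings, all on the `P * * *` line, and the hardened table none; the explicit `D * * *` at the end is kept in the hardened table so that the intent is visible even though unmatched connections are refused anyway.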
  	
  
	
  
Port scan results

•  Are you sure that only the necessary SAP services are exposed to the Internet?
•  We were not
•  In 2011, we ran a global project to scan all of the Internet for SAP services
•  It is not completely finished yet, but we have the results for the top 1000 companies
•  We were shocked when we first saw them

Port scan results

[Chart: exposed services, 2011 vs 2013 (y axis 0-35); services: SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server, SAP Router]

Listed services should not be accessible from the Internet.
Exposed critical SAP services

[Chart: exposed services, South Africa vs average (y axis 0-18); services: SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd]
  
SAP HostControl service

•  SAP HostControl is a service which allows remote control of SAP systems
•  There are some functions that can be used remotely without authentication
•  Issues:
–  Read developer traces with passwords
–  Remote command injection
•  About every 120th (was 20th) company is vulnerable REMOTELY
•  About 35% of assessed systems locally

Prevention

•  SAP note 927637 - Web service authentication in sapstartsrv as of Release 7.00
•  SAP note 1439348 - Extended security settings for sapstartsrv
SAP Management console

•  SAP MMC allows remote control of SAP systems
•  There are some functions that can be used remotely without authentication
•  Issues:
–  Read developer traces with passwords
–  Read logs with JSESSIONIDs
–  Read information about parameters
•  About every 40th (was 11th) company is vulnerable REMOTELY
•  About 80% of systems locally
  
SAP Message Server

•  SAP Message Server – load balancer for application servers
•  Usually, this service is only available inside the company
•  By default, the server is installed on port 36NN
•  Issues:
–  Memory corruption
–  Information disclosure
–  Unauthorized service registration (MITM)
•  About every 60th (was every 10th) company is vulnerable REMOTELY
•  About 50% of systems locally
  
SAP Message Server HTTP
•  HTTP port of SAP Message Server
•  Usually, this service is only available inside the company
•  By default, the server is installed on the 81NN port
•  Issue: unauthorized read of profile parameters
•  About every 60th (was every 10th) company is vulnerable REMOTELY
•  About 90% of systems locally
70

Prevention
71
•  Install SAP note 916398

•  SAP Dispatcher - client-server communications
•  It allows connecting to SAP NetWeaver using the SAP GUI application through the DIAG protocol
•  Should not be available from the Internet in any way
•  Issues:
–  There are a lot of default users that can be used to connect and fully compromise the system remotely
–  Also, there are memory corruption vulnerabilities in Dispatcher
•  About every 20th (was 6th) company is vulnerable REMOTELY
72
SAP Dispatcher service

Prevention
73
•  Install SAP note 1741793
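The exposure figures on the preceding slides (HostControl, MMC, Message Server, Message Server HTTP, Dispatcher) and the SAP notes the prevention slides list can be turned into one triage step over an external port scan: map each open port back to the SAP service and instance it belongs to, and attach the note to check. The block below is an added example in Python and is not code from the talk or from ERPScan. Only the 36NN and 81NN ports are stated on the slides; the other ports (32NN Dispatcher, 33NN Gateway, 5NN13/5NN14 sapstartsrv, 1128/1129 Host Agent, 3299 SAP Router) are the standard SAP defaults and are an assumption about the landscape being reviewed. The scan inventory is constructed.

```python
"""Triage a port-scan inventory for SAP services that, as the slides above
say, should not be reachable from the Internet, and attach the SAP notes the
deck lists as prevention for each one.

Added example, not code from the talk or from ERPScan. The inventory at the
bottom is constructed; nothing here touches the network.
"""
import re

# Default ports. 36NN and 81NN are named on the slides; the rest are the
# standard SAP defaults and are an assumption about the landscape being
# reviewed. Exact ports come first so that 3299 is reported as SAP Router
# rather than as Dispatcher instance 99.
SERVICE_PORTS = {
    "SAP Router": ["3299"],
    "SAP HostControl (Host Agent)": ["1128", "1129"],
    "SAP MMC (sapstartsrv)": ["5NN13", "5NN14"],
    "SAP Dispatcher (DIAG)": ["32NN"],
    "SAP Gateway": ["33NN"],
    "SAP Message Server": ["36NN"],
    "SAP Message Server HTTP": ["81NN"],
}

# SAP notes exactly as the prevention slides list them. Slide 67's
# sapstartsrv notes are mapped to HostControl (where the deck places them)
# and to MMC, because sapstartsrv is the process behind SAP MMC.
PREVENTION_NOTES = {
    "SAP HostControl (Host Agent)": ["927637", "1439348"],
    "SAP MMC (sapstartsrv)": ["927637", "1439348"],
    "SAP Message Server": ["916398"],
    "SAP Message Server HTTP": ["916398"],
    "SAP Dispatcher (DIAG)": ["1741793"],
}


def _port_regex(template):
    r"""'36NN' -> ^36(\d\d)$ ; the group captures the instance number."""
    return re.compile("^" + template.replace("NN", r"(\d\d)") + "$")


def identify(port):
    """Return (service, instance_number) for a port, or None if it is not
    one of the SAP services tracked here. instance_number is None for
    services whose port does not encode it."""
    for service, templates in SERVICE_PORTS.items():
        for template in templates:
            match = _port_regex(template).match(str(port))
            if match:
                instance = match.group(1) if match.groups() else None
                return service, instance
    return None


def triage(inventory):
    """inventory: iterable of (host, port) pairs from an external scan.
    Returns one finding per exposed SAP service, with the notes to check."""
    findings = []
    for host, port in inventory:
        hit = identify(port)
        if hit is None:
            continue
        service, instance = hit
        findings.append({
            "host": host,
            "port": int(port),
            "service": service,
            "instance": instance,
            "sap_notes": PREVENTION_NOTES.get(service, []),
        })
    return findings


# Constructed inventory: two made-up hosts, instances 00 and 01.
SAMPLE_INVENTORY = [
    ("203.0.113.10", 443),     # HTTPS, not an SAP service port
    ("203.0.113.10", 3600),    # Message Server, instance 00
    ("203.0.113.10", 8100),    # Message Server HTTP, instance 00
    ("203.0.113.10", 50013),   # sapstartsrv / MMC, instance 00
    ("203.0.113.11", 3201),    # Dispatcher, instance 01
    ("203.0.113.11", 1128),    # HostControl
    ("203.0.113.11", 3299),    # SAP Router
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        notes = ", ".join(f["sap_notes"]) or "-"
        print(f"{f['host']}:{f['port']}  {f['service']}"
              f"  instance={f['instance']}  notes={notes}")
```

The output is a list of services to close at the firewall or SAP Router ACL, each with the note whose installation the deck recommends; SAP Gateway and SAP Router have no note on these slides, so their findings carry none.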
  	
  
	
  
	
  
But who actually tried to exploit it?
74

Attacks
•  Exploit market interest
–  Companies like ZDI buy exploits for SAP
–  In 2012 alone, ZDI published 5 critical SAP issues
–  Companies who trade 0-days say that there is interest from both sides
•  Anonymous attacks
•  Insider attacks
–  Salary modification
–  Material management fraud
–  Mistaken transactions
•  Evil subcontractors and ABAP backdoors
75

What has happened already?
•  Autocad virus (Industrial espionage)
–  http://www.telegraph.co.uk/technology/news/9346734/Espionage-virus-sent-blueprints-to-China.html
•  Internet-Trading virus (Fraud)
–  Ranbyus modification for QUICK
–  http://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/
•  News resources hacking (Sabotage)
–  http://www.bloomberg.com/news/2013-04-23/dow-jones-drops-recovers-after-false-report-on-ap-twitter-page.html
76

What can be
Just imagine what could be done by breaking:
•  One SAP system
•  All SAP systems of a company
•  All SAP systems in a particular country
•  Everything
77

SAP strategy in app security
•  Now security is the number 1 priority for SAP
•  Implemented own internal security process SDLC
•  Security summits for internal teams
•  Internal trainings with external researchers
•  Strong partnership with research companies
•  Investments in the automatic and manual security assessment of new and old software
78

Future threats and predictions
•  Old issues are being patched, but a lot of new systems have vulnerabilities
•  Number of vulnerabilities per year is going down compared to 2010, but they are more critical
•  Number of companies who find issues in SAP is growing
•  Still there are many uncovered areas in SAP security
•  SAP forensics can be a new research area because it is not easy to find evidence now, even if it exists
79

Forensics as a new trend for 2013
•  If there are no attacks, it doesn't mean anything
•  Companies don't like to share information about data compromise
•  Companies don't have the ability to identify an attack
•  Only 10% of systems use the security audit log in SAP
•  Only 2% of systems analyze them
•  Only 1% do correlation and deep analysis
* Based on the assessment of over 250 servers of companies that allowed us to share results
80
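The slide's point is that logs which are collected but never analyzed give no ability to identify an attack. As an added example (not code from the talk or from ERPScan) of the kind of minimal analysis that closes that gap, the Python block below scans ICM HTTP access-log lines for requests to the pages the deck names elsewhere as information-disclosure or critical-service entry points (/sap/public/info, /sap/bc/soap/rfc, /ctc/ConfigTool and the J2EE version pages) and for repeated failed authentication against the SOAP RFC interface. It assumes the ICM log was written with icm/HTTP/logging_0 in Common Log Format (LOGFORMAT=CLF); the log lines and the short labels are constructed.

```python
"""Scan ICM HTTP access-log lines for requests to the pages the talk names
as information-disclosure or critical-service entry points, and for
repeated failed authentication against the SOAP RFC interface.

Added example, not code from the talk or from ERPScan. Assumes the ICM log
was written with icm/HTTP/logging_0 in Common Log Format (LOGFORMAT=CLF);
the log lines below are constructed.
"""
import re
from collections import Counter

# Paths the deck lists on its NetWeaver slides; the labels are ours.
WATCHED_PATHS = {
    "/sap/public/info": "ABAP version / patch-level disclosure",
    "/sap/bc/soap/rfc": "SOAP RFC interface",
    "/ctc/ConfigTool": "J2EE CTC service",
    "/rep/build_info.jsp": "J2EE build info disclosure",
    "/bcb/bcbadmSystemInfo.jsp": "J2EE system info disclosure",
    "/AdapterFramework/version/version.jsp": "J2EE version disclosure",
}

# CLF: client ident user [timestamp] "METHOD path proto" status bytes
CLF = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_clf(line):
    """Parse one CLF line into a dict, or return None for unparseable input."""
    match = CLF.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def path_label(path):
    """Label for a watched path (exact match or sub-path), else None."""
    for prefix, label in WATCHED_PATHS.items():
        if path == prefix or path.startswith(prefix + "/"):
            return label
    return None


def analyze(lines, auth_fail_threshold=3):
    """Return (hits, guessing).

    hits: list of (client, path, label, status) for requests to watched paths.
    guessing: {client: count} of clients with at least auth_fail_threshold
    HTTP 401 responses on /sap/bc/soap/rfc, i.e. possible credential guessing
    against the RFC interface.
    """
    hits = []
    failures = Counter()
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue                      # skip lines that are not CLF
        label = path_label(rec["path"])
        if label:
            hits.append((rec["client"], rec["path"], label, rec["status"]))
        if rec["path"].startswith("/sap/bc/soap/rfc") and rec["status"] == 401:
            failures[rec["client"]] += 1
    guessing = {c: n for c, n in failures.items() if n >= auth_fail_threshold}
    return hits, guessing


# Constructed log: three failed logons to the SOAP RFC interface from one
# external client, then a successful one, plus ordinary internal traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Apr/2013:10:01:02 +0200] "GET /sap/public/info HTTP/1.1" 200 1457',
    '198.51.100.7 - - [23/Apr/2013:10:01:05 +0200] "POST /sap/bc/soap/rfc?sap-client=000 HTTP/1.1" 401 0',
    '198.51.100.7 - - [23/Apr/2013:10:01:06 +0200] "POST /sap/bc/soap/rfc?sap-client=000 HTTP/1.1" 401 0',
    '198.51.100.7 - - [23/Apr/2013:10:01:07 +0200] "POST /sap/bc/soap/rfc?sap-client=000 HTTP/1.1" 401 0',
    '198.51.100.7 - svc_rfc [23/Apr/2013:10:01:09 +0200] "POST /sap/bc/soap/rfc?sap-client=000 HTTP/1.1" 200 2210',
    '10.0.0.5 - jdoe [23/Apr/2013:10:02:00 +0200] "GET /sap/bc/gui/sap/its/webgui HTTP/1.1" 200 8001',
    '10.0.0.5 - jdoe [23/Apr/2013:10:02:30 +0200] "GET /rep/build_info.jsp HTTP/1.1" 200 512',
    'not a log line',
]

if __name__ == "__main__":
    hits, guessing = analyze(SAMPLE_LOG)
    for client, path, label, status in hits:
        print(f"{client:14} {status} {path:40} {label}")
    for client, count in guessing.items():
        print(f"{client}: {count} failed logons on /sap/bc/soap/rfc")
```

In the constructed log the interesting line is the 200 that follows three 401s from the same external client: a successful logon to the RFC interface after repeated failures is the event to correlate with the security audit log, which is the 1% correlation step the slide says almost nobody does.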
  
Forensics as a new trend for 2013
•  ICM log (icm/HTTP/logging_0): 70%
•  Security audit log in ABAP: 10%
•  Table access logging (rec/client): 4%
•  Message Server log (ms/audit): 2%
•  SAP Gateway access log: 2%
* Based on the assessment of over 250 servers of companies that allowed us to share results.
81
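The five log sources on this slide are all controlled by profile parameters, so whether a system would leave evidence can be checked from its instance profile before any incident. The Python block below is an added example and not code from the talk or from ERPScan. icm/HTTP/logging_0, rec/client and ms/audit are the parameters named on the slide; rsau/enable (security audit log) and gw/logging (gateway log) are the standard parameters for the other two entries and are our assumption, as is the simplified reading of their values described in the comments. The profile fragment is constructed.

```python
"""Audit an SAP instance profile for the five log sources the slide above
lists, reporting which are enabled so the forensics gap can be closed before
an incident rather than discovered during one.

Added example, not code from the talk or from ERPScan. The profile text is
constructed. icm/HTTP/logging_0, rec/client and ms/audit are the parameters
named on the slide; rsau/enable (security audit log) and gw/logging (gateway
log) are the standard parameters for the other two entries and are our
assumption. Value semantics are simplified; see the comment on each check.
"""


def parse_profile(text):
    """Parse 'name = value' lines of an SAP profile; '#' lines are comments.
    Later definitions win, as in a real profile."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def _nonzero(value):
    # rsau/enable and ms/audit: treated as enabled for any value other than 0
    return value is not None and value.strip() not in ("", "0")


def _rec_client(value):
    # rec/client: OFF or unset = no table logging; ALL or a client list = on
    return value is not None and value.strip().upper() != "OFF"


def _present(value):
    # icm/HTTP/logging_0 and gw/logging: a log exists only if the parameter
    # is set; an unset value is reported as not configured
    return value is not None and value.strip() != ""


# (name on the slide, profile parameter, check) in the slide's order
LOG_SOURCES = [
    ("ICM HTTP log", "icm/HTTP/logging_0", _present),
    ("Security audit log (ABAP)", "rsau/enable", _nonzero),
    ("Table access logging", "rec/client", _rec_client),
    ("Message Server log", "ms/audit", _nonzero),
    ("SAP Gateway access log", "gw/logging", _present),
]


def audit_logging(params):
    """Return {log source name: True if enabled, False otherwise}."""
    return {name: bool(check(params.get(param)))
            for name, param, check in LOG_SOURCES}


def missing_sources(params):
    """Names of the log sources that are not enabled in this profile."""
    return [name for name, on in audit_logging(params).items() if not on]


# Constructed instance profile: only the ICM HTTP log is switched on, which
# is the typical picture behind the slide's percentages.
SAMPLE_PROFILE = """\
# constructed instance profile fragment
SAPSYSTEMNAME = DEV
INSTANCE_NAME = DVEBMGS00
SAPSYSTEM = 00
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=http_%y%m%d.log,LOGFORMAT=CLF,SWITCHTF=day
rsau/enable = 0
rec/client = OFF
# ms/audit and gw/logging are not set
"""

if __name__ == "__main__":
    params = parse_profile(SAMPLE_PROFILE)
    for name, on in audit_logging(params).items():
        print(f"{'ON ' if on else 'OFF'}  {name}")
    print("missing:", ", ".join(missing_sources(params)))
```

Run against a fleet of instance profiles, the list returned by missing_sources is the per-system to-do list for the logging area that the EASAI-NA table earlier in the deck scores at 98% of systems.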
  
SAP Security tools
82
* We did not compare the quality of the tools and their coverage. For example, SIEM capabilities for SAP can be found in many SIEM solutions, but they cover 10% of all log file types. The same applies to vulnerability assessment: we collected tools that have general scan capabilities including SAP as well as only SAP-related ones. SAP checks in those tools can amount to 10 to 7000.
[Chart: number of SAP security tools by category: SoD 10+; VA and configuration monitoring 8; ABAP code security 3; SIEM 6]

Conclusion
•  - The interest in SAP platform security has been growing exponentially, and not only among whitehats
•  + SAP security in default configuration is getting much better now
•  - SAP systems can become a target not only for direct attacks (for example APT) but also for mass exploitation
•  + SAP invests money and resources in security, provides guidelines, and arranges conferences
•  - Unfortunately, SAP users still pay little attention to SAP security
•  + I hope that this talk and the report that will be published next month will prove useful in this area
83

Conclusion
Issues are everywhere, but the risks and price for mitigation are different
84

Conclusion
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure
SAP guides
It's all in your hands
Regular security assessments
ABAP code review
Monitoring technical security
Segregation of duties
85

I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
•  Tomorrow!
•  September 21 HackerHalted Conference (Atlanta, USA)
•  October 7-8 HackerHalted Conference (Reykjavik, Iceland)
•  October 30-31 RSA Europe (Amsterdam, Netherlands)
•  November 7-8 ZeroNights (Moscow, Russia)
Future work
86

What CISOs should know about SAP security

  • 1.
    Invest  in  security   to  secure  investments   What  CISO’s  should  know   about  SAP  Security   Alexander  Polyakov   CTO  ERPScan  
  • 2.
    Agenda   •  SAP:  Intro   •  SAP  security  vulnerabiliAes   •  SAP  security  myths   •  Demo   •  Problem   •  SoluAon   •  Sap  security  in  figures  report     •  Future  trends  and  predicAons   •  Conclusions   2  
  • 3.
    Business  applica0on  security       All  business  processes  are  generally  contained  in  ERP  systems.    Any  informaAon  an  aJacker,  be  it  a  cybercriminal,  industrial  spy   or  compeAtor,  might  want  is  stored  in  the  company’s  ERP.     This  informaAon  can  include  financial,  customer  or  public   relaAons,  intellectual  property,  personally  idenAfiable  informaAon   and  more.  Industrial  espionage,  sabotage  and  fraud  or  insider   embezzlement  may  be  very  effecAve  if  targeted  at  the  vicAm’s  ERP   system  and  cause  significant  damage  to  the  business.   3  
  • 4.
    SAP   •  The  most  popular  business  applicaAon   •  More  than  248000  customers  worldwide     •  86%  of  Forbes  500  run  SAP     4  
  • 5.
    Business  applica0on  security   •  Complexity      Complexity  kills  security.  Many  different  vulnerabiliAes  in  all   levels,  from  network  to  applicaAon   •  Customiza0on    Cannot  be  installed  out  of  the  box.  They  have  many  (up  to  50%)   custom  codes  and  business  logic   •  Risky      Rarely  updated  because  administrators  are  scared  they  can  be   broken  during  updates;  also,  it  is  downAme   •  Unknown      Mostly  available  inside  the  company  (closed  world)       hJp://erpscan.com/wp-­‐content/uploads/pres/ForgoJen%20World%20-­‐%20Corporate%20Business%20ApplicaAon%20Systems%20Whitepaper.pdf   5  
  • 6.
    Why  security?     •  Espionage   –  Stealing  financial  informaAon   –  Stealing  corporate  secrets   –  Stealing  supplier  and  customer  lists   –  Stealing  HR  data   •  Sabotage   –  Denial  of  service   –  ModificaAon  of  financial  reports   –  Access  to  technology  network  (SCADA)  by  trust  relaAons   •  Fraud   –  False  transacAons   –  ModificaAon  of  master  data     6  
  • 7.
    SAP  Security  Problems   7   Myth  1:  Business   applicaAons  are  only   available  internally     what  means  no  threat   from  the  Internet   Myth  2:  ERP  security  is  a    vendor’s  problem   Myth  3:  Business   applicaAon  internals  are   very  specific  and  are     not  known  for  hackers   Myth  4  ERP  security  is    all  about  SOD  
  • 8.
    Myth  1   Current  point  of  view                This  myth  is  popular  for  internal  corporate  systems  and  people  think  that  these   systems  are  only  available  internally     Real  life                Yes  maybe  at  the  mainframe  era  you  can  use  SAP  only  internally  but  not   now  in  the  era  of  global  communicaAons.  You  need  connecAon  with   •  Another  offices   •  Customers  and  suppliers   •  For  SAP  systems  you  need  connecAon  with  SAP  network   8   Even   if   you   do   not   have   direct   connec8on   there   are   user   worksta8ons  connected  to  the  internet  
  • 9.
  • 10.
    Myth  2       10   Vendor  is  NOT  responsible  for  any  damage  within  the   vulnerabili8es  in  their  products  
  • 11.
    Myth  2   • Vendor  problems   –  Program  errors   –  Architecture  errors   •  User  problems     –  ImplementaAon  architecture  errors   –  Defaults  and  misconfiguraAons   –  Human  factor   –  Patch  management   –  Policies  and  procedures   11   Even  if  so>ware  is  secure  it  should  be  securely  implemented  
  • 12.
    Myth  3   Current  point  of  view            Business  applica8on  internals  are  very  specific  and  are  not  known  for  hackers   Real  life:   •  Popular  products  “reviewed”  by  hackers,  and  thus  more  secure   •  Business  applicaAons  became  more  and  more  popular  on  the   Internet   •  And  also  popular  for  hackers  and  researchers     •  Unfortunately,  their  security  level  is  sAll  like  3-­‐5  years  ago   •  Now  they  look  as  a  defenseless  child  in  a  big  city           12  
  • 13.
    Myth  4   Current  point  of  view:   Many  people  especially  ERP  people  think  that  security  is  all  about  SOD   Real  life:   •  Making  AD  access  control  don't  give  you  secure  infrastructure   •  Buying  new  engine  for  car  every  year  will  not  help  you  if  you   simply    puncture  a  wheel   •  And  also  remind  Sachar  Paulus  interview  that  says:  “other   threat  comes  from  people  connec6ng  their  ERP  systems  to  the   Internet”         13  
  • 14.
    Myth  4   14   ERP  system  with  secure  SOD  and  nothing  else  it  is  much  of   spending  all  money  on  video  systems,  biometric  access  control   and  leaving  the  back  door  open  for  housekeepers  
  • 15.
    SAP  Security   15   DEMO  1  
  • 16.
    SAP  Security   16   Problem  
  • 17.
    •  How  to  protect  ourselves  from  fraud  and  cyber-­‐acAviAes?   •  How  to  automate  security  checks  for  big  landscapes?   •  How  to  decrease  costs?   •  How  to  prioriAze  updates?             SAP  Security  Problems   17  
  • 18.
    18   0   5   10   15   20   25   30   35   2006   2007   2008   2009   2010   2011   2012   Most  popular:   •  BlackHat     •  HITB     •  Troopers     •  RSA     •  Source     •  DeepSec       •  etc.   SAP  Security  talks  
  • 19.
    2007  –  Architecture  vulnerabiliAes  in  RFC  protocol   2008  –  AJacks  via  SAPGUI   2009  –  SAP  backdoors   2010  –  AJacks  via  SAP  WEB  applicaAons   2010  –  Stuxnet  for  SAP   2011  –  Architecture  and  program  vulnerabiliAes  in  ABAP  and  J2EE   2012  –  VulnerabiliAes  in  SAP  soluAons  (SolMan  ,Portal,  XI),  Services   (Dispatcher,  Message  Server  )  and  Protocols  (XML  ,  DIAG)   2013  –  SAP  Forensics  and  AnA-­‐forensics     19   How  to  get  this  informa0on?   ISACA  Assurance  (ITAFF)  
  • 20.
    20   0   100   200   300   400   500   600   700   800   900   2001   2002   2003   2004   2005   2006   2007   2008   2009   2010   2011   2012   By  January,  2013,  a  total  of  2520  notes   Only  one  vulnerability  is  enough     to  get  access  to  ALL  business-­‐cri8cal  DATA   SAP  Security  notes  
  • 21.
  • 22.
    22   Now,  it  adds,  “We  gained  full  access  to  the  Greek  Ministry  of   Finance.  Those  funky  IBM  servers  don't  look  so  safe  now,  do   they...”  Anonymous  claims  to  have  a  “sweet  0day  SAP   exploit”,  and  the  group  intends  to  “sploit  the  hell  out  of  it.”   •  *  This  aJack  has  not  been  confirmed  by  the  customer  nor  by  the  police   authoriAes  in  Greece  invesAgaAng  the  case.  SAP  does  not  have  any  indicaAon   that  it  happened.   And…  
  • 23.
    SAP  Security   23   Solu8ons  
  • 24.
    24   • Business  logic  security  (SOD)   Prevents  aKacks    or  mistakes  made  by  insiders   • SoluAon:  GRC  2002   • ABAP  Code  security   Prevents  aKacks  or  mistakes  made  by  developers   SoluAon:  Code  audit  2008   • Applica6on  pla=orm  security   • Prevents  unauthorized  access  both  within  corporate  network  and   from  remote  aKackers   • Solu6on?   2010     • Forensics   • What  if  missed  something  on  listed  areas?  2013  
  • 25.
    First  of  all  chose  one  that  you  want   •  EAS-­‐SEC   •  SAP  NetWeaver  ABAP  Security  configuraAon   •  ISACA  (ITAF)   •  DSAG     25   Compliance  
  • 26.
    •  Guidelines  made  by  SAP   •  First  official  SAP  guide  for  technical  security  od  ABAP  stack     •  Secure  ConfiguraAon  of  SAP  NetWeaver®  ApplicaAon  Server   Using  ABAP     •  First  version  -­‐    2010  year,  version  1.2    –  2012  year   •  For  rapid  assessment  of  most  common  technical   misconfiguraAons  in  plarorm   •  Consists  of  9  areas  and  82  checks   •  Ideas  as  a  second  step  and  give  more  details  to  some  of  EAS-­‐SEC   standard  areas   26   SAP  Security  Guidelines  
  • 27.
    •  Network  access  control   •  WorkstaAon  security   •  Password  apolicies   •  Network  security   •  HTTP  security   •  Unnecessary  web-­‐applicaAons   •  RFC-­‐connecAons   •  SAP  Gateway  security   •  SAP  Message  Server  security   27   SAP  Security  Guidelines  
  • 28.
    •  Guidelines  made  by  ISACA     •  Checks  cover  configuraAon  and  access  control  areas   •  First  most  full  compliance     •  There  were  3  versions  published  in  2002  2006  2009  (some  areas   are  outdated  )     •  Technical  part  covered  less  than  access  control  and  miss  criAcal   areas   •  Most  advantage  is  a  big  database  of  access  control  checks     •  Consists  of  4  parts  and  about  160  checks     •  Ideal  as  a  third  step  and  detailed  coverage  of  access  control   28   ISACA  Assurance  (ITAFF)  
  • 29.
    •  Set  of  recommendaAons  from  Deutsche  SAP  Uses  Group   •  Checks  cover  all  security  areas  from  technical  configuraAon  and   source  code  to  access  control  and  management  procedures   •  Currently  biggest  guideline  about  SAP  Security     •  Last  version  in  Jan  2011   •  Consists  of  8  areas  and  200+  checks     •  Ideal  as  a  final  step  for  securing  SAP  but  consists  of  many  checks   which  neds  addiAonal  decision  making  which  is  highly  depends   on  installaAon.   hJp://www.dsag.de/fileadmin/media/Leiraeden/110818_Leiraden_Datenschutz_Englisch_final.pdf   29   DSAG    
  • 30.
    Enterprise  Applica8on  Systems  Applica8on  Implementa8on  –   NetWeaver  ABAP   •  Developed  by  ERPScan:  First  standard  of  series  EAS-­‐SEC   •  Will  be  published  in  September   •  Rapid  assessment  of  SAP  security  in  9  areas   •  Contains  33  most  criAcal  checks   •  Ideal  as  a  first  step   •  Also  contain  informaAon  for  next  steps   •  Categorized  by  priority  and  criAcality   30   EAS-­‐SEC  for  NetWeaver  (EASAI-­‐NA)  
  • 31.
    31                                    EASAI-­‐NA      Access   CriAcality       Easy  to   exploit   %  of   vulnerable   systems   1.  Lack  of  patch  management   Anonymous   High   High   99%   2.  Default  Passwords  for  applicaAon  access   Anonymous   High   High   95%   3.  Unnecessary  enabled  funcAonality   Anonymous   High   High   90%   4.    Open  remote  management  interfaces   Anonymous   High   Medium   90%   5.    Insecure  configuraAon   Anonymous   Medium   Medium   90%   6.  Unencrypted  communicaAon     Anonymous   Medium   Medium   80%   7.  Access  control  and  SOD   User   High   Medium   99%   8.  Insecure  trust  relaAons   User   High   Medium   80%   9.  Logging  and  Monitoring   Administrator   High   Medium   98%   EASAI-­‐NA-­‐2013  
  • 32.
    SAP  Security   32   SAP  Security  in  Figures  2013  
  • 33.
    Security  notes  by  year       33   0   100   200   300   400   500   600   700   800   900   2001   2002   2003   2004   2005   2006   2007   2008   2009   2010   2011   2012   2013   More  than  2600  in  total  
  • 34.
    Security  notes  by  cri0cality   34   0   20   40   60   80   100   2012   2011   2010   2009   High  priority  vulnerabili0es   0   2   4   6   8   10   12   2012   2011   2010   2009   Low  priority  vulnerabili0es   0   200   400   600   800   1000   1200   1400   1600   1800   2000   1  -­‐  HotNews   2  -­‐  CorrecAon  with  high  priority   3  -­‐  CorrecAon  with  medium  priority   4  -­‐  CorrecAon  with  low  priority   6  -­‐  RecommendaAons/addiAonal  info   By  the  end  of  April  2013  
  • 35.
    Security  notes  by  type   35   25%   22%   20%   9%   7%   5%   4%   4%   3%  1%   Top  10  vulnerabili0es  by  type   1  -­‐  XSS   2  -­‐  Missing   authorisaAon  check   3  -­‐  Directory  traversal   4  -­‐  SQL  InjecAon   5  -­‐  InformaAon   disclosure  
  • 36.
    Acknowledgments   Number  of  vulnerabiliAes     found  by  external  researchers:     •   2010  -­‐  58     •   2011  -­‐  107   •   2012  -­‐  89   •   2013  -­‐  52     The  record  of  vulnerabili8es  found  by  external  researchers  was   cracked  in  January  2013:  76%   36   0   10   20   30   40   50   60   70   2010   2011   2012   2013   Percentage  of  vulnerabili0es  found  by   external  researchers:  
  • 37.
    Acknowledgments   •  More  interest  from  other  companies                            *  Number  of  vulnerabili8es  that  were  sent  to  SAP  but  were   rejected  because  they  were  already  found  before  by  other   company  of  SAP  internal  code  review.     37   0   1   2   3   4   5   6   7   2010   2011   2012   Number  of  already  patched  issues  per  year  
  • 38.
    SAP  security  talks  at  conferences     38   0   5   10   15   20   25   30   35   2003   2004   2005   2006   2007   2008   2009   2010   2011   2012   2013  
  • 39.
    Talks  about:   • Common:  SAP  Backdoors,  SAP  Rootkits,  SAP  Forensics   •  Services:  SAP  Gateway,  SAP  Router,  SAP  NetWeaver,  SAP  GUI,   SAP  Portal,  SAP  SoluAon  Manager,  SAP  TMS,  SAP  Management   Console,  SAP  ICM/ITS   •  Protocols:  DIAG,  RFC,  SOAP  (MMC),  Message  Server,  P4   •  Languages:  ABAP  Buffer  Overflow,  ABAP  SQL  InjecAon,  J2EE   Verb  Tampering,  J2EE  Invoker  Servlet   •  Overview:  SAP  Cyber-­‐aJacks,  Top  10  InteresAng  Issues,  Myths   about  ERP   39   Almost  all  every  part  of  SAP  was  hacked  
  • 40.
    Top  5  SAP  vulnerabili0es  2012   1.  SAP  NetWeaver  DilbertMsg  servlet    SSRF    (June)   2.  SAP  HostControl  command  injecAon                      (May)         3.  SAP  SDM  Agent  command  injecAon                        (November)   4.  SAP  Message  Server  buffer  overflow                    (February)   5.  SAP  DIAG  buffer  overflow                                                        (May)     40  
  • 41.
    SAP  NetWeaver  DilbertMsg  servlet    SSRF   41   Espionage:   Cri0cal   Sabotage:   CriAcal   Fraud:   Medium   Availability:   Anonymously  through  the  Internet   Ease  of  exploitaAon:   Medium   Future  impact:                                                          High  (New  type  of  aJack)   CVSSv2:   7.3   Advisory:   hJp://erpscan.com/advisories/dsecrg-­‐12-­‐036-­‐sap-­‐xi-­‐ authenAcaAon-­‐bypass/     Patch:   Sap  Note  1707494   Authors:   Alexander   Polyakov,   Alexey   Tyurin,   Alexander   Minozhenko   (ERPScan)  
  • 42.
    SAP  HostControl  command  injec0on   42   Espionage:   Cri0cal   Sabotage:   CriAcal   Fraud:   CriAcal   Availability:   Anonymously  through  the  Internet   Ease  of  exploitaAon:   Easy  (a  Metasploit  module  exists)   Future  impact:                                          Low  (Single  issue)   CVSSv2:   10   Advisory:   hJp://www.contexAs.com/research/blog/sap-­‐parameter-­‐ injecAon-­‐no-­‐space-­‐arguments/     Patch:   SAP  note  1341333   Author:   ContexAs  
  • 43.
    SAP  J2EE  file  read/write   43   Espionage:   Cri0cal   Sabotage:   CriAcal   Fraud:   CriAcal   Availability:   Anonymously     Ease  of  exploitaAon:   Medium   Future  impact:   Low   CVSSv2:   10   Advisory:   hJps://service.sap.com/sap/support/notes/1682613     Patch:   SAP  Note  1682613   Author:   Juan  Pablo  
  • 44.
    SAP  Message  Server  buffer  overflow   44   Espionage:   Cri0cal   Sabotage:   CriAcal   Fraud:   CriAcal   Availability:   Anonymous   Ease  of  exploitaAon:   Medium.   Good   knowledge   of   exploit   wriAng   for   mulAple   plarorms  is  necessary   CVSSv2:   10.0   Advisory:   hJp://www.zerodayiniAaAve.com/advisories/ZDI-­‐12-­‐112/       Patch:   SAP  Notes  1649840  and  1649838   Author:   MarAn  Gallo  
  • 45.
    SAP  DIAG  Buffer  overflow   45   Espionage:   Cri0cal   Sabotage:   CriAcal   Fraud:   CriAcal   Availability:   Low.  Trace  must  be  on   Ease  of  exploitaAon:   Medium   CVSSv2:   9.3   Advisory:   hJp://www.coresecurity.com/content/sap-­‐netweaver-­‐ dispatcher-­‐mulAple-­‐vulnerabiliAes     Patch:   SAP  Note  1687910   Author:   MarAn  Gallo  
  • 46.
    SAP  Security   46   SAP    and  Internet  
  • 47.
    SAP  on  the  Internet   •  Companies  have  SAP  Portals,  SAP  SRMs,  SAP  CRMs  remotely   accessible   •  Companies  connect  different  offices  (by  SAP  XI)   •  Companies  are  connected  to  SAP  (through  SAP  Router)   •  SAP  GUI  users  are  connected  to  the  Internet   •  Administrators  open  management  interfaces  to  the  Internet  for   remote  control   47   Almost  all  business  applica8ons  have  web  access  now  
  • 48.
    Google  search  for  web-­‐based  SAPs   •  As  a  result  of  the  scan,  695  unique  servers  with  different  SAP   web  applicaAons  were  found  (14%  more  than  in  2011)   •  22%  of  previously  found  services  were  deleted   •  35%  growth  in  the  number  of  new  services       48  
  • 49.
    Shodan  scan   49   41%   34%   20%   6%   SAP  NetWeaver  J2EE       SAP  NetWeaver  ABAP   SAP  Web  ApplicaAon  Server   Other  (BusinessObjects,SAP  HosAng,  etc)   94%   72%   30%   -­‐20%   -­‐55%   -­‐80%   -­‐60%   -­‐40%   -­‐20%   0%   20%   40%   60%   80%   100%   120%   Growth  by  applica0on  server   A  total  of    3741  server  with  different  SAP  web  applica8ons  were   found  
  • 50.
    Internet  Census  2012  scan   •  Not  so  legal  project  by  Carna  Botnet     •  As  the  result  3326  IP’s  with  SAP  Web  applicaAons     50   NO  SSL   32%    SSL   68%  
  • 51.
    SAP  NetWeaver  ABAP  -­‐    versions   •  7.3  growth  by  250%   •  7.2  growth  by  70%       •  7.0  loss  by  22%   •  6.4  loss  by  45%     51   35%   23%   19%   11%   6%   5%   NetWeaver  ABAP    versions  by   popularity   7.0  EHP  0      (Nov  2005)   7.0  EHP  2      (Apr    2010)     7.0  EHP  1      (Oct  2008)   7.3                              (Jun  2011)   6.2                              (Dec    2003)   6.4                            (Mar  2004)   The  most  popular  release  (35%,  previously  45%)  is  s8ll  NetWeaver   7.0,  and  it  was  released  in  2005!   But  security  is  gecng  beKer.  
  • 52.
    NetWeaver  ABAP  –  informa0on  disclosure   •  InformaAon  about  the  ABAP  engine  version  can  be  easily  found   by  reading  an  HTTP  response   •  Detailed  info  about  the  patch  level  can  be  obtained  if  the   applicaAon  server  is  not  securely  configured     •  An  aJacker  can  get  informaAon  from  some  pages  like  /sap/ public/info   52   6%  (was  59%)  of  servers  s8ll  have  this  issue  
  • 53.
    SAP  NetWeaver  ABAP  –  cri0cal  services     •  Execute  dangerous  RFC  funcAons  using  HTTP  requests     •  NetWeaver  ABAP  URL  –  /sap/bc/soap/rfc   •  There  are  several  criAcal  funcAons,  such  as:   -  Read  data  from  SAP  tables   -  Create  SAP  users   -  Execute  OS  commands,  Make  financial  transacAons,  etc.   •  By  default,  any  user  can  have  access  to  this  interface  and  execute  the   RFC_PING  command.  So  there  are  2  main  risks:   •  If  there  is  a  default  username  and  password,  the  aJacker  can  execute  numerous   dangerous  RFC  funcAons   •  If  a  remote  aJacker  obtains  any  exisAng  user  credenAals,  they  can  execute  a  denial  of   service  aJack    with  a  malformed  XML  packet   53   6%  (was  40%)  of  ABAP  systems  on  the  Internet  have  SOAP  RFC   service  
  • 54.
    Preven0on   54   •         Install  SAP  note  1394100   •         Install  SAP  note    931252   •         Disable  applicaAons  that  are  not  necessary     hJp://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/ library/uuid/f0d2445f-­‐509d-­‐2d10-­‐6fa7-­‐9d3608950fee? overridelayout=true      
  • 55.
    SAP  NetWeaver  J2EE  -­‐  versions   •  7.31  growth  from  0  to  3%   •  7.30  growth  from  0  to  9%   •  7.02  growth  by  67%     •  7.0  loss  by  23%   •  6.4  loss  by  40%     55   44%   25%   10%   9%   9%   3%   NetWeaver  JAVA    versions  by   popularity   NetWeaver  7.00   NetWeaver  7.01   NetWeaver  7.02   NetWeaver  7.30   NetWeaver  6.40   NetWeaver  7.31   The  most  popular  release    (44%,  previously  57%)  is  s8ll   NetWeaver  7.0,  and  it  was  released  in  2005!   But  security  is  gecng  beKer.  
  • 56.
    NetWeaver  J2EE  –  informa0on  disclosure   •  InformaAon  about  the  J2EE  engine  version  can  be  easily  found   by  reading  an  HTTP  response.   •  Detailed  info  about  the  patch  level  can  be  obtained  if  the   applicaAon  server  is  not  securely  configured  and  allows  an   aJacker  to  get  informaAon  from  some  pages:   –  /rep/build_info.jsp                                                                                  26%    (61%  last  year)   –  /bcb/bcbadmSystemInfo.jsp                                                      1.5%  (17%  last  year)   –  /AdapterFramework/version/version.jsp          2.7%  (a  new  issue)     56  
  • 57.
    Preven0on   57   •         Install  SAP  note  1503856     •         Install  SAP  note  1548548   •         Install  SAP  note  1679897         hJp://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/ library/uuid/f0d2445f-­‐509d-­‐2d10-­‐6fa7-­‐9d3608950fee? overridelayout=true      
  • 58.
    SAP  NetWeaver  J2EE  –  cri0cal  services   •  NetWeaver  J2EE  URL:  /ctc/ConfigTool  (and  30  others)       •  Can  be  exploited  without  authenAcaAon   •  There  are  several  criAcal  funcAons,  such  as:   •  Create  users   •  Assign  a  role  to  a  user   •  Execute  OS  commands   •  Remotely  turn  J2EE  Engine  on  and  off   •  Was  presented  by  us  at  BlackHat  2011     58   It  was  found  that  50%  (was  61%)  of  J2EE  systems  on  the  Internet   have  the  CTC  service  enabled  
  • 59.
    Preven0on   59   •         Install  SAP  note  1589525        
  • 60.
    60   From  Internet  to  Intranet  
  • 61.
    SAP  Router   • Special  applicaAon  proxy     •  Transfers  requests  from  Internet  to  SAP  (and  not  only)   •  Can  work  through  VPN  or  SNC     •  Almost  every  company  uses  it  for  connecAng  to  SAP  to   download  updates   •  Usually  listens  to  port  3299     •  Internet  accessible    (Approximately  5000  IP’s  )   •  hJp://www.easymarketplace.de/saprouter.php   61   Almost  every  third  company  have  SAP  router  accessible  from   internet  by  default  port.  
  • 62.
    SAP  Router:  known  issues   •  Absence  of  ACL  –  15%   –   Possible  to  proxy  any  request  to  any  internal  address     •  InformaAon  disclosure  about  internal  systems  –  19%   –  Denial  of  service  by  specifying  many  connecAons  to  any  of  the  listed  SAP   servers   –  Proxy  requests  to  internal  network  if  there  is  absence  of  ACL   •  Insecure  configuraAon,  authenAcaAon  bypass  –  5%     •  Heap  corrupAon  vulnerability       62  
  • 63.
    Port  scan  results   •  Are  you  sure  that  only  the  necessary  SAP  services  are  exposed   to  the  Internet?   •  We  were  not   •  In  2011,  we  ran  a  global  project  to  scan  all  of  the  Internet  for   SAP  services   •  It  is  not  completely  finished  yet,  but  we  have  the  results  for  the   top  1000  companies   •  We  were  shocked  when  we  saw  them  first     63  
  • 64.
    Port  scan  results   64   0   5   10   15   20   25   30   35   SAP  HostControl   SAP  Dispatcher   SAP  MMC   SAP  Message  Server   hJpd   SAP  Message  Server     SAP  Router   Exposed  services  2011   Exposed  services  2013   Listed services should not be accessible from the Internet
Exposed critical SAP services: South Africa vs. average
[Chart: exposed services, South Africa vs. average, per service: SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd]
65
SAP HostControl service
• SAP HostControl is a service which allows remote control of SAP systems
• There are some functions that can be used remotely without authentication
• Issues:
  – Read developer traces with passwords
  – Remote command injection
• About every 120th (was 20th) company is vulnerable REMOTELY
• About 35% of assessed systems locally
66
Prevention
• SAP note 927637 – Web service authentication in sapstartsrv as of Release 7.00
• SAP note 1439348 – Extended security settings for sapstartsrv
67
SAP Management Console
• SAP MMC allows remote control of SAP systems
• There are some functions that can be used remotely without authentication
• Issues:
  – Read developer traces with passwords
  – Read logs with JSESSIONIDs
  – Read information about parameters
• About every 40th (was 11th) company is vulnerable REMOTELY
• About 80% of systems locally
68
SAP Message Server
• SAP Message Server – load balancer for application servers
• Usually, this service is only available inside the company
• By default, the server is installed on port 36NN
• Issues:
  – Memory corruption
  – Information disclosure
  – Unauthorized service registration (MITM)
• About every 60th (was every 10th) company is vulnerable REMOTELY
• About 50% of systems locally
69
SAP Message Server HTTP
• HTTP port of the SAP Message Server
• Usually, this service is only available inside the company
• By default, the server is installed on port 81NN
• Issue: unauthorized read of profile parameters
• About every 60th (was every 10th) company is vulnerable REMOTELY
• About 90% of systems locally
70
Prevention
• Install SAP note 916398
71
SAP Dispatcher service
• SAP Dispatcher – client-server communications
• It allows connecting to SAP NetWeaver using the SAP GUI application through the DIAG protocol
• Should not be available from the Internet in any way
• Issues:
  – There are a lot of default users that can be used to connect and fully compromise the system remotely
  – Also, there are memory corruption vulnerabilities in the Dispatcher
• About every 20th (was 6th) company is vulnerable REMOTELY
72
Prevention
• Install SAP note 1741793
73
But who actually tried to exploit it?
74
Attacks
• Exploit market interest
  – Companies like ZDI buy exploits for SAP
  – In 2012 alone, ZDI published 5 critical SAP issues
  – Companies who trade 0-days say that there is interest from both sides
• Anonymous attacks
• Insider attacks
  – Salary modification
  – Material management fraud
  – Mistaken transactions
• Evil subcontractors and ABAP backdoors
75
What has happened already?
• Autocad virus (industrial espionage)
  – http://www.telegraph.co.uk/technology/news/9346734/Espionage-virus-sent-blueprints-to-China.html
• Internet-trading virus (fraud)
  – Ranbyus modification for QUICK
  – http://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/
• News resources hacking (sabotage)
  – http://www.bloomberg.com/news/2013-04-23/dow-jones-drops-recovers-after-false-report-on-ap-twitter-page.html
76
What can be
Just imagine what could be done by breaking:
• One SAP system
• All SAP systems of a company
• All SAP systems in a particular country
• Everything
77
SAP strategy in app security
• Now security is the number 1 priority for SAP
• Implemented its own internal security process (SDLC)
• Security summits for internal teams
• Internal trainings with external researchers
• Strong partnership with research companies
• Investments in the automatic and manual security assessment of new and old software
78
Future trends and predictions
• Old issues are being patched, but a lot of new systems have vulnerabilities
• The number of vulnerabilities per year is going down compared to 2010, but they are more critical
• The number of companies who find issues in SAP is growing
• Still, there are many uncovered areas in SAP security
• SAP forensics can be a new research area, because it is not easy to find evidence now, even if it exists
79
Forensics as a new trend for 2013
• If there are no attacks, it doesn't mean anything
• Companies don't like to share information about data compromise
• Companies don't have the ability to identify an attack
• Only 10% of systems use the security audit log in SAP
• Only 2% of systems analyze them
• Only 1% do correlation and deep analysis
* Based on the assessment of over 250 servers of companies that allowed us to share results
80
Forensics as a new trend for 2013
• ICM log icm/HTTP/logging_0 – 70%
• Security audit log in ABAP – 10%
• Table access logging rec/client – 4%
• Message Server log ms/audit – 2%
• SAP Gateway access log – 2%
* Based on the assessment of over 250 servers of companies that allowed us to share results.
81
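Added example, not the talk's own code: a check of an SAP instance profile for the five logging controls listed on this slide. It assumes SAP's "parameter = value" profile format; rsau/enable and gw/logging are the standard parameter names assumed for the ABAP security audit log and the gateway log, which the slide names only by purpose, and the profile text is a constructed sample.

```python
# Added example (not ERPScan's or SAP's code): report which of the logging
# controls listed above are switched on in an SAP instance profile.
# Assumed input: SAP's profile format, "parameter = value" per line with
# '#' comments. rsau/enable and gw/logging are the standard parameter names
# assumed for the ABAP security audit log and the gateway log.
LOG_CONTROLS = {
    "icm/HTTP/logging_0": "ICM HTTP access log",
    "rsau/enable": "ABAP security audit log",
    "rec/client": "table change logging",
    "ms/audit": "message server audit log",
    "gw/logging": "gateway access log",
}

SAMPLE_PROFILE = """# constructed sample instance profile
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=access_log,MAXSIZEKB=10000
rsau/enable = 0
rec/client = OFF
"""

def parse_profile(text):
    """Flatten a profile into {parameter: value}; a later line overrides an earlier one."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the FIRST '=' only
        params[key.strip()] = value.strip()
    return params

def is_enabled(name, value):
    """Switch-type parameters are numeric; log parameters are a non-empty spec."""
    if value is None:
        return False
    if name == "rec/client":  # OFF, ALL or a comma-separated client list
        return value.upper() not in ("", "OFF")
    if name in ("rsau/enable", "ms/audit"):  # 0 = off, a positive value = on
        return value.isdigit() and int(value) > 0
    return value != ""  # icm/HTTP/logging_0, gw/logging: a log spec string

def logging_coverage(text):
    params = parse_profile(text)
    return {n: is_enabled(n, params.get(n)) for n in LOG_CONTROLS}

def missing_logs(text):
    """Human-readable list of the controls this profile does not enable."""
    return [LOG_CONTROLS[n] for n, on in logging_coverage(text).items() if not on]
```

The profile is only the static side: the ABAP security audit log can also be switched on dynamically in the system (SM19), so treat a False here as "not configured in the profile" rather than "not running".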
SAP Security tools
[Chart: number of tools per category, with overlaps: SoD, VA and configuration monitoring, ABAP code security, SIEM; figures shown on the slide: 1, 10+, 8, 3, plus overlap counts]
* We did not compare the quality of the tools and their coverage. For example, SIEM capabilities for SAP can be found in many SIEM solutions, but they cover 10% of all log file types. The same applies to vulnerability assessment: we collected tools that have general scan capabilities including SAP as well as only SAP-related ones. SAP checks in those tools can amount to 10 to 7000.
82
Conclusion
• - The interest in SAP platform security has been growing exponentially, and not only among whitehats
• + SAP security in default configuration is getting much better now
• - SAP systems can become a target not only for direct attacks (for example APT) but also for mass exploitation
• + SAP invests money and resources in security, provides guidelines, and arranges conferences
• - Unfortunately, SAP users still pay little attention to SAP security
• + I hope that this talk and the report that will be published next month will prove useful in this area
83
Conclusion
Issues are everywhere, but the risks and the price for mitigation are different.
84
Conclusion
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure.
SAP guides
It's all in your hands:
• Regular security assessments
• ABAP code review
• Monitoring technical security
• Segregation of duties
85
Future work
I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
• Tomorrow!
• September 21 HackerHalted Conference (Atlanta, USA)
• October 7-8 HackerHalted Conference (Reykjavik, Iceland)
• October 30-31 RSA Europe (Amsterdam, Netherlands)
• November 7-8 ZeroNights (Moscow, Russia)
86