Many vulnerable SAP systems exposed to the internet
Russian company ERPScan, which specialises in the security analysis of SAP systems, has published a report which shows that many organisations using those systems have vulnerable services exposed to the internet. Depending on the service in use, 5 to 25% of companies have vulnerable services exposed to the public. The security firm compiled the data by using a combination of Google searches and TCP port scans of more than a thousand companies from around the world. ERPScan says that "one of the goals of the research was to dispel the myth that SAP systems are secured from hackers and are only available from the internal network".
Insecure installations included those companies which exposed the vulnerable SAP Dispatcher service directly to the internet. In testing, ERPScan found that SAP Dispatcher could be accessed by logging in with default credentials. The service also suffers from multiple buffer overflows and a flaw which could lead to remote code execution. ERPScan recommends that the service not be accessible from an external network, especially as exploit code was published on 9 May.
Of the scanned companies, 9% also exposed the SAP Management Console to external networks; the console has vulnerabilities which can allow attackers to gather system parameters remotely. Other companies were using public WebRFC logins for the NetWeaver ABAP platform that were still configured with default credentials.
In one case, 61% of companies were exposing CTC, a configuration tool installed by default on J2EE-based SAP systems, to the internet. This service has a vulnerability, discovered by ERPScan, that allows attackers to bypass authentication completely. The company estimates that around 50% of those systems will still be unpatched and exploitable, giving attackers potential access to business-critical data.
The full report is available from ERPScan's web site and includes a detailed breakdown of the vulnerabilities found.