One of the goals of the research was to dispel the myth that SAP systems are safe from attackers because they are supposedly reachable only from the internal network.
While all the recommendations from SAP and consulting companies say that even internal access to unnecessary administrative services should be restricted, it was found that many companies configure their landscapes improperly and expose critical services to the Internet.
In some cases the reason is a lack of knowledge; in others, companies want convenient remote administration, which is insecure.
For example, 212 SAP Routers were found in Germany, created mainly to route access to internal SAP systems. SAP Routers themselves can have security misconfigurations, but the real problem is that 8% of those companies also expose, for example, the SAP Dispatcher service directly to the Internet, bypassing the SAP Router. This service can be easily exploited by logging in with default credentials or by exploiting some of the vulnerabilities that SAP patched in May 2012.
Also, 9% of the researched sample (which included 1000 companies that use SAP all over the world) expose the SAP Management Console, which is vulnerable to unauthorized remote gathering of system parameters from the Internet. Most of them are located in China (55%) and India (20%).
Key findings:
- Most of the issues (69%) have high priority, which means that about two thirds of the published vulnerabilities must be corrected quickly.
- A total of 2677 unique servers running different SAP web applications were found on the Internet using the Shodan search engine.
- 59% of them are vulnerable to information disclosure.
- The most popular operating systems for SAP are Windows NT (28%) and AIX (25%).
- 40% of ABAP NetWeaver systems on the Internet have the WebRFC service enabled, which allows calling critical business-related and administrative functions. It is protected by usernames and passwords, but there are plenty of default credentials that work in most cases.
- 61% of J2EE systems on the Internet have the CTC service enabled. It is vulnerable to a verb tampering vulnerability that allows authentication bypass and is still unpatched in most companies.
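The verb tampering class mentioned in the last finding comes from how J2EE deployment descriptors express access control: a security-constraint that enumerates http-method elements protects only those verbs, and the container lets any other verb (HEAD, PUT, or an invented one) reach the servlet without authentication. The script below is an added example, not code from the article or from ERPScan or SAP; it parses a constructed web.xml (the /ctc/* pattern and role name are placeholders, not the real CTC descriptor), flags constraints that enumerate verbs, and models the container's decision to show that a HEAD request bypasses a constraint written for GET and POST while a constraint without http-method elements covers every verb.

```python
"""Detect verb-tampering exposure in a J2EE web.xml and model the bypass.

Added example. The descriptors below are constructed samples, not taken from
any real SAP system; the /ctc/* pattern and the role name are placeholders.
"""
import xml.etree.ElementTree as ET

# Verbs a checker should at least consider; any verb not listed in a
# constraint is unconstrained, so an arbitrary verb bypasses it as well.
COMMON_VERBS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Weak setting: only GET and POST are protected, everything else is open.
VULNERABLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminPages</web-resource-name>
      <url-pattern>/ctc/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrators</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Corrected setting: no http-method elements, so the constraint applies to
# every verb, including ones the application never expected.
FIXED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminPages</web-resource-name>
      <url-pattern>/ctc/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrators</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is name."""
    return [c for c in elem if _local(c.tag) == name]


def parse_constraints(web_xml_text):
    """Return [(url_patterns, listed_methods)] for each role-protected constraint."""
    root = ET.fromstring(web_xml_text)
    constraints = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if not _children(sc, "auth-constraint"):
            continue  # no role requirement, nothing to bypass
        patterns, methods = [], set()
        for wrc in _children(sc, "web-resource-collection"):
            patterns += [(p.text or "").strip() for p in _children(wrc, "url-pattern")]
            methods |= {(m.text or "").strip().upper() for m in _children(wrc, "http-method")}
        constraints.append((patterns, methods))
    return constraints


def find_verb_tampering(web_xml_text):
    """Report constraints that enumerate verbs and therefore leave the rest open."""
    findings = []
    for patterns, methods in parse_constraints(web_xml_text):
        if methods:
            findings.append({
                "url_patterns": patterns,
                "protected": sorted(methods),
                "unprotected_examples": sorted(COMMON_VERBS - methods),
            })
    return findings


def _matches(pattern, path):
    """Servlet-style url-pattern matching: exact, prefix (/x/*) or extension (*.ext)."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def auth_required(web_xml_text, method, path):
    """Model the container: does this request hit a role-protected constraint?"""
    for patterns, methods in parse_constraints(web_xml_text):
        if any(_matches(p, path) for p in patterns):
            if not methods or method.upper() in methods:
                return True
    return False


if __name__ == "__main__":
    for name, xml in (("vulnerable", VULNERABLE_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(name, find_verb_tampering(xml))
        for verb in ("GET", "HEAD"):
            print(f"  {verb} /ctc/settings -> auth required: {auth_required(xml, verb, '/ctc/settings')}")
```

Running the script against a real descriptor is a quick pre-deployment check; the fix is simply to drop the http-method elements (or, on Servlet 3.0 containers, to use http-method-omission) so that the role requirement applies to every verb.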






