SAP SECURITY IN FIGURES: A GLOBAL SURVEY

Authors: Alexander Polyakov, Alexey Tyurin
Other contributors: Kirill Nikitenkov, Evgeny Neyolov, Alina Oprisko, Dmitry Shimansky

Contents

Disclaimer
Intro
  Corporate security changes
Brief results
Vulnerability statistics
  Number of SAP Security Notes
  SAP Security Notes sorted by criticality
  SAP Security Notes sorted by type
  Number of acknowledgements to external researchers
  Amount of publicly available information
  Top 5 most valuable vulnerabilities in 2012
Growing interest
  Number of security reports in technical conferences
SAP on the Internet
  Google search results by country
  Shodan search results by country
  Internet Census scan
  PortScan search result by country
SAP versions
  ABAP engine versions
  J2EE engine versions
  OS popularity for SAP
  RDBMS popularity for SAP
  Backend
Critical services on the Internet
  SAProuter
  WebRFC service as part of NetWeaver ABAP
  CTC service as part of NetWeaver J2EE
  SAP Message Server HTTP
  SAP Management Console
  SAP Host Control
  SAP Dispatcher service
Future predictions and trends
  Internal threats
  External threats
SAP forensics
What can happen?
  Autocad virus
  Internet-Trading virus
  News resources hacking (Sabotage)
Conclusion
About ERPScan
About OWASP-EAS (EAS-SEC) Open Security Project
  Project mission
Links and future reading
Our contacts

Disclaimer

The partnership agreement and relationship between ERPScan and SAP prevents us from publishing detailed information about vulnerabilities before SAP releases a patch. This whitepaper only includes the details of those vulnerabilities that we have the right to publish as of the release date. However, additional examples of exploitation that prove the existence of the vulnerabilities are available in conference demos as well as at ERPScan.com [1]. Our SAP security surveys and research in other areas of SAP security do not end with this whitepaper. You can find the latest updates about the statistics of SAP services found on the Internet and other endeavors of the EAS-SEC project [2] at SAPScan.com [3]. The survey was conducted by ERPScan as part of its contribution to the EAS-SEC non-profit organization, which is focused on Enterprise Application Security awareness.

This document or any part of it cannot be reproduced in whole or in part without prior written permission of ERPScan. SAP AG is neither the author nor the publisher of this whitepaper and is not responsible for its content. ERPScan is not responsible for any damage that can be incurred by attempting to test the vulnerabilities described here. This publication contains references to SAP AG products. SAP NetWeaver and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany

Intro

An ERP system is the heart of any large company. It enables all the critical business processes, from procurement, payment and transport to human resources management, product management and financial planning. All of the data stored in ERP systems is of great importance, and any illegal access can mean enormous losses, potentially leading to termination of business processes.

From 2006 through 2010, according to the Association of Certified Fraud Examiners (ACFE), losses to internal fraud constituted 7% of yearly revenue on average. Global fraud loss is estimated at more than $3.5 trillion [5]. Thus, a typical entity loses 5% of annual revenue to fraud. The average value for 4 years is 6%. That is why we decided to increase awareness in this area.

Losses to internal fraud constituted 6% of yearly revenue on average.

The widespread myth that ERP security is limited to the SoD matrix has been dispelled lately and now seems more like an ancient legend. Within the last 7 years, SAP security experts have spoken a great deal about various attacks on SAP from the RFC interface, SAProuter, SAP web applications and SAP GUI client workstations [6]. Interest in the topic has been growing exponentially: in 2006, there was 1 report [7] on SAP at a technical conference dedicated to hacking and security, whereas in 2011 there were already more than 20 of them. In 2012, the popularity of the topic inspired more than 30 reports, and by the middle of 2013, about 20 reports had been issued in only half a year. A variety of hacking tools has been released that prove the possibility of SAP attacks [8], [9], [10]. According to the statistics of vulnerabilities found in business applications, more than 100 vulnerabilities were patched in SAP products in 2009, and the number later grew to more than 500. By August 2013, there were more than 2700 SAP Security Notes about vulnerabilities in various SAP components.

Most SAP vulnerabilities allow an unauthorized user to gain access to all critical business data, so it is necessary to consider the main attack vectors and the ways to secure those highly critical systems.

1.1. Corporate security changes

The development of corporate infrastructure tends to move from a decentralized model towards the integration of business processes into united systems. Not long ago, there would be several servers in a company, including a mail server, file server, domain controller, etc. However, these functions have been integrated into a united business application, resulting in more convenient access but also in a single point of failure. Business applications and ERP systems store all of the critical corporate data, from financial reports and personal information to lists of contractors and corporate secrets. Such a system would be the main target of an insider or an external attacker, and their ultimate aim is nowhere near administrative access to the domain controller.

Nevertheless, many information security officers are, unfortunately, scarcely informed about the security of business applications like SAP. Another problem is that responsibility for security lies with the system owner rather than the CISO, and owners answer only to themselves. In the end, nobody is responsible for the security of the most critical system elements. Less global problems are, for example:

- Lack of qualified specialists. SAP specialists in most companies see SAP security as the SoD matrix only, whereas CISOs hardly understand SAP threats, not to mention advanced tweaks.
- Great range of advanced configuration. There are more than 1000 parameters in the standard system configuration, plus a great range of advanced options, not to mention segregation of access rights to various objects like transactions, tables, RFC procedures, etc. For example, the web interfaces used to access the system alone can amount to several thousand. Securing a configuration of this scale can be hard even for a single system.
- Customizable configuration. There are no two similar SAP systems, because most parameters are customized for every client in one way or another. Furthermore, custom programs are developed, and their security has to be accounted for, too, in a complete assessment.

The purpose of this report is to provide a high-level overview of SAP security in figures, so that the area is not just theoretically comprehensible but based on actual numbers and metrics: from information about the number of found issues and their popularity to the number of vulnerable systems, all acquired as a result of a global scan [3].

Brief results

Vulnerabilities
- Old issues are being patched, but a lot of new systems have vulnerabilities. SAP acquires new companies and invents new technologies faster than researchers analyze them.
- The number of vulnerabilities per year is going down compared to 2010, but they have become more critical. 69% of issues closed by SAP are marked as critical.
- The top 5 issues are more critical now than they were last year. Almost all of them have CVSS 10 (the highest rating).

Interest
- The number of companies which find issues in SAP is growing (2 times compared to the previous year), and the percentage of issues found with the help of external researchers is getting higher and higher.
- Interest in SAP platform security has been growing exponentially, and not only among whitehats.
- SAP systems can become a target both for direct attacks (e.g. APT) and for mass exploitation, because a range of easily exploitable and widely installed services is accessible from the Internet.

Internet
- Almost 5000 SAProuters were found, and 85% of them are vulnerable to remote code execution.
- Almost 30% growth of web-based SAP solutions (90% growth of SAP Portal).
- Giant growth of the Latin American and Asian segment of web-based SAP systems.
- The most popular release (35%) is still NetWeaver 7.0, which was released in 2005.
- One third of Internet-facing SAP web services do not use SSL at all.
- The number of Internet-exposed services is 3-5 times lower (depending on the service) but still relevant.

Internal
- The number of internally exposed critical services and vulnerabilities is extremely big (30-95% depending on the service).
- Only 10% of systems have the security audit log enabled.
- Internal fraud and ABAP-specific backdoors are more likely now.

Defense
- SAP security in the default configuration is getting much better.
- [+] SAP invests money and resources in security, provides guidelines, and arranges conferences.
- [-] Unfortunately, SAP users still pay little attention to SAP security.

Predictions
- There are still a lot of uncovered areas in SAP security.
- SAP forensics can be a new research area, because it is not easy to find evidence now, even if it exists.
- New types of cyber-weapons which target ERP systems can appear shortly.

Vulnerability statistics

The information about vulnerabilities in SAP, sorted by their popularity, criticality and the affected systems, is given here. The top 5 most valuable publicly known vulnerabilities are presented as well.

Number of SAP Security Notes

Every month on SAP Critical Patch Day (every second Tuesday), SAP releases one or more internal advisories called SAP Security Notes. Such an advisory usually contains information about one or more vulnerabilities found in SAP products, or about misconfigurations that bear some risk to SAP systems. The first SAP Security Note was published in In 2007, the number of published notes began to grow exponentially. As of September 1, 2013, 2718 SAP Security Notes have been published.

Figure: Number of SAP Security Notes per year (the data was collected on September 1, 2013, when a total of 2718 notes had been published)

During 2011, the approximate number of SAP Security Notes published every month on the Critical Patch Day was about 61. In 2012, this number was 54 notes, and by the middle of 2013, it equaled 29 notes a month on average. In comparison to other software vendors, this is more than Microsoft, Oracle, or Cisco. Needless to say, just 4 years ago (2009) this number was much lower (approximately 6 times).

Figure: Average number of Notes released every month, per year

From the two previous figures, you can conclude that the number of security notes has been going down a little since the peak. However, the number is still huge, and, as you will see in the following figures, the percentage of highly critical vulnerabilities is getting higher.

SAP Security Notes sorted by criticality

SAP has 5 different levels of criticality for published notes:
1. HotNews
2. Correction with high priority
3. Correction with medium priority
4. Correction with low priority
5. Recommendations/additional info

Most of the issues (69%) have high priority, which means that about 2/3 of the published vulnerabilities must be corrected quickly.

Figure: Number of SAP Security Notes, sorted by criticality level, compared: 2011 light, 2013 dark

Figure: Percentage of high priority vulnerabilities per year

Figure: Percentage of low priority vulnerabilities per year

As you can see, the overall number of security vulnerabilities found in SAP is getting lower, but researchers have started to focus on critical vulnerabilities.

SAP Security Notes sorted by type

All published SAP Security Notes were analyzed by their popularity. The most popular types of issues are presented below.

Top 10 types of vulnerabilities
1 - XSS
2 - Missing authorization check
3 - Directory traversal
4 - SQL injection
5 - Information disclosure
6 - Code injection
7 - Authentication bypass
8 - Hardcoded credentials
9 - Remote code execution
10 - Verb tampering

Figure: SAP Security Notes, sorted by type

The 3 most common vulnerabilities cover 42% (was 41%) of all found issues. The top 10 issues cover 63% (was the same) of all issues. About 20% of found vulnerabilities are not included in the top 10, because a lot of unique issues exist in SAP systems. Some of them are available in our presentation called "Top 10 most interesting SAP vulnerabilities and attacks" [11].

In addition, we compared the SAP vulnerability lists for 2012 and 2013 and the OWASP Top 10 to see if there are any differences between web-based issues and business application issues, and if there are any changes. The rank of each type by mid-2013, mid-2012 and mid-2011 is given below (change of position in brackets):

Vulnerability type           | mid-2013 | mid-2012 | mid-2011
XSS                          | 1        | 3 (+2)   | 2 (+1)
Missing authorization check  | 2        | 2        | 1 (-1)
Directory traversal          | 3        | 1 (-2)   |
SQL injection                | 4        |          |
Information disclosure       | 5        | 5        | 6 (+1)
Code injection               | 6        | 8 (+2)   | 8 (+2)
Authentication bypass        | 7        | 6 (-1)   | 5 (-2)
Hardcoded credentials        | 8        | 7 (-1)   | 7 (-1)
Remote code execution        | 9        |          |
Verb tampering               | 10       |          |

As you can see, the situation has changed slightly. We can only guess the core reason for those changes, because many different factors can lead to them and the numbers may not be very representative. But here are some ideas. The main factors which can influence those numbers are:

- The growing number of web-based applications, and thus the growing number of web vulnerabilities.
- Enhancements in static code analysis software, which show us that the number of issues that can be easily found using simple regular expressions is getting lower. On the other hand, the number of issues that require more accurate static code analysis, including data flow, is getting higher.

So, taking those things into account, we can conclude that:

- The growing number of XSS vulnerabilities is predictable due to the popularity of web-based applications, especially in the J2EE stack, and also due to the improvement of static code analysis.
- The falling number of directory traversal issues is predictable due to the fact that they are easy to find and most of them have already been found. Also, SAP has added some improvements and additional authorization checks for directory traversal issues in new releases.
- The growing number of code injection vulnerabilities is due to their high criticality and the fact that any injection flaw will be easier to find with more advanced static code analysis tools.
- On the other hand, issues such as hardcoded credentials will be harder to find with every year precisely because they are very easy to find (i.e., most of them have already been found by simple regular expressions).
- There are some areas which are different for web and ERP programming vulnerabilities.

This situation is another proof that business applications need a different approach and different priorities when we talk about SDLC processes.

Number of acknowledgements to external researchers

In 2010, SAP decided to give acknowledgements to external security researchers for the vulnerabilities found in its products [12]. In the figure, you can see the number of vulnerabilities that were found by external researchers since then.

Figure: Number of vulnerabilities found by external researchers per year

In 2010, there were just 16 companies that had acknowledgements from SAP, but by the middle of 2013, we have counted 46 different companies and 3 researchers, which is almost 3 times more.

Figure: Number of companies acknowledged by SAP per year

External companies and researchers were acknowledged by SAP for helping to close 353 vulnerabilities in SAP products. Most companies were acknowledged for just one vulnerability, while ERPScan has almost a quarter of all acknowledgements, with 83 acknowledgements in total (much more than any other contributor). The 80/20 rule works almost perfectly: 80% of vulnerabilities were found by 17.5% of companies.

Figure: Percentage of acknowledgements vs. number of companies

The ratio of vulnerabilities found by external researchers to vulnerabilities found by SAP internally is growing, as is the number of external researchers.

Figure: Percentage of acknowledgements to external researchers per year

What else can be learned from the relationship of SAP with external researchers? Recently, we have been receiving more and more responses from SAP PSRT to our vulnerability reports saying that the issue has already been patched. This can be due to two reasons, and each of them is good news for SAP users. Firstly, SAP AG itself has significantly improved its internal SDLC and vulnerability research, so some issues were already found by SAP. Secondly, two different researchers sometimes get credit for the same issue, which means that the number of researchers is going to increase.

The record share of bugs found by external researchers was set in January 2013: 76%.

Figure: Number of duplicated issues sent by ERPScan researchers per year

3.5. Amount of publicly available information

The most critical threat is connected to the vulnerabilities for which information about the methods of exploitation (detailed advisories, PoC code and working exploits) is publicly available. Information was gathered from the three most popular sources.

SecurityFocus [13]
Detailed advisories, sometimes with PoC code, can usually be found here. All the vulnerabilities published here have a high probability of exploitation. 149 vulnerability advisories (5.5% of all vulnerabilities) were found here (as of September 1).

Figure: Advisories per year from SecurityFocus

Exploit-DB [16]
Usually, exploit code that can be used as-is, without any modification or additional knowledge of exploiting systems, can be found here. All the vulnerabilities published here have a critical probability of exploitation. A total of 49 exploits (1.8% of all vulnerabilities) were found here (as of September 1).

Figure: Exploits per year from Exploit-DB

In the figure below, you can find vulnerabilities categorized by probability and ease of exploitation according to the amount of information available to hackers from public sources, as opposed to the restricted information in SAP Security Notes.

Vulnerabilities by amount of public information:
- SAP Security Note available: 100%
- Some information available: 353 (13%)
- Advisory or PoC available: 149 (5.5%)
- Exploit available: 49 (1.8%)

Figure: SAP vulnerabilities by probability and ease of exploitation, as of September 1

Top 5 most valuable vulnerabilities in 2012

Out of the many published vulnerabilities, we have chosen the top 5 with the most significant threats published in 2012:
- SAP NetWeaver J2EE DilbertMSG SSRF [17]
- SAP Host Control Command Injection [18]
- SAP NetWeaver J2EE File Read/Write [19]
- SAP Message Server Buffer Overflow [20]
- SAP Dispatcher DIAG protocol Buffer Overflow [21]

We chose 2 main factors among others to identify the most valuable issues disclosed in 2012:
- Accessibility. A major factor: whether it is possible to exploit a vulnerability from the Internet without user authorizations.
- Criticality. How critical the harm to the system will be.

1. SAP NetWeaver J2EE DilbertMSG SSRF

The vulnerability was found in the XML parser of the SAP NetWeaver J2EE engine. Actually, it is several vulnerabilities that lead to an SSRF (Server Side Request Forgery) attack, allowing an anonymous attacker from the Internet to send any TCP packet to any internal network, and many other things like reading OS files, bypassing Message Server security, denial of service attacks and so on. This type of attack may not be as critical as the others presented below, but it opens a new type of issue, and similar problems can appear in the future.

Espionage: Critical
Sabotage: Critical
Fraud: Medium
Availability: Anonymously through the Internet
Ease of exploitation: Medium
Future impact: High (new type of attack)
CVSSv2: 7.3
Advisory:
Patch: SAP Note
Author: Alexander Polyakov, Alexey Tyurin, Alexander Minozhenko (ERPScan)

2. SAP Host Control Code Injection

The vulnerability was found in the SAP Host Control service of the SAP NetWeaver ABAP engine, which listens on TCP port 1128 by default. This vulnerability allows an anonymous attacker to execute any OS command by injecting it into a SOAP packet. However, this vulnerability only works when SAP is installed on top of the MaxDB database. This issue took second place due to three factors: ease of exploitation, availability of an exploit on the Internet, and the huge number of SAP Host Control services exposed on the Internet.

Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymously through the Internet
Ease of exploitation: Easy (Metasploit module exists)
Future impact: Low (single issue)
CVSSv2: 10
Advisory:
Patch: SAP Note
Author: Contextis

3. SAP NetWeaver J2EE File Read/Write

This vulnerability was found in the SAP NetWeaver J2EE stack and allows an anonymous attacker to obtain read and write access to any file on the operating system. The criticality of the issue is 10 by CVSS. The only two facts which put this issue in third place are that the vulnerable service is available internally and that there is no public information about the details of exploiting it.

Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymously
Ease of exploitation: Medium
Future impact: Low
CVSSv2: 10
Advisory:
Patch:
Author: Juan Pablo

4. SAP Message Server Buffer Overflow

A remote buffer overflow vulnerability allowing execution of arbitrary code at the OS level with the rights of the <SID>adm user was found in the SAP Message Server service. The vulnerability was sold to ZDI, and its criticality was marked as 10 by CVSS, which is the highest score. Another critical point is that this service can also be exposed to the Internet, which will be detailed later.

Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymous
Ease of exploitation: Medium. Good knowledge of exploit writing for multiple platforms is necessary
CVSSv2: 10.0
Advisory:
Patch: SAP Notes
Author: Martin Gallo

5. SAP Dispatcher DIAG protocol buffer overflow

SAP Dispatcher is the main service for SAP client-server communications. It allows connecting to SAP NetWeaver with the SAP GUI application through the DIAG protocol. Martin Gallo from Core Security found multiple buffer overflow vulnerabilities that can lead to a denial of service attack, and one of them also allows code execution [22]. The exploit code was published on May 9, and an unauthorized cybercriminal can exploit it without any rights. The good news is that this vulnerability only works when DIAG trace is set to level 2 or 3, which is not the default value, but a possible one anyway.

Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Low. Trace must be on
Ease of exploitation: Medium
CVSSv2: 9.3
Advisory:
Patch:
Author: Martin Gallo

4. Growing interest

While most of the security trends and possible threats are focused on mobile, cloud, social networks and critical infrastructure, which will potentially face threats in the near future, there is a topic called ERP security, and threats to those systems exist now. That's why the number of companies which are focused on ERP security and which sell software for its assessment is growing. So the number of security consulting companies that try to sell special consulting services for ERP security is growing as well.

Number of security reports in technical conferences

Since 2006, SAP security has received a lot of attention at technical security conferences like CanSecWest, BlackHat, HITB and others. There were also some talks with SAP-related research in 2004, such as from Phenoelit. Since 2010, this trend has expanded to other conferences; more and more companies and researchers have begun to publish their research in the field of SAP security. In the earlier years, talks were mostly focused on showing typical information security threats in SAP landscapes, such as SAP web application security, SAP client-side security, SAP backdoors and Trojans. Last year's discussions were focused on retrospective and defense areas like SAP forensics.

Since 2003, almost every part of SAP has somehow been breached, and almost every area has been discussed at technical security conferences:
- Common: SAP backdoors, SAP rootkits, SAP forensics
- Services: SAP Gateway, SAProuter, SAP NetWeaver, SAP GUI, SAP Portal, SAP Solution Manager, SAP TMS, SAP Management Console [23], SAP ICM/ITS
- Protocols: DIAG [24], RFC, SOAP (MMC), Message Server, P4 [25]
- Languages: ABAP buffer overflow [26], ABAP SQL injection [27], J2EE verb tampering [28], J2EE Invoker Servlet [25] [29] [30]
- Overview: SAP cyber-attacks, Top 10 interesting issues, myths about ERP

Figure: Number of SAP security talks presented at different conferences, by year*

The number of SAP security talks presented at different conferences every year is shown in the slides. For 2013, an approximate number is estimated based on the first 4 months.

* Data was collected from different conference websites as of August 15.

5. SAP on the Internet

Among many people who work with SAP, a popular myth is that SAP systems are inaccessible from the Internet, so all SAP vulnerabilities can only be exploited by an insider. Business applications are not only accessible internally; this myth comes from 10 years ago, when mainframes were prevalent. Business is changing, and companies want to have their applications connected. They need to connect to departments worldwide, share data with clients via web portals, SRM and CRM systems, and get access from any place with mobile solutions.

- Companies have SAP Portals, SAP SRMs and SAP CRMs remotely accessible
- Companies connect different offices (by SAP XI)
- Companies are connected to SAP (through SAProuter)
- SAP GUI users are connected to the Internet
- Administrators open management interfaces to the Internet for remote control
- Almost all business applications have web access now

This part of the report is intended to destroy the myth by showing how many companies make which services available for remote access, and how those services are vulnerable to the latest threats.

Google search results by country

These statistics were collected using the well-known Google search requests [31].

Application server type   | Search string
SAP NetWeaver ABAP        | inurl:/SAP/BC/BSP
SAP NetWeaver J2EE        | inurl:/irj/portal
SAP Business Objects      | inurl:infoviewap

As a result of the scan, 695 (was 610) unique servers with different SAP web applications were found. This is 14% more than in 2011, taking into account that 22% of the services found in 2011 are no longer available while 35% of the services are new. The J2EE server seems to be the most popular platform. Unfortunately, this server is more vulnerable than the ABAP engine, having at least 3 different vulnerabilities that can be exploited anonymously and give full access to the system. On the other hand, the ABAP engine has numerous default users [32] that can be used by attackers. The SAP BusinessObjects server has both problems.

SAP web servers by type (Google):
- SAP NetWeaver J2EE: 44%
- SAP Web Application Server (ICM): 27%
- SAP BusinessObjects: 16%
- SAP NetWeaver ABAP: 11%

Figure: SAP application servers by type

Figure: SAP application servers by country (by Google search)

Figure: Overall number of SAP application servers found in Google, sorted by country (top 20): United States, Germany, India, United Kingdom, China, Netherlands, Italy, Switzerland, Brazil, Canada, France, Belgium, Norway, Korea, Spain, Mexico, Denmark, Austria, Russia, Finland

Figure: Overall number of SAP NetWeaver J2EE servers found in Google, sorted by country (top 10): United States, Germany, India, China, United Kingdom, Switzerland, France, Brazil, Netherlands, Italy, Canada

Figure: Overall number of SAP NetWeaver ABAP servers found in Google, sorted by country (top 10): United States, Germany, India, Denmark, Hungary, Austria, Spain, Canada, China, United Kingdom

Figure: Overall number of SAP WebAS servers found in Google, sorted by country (top 10): United States, Germany, Netherlands, Belgium, Italy, Korea, China, India, Norway, United Kingdom, France

5.2. Shodan search results by country

Another source which can help to find SAP web interfaces available on the Internet is called ShodanHQ. The difference is that this service not only finds those applications which were crawled by web spiders, but scans the whole Internet for port 80 (and others, too), and so can be used to find more SAP systems. A total of 3741 (was 2677) servers with different SAP web applications were found.

Figure: SAP application servers by type (ShodanHQ): SAP NetWeaver J2EE, SAP NetWeaver ABAP, SAP Web Application Server, Other (BusinessObjects, SAP Hosting, etc.)

The SAP NetWeaver J2EE platform is the most popular on the Internet, and it is still growing a lot. Compared with the previous year by ShodanHQ statistics, the number of Internet-located SAP Portals doubled during the previous year!

Figure: Growth by application server

Figure: SAP application servers by country (by ShodanHQ search)

Figure: Overall number of SAP application servers found in ShodanHQ, sorted by country (top 20): United States, Germany, Italy, India, Spain, Brazil, Belgium, France, China, Korea, United Kingdom, Switzerland, Canada, Turkey, Netherlands, Denmark, Mexico, Chile, Taiwan, Australia

Statistics gathered by country are very interesting, especially if we compare them with the previous year. They show us where the SAP market is growing: in Latin America and Asia.

Growth of SAP web servers (top 5):
- Mexico: 562%
- Chile: 280%
- India: 119%
- China: 111%
- Taiwan: 96%

Figure: Growth of SAP web servers (top 5)

5.3. Internet Census scan

This year, one interesting project was presented. It was done by an anonymous researcher using not-so-legal techniques, such as exploiting devices and making a worldwide scan from them on popular ports. It would have been great if this list had contained all ports but, unfortunately for us, it is useful only for port 80. The number of IP addresses with SAP web applications that were found is close to the number we got from Shodan. This data also gives us information about SSL usage. It turned out that almost one third of Internet-facing SAP applications don't use SSL, which is an extremely bad statistic.

Usage of SSL by SAP applications: SSL 68%, no SSL 32%

Figure: Usage of SSL by SAP applications

5.4. PortScan search result by country

The most interesting and complex research was performed by scanning the Internet not only for web services but also for services that should never be reachable from the Internet. In the first stage this was done with a simple algorithm that scans only the subnets of the servers found during the Google and ShodanHQ searches (about 1000 subnets in total). Many ports listened on by SAP applications were found, such as Message Server HTTP, SAP Gateway and SAPHostControl. During the scan, information about publicly available SAP services (SAP Host Control, SAP Dispatcher, SAP Message Server, SAP Management Console) was collected.

Figure: SAP application servers by country (PortScan (Nmap) search)

The figure shows the percentage of German companies that expose unnecessary SAP services to the Internet. The number of open ports will be updated online at sapscan.com [3], the official site of this project.

10 % of companies that use SAP expose critical services like Gateway or Dispatcher directly to the Internet, bypassing SAProuter security.

Figure: Percent of companies that expose critical SAP services to the Internet, 2013 versus 2011 (SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd, SAProuter). The per-service figures are discussed in section 7.

6. SAP versions

We checked the major versions of the ABAP and J2EE engines found on the Internet to understand the lifecycle of released products and to see which version is the most popular now. We also checked the popularity of the OS and RDBMS used with SAP.

6.1. ABAP engine versions

ABAP versions were collected by connecting to the root of an application server and parsing the HTTP response headers. We also used an information disclosure vulnerability: the SAP NetWeaver release (together with host, OS and database details) can easily be read if the application is configured insecurely so that the /sap/public/info URL is reachable without authentication. Comparing with the previous year, we were happy to note that the number of Internet-facing systems with this information disclosure has decreased sharply: after scanning all available SAP NetWeaver ABAP servers, 6 % (previously 59 %) of them were found to be vulnerable.

The release version is vital for security. For example, the most powerful security options, like disabling access to all BSP applications, are active by default only from EHP 2, and EHP 2 is installed on just 23 % (was 11 %) of all servers. This means that even though SAP cares about the security of its products, most of the work of securing an SAP system still lies with administrators. The most popular release (35 %, previously 45 %) is NetWeaver 7.0 EHP 0, released in 2005!

Figure: NetWeaver ABAP versions by popularity: 7.0 EHP 0 (Nov 2005) 35 %; 7.0 EHP 2 (Apr 2010) 23 %; 7.0 EHP 1 (Oct 2008), 7.3 (Jun 2011), 6.2 (Dec 2003) and 6.4 (Mar 2004) share the remaining 41 % (individual shares of 19 %, 11 %, 6 % and 5 %).

If we compare these results with the previous year, we see good changes, such as very high relative growth of the 7.3 and 7.02 releases, although the absolute growth is of course quite small compared with the overall number:
7.3: growth by 250 %
7.02 (7.0 EHP 2): growth by 70 %
7.0: loss by 22 %
6.4: loss by 45 %

6.2. J2EE engine versions

The version of the J2EE engine can easily be read from an HTTP response. Detailed information about the patch level, however, is only obtainable if the application server is not securely configured and lets an attacker read certain pages. There are at least 3 pages that disclose information about the J2EE engine; the share of Internet-facing J2EE servers that still expose each of them is:
/rep/build_info.jsp [33]: 26 % (61 % last year)
/bcb/bcbadmsysteminfo.jsp [34]: 1.5 % (17 % last year)
/AdapterFramework/version/version.jsp [35]: 2.7 % (a new issue)

The detailed information about the major versions is presented below.

Figure: NetWeaver JAVA versions by popularity (includes NetWeaver 6.40, 7.00, 7.02, 7.30 and 7.31; the largest share in the chart is 44 %)

If we compare these results with the previous year, we see good changes. New versions, 7.31 and 7.3, appear with a total of 12 % of all servers. The detailed changes are:
7.31: growth from 0 to 3 %
7.30: growth from 0 to 9 %

growth by 67 %
7.0: loss by 23 %
6.4: loss by 40 %

6.3. OS popularity for SAP

Using the /sap/public/info URL, it is possible to obtain the OS version of ABAP installations. Analysing the results gathered from Internet-facing SAP systems, we found that the most popular operating systems are Windows NT (28 %) and AIX (25 %). According to our statistics from internal SAP assessments, *NIX systems are more popular in general, while Windows is more popular for Internet-facing SAP systems.

Figure: OS popularity for SAP (percent):
Windows NT: 28 %
AIX: 25 %
Linux: 19 %
SunOS: 13 %
HP-UX: 11 %
OS/400: 4 %
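The release, OS and RDBMS statistics in sections 6.1 and 6.3 all come from the same /sap/public/info answer. The following script, an example added here and not ERPScan's scanner, parses that answer the way the survey tallies it. The element names (RFCSAPRL, RFCOPSYS, RFCDBSYS and so on) are the fields of the RFCSI structure that RFC_SYSTEM_INFO returns; the sample response is constructed, not a capture, and the live fetch function is only for systems you are authorised to test.

```python
"""Fingerprint a NetWeaver ABAP server through /sap/public/info.

Example code added for this survey (not ERPScan's scanner). The element names
(RFCSAPRL, RFCOPSYS, RFCDBSYS, ...) are the fields of the RFCSI structure that
RFC_SYSTEM_INFO returns; SAMPLE_RESPONSE is a constructed answer, not a capture.
"""
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of what an unprotected /sap/public/info returns.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="utf-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Body>
  <rfc:RFC_SYSTEM_INFO.Response xmlns:rfc="urn:sap-com:document:sap:rfc:functions">
   <RFCSI_EXPORT>
    <RFCPROTO>011</RFCPROTO>
    <RFCHOST>sapprd01</RFCHOST>
    <RFCSYSID>PRD</RFCSYSID>
    <RFCDBHOST>sapdb01</RFCDBHOST>
    <RFCDBSYS>ORACLE</RFCDBSYS>
    <RFCSAPRL>702</RFCSAPRL>
    <RFCOPSYS>Windows NT</RFCOPSYS>
    <RFCIPADDR>10.1.1.10</RFCIPADDR>
    <RFCKERNRL>720</RFCKERNRL>
   </RFCSI_EXPORT>
  </rfc:RFC_SYSTEM_INFO.Response>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""

FIELDS = ("RFCHOST", "RFCSYSID", "RFCDBHOST", "RFCDBSYS",
          "RFCSAPRL", "RFCOPSYS", "RFCIPADDR", "RFCKERNRL")


def parse_system_info(body):
    """RFCSI fields as a dict; empty dict when the body is not an RFCSI answer
    (error page, HTML logon form, or a locked-down service)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {}
    info = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]      # drop the namespace prefix, if any
        if tag in FIELDS and el.text:
            info[tag] = el.text.strip()
    return info


def release_label(rfcsaprl):
    """Turn the 3-digit RFCSAPRL value into the label used in the charts:
    '700' -> '7.0', '702' -> '7.0 EHP 2', '730' -> '7.3', '731' -> '7.3 EHP 1'."""
    rl = rfcsaprl.strip()
    if len(rl) != 3 or not rl.isdigit():
        return rl or "unknown"
    major, ehp = f"{rl[0]}.{rl[1]}", int(rl[2])
    return f"{major} EHP {ehp}" if ehp else major


def classify(info):
    """Summarise one host the way the survey tallies it."""
    if not info:
        return {"disclosed": False}
    return {
        "disclosed": True,
        "release": release_label(info.get("RFCSAPRL", "")),
        "kernel": info.get("RFCKERNRL", "unknown"),
        "os": info.get("RFCOPSYS", "unknown"),
        "rdbms": info.get("RFCDBSYS", "unknown"),
        "sid": info.get("RFCSYSID", "unknown"),
        "internal_ip": info.get("RFCIPADDR", "unknown"),
    }


def fetch_public_info(base_url, timeout=10):
    """Live check of one server; use only against systems you are authorised to test."""
    req = urllib.request.Request(base_url.rstrip("/") + "/sap/public/info",
                                 headers={"User-Agent": "sap-public-info-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    print(classify(parse_system_info(SAMPLE_RESPONSE)))
```

Note that the answer leaks more than the release: the internal IP address, the database host and the system ID are exactly what an attacker needs to plan the next step once a SAProuter or VPN foothold exists, which is why the ICF node /sap/public/info should be deactivated or restricted on Internet-facing systems.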

6.4. RDBMS popularity for SAP backend

The most popular RDBMS used as a backend for SAP is still Oracle, with 59 %. The other RDBMS systems are listed below.

Figure: RDBMS popularity for SAP backend (percent):
Oracle: 59 %
DB2: 19 %
MSSQL: 17 %
MaxDB: 5 %

It should be mentioned that Oracle RDBMS installed with SAP is vulnerable to a very dangerous attack in which authentication is bypassed and an unauthorized attacker obtains direct access to the database without any authorizations, because of the improper use of the REMOTE_OS_AUTHENT parameter: with it enabled, the database trusts the OS user name that the client claims, so an attacker who can reach the listener simply claims the OS user of the SAP administrator, whose externally identified OPS$ account exists on every SAP-on-Oracle installation. It is a very old bug, first published in 2002, but still present on many systems [36].

7. Critical services on the Internet

Apart from web interfaces that must be reachable from the Internet for business reasons, such as SAP Portal, SAP SRM or SAP CRM, there are services that should not be available externally at all. Not only do they bring a potential risk, they have real vulnerabilities and misconfigurations that are well-known and well-described in public resources. This is of course not the full list of critical SAP services, just the most popular ones. The scan was performed across 1000 subnetworks of companies that use SAP worldwide.

Services like SAP Dispatcher, SAP Message Server, SAP Host Control and the others presented here should not accept connections from the Internet.

7.1. SAProuter

SAProuter is a special service created by SAP for a number of purposes:
forwarding requests from the Internet (and not only) to SAP systems;
connecting SAP systems to each other across many locations;
connecting the systems of different companies, such as customers and partners.

Its main mission is to get updates from SAP and have them installed remotely on SAP systems. It also provides access to the EarlyWatch service, so every company that uses SAP should install a SAProuter. There are several ways to implement this: either by configuring VPN access to SAP, or by exposing the SAProuter service on the Internet on its default port, 3299, which everybody knows. More details can be found at SAP Service Marketplace [37].

The analysis of all SAProuters found remotely enabled in the 1000 companies showed 99 SAProuters on the default port, i.e. approximately 10 % (was 32 %). This result was not enough for us, so we started another project to find out how many SAProuters are on the Internet in total. First of all, we were interested in how many of them were vulnerable to known issues, as well as to a very critical heap overflow vulnerability found by researchers from the ERPScan team. The vulnerability gives full control of the SAProuter with a single TCP packet, and thus access to the internal corporate network. The issue was closed in May 2013, and the details can be found in the corresponding SAP Note. We decided to count the vulnerable SAProuters almost 6 months after the patch was released. Here are the results of the scan:

There were 4500 SAProuters on the whole Internet in total.

15 % of the routers lacked an ACL. This can be used to:
scan the internal network;
if something is found during the scan, proxy any request to any internal address of an SAP or non-SAP system.

19 % of the routers have an information disclosure vulnerability that lists internal systems. This can be used to:
cause a denial of service by opening many connections to any of the listed SAP servers (there is a limit by default, only 3000 connections are possible);
proxy any request to any internal address of an SAP or non-SAP system if there is no ACL.

5 % of the routers have an insecure configuration, an authentication bypass that can be used to reconfigure the router remotely without authentication.

Finally, 85 % of the routers are still vulnerable to the heap overflow issue that was closed almost half a year ago, and it can be used to break into the internal network of any of about 4500 different companies around the world. There is also an additional SAP Note on SAProuter security.

85 % of almost 5000 SAProuters on the Internet were found to be vulnerable.
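The "no ACL" and "open proxy" conditions above are decided by one file, the route permission table saprouttab. The following checker, an example added here and not SAP or ERPScan tooling, parses that file and flags the permissive patterns; it cannot detect the heap overflow, which needs the patched SAProuter binary. The entry format is saprouttab's own (P = permit, D = deny, S = SNC-only permit, KP/KD/KS for SNC-protected sources; fields are source host, target host, target service and an optional password; '*' matches anything; the first matching line wins). Both tables in the block are constructed.

```python
"""Audit a saprouttab, the SAProuter route permission table, for the exposure
the survey describes: no ACL at all, or permit entries that let any client be
routed to any host and port.

Example code added for this survey, not SAP or ERPScan tooling. Both tables
below are constructed.
"""
import re

# Constructed: the catch-all table that an unrestricted router is effectively running.
WEAK_SAPROUTTAB = """\
# anyone may connect to anything
P * * *
"""

# Constructed: one partner network may reach one dispatcher, nothing else.
HARDENED_SAPROUTTAB = """\
# partner (192.0.2.0/24, documentation range) -> production dispatcher only
P 192.0.2.* 10.10.1.5 3200
# everything that did not match above is refused
D * * *
"""

ENTRY = re.compile(
    r"^(?P<act>K?[PDS])\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<svc>\S+)(?:\s+(?P<pw>\S+))?$"
)


def parse_saprouttab(text):
    """List of entries (dicts) in file order; malformed lines get an 'error' key."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        m = ENTRY.match(line)
        if m:
            entries.append({"line": lineno, **m.groupdict()})
        else:
            entries.append({"line": lineno, "error": raw})
    return entries


def _is_any(*fields):
    return all(f == "*" for f in fields)


def audit_saprouttab(text):
    """Findings as a list of strings; an empty list means nothing obviously wrong."""
    if text is None:
        return ["no saprouttab present: router has no ACL, any client can be routed anywhere"]
    findings = []
    entries = parse_saprouttab(text)
    for idx, e in enumerate(entries):
        if "error" in e:
            findings.append(f"line {e['line']}: unparseable entry {e['error']!r}")
            continue
        if e["act"] not in ("P", "KP"):
            continue
        if _is_any(e["src"], e["dst"]):
            findings.append(f"line {e['line']}: any source may reach any host "
                            f"(service {e['svc']}): the router is an open proxy into the LAN")
        elif _is_any(e["dst"]) or _is_any(e["svc"]):
            findings.append(f"line {e['line']}: wildcard target or service for source {e['src']}")
        if _is_any(e["src"], e["dst"], e["svc"]) and idx < len(entries) - 1:
            # first match wins, so everything after a catch-all permit is dead configuration
            findings.append(f"line {e['line']}: catch-all permit shadows "
                            f"{len(entries) - idx - 1} later entries")
    good = [e for e in entries if "error" not in e]
    if not good or not (good[-1]["act"] == "D"
                        and _is_any(good[-1]["src"], good[-1]["dst"], good[-1]["svc"])):
        findings.append("no explicit 'D * * *' as the last entry")
    return findings


if __name__ == "__main__":
    for name, tab in (("weak", WEAK_SAPROUTTAB), ("hardened", HARDENED_SAPROUTTAB)):
        print(name, audit_saprouttab(tab) or ["ok"])
```

Run it against the saprouttab of every Internet-facing router; a permit whose target is '*' turns the router into exactly the internal-network proxy the scan results describe, and the final "D * * *" makes the deny explicit instead of relying on defaults.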

7.2. WebRFC service as part of NetWeaver ABAP

WebRFC is a web service that is available by default on the SAP NetWeaver ABAP platform. It allows executing RFC function modules through HTTP requests to the NetWeaver ABAP HTTP port at the URL /sap/bc/webrfc. Among those functions there are several critical ones that can:
read data from SAP tables;
create SAP users;
execute OS commands;
make financial transactions;
and more.

By default, any user can access this interface and execute the RFC_PING function by sending an XML packet; other functions require additional authorizations. So there are 2 main risks:
If a default user name and password still exist in the system, an attacker can execute numerous dangerous RFC functions, because the default users have dangerous rights.
If a remote attacker obtains any existing user's credentials, he can cause a denial of service on the server by sending an RFC_PING request with a malformed XML packet [38][39].

It was found that 6 % (was 40 %) of ABAP systems on the Internet have the WebRFC service enabled.

We did not check whether those systems had default passwords, but according to various statistics from our research and the research of our colleagues, about 95 % of systems have at least 1 default user account.

7.3. CTC service as part of NetWeaver J2EE

CTC is a web service that is installed by default on the NetWeaver J2EE engine. It allows managing the J2EE engine remotely. This web service can be found by Google and it often exists on SAP Portals. It makes it possible to:
create users;
assign a role to a user;
execute OS commands;
remotely turn the J2EE engine on and off.

Researchers from ERPScan have presented a vulnerability [25] in this service called Verb Tampering. It allows bypassing the authorization checks for remote access to the CTC service. It means that anybody can remotely obtain full, unauthorized access to all business-critical data located in the J2EE engine.
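Verb Tampering is a property of the J2EE deployment descriptor rather than of CTC specifically: a security-constraint in web.xml that enumerates http-method elements protects only those verbs, and every other verb the container accepts reaches the servlet without the auth-constraint. HEAD is the classic bypass, because HttpServlet.doHead() runs doGet() by default and merely drops the body, so the GET logic executes unauthenticated. The checker below is an example added here, not SAP's or ERPScan's code; the two descriptors are constructed stand-ins for the real CTC web.xml.

```python
"""Detect the verb-tampering weakness in J2EE web.xml descriptors.

Example code added for this survey; the descriptors are constructed stand-ins,
not the CTC application's real web.xml.
"""
import xml.etree.ElementTree as ET

VULNERABLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>AdminServlet</servlet-name>
    <servlet-class>example.AdminServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AdminServlet</servlet-name>
    <url-pattern>/admin/AdminServlet</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/AdminServlet</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# Same descriptor with the verb list removed: the constraint now covers every method.
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "      <http-method>GET</http-method>\n      <http-method>POST</http-method>\n", "")

ALL_VERBS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")


def _local(tag):
    """Element name without the XML namespace."""
    return tag.rsplit("}", 1)[-1]


def find_verb_tampering(web_xml):
    """[(url-pattern, [listed verbs])] for each auth-constrained resource that
    protects an explicit verb list only."""
    root = ET.fromstring(web_xml)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if not any(_local(c.tag) == "auth-constraint" for c in sc):
            continue                      # nothing to bypass here
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            patterns = [c.text.strip() for c in wrc if _local(c.tag) == "url-pattern"]
            verbs = [c.text.strip().upper() for c in wrc if _local(c.tag) == "http-method"]
            if verbs:
                findings.extend((p, verbs) for p in patterns)
    return findings


def unprotected_verbs(listed):
    """Verbs that reach the resource without the constraint applying."""
    return [v for v in ALL_VERBS if v not in listed]


if __name__ == "__main__":
    for pattern, verbs in find_verb_tampering(VULNERABLE_WEB_XML):
        print(pattern, "covers", verbs, "-> bypass with", unprotected_verbs(verbs))
    print("hardened:", find_verb_tampering(HARDENED_WEB_XML))
```

For SAP's own applications the fix is the vendor patch; for custom J2EE applications deployed on the same engine, leave the http-method list out entirely (or, on Servlet 3.0 containers, use http-method-omission) so the constraint applies to every verb.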

It was found that 50 % (61 %) of J2EE systems on the Internet have the CTC service enabled.

Unfortunately, the situation has not changed much this year: about half of all J2EE systems still have CTC installed and reachable from the Internet, which is not good, and we still see services that are vulnerable.

* We did not scan those systems to find out whether they were vulnerable, but according to our statistics from penetration tests, about 50 % of them are still vulnerable.

7.4. SAP Message Server HTTP

SAP Message Server HTTP is the HTTP port of the SAP Message Server, the service that balances load across SAP application servers. Usually it is available only inside the company, but some implementations were found on external IP addresses, which is typically not needed for business processes and can lead to critical actions. By default the server listens on port 81NN, where NN is the system number [40].

One of the issues of SAP Message Server HTTP is that the values of the SAP system's configuration parameters can be obtained remotely without authentication. This can be used for further attacks.

During a sampling scan of 1000 subnetworks assigned to companies that use SAP, 29 Message Server HTTP services were found to be available (last year, 98).

Approximately 2 % (was 11 %) of companies expose Message Server HTTP to the Internet, which is potentially vulnerable to unauthorized remote gathering of system parameters.

7.5. SAP Management Console

SAP Management Console, or SAPControl, is a service that allows remote control of SAP systems. Its main functions are remote start and stop, and they require a user name and password. Apart from the functions that require authentication, there are some functions that can be called remotely without authentication. Most of them read different logs and traces, and sometimes system parameters.

Those issues were well covered by Chris John Riley, an independent researcher [33]. A more serious danger that ERPScan researchers found is that JSESSIONID values can be found in the log files [11]. JSESSIONID is the identifier by which HTTP sessions are tracked, so one possible attack is to insert a harvested JSESSIONID into a browser cookie and get unauthorized access to that user's session.
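The block below, an example added here and not ERPScan's scanner, puts the three pieces of this section together: the port map for the services the scan looked for (using the SAP instance-number convention, NN = two-digit instance number), the SOAP request that the SAP Management Console's sapcontrol web service accepts (its WSDL is served at /?wsdl on the same port, and parameter names come from that WSDL), and a scan of returned log text for leaked JSESSIONID values. The trace excerpt is constructed, and the live call is for authorised testing only.

```python
"""Port map for the scanned SAP services, the sapcontrol (SAP Management
Console) SOAP request, and a JSESSIONID scan over returned log text.

Example code added for this survey, not ERPScan's scanner. SAMPLE_TRACE is a
constructed excerpt, not a capture.
"""
import re
import urllib.request

SAPROUTER_PORT = 3299


def instance_ports(nn):
    """Default TCP ports of one NetWeaver instance with instance number nn."""
    if not 0 <= nn <= 97:
        raise ValueError("instance number must be in 00..97")
    return {
        "dispatcher (DIAG, SAP GUI)": 3200 + nn,
        "gateway (RFC)": 3300 + nn,
        "message server": 3600 + nn,
        "message server HTTP": 8100 + nn,
        "ICM HTTP": 8000 + nn,
        "ICM HTTPS": 44300 + nn,
        "sapcontrol / SAP MMC (HTTP)": 50013 + 100 * nn,
        "sapcontrol / SAP MMC (HTTPS)": 50014 + 100 * nn,
    }


def sapcontrol_request(method, params=None):
    """SOAP envelope for one sapcontrol web method (namespace urn:SAPControl).
    Read-only methods such as GetProcessList or ListLogFiles answer without
    credentials unless service/protectedwebmethods is set on the instance."""
    if params:
        inner = "".join(f"<{k}>{v}</{k}>" for k, v in params.items())
        call = f"<urn:{method}>{inner}</urn:{method}>"
    else:
        call = f"<urn:{method}/>"
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"'
            ' xmlns:urn="urn:SAPControl">'
            f"<SOAP-ENV:Body>{call}</SOAP-ENV:Body></SOAP-ENV:Envelope>")


def sapcontrol_call(host, nn, method, params=None, timeout=10):
    """Live call (authorised testing only): POST the envelope to port 5NN13."""
    url = f"http://{host}:{instance_ports(nn)['sapcontrol / SAP MMC (HTTP)']}/"
    req = urllib.request.Request(url, data=sapcontrol_request(method, params).encode(),
                                 headers={"Content-Type": "text/xml; charset=utf-8",
                                          "SOAPAction": '""'})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# J2EE session cookies look like (J2EE<id>)ID<digits>DB<digits>End; the class
# also admits plainer tokens so other containers' ids are caught too.
JSESSIONID_RE = re.compile(r"JSESSIONID=([A-Za-z0-9_.!()-]+)")


def find_session_ids(text):
    """Distinct JSESSIONID values in log/trace text, in order of first appearance."""
    seen, found = set(), []
    for m in JSESSIONID_RE.finditer(text):
        if m.group(1) not in seen:
            seen.add(m.group(1))
            found.append(m.group(1))
    return found


# Constructed trace excerpt of the kind an unauthenticated log read can return.
SAMPLE_TRACE = """\
GET /irj/portal HTTP/1.1 Cookie: JSESSIONID=(J2EE_PRD_01)ID1234567890DB1234567890End; sapuser=jsmith
GET /irj/portal HTTP/1.1 Cookie: JSESSIONID=(J2EE_PRD_01)ID1234567890DB1234567890End
POST /irj/servlet/prt/portal HTTP/1.1 Cookie: JSESSIONID=(J2EE_PRD_01)ID0987654321DB0987654321End
"""

if __name__ == "__main__":
    print(instance_ports(0))
    print(sapcontrol_request("GetProcessList"))
    print(find_session_ids(SAMPLE_TRACE))
```

Any session id that find_session_ids returns from a log fetched without credentials is a live credential until the user logs off. The server-side fix is the profile parameter service/protectedwebmethods (value SDEFAULT) followed by a restart of sapstartsrv, which moves the log and trace methods behind authentication; keeping port 5NN13 off the Internet is still required on top of that.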

During the same scan as in the previous tests, it was found that 2 % of the subnetworks have Management Console services open. In our internal penetration tests we see a much higher number of vulnerable services: approximately 80 % of the 250 scanned servers of companies that agreed to take part in the statistics were found to be vulnerable to this issue.

Approximately 2 % (was 9 %) of companies expose the SAP MMC service to the Internet, which is potentially vulnerable to unauthorized access to log files.

7.6. SAP Host Control

SAP Host Control is a service that allows remote control of SAP systems. It can be installed manually on any host to collect data from SAP systems remotely. The service usually listens on a TCP port of its own. The main functions require a user name and password. Apart from the functions that require authentication, there are some that can be called remotely without authentication. The first is the ability to read developer traces without authentication; those traces can contain passwords or other interesting data. The second vulnerability is more dangerous and was already described above in the top 5 vulnerabilities: it allows a remote attacker to inject an OS command and have it executed on the server side [41].

During the same scan as in the previous tests, it was found that 0.6 % (2.6 % last year) of the subnetworks have Host Control services open. This is quite a small number of systems, because the service is optional and installed manually. In our internal penetration tests we saw somewhat more vulnerable services: approximately 30 % of the 250 scanned servers of companies that agreed to take part in the statistics were found to be vulnerable to this issue.

Approximately 1 % (was 2 %) of companies expose the SAP Host Control service to the Internet, which is potentially vulnerable to unauthorized access to log files.

7.7. SAP Dispatcher service

SAP Dispatcher is the main service for SAP client-server communication. It lets SAP GUI connect to SAP NetWeaver through the DIAG protocol. The Dispatcher port should not be reachable from the Internet directly, and even in the internal network only the appropriate users or user networks should have access. Keep in mind that we are talking about the Dispatcher, not the Web Dispatcher, which of course may need to be available from the Internet. Nevertheless, during a brief scan of 1000 subnetworks, 0.6 % (15 % last year) of the subnetworks were found to have the Dispatcher service open.


More information

Whitepaper on AuthShield Two Factor Authentication with SAP

Whitepaper on AuthShield Two Factor Authentication with SAP Whitepaper on AuthShield Two Factor Authentication with SAP By AuthShield Labs Pvt. Ltd Table of Contents Table of Contents...2 1.Overview...4 2. Threats to account passwords...5 2.1 Social Engineering

More information

Adaptive Authentication Adapter for Citrix XenApp. Adaptive Authentication in Citrix XenApp Environments. Solution Brief

Adaptive Authentication Adapter for Citrix XenApp. Adaptive Authentication in Citrix XenApp Environments. Solution Brief Adaptive Authentication Adapter for Citrix XenApp Adaptive Authentication in Citrix XenApp Environments Solution Brief RSA Adaptive Authentication is a comprehensive authentication platform providing costeffective

More information

Security in India: Enabling a New Connected Era

Security in India: Enabling a New Connected Era White Paper Security in India: Enabling a New Connected Era India s economy is growing rapidly, and the country is expanding its network infrastructure to support digitization. India s leapfrogging mobile

More information

5 IT security hot topics How safe are you?

5 IT security hot topics How safe are you? 5 IT security hot topics How safe are you? Why this whitepaper? We meet many people in IT, of various levels of experience and fields of work. This whitepaper is written for everybody who wants to read

More information

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS 2017 Contents Introduction... 3 1. Materials and methods... 3 2. Executive summary... 4 3. Participant portrait... 5 4. Trends... 6 5. Manual web

More information

DIS10.1 Ethical Hacking and Countermeasures

DIS10.1 Ethical Hacking and Countermeasures DIS10.1 Ethical Hacking and Countermeasures ABOUT DIS Why choose Us. Data and internet security council is the worlds top most information security certification body. Our uniquely designed course for

More information

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software Securing Your Web Application against security vulnerabilities Alvin Wong, Brand Manager IBM Rational Software Agenda Security Landscape Vulnerability Analysis Automated Vulnerability Analysis IBM Rational

More information

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway Applying Application Delivery Technology to Web Services Overview The Cisco ACE XML Gateway is the newest

More information

Phishing Activity Trends Report August, 2006

Phishing Activity Trends Report August, 2006 Phishing Activity Trends Report, 26 Phishing is a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers' personal identity data and financial account

More information

Phishing Activity Trends Report October, 2004

Phishing Activity Trends Report October, 2004 Phishing Activity Trends Report October, 2004 Phishing is a form of online identity theft that uses spoofed emails designed to lure recipients to fraudulent websites which attempt to trick them into divulging

More information

Principles of ICT Systems and Data Security

Principles of ICT Systems and Data Security Principles of ICT Systems and Data Security Ethical Hacking Ethical Hacking What is ethical hacking? Ethical Hacking It is a process where a computer security expert, who specialises in penetration testing

More information

Second International Barometer of Security in SMBs

Second International Barometer of Security in SMBs 1 2 Contents 1. Introduction. 3 2. Methodology.... 5 3. Details of the companies surveyed 6 4. Companies with security systems 10 5. Companies without security systems. 15 6. Infections and Internet threats.

More information

Security Solutions. Overview. Business Needs

Security Solutions. Overview. Business Needs Security Solutions Overview Information security is not a one time event. The dynamic nature of computer networks mandates that examining and ensuring information security be a constant and vigilant effort.

More information

Mitigating Security Breaches in Retail Applications WHITE PAPER

Mitigating Security Breaches in Retail Applications WHITE PAPER Mitigating Security Breaches in Retail Applications WHITE PAPER Executive Summary Retail security breaches have always been a concern in the past, present and will continue to be in the future. They have

More information

ADM960. SAP NetWeaver Application Server Security COURSE OUTLINE. Course Version: 10 Course Duration: 5 Day(s)

ADM960. SAP NetWeaver Application Server Security COURSE OUTLINE. Course Version: 10 Course Duration: 5 Day(s) ADM960 SAP NetWeaver Application Server Security. COURSE OUTLINE Course Version: 10 Course Duration: 5 Day(s) SAP Copyrights and Trademarks 2013 SAP AG. All rights reserved. No part of this publication

More information

Phishing Activity Trends Report January, 2005

Phishing Activity Trends Report January, 2005 Phishing Activity Trends Report January, 2005 Phishing is a form of online identity theft that uses spoofed emails designed to lure recipients to fraudulent web sites which attempt to trick them into divulging

More information

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY Layer Seven Security ADVISORY SAP Security Notes March 2015 SAP released an important announcement on Patch Tuesday in March to spotlight Security Notes 2134905, 2132584, 2125513 and 2108161. The Notes

More information

Topics. Ensuring Security on Mobile Devices

Topics. Ensuring Security on Mobile Devices Ensuring Security on Mobile Devices It is possible right? Topics About viaforensics Why mobile security matters Types of security breaches and fraud Anticipated evolution of attacks Common mistakes that

More information

Ranking Vulnerability for Web Application based on Severity Ratings Analysis

Ranking Vulnerability for Web Application based on Severity Ratings Analysis Ranking Vulnerability for Web Application based on Severity Ratings Analysis Nitish Kumar #1, Kumar Rajnish #2 Anil Kumar #3 1,2,3 Department of Computer Science & Engineering, Birla Institute of Technology,

More information

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE s3security.com Security Professional Services S3 offers security services through its Security Professional Services (SPS) group, the security-consulting

More information

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED AUTOMATED CODE ANALYSIS WEB APPLICATION VULNERABILITIES IN 2017 CONTENTS Introduction...3 Testing methods and classification...3 1. Executive summary...4 2. How PT AI works...4 2.1. Verifying vulnerabilities...5

More information

Overview. Handling Security Incidents. Attack Terms and Concepts. Types of Attacks

Overview. Handling Security Incidents. Attack Terms and Concepts. Types of Attacks Overview Handling Security Incidents Chapter 7 Lecturer: Pei-yih Ting Attacks Security Incidents Handling Security Incidents Incident management Methods and Tools Maintaining Incident Preparedness Standard

More information

2017 RIMS CYBER SURVEY

2017 RIMS CYBER SURVEY 2017 RIMS CYBER SURVEY This report marks the third year that RIMS has surveyed its membership about cyber risks and transfer practices. This is, of course, a topic that only continues to captivate the

More information

SAP NetWeaver 04 Security Guide. Network and Communication Security

SAP NetWeaver 04 Security Guide. Network and Communication Security SAP NetWeaver 04 Security Guide Network and Communication Security Document Version 1.00 May 11, 2004 SAP AG Neurottstraße 16 69190 Walldorf Germany T +49/18 05/34 34 24 F +49/18 05/34 34 20 www.sap.com

More information

THE CYBERSECURITY LITERACY CONFIDENCE GAP

THE CYBERSECURITY LITERACY CONFIDENCE GAP CONFIDENCE: SECURED WHITE PAPER THE CYBERSECURITY LITERACY CONFIDENCE GAP ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE Despite the fact that most organizations are more aware of cybersecurity risks

More information

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle Data Security and Privacy : Compliance to Stewardship Jignesh Patel Solution Consultant,Oracle Agenda Connected Government Security Threats and Risks Defense In Depth Approach Summary Connected Government

More information

EFFECTIVE VULNERABILITY MANAGEMENT USING QUALYSGUARD 1

EFFECTIVE VULNERABILITY MANAGEMENT USING QUALYSGUARD 1 EFFECTIVE VULNERABILITY MANAGEMENT USING QUALYSGUARD 1 EFFECTIVE VULNERABILITY MANAGEMENT USING QUALYSGUARD ICTN 6823 BOYD AARON SIGMON EAST CAROLINA UNIVERSITY EFFECTIVE VULNERABILITY MANAGEMENT USING

More information

Host Website from Home Anonymously

Host Website from Home Anonymously Abstract Host Website from Home Anonymously Prerna Mahajan 1 and Kashish Gupta 2 1 Professor, Department of Computer Science, IITM Janakpuri, New Delhi, India 2 Research Scholar, Department of Computer

More information

Phishing Activity Trends

Phishing Activity Trends Phishing Activity Trends Report for the Month of, 27 Summarization of Report Findings The number of phishing reports received rose to 24,853 in, an increase of over 1, from February but still more than

More information

ADM960. SAP NetWeaver Application Server Security COURSE OUTLINE. Course Version: 15 Course Duration: 5 Day

ADM960. SAP NetWeaver Application Server Security COURSE OUTLINE. Course Version: 15 Course Duration: 5 Day ADM960 SAP NetWeaver Application Server Security. COURSE OUTLINE Course Version: 15 Course Duration: 5 Day SAP Copyrights and Trademarks 2015 SAP SE. All rights reserved. No part of this publication may

More information

Penetration testing.

Penetration testing. Penetration testing Penetration testing is a globally recognized security measure that can help provide assurances that a company s critical business infrastructure is protected from internal or external

More information

SDR Guide to Complete the SDR

SDR Guide to Complete the SDR I. General Information You must list the Yale Servers & if Virtual their host Business Associate Agreement (BAA ) in place. Required for the new HIPAA rules Contract questions are critical if using 3 Lock

More information

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions? Jeroen van Beek 1 Why bother? Causes of data breaches OWASP Top ten attacks Now what? Do it yourself Questions? 2 In many cases the web application stores: Credit card details Personal information Passwords

More information

Keep the Door Open for Users and Closed to Hackers

Keep the Door Open for Users and Closed to Hackers Keep the Door Open for Users and Closed to Hackers A Shift in Criminal Your Web site serves as the front door to your enterprise for many customers, but it has also become a back door for fraudsters. According

More information

Quality Inspection Engine (QIE) Security Guide

Quality Inspection Engine (QIE) Security Guide D O N. Q I E _ S E C G U I D E Quality Inspection Engine (QIE) Security Guide S AP E n h a n c e m e n t P a c k age 5 f o r S AP E R P 6. 0 Copyright Copyright 2010 SAP AG. All rights reserved. No part

More information

Panda Security 2010 Page 1

Panda Security 2010 Page 1 Panda Security 2010 Page 1 Executive Summary The malware economy is flourishing and affecting both consumers and businesses of all sizes. The reality is that cybercrime is growing exponentially in frequency

More information

A crushing blow at the heart of SAP s J2EE Engine.

A crushing blow at the heart of SAP s J2EE Engine. Invest in security to secure investments A crushing blow at the heart of SAP s J2EE Engine. Alexander Polyakov CTO ERPScan Me CTO of the ERPScan company Head of DSecRG (research subdivision) Architect

More information

Are You Protected. Get Ahead of the Curve

Are You Protected. Get Ahead of the Curve Are You Protected Get Ahead of the Curve DEMOGRAPHICS INTERVIEWED 2,200 IT DECISION- MAKERS IN 3 REGIONS: 500 Americas 1,100 Europe, Middle East, and Africa 600 Asia Pacific Japan INDEPENDENT RESEARCH

More information

Skybox Security Vulnerability Management Survey 2012

Skybox Security Vulnerability Management Survey 2012 Skybox Security Vulnerability Management Survey 2012 Notice: This document contains a summary of the responses to a June 2012 survey of 100 medium to large enterprise organizations about their Vulnerability

More information

Ethical Hacker Foundation and Security Analysts Course Semester 2

Ethical Hacker Foundation and Security Analysts Course Semester 2 Brochure Software Education Ethical Hacker Foundation and Security Analysts Course Semester 2 The Security Management Course is a graduate-level foundation course in the Information Security space. Brochure

More information

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED 01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED Contents 1. Introduction 3 2. Security Testing Methodologies 3 2.1 Internet Footprint Assessment 4 2.2 Infrastructure Assessments

More information

Keys to a more secure data environment

Keys to a more secure data environment Keys to a more secure data environment A holistic approach to data infrastructure security The current fraud and regulatory landscape makes it clear that every firm needs a comprehensive strategy for protecting

More information

Executive Summary. Flex Bounty Program Overview. Bugcrowd Inc Page 2 of 7

Executive Summary. Flex Bounty Program Overview. Bugcrowd Inc Page 2 of 7 CANVAS by Instructure Bugcrowd Flex Program Results December 01 Executive Summary Bugcrowd Inc was engaged by Instructure to perform a Flex Bounty program, commonly known as a crowdsourced penetration

More information

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma Indian Computer Emergency Response Team ( CERT - IN ) Department Of Information Technology 1 Agenda Introduction What are Web Applications?

More information

Brochure. Security. Fortify on Demand Dynamic Application Security Testing

Brochure. Security. Fortify on Demand Dynamic Application Security Testing Brochure Security Fortify on Demand Dynamic Application Security Testing Brochure Fortify on Demand Application Security as a Service Dynamic Application Security Testing Fortify on Demand delivers application

More information

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

CIS 700/002 : Special Topics : OWASP ZED (ZAP) CIS 700/002 : Special Topics : OWASP ZED (ZAP) Hitali Sheth CIS 700/002: Security of EMBS/CPS/IoT Department of Computer and Information Science School of Engineering and Applied Science University of

More information

SAP Portal: Hacking and forensics Dmitry Chastukhin Director of SAP pentest/research team Evgeny Neyolov Security analyst, (anti)forensics research

SAP Portal: Hacking and forensics Dmitry Chastukhin Director of SAP pentest/research team Evgeny Neyolov Security analyst, (anti)forensics research Invest in security to secure investments SAP Portal: Hacking and forensics Dmitry Chastukhin Director of SAP pentest/research team Evgeny Neyolov Security analyst, (anti)forensics research ERPScan Developing

More information

Security and Authentication

Security and Authentication Security and Authentication Authentication and Security A major problem with computer communication Trust Who is sending you those bits What they allow to do in your system 2 Authentication In distributed

More information