Global Threat Report www.erpscan.com SAP Cyber Security in Figures


SAP Cyber Security in Figures 2016

Disclaimer

According to the partnership agreement between ERPScan and SAP, our company is not entitled to publish any specific and detailed information about detected vulnerabilities before SAP releases an appropriate patch. This whitepaper will only include the details of those vulnerabilities that we have the right to publish as of the release date. However, you can see additional examples of exploitation, which prove the existence of the vulnerabilities, by following us at conferences as well as at ERPScan.com [1].

The research was conducted by ERPScan as a part of its contribution to the EAS-SEC non-profit organization, which is focused on Enterprise Application Security awareness.

This document or any of its fragments cannot be reproduced in whole or in part without the prior written consent of EAS-SEC. SAP SE is neither the author nor the publisher of this whitepaper and is not responsible for its content. EAS-SEC and ERPScan are not responsible for any damage that can be incurred by attempting to test the vulnerabilities described in this document. This publication contains references to SAP SE products. SAP NetWeaver and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP SE in Germany.

Our SAP security surveys of other areas of SAP cybersecurity go beyond this whitepaper. You can find the latest statistics reports related to SAP services on the Internet and other endeavors of the ERPScan Research on ERPScan’s blog [2] and on EAS-SEC project’s website [3].


CONTENTS

Intro ..... 4
Executive summary ..... 6
    SAP Product Security ..... 6
    SAP Implementation Security ..... 10
    SAP Security Awareness ..... 13
Predictions from 2013 ..... 16
SAP Product security: Vulnerability statistics ..... 18
    The total number of SAP Security Notes ..... 18
    Comparison to other vendors ..... 19
    SAP Security Notes sorted by criticality ..... 19
    SAP Security Notes sorted by type ..... 20
    Security vulnerabilities by Applications ..... 30
    Security vulnerabilities by Industries ..... 30
SAP Cybersecurity threat landscape: Implementation security ..... 32
    SAP versions ..... 32
    Legitimate SAP Applications exposed to the Internet ..... 36
    Non-legitimate SAP services exposed to the Internet ..... 38
SAP Security Awareness ..... 42
    Top SAP Cybersecurity Incidents (2013-2016) ..... 42
    SAP Cyber Security talks at technical conferences ..... 44
Solutions ..... 48
    What can happen ..... 48
    How to secure your critical assets ..... 49
Conclusion ..... 50
    Authors ..... 50
About ERPScan ..... 51
About EAS-SEC ..... 52
Links and further reading ..... 53

Questions? Comments? Brilliant ideas?

We want to hear them. Drop us a line at [email protected], find us on LinkedIn, or tweet @erpscan


INTRO

ERP and other mission-critical business applications are the heart of any large-scale company. They enable all the critical business processes, from procurement, payment, and transport to human resources management, product management, and financial planning. All data stored in ERP systems is of great importance, and any illegal action can result in enormous losses and even the termination of business processes.

Interest in SAP cybersecurity is growing. Within the last 10 years, experts in this topic have delivered a lot of talks on SAP cybersecurity. They covered a wide range of subjects, from various attacks on ERP systems, SAP HANA, and SAP Mobile solutions to specific issues related to the Oil and Gas or Manufacturing industries. SAP cybersecurity studies were featured in top international media such as Forbes, The Guardian, Wired, Financial Times, The Register, and PC World. All these warnings were not in vain, as within the last 5 years there have been 5 highly significant incidents relating to SAP cybersecurity. The latest ones were the hacking of USIS via a vulnerability in SAP (2015) and the warning from US-CERT about possible attacks on the SAP systems of major world companies by Chinese hackers (2016).

All reputable analyst firms agreed on the importance of SAP Cyber Security:

“In-depth assessments of databases and applications such as ERP systems (for example SAP or Oracle), especially, are not widely supported in traditional VA solutions, which focus on devices.”

- Gartner’s Market Guide for Vulnerability Assessment 2014

“Traditionally SAP systems are major targets for internal and external auditors. And usually they are especially vulnerable to attackers from both inside and outside the organization due to the high level of complexity and individual configurations.”

- Matthias Reinwarth, Senior Analyst, KuppingerCole

“Because over 75% of all transactions occur on business-critical applications, data from these systems is endlessly valuable to attackers.”

- Christian Christiansen, VP for Security Products & Services, IDC

“Enterprises need to shed outmoded concepts of SAP and Oracle enterprise application security in light of attackers that have become increasingly adept at finding high-value targets. A systematic approach to enterprise application vulnerability and security risk management is needed not only to assure that these high-value assets get the protection they require, but also to handle them with the care that their business-critical status typically demands.”

- Scott Crawford, Research Director, 451 Research


As mentioned before, business applications store all critical corporate data (e.g., financial reports, personal information, trade secrets). Such systems are the main target for internal or external attackers, whose ultimate aim is these systems themselves, not administrative access to the domain controller. Nonetheless, security officers are, unfortunately, scarcely informed about the security of business applications. Another difficulty is that system owners (rather than CISOs) are responsible for providing security, and they answer only to themselves. Eventually, nobody is in charge of the security of the most critical system elements.

There are also the following common problems:

• Lack of qualified specialists – SAP specialists in most companies still consider SAP security a matter of the SoD matrix only, whereas security officers hardly understand SAP threats, not to mention methods and approaches for preventing them.

• Wide range of advanced configurations – There are more than 1000 parameters in a standard system configuration, plus a great range of advanced options, not to mention the segregation of access rights to various objects like transactions, tables, RFC procedures, etc. For instance, the web interfaces for accessing the system alone can amount to several thousand. Securing a configuration on this scale can be hard even for a single system.

• Customizable configuration – You can hardly find two identical SAP systems because most parameters are customized for every client. Furthermore, most companies develop custom programs, whose security also has to be accounted for in a complete assessment.

The aim of this report is to provide a high-level overview of SAP security in figures from different angles, so that the area is not just theoretically comprehensible but based on actual numbers and metrics – from the number of discovered issues and their prevalence to the number of vulnerable systems, all acquired as a result of a global scan. This research was also conducted to find out how awareness affects the state of critical business application security on a global scale and the security of SAP implementations in different regions.


EXECUTIVE SUMMARY

SAP Product Security

The average number of security patches for SAP products per year has slightly decreased.

However, it doesn’t mean that the number of issues has dropped too. SAP now fixes multiple vulnerabilities in one patch, while 3 years ago each patch addressed a particular one. The new approach simplifies the patching process, since system administrators need to implement fewer updates. However, it complicates analysis and correlation with CVE, as SAP doesn’t provide any public information about how many vulnerabilities each patch fixes.

Figure 1. Number of SAP Security Notes per year (2016 is a partial year, as of the report date):

2001: 1, 2002: 1, 2003: 13, 2004: 10, 2005: 10, 2006: 27, 2007: 14, 2008: 78, 2009: 131, 2010: 834, 2011: 731, 2012: 641, 2013: 363, 2014: 384, 2015: 302, 2016: 134


Because of cloud and mobile technologies, new SAP systems have become more exposed to the Internet, and thus every vulnerability identified in these services can affect thousands of multinationals (just remember that 90% of the Fortune 2000 companies use SAP). If any of these vulnerabilities is exploited by a hacker, the world’s economy will face dreadful consequences. For example, the latest reported issues in SAP Mobile affect more than a million mobile devices, and an SAP HANA vulnerability affects 6000+ SAP HANA users. Because of this, dangerous SAP HANA and SAP Mobile vulnerabilities discovered in 2015 were covered in Wired, PC World, and other top international media.

The list of vulnerable platforms has extended and now it includes modern cloud and mobile technologies such as HANA.


Without a doubt, the cybersecurity level varies from module to module. According to our study, the most vulnerable products are CRM, EP, and SRM. However, one shouldn’t underestimate vulnerabilities affecting SAP HANA and SAP Mobile apps. The traditional SAP modules mentioned above were introduced about two dozen years ago, but their first vulnerabilities were discovered only several years ago; SAP HANA and SAP Mobile apps, by contrast, attracted researchers’ (and, unfortunately, hackers’) attention much quicker than the traditional ones.

There are vulnerabilities in almost every SAP module: CRM takes the leading position among them.


The number of vulnerabilities in industry-specific solutions has grown significantly.

SAP has a set of products designed for particular industries. More than 160 vulnerabilities have been detected in the Industry solutions. The most susceptible types of industry solutions are SAP for Banking, Retail, Advertising Management, Automotive, and Utilities.


SAP Implementation Security

The worldwide threat landscape grew to more than 36000 systems.

Almost 36000 SAP systems were identified, including different services vulnerable to cyberattacks. Most of those services (69%) should not be available directly via the Internet.

Figure 2. SAP application servers by country: USA 1965, India 1900, China 1127, Germany 720, Brazil 560, Mexico 505, Italy 447, Spain 437, Republic of Korea 308, Turkey 292


Consequences of the incidents are becoming more and more dramatic. We stated in 2013 that the interest in SAP platform security was growing exponentially. We predicted that SAP systems could become a target both for direct attacks (e.g. APT) and for mass exploitation, because a range of easily exploitable and widely installed services are accessible from the Internet. Since 2013, we have witnessed 4 major cyber incidents related to SAP security.


Critical infrastructures and IoT devices are at risk.

SAP does not only manage enterprise resources but also acts as a mediator between IT and OT systems. Thus, insecure SAP configurations can be used to exploit critical infrastructure.


SAP Security Awareness

Almost half of the unnecessarily exposed services are located in 3 countries.

Numerous unnecessarily exposed services are implemented in countries where wide adoption of new technologies takes place (such as the USA, India, and China).

Figure 3. Services unnecessarily exposed to the Internet


The number of SAP Security talks delivered at conferences worldwide correlates with the number of unnecessarily exposed services (compared to the total number of implemented systems).

Countries where the highest number of SAP Security presentations were delivered (namely, the USA, Germany, and the Netherlands) have more secure SAP installations than countries where SAP researchers did not present their studies. ERPScan is proud to have been invited to speak in 25 countries across 6 continents, including such places as Cyprus, Kuwait, and Hungary. Hopefully, it has somehow helped to increase SAP Security awareness worldwide.

Figure 4. Ratio between necessary SAP systems accessible through the Internet and the number of SAP systems which are accessible via the Internet as a result of misconfigurations, negligence or unawareness. Stacked 0-100% bars per country (legend: Legitimate SAP services / Unnecessary services); countries shown, top to bottom: Venezuela, Pakistan, Saudi Arabia, Ireland, Thailand, India, Russia, Mexico, China, Taiwan, Colombia, Republic of Korea, Spain, South Africa, France, Netherlands, Singapore, USA, Germany, Great Britain.


Our reports help to decrease the number of SAP systems exposed to cyber threats. While the number of publicly available SAP services is growing, the number of systems with highly critical vulnerabilities in easily accessible services, as presented in the previous report, has decreased, thanks, we hope, to our previous SAP Security in Figures research released in 2013. However, new issues of equal criticality are described in this report.


PREDICTIONS FROM 2013

In our previous research of the series, we made some predictions. Most of them proved to be correct.

Prediction 1: A lot of SAP Cybersecurity areas, especially those related to industry solutions, are still unexplored.

Some of the previously unstudied SAP Security areas were finally examined, resulting in numerous talks and presentations. There were at least two reasons for these areas having remained uncovered. Firstly, the solutions in question were new to the market and became widespread only in the last 3 years (like SAP HANA and SAP Mobile). Secondly, because some applications (e.g. industry-specific ones) have distinct features and architecture, researchers must first learn the way they operate.

From our point of view, this prediction is still relevant because many types of SAP applications have not been analyzed in detail in terms of cybersecurity yet.

Prediction 2: SAP forensics can be a promising research area because it is not easy to find evidence now, even if it exists.

Attacks on SAP systems happen from time to time, but they are still too rare to consider SAP forensics a separate segment. However, the need for identifying potential attacks and unusual behavior is growing, especially in companies experienced in SAP cybersecurity. That is why the ERPScan team was invited to assist with some investigation initiatives in recent years. In our opinion, this prediction came true with a small correction: not forensics as a single service, but mostly near-real-time detection of potential attacks and their prevention, is paramount for companies that have already taken the first step in SAP cybersecurity, namely, implemented a process of detecting and closing vulnerabilities.

Prediction 3: New types of cyber-weapons which target ERP systems can appear shortly.

An attack on USIS (potentially sponsored by the Chinese government) via an SAP vulnerability happened in 2013 and was publicly disclosed in 2015. It was the first example of a cyberattack on SAP that led to huge monetary losses for the targeted company and the bankruptcy of the federal government sub-contractor.

Earlier this year, there was an alert from US-CERT [4] stating that more than 30 multinationals were targets of cyberattacks because of an SAP vulnerability in their systems. Later, additional news was published stating that the number of potentially affected systems amounted to 500+.

Prediction 4: Attacks on critical infrastructure using vulnerabilities in SAP systems are more than possible.

The number of attacks on critical infrastructure such as Energy and Utilities skyrocketed within the last 3 years, especially in 2015. “Utilities reported 300 attacks on the grid resulting in power disruptions between 2011 and 2014”, Forbes states.

SAP is widely used software for such companies. We have recently demonstrated how close the connections are between SAP systems and Manufacturing, Oil and Gas, and other critical facilities. Currently, the insecurity of critical infrastructure allows hackers to attack the infrastructure directly without inventing alternative ways, but in the near future, when ICS systems become more secure, the only possible way to penetrate critical infrastructure will be via an ERP system such as SAP.

Figure 5. FY 2014 incidents reported by sector (245 total) [5]: Energy 79 (32%), Critical Manufacturing 65 (27%), Healthcare 15 (6%), Water 14 (6%), Communication 14, Government Facilities 13 (5%), Transportation 12 (5%), Commercial Facilities 7 (3%), Nuclear 6 (2%), Unknown 6 (2%), Information Technology 5 (2%), Chemical 4 (2%), Finance 3 (1%), Food and Agriculture 2 (1%)



SAP PRODUCT SECURITY: VULNERABILITY STATISTICS

As of June 12, 2016, 3662 SAP Security Notes and Support Package Implementation Notes have been published.

This chapter provides information about vulnerabilities in SAP sorted by their popularity, criticality, and the type of affected systems and modules.

The total number of SAP Security Notes

Every month on SAP Critical Patch Day (the second Tuesday of the month), SAP releases several internal advisories called SAP Security Notes to fix security issues, which are often reported by external researchers. There are also so-called Support Package Implementation Notes to fix issues of minor impact. Such an advisory usually provides a patch for one or more vulnerabilities or misconfigurations in SAP products that pose a risk to SAP systems.

The first SAP Security Note was published in 2001. In 2006, the number of published notes began to grow exponentially.

Figure 5. Number of SAP Security Notes per year (the same data as Figure 1: 2001: 1, 2002: 1, 2003: 13, 2004: 10, 2005: 10, 2006: 27, 2007: 14, 2008: 78, 2009: 131, 2010: 834, 2011: 731, 2012: 641, 2013: 363, 2014: 384, 2015: 302, 2016: 134)

In 2011, the approximate number of monthly SAP Security Notes was 61. In 2012, it decreased to 53 notes, and in 2013 it amounted to 30 notes a month. The average number remained almost the same in 2014 (32) and fell slightly in 2015 (25) and in 2016 (22). However, as mentioned before, one SAP Security Note can now address several vulnerabilities, so the number of released security notes does not precisely correspond to the real number of closed issues. Nevertheless, the number of patches is still quite high (approximately a vulnerability per day).


SAP jumped from 37th to 26th place by the number of CVEs for reported issues.

Comparison to other vendors

We gathered information on published vulnerabilities sorted by vendor from the CVEdetails report. Only 294 SAP vulnerabilities have a CVE (160 in June 2014). Thus, SAP is rated 26th in the list of top vendors [5] by the number of security issues (last year it took 37th place). However, if we take into account the total number of closed vulnerabilities (3600+ SAP Security Notes), SAP would follow the leader, Microsoft.

Why is there such a huge gap between the number of CVEs and released patches? The reasons are simple enough:

1. Not all SAP vulnerabilities are made public (on such resources as CVE): approximately 85% of them are usually closed internally, and information about them and the patch itself are available to customers and partners only.

2. Moreover, not all of the remaining 15% of vulnerabilities discovered by external researchers are assigned a CVE. Usually, vendors coordinate with CVE and assign identifiers, as Microsoft or Oracle do; however, SAP does not. Most researchers do not do it either, because it takes a lot of time but gives no visible benefit.

SAP Security Notes sorted by criticality

SAP has 4 different levels of criticality for the published notes:

1. Hot News
2. Correction with high priority
3. Correction with medium priority
4. Correction with low priority

Until November 2013, there was also a 5th level of criticality named “Additional information”. “High priority” and “Hot News” vulnerabilities still form the largest part of the overall number.

Figure 6. Number of SAP Security Notes by criticality level: Hot News 212, Correction with high priority 2383, Correction with medium priority 798, Correction with low priority 145


SAP Security Notes sorted by type

All released SAP Security Notes were analyzed by vulnerability type. The most common ones are presented below.

Figure 7. SAP Security Notes by type: Cross-site scripting 20.47%, Missing authorization 20.45%, Directory traversal 11.96%, Configuration issues 10.52%, SQL injection 7.64%, Information disclosure 7.33%, Cross-site request forgery 6.57%, Denial of service 4.68%, Code injection 3.78%, Hardcoded credentials 2.99%, Other 3.61%

In addition, we have compared the SAP vulnerability lists for 2012, 2013, 2014, 2016, and the OWASP Top 10 to see if there are any differences between web-based issues and business application issues and if there are any changes.

Vulnerability type              | SAP mid 2016 | SAP mid 2014 | SAP till mid 2013 | SAP till mid 2012 | CWE | OWASP Top 10
1 - XSS                         | 1  | 1  | 1 | 3 | 2   | 3
2 - Missing authorization check | 2  | 2  | 2 | 2 | 3   | 7
3 - Directory traversal         | 3  | 3  | 3 | 1 | 10  | 4
4 - Configuration issues        | 4  | 4  | - | - | N/A | 5
5 - SQL injections              | 5  | 5  | 4 | 4 | 4   | 1
6 - Information disclosure      | 6  | 7  | - | - | 12  | 8
7 - Cross-site request forgery  | 7  | 6  | 5 | 5 | 8   | 6
8 - Overflows (DoS, RCE)        | 8  | 10 | - | - | 24  | -
9 - Code injection              | 9  | 8  | 6 | 8 | 7   | 1
10 - Hardcoded credentials      | 10 | 9  | 8 | 7 | 7   | 2

Table 1. Comparison of SAP vulnerability lists for 2012, 2013, 2014, 2016, and the OWASP Top 10 (columns: popularity in SAP in mid 2016, in mid 2014, till mid 2013, till mid 2012; popularity in CWE; place in OWASP Top 10)

Most of the issues (73%) were rated high priority and hot news, which means that about 2/3 of the published issues must be corrected as soon as possible.

52%: the 3 most common vulnerabilities cover 52% (42% previously) of all found issues.

93%: the top 10 issues cover 93% (previously 63%) of all issues.

Vulnerability type               | Place in world statistics (CVE) | CWE-ID  | Place in SANS 25 | Place in OWASP Top 10
1 - XSS                          | 2   | CWE-79  | 2  | 3
2 - Missing authorization checks | 5   | CWE-862 | 3  | 7
3 - Directory traversal          | 6   | CWE-22  | 10 | 4
4 - Configuration issues         | N/A | N/A     |    | 5
5 - SQL injections               | 4   | CWE-89  | 4  | 1
6 - Information disclosure       | 3   | CWE-200 | 12 | 8
7 - Cross-site request forgery   | 7   | CWE-352 | 8  | 6
8 - Overflows (DoS, RCE)         | 1   | CWE-120 | ?  | N/A
9 - Code injection               |     | CWE-94  | 7  | 1
10 - Hardcoded credentials       | N/A | CWE-308 | 7  | 2

Table 2. Comparison of the Top 10 SAP vulnerabilities, world statistics, SANS 25, and OWASP Top 10

XSS, Missing authorization check, and Directory traversal remain the most widespread vulnerability types, as they were in 2012.


Vulnerability type         | Absolute number of Security Notes (2015), growth in parentheses | Percent of total number (2015), change in parentheses
XSS                        | 726 (+90)  | 20 (-1)
Missing authorization      | 725 (+153) | 20 (+1)
Directory traversal        | 424 (+27)  | 12 (-1)
Configuration issues       | 373 (+59)  | 10 (-1)
SQL injection              | 271 (+36)  | 8 (-)
Information disclosure     | 260 (+78)  | 7 (+1)
Cross-site request forgery | 233 (+15)  | 7 (-)
Code injection             | 134 (+25)  | 4 (-)
Hardcoded credentials      | 106 (+6)   | 3 (-)
Overflows (DoS, RCE)       | 166 (n/a)  | n/a
Other                      | 233 (+78)  | 7 (+2)

Table 3. Comparison of the SAP vulnerability lists for 2014 and 2015

As you can see, the situation has changed slightly. The list of the 10 most common issues in SAP applications remains the same. The only difference is that CSRF and Information disclosure have swapped places: the number of Information disclosure vulnerabilities grew in comparison with the 2014 report. The number of missing authorization check vulnerabilities grew more than any other type and almost reached first place.

The major factors that may have affected the statistics are as follows:

• The growing number of web-based applications results in a rising number of such web vulnerabilities as information disclosure.

• Increasing complexity of software and, as a consequence, a growing number of configuration issues.

• Enhancements in web application security against XSS and CSRF attacks.

There are some areas where web and ERP programming vulnerabilities differ. That is another proof that business applications require a special approach and priorities when it comes to SDLC processes.


Vulnerabilities by Platforms

SAP systems can be based on several platforms.

• NetWeaver ABAP engine
• NetWeaver J2EE engine
• SAP HANA
• SAP BusinessObjects
• SAP Mobile Platform
• Other

Figure 8. SAP Security Notes by platform: ABAP 72.98%, JAVA 15.47%, Business Objects 2.48%, Mobile 1.21%, HANA 0.85%, Other 7.00%

It is worth mentioning that some of the notes are double stack: they fix vulnerabilities (or contain recommendations) for two components (e.g., JAVA and ABAP). Sometimes it is not 100% clear which component is affected, so results may vary by about 1%.


NetWeaver ABAP engine

This part describes vulnerabilities in all products based on the SAP NetWeaver ABAP engine, like SAP ECC, HR, PLM, SRM, most of the Industry Solutions, as well as stand-alone applications like SAProuter, SAP Web Dispatcher, SAP Enqueue Server, SAP ITS, SAP IGS, and some others.

Figure 9. SAP Security Notes by type in SAP NetWeaver ABAP engine: Missing authorization 24.87%, Cross-site scripting 19.15%, Directory traversal 15.01%, SQL injection 9.25%, Configuration issues 7.97%, Cross-site request forgery 7.08%, Code injection 4.56%, Information disclosure 4.10%, Hardcoded credentials 3.79%, Denial of service 1.16%, Other 4.19%

Figure 11. SAP Security Notes by years in SAP NetWeaver ABAP engine: 2001-2009: 7%, 2010: 29%, 2011: 23%, 2012: 18%, 2013: 10%, 2014: 10%, 2015: 4% (bar values as extracted: 176, 721, 570, 453, 243, 259, 163)

Missing authorization check is the most common vulnerability type in SAP NetWeaver AS ABAP, totaling almost 25%.


NetWeaver J2EE engine

This part describes the state of security of all products based on the SAP NetWeaver J2EE engine: business applications like SAP Portal, SAP NetWeaver Developer Studio, SAP PI, parts of SAP Solution Manager, and other J2EE-based components and products.

Figure 10. SAP Security Notes sorted by type in NetWeaver J2EE engine: Cross-site scripting 29.27%, Information disclosure 16.55%, Configuration issues 13.09%, Missing authorization 9.82%, Cross-site request forgery 7.27%, Directory traversal 5.27%, Verb tampering 4.00%, SQL injection 2.36%, XML external entity 2.36%, Denial of service 2.55%, Other 9.36%

Figure 12. SAP Security Notes sorted by years in NetWeaver J2EE engine: 2001-2009: 11%, 2010: 12%, 2011: 21%, 2012: 28%, 2013: 15%, 2014: 8%, 2015: 5% (bar values as extracted: 58, 65, 109, 148, 80, 40, 50)

XSS is the most common vulnerability type in SAP NetWeaver AS JAVA totaling almost 30%.


SAP HANA

Herein, we analyzed SAP Security Notes addressing issues in products based on the SAP HANA platform, including SAP HANA Database, SAP HANA XS Application Server, and some less common components. This platform is the newest one; thus, not so many issues have been discovered in it. However, the number of issues is increasing significantly and will increase more rapidly in the future.

Figure 13. SAP Security Notes sorted by type in SAP HANA: Code injection 15%, Configuration issues 15%, Buffer overflow + Memory corruption 15%, SQL injection 15%, Cross-site scripting 12%, Remote command execution 8%, Authentication bypass 8%, Missing authorization 7.69%, Cross-site request forgery 4%

Figure 14. SAP Security Notes sorted by years in SAP HANA: 2001-2009: 0%, 2010: 0%, 2011: 25%, 2012: 25%, 2013: 13%, 2014: 18%, 2015: 5% (bar values as extracted: 0, 0, 2, 2, 2, 10, 16)

Buffer overflow vulnerabilities and Configuration issues are the most common vulnerability types in HANA. Both total 15%.


SAP BusinessObjects engine

In this chapter, we provide the statistics related to all products based on the SAP BusinessObjects engine, namely SAP BI and former Business Objects products, e.g., Business Objects XI, Xcelsius, Data Services, Data Integrator, and Business Objects Edge BI.

| Vulnerability type | Share |
|---|---|
| Cross-site scripting | 35.23% |
| Information disclosure | 20.45% |
| Configuration issues | 7.95% |
| Remote command execution | 7.95% |
| Denial of service | 6.82% |
| SQL injection | 5.68% |
| Missing authorization | 4.55% |
| Open redirect | 3.41% |
| Buffer overflow + Memory corruption | 2.27% |
| Cross-site request forgery | 2.27% |
| Directory traversal | 2.27% |
| XML external entity | 1.14% |

Figure 15. SAP Security Notes by types in SAP BusinessObjects

| Period | Notes | Share |
|---|---|---|
| 2001-2009 | 0 | 0% |
| 2010 | 9 | 11% |
| 2011 | 18 | 23% |
| 2012 | 11 | 14% |
| 2013 | 11 | 14% |
| 2014 | 19 | 28% |
| 2015 | 20 | 11% |

Figure 16. SAP Security Notes by years in SAP BusinessObjects

XSS is the most common vulnerability type in BusinessObjects, totaling 35%.


Other platforms

This chapter describes the state of security of all client-side products, including SAP Frontend (SAP GUI), JAVA GUI, SAP NetWeaver Business Client (NWBC), client-side issues, and others.

The provided statistics demonstrate that frontend applications differ from server-side ones in terms of the most common vulnerabilities. More than 50% of vulnerabilities belong to the memory corruption and buffer overflow types of issues. The trend shows that the number of vulnerabilities is falling dramatically in comparison to their peak in 2009-2010, and in the last 2 years no new issues were discovered.

| Vulnerability type | Share |
|---|---|
| Configuration issues | 31% |
| XSS | 15% |
| Information disclosure | 13% |
| Buffer overflow + Memory corruption | 10% |
| RCE | 9% |
| Missing authorization check | 8% |
| DoS | 4% |
| SQL injection | 3% |
| Authentication bypass | 3% |
| Directory traversal | 2% |
| Cross-site request forgery | 2% |

Figure 17. SAP Security Notes in other platforms

| Period | Notes |
|---|---|
| 2001-2009 | 47 |
| 2010 | 37 |
| 2011 | 31 |
| 2012 | 29 |
| 2013 | 28 |
| 2014 | 35 |
| 2015 | 41 |

Figure 18. SAP Security Notes by years in other platforms


Collecting the figures for all these engines gives the following table:

| Vulnerability type | Total | SAP NW ABAP | SAP NW J2EE | SAP HANA | SAP BObj | SAP Mobile | Other |
|---|---|---|---|---|---|---|---|
| Missing authorization | 725 | 643 | 54 | 2 | 4 | 5 | 17 |
| XSS | 726 | 495 | 161 | 3 | 31 | 3 | 33 |
| Directory traversal | 424 | 388 | 29 | 0 | 2 | 0 | 5 |
| Configuration issues | 373 | 206 | 72 | 4 | 7 | 13 | 71 |
| SQL injection | 271 | 239 | 13 | 4 | 5 | 3 | 7 |
| XSRF | 233 | 183 | 40 | 1 | 2 | 2 | 5 |
| Information disclosure | 260 | 106 | 91 | 6 | 18 | 22 | 30 |
| Code injection | 134 | 118 | 8 | 4 | 0 | 0 | 4 |
| Hardcoded credentials | 106 | 98 | 6 | 0 | 0 | 0 | 2 |
| DoS | 61 | 30 | 14 | 0 | 6 | 2 | 9 |
| Buffer overflow | 57 | 22 | 6 | 4 | 2 | 1 | 22 |
| Remote command execution | 48 | 14 | 4 | 2 | 7 | 1 | 20 |
| Verb tampering | 24 | 0 | 22 | 0 | 0 | 0 | 2 |
| XML external entity | 28 | 10 | 13 | 0 | 1 | 4 | 0 |
| Authentication bypass | 27 | 12 | 6 | 2 | 0 | 0 | 7 |
| Open redirect | 12 | 5 | 2 | 0 | 3 | 0 | 2 |
| OS command execution | 13 | 5 | 1 | 0 | 0 | 0 | 7 |
| Session fixation | 8 | 2 | 5 | 0 | 0 | 0 | 1 |
| SMB relay | 5 | 4 | 1 | 0 | 0 | 0 | 0 |
| HTTP response splitting | 4 | 2 | 1 | 0 | 0 | 0 | 1 |
| Local command execution | 5 | 3 | 0 | 0 | 0 | 0 | 2 |
| Clickjacking | 2 | 0 | 1 | 0 | 0 | 0 | 1 |
| TOTAL | 3546 | 2585 | 550 | 32 | 88 | 43 | 215 |

Table 4. SAP Security Notes by types in engines


Security vulnerabilities by Applications

On the basis of the different platforms, SAP provides numerous applications to accomplish a set of business objectives, from analytics to financial management. We classified all the discovered SAP vulnerabilities according to the application area they belong to. The results of this research are presented in the table below:

| Place | Application Area | Number of vulnerabilities |
|---|---|---|
| 1 | CRM (Customer Relationship Management) | 346 |
| 2 | EP (Enterprise Portal) | 116 |
| 3 | SRM (Supplier Relationship Management) | 110 |
| 4 | FS (Financial Services) | 105 |
| 5 | BW (Business Warehouse) | 103 |
| 6 | BI (Business Intelligence) | 83 |
| 7 | SCM (Supply Chain Management) | 79 |
| 8 | SV (Solution Manager) | 69 |
| 9 | FI (Financial Accounting) | 63 |
| 10 | PA (Personnel Management, part of HR) | 58 |
| 18 | SMP (SAP Mobile Platform) | 41 |
| 19 | SAP HANA | 32 |

Table 5. SAP Vulnerabilities by application area

At first glance, it seems that typical and widely used modules are the most susceptible to different vulnerabilities. However, it should be kept in mind that these products were introduced dozens of years ago, so they have been drawing researchers' attention for almost all that time, while the new innovative solutions from SAP were introduced rather recently. 32 SAP Security Notes address issues in SAP HANA and 41 SAP Security Notes address issues in SAP Mobile applications. Taking into account that they were introduced just a few years ago, the number of released patches is rather impressive. So, we should consider those applications as critical as the ones mentioned in the top 10 list.

Security vulnerabilities by Industries

SAP provides industry-specific software aimed at addressing requirements unique to a particular type of business. These areas include 25 different industries, from Aerospace and Defense to Public Sector. Unfortunately, the industry-specific solutions are vulnerable as well: 160 security issues were discovered within this set of products.

Most of the vulnerabilities relate to CRM, Enterprise Portal, and SRM applications. These applications are usually publicly accessible or have very close integration with external services and the Internet.


According to our analysis, the following industry components turned out to be the most vulnerable:

| Industry Solution | Number of vulnerabilities |
|---|---|
| Banking | 33 |
| Retail | 21 |
| Advertising Management (including Classified Advertising Management) | 27 |
| Automotive | 14 |
| Utilities | 14 |
| Healthcare | 13 |
| Campus Management | 12 |
| Oil and Gas | 10 |
| Defense Forces and Public Security | 6 |
| Aerospace and Defense | 4 |

Table 6. SAP Vulnerabilities in industry solutions

Every single vulnerability in these applications is critical, as it potentially puts the largest and most influential companies at risk. For example, 48% of all Oil and Gas companies [6] use SAP solutions, and SAP is implemented in about 6300 automotive companies in 101 countries [7].

SAP does not provide any information on the number of organizations that run its software. However, we can use third-party statistics to get a general picture of how widespread SAP applications are in different industries.

| Industry | Count | Share |
|---|---|---|
| Manufacturing | 15000 | 40% |
| Construction | 3100 | 8% |
| Finance | 3000 | 8% |
| Transport & Travel | 2200 | 6% |
| Utilities | 2200 | 6% |
| Computer & IT Services | 2000 | 5% |
| Retail | 2000 | 5% |
| Business Services | 1800 | 5% |
| Wholesale | 1200 | 3% |
| Property Services | 1000 | 3% |
| Oil & Gas | 900 | 2% |
| Telecom | 900 | 2% |
| Pharma | 670 | 2% |
| Hotel & Restaurants | 650 | 2% |
| Media | 410 | 1% |
| Public Sector | 150 | 0% |


SAP CYBERSECURITY THREAT LANDSCAPE: IMPLEMENTATION SECURITY

One misconception widely held by people who work with SAP is that SAP systems are not accessible from the Internet, and therefore that all SAP vulnerabilities can only be exploited by an insider.

Nonetheless, this is not completely true. The misbelief dates back to the early 2000s, when mainframes were prevalent. Business is changing and companies want to have their applications connected. They need to connect departments worldwide, share data with clients via web portals, SRM and CRM systems, and get access to SAP Cloud systems from any place using mobile solutions.

In this chapter, we analyzed how securely SAP systems are implemented at the global scale. We mostly took into account global risks, such as vulnerabilities which can affect multiple companies simultaneously and ones which can be exploited remotely. The security of internal SAP configuration, access control, and code security were not covered in this research.

SAP versions

We have checked the major versions of the ABAP and J2EE engines detected on the Internet to estimate the lifecycle of released products and to learn which version is the most widely used at the moment. We have also checked which OS and RDBMS are used along with SAP and how widespread they are.

ABAP engine versions

The release version is vital for security. SAP is constantly developing its systems' security, but the major part of securing SAP systems lies with administrators. For example, the most powerful security features, like disabling access to all BSPs, are installed by default in EHP 2 and later versions, which make up about 65% (23% in 2013) of all servers. As you can see, if it takes 3 years to increase the share of new systems from 23% to 65%, the full cycle will last at least 5 years.

The nature of ERP systems and their adoption gives hackers a 5-year gap to conduct cyberattacks


| Version | Share |
|---|---|
| 7.30 EHP1 | 42% |
| 7.0 EHP2 | 22% |
| 7.0 EHP1 | 19% |
| 7.0 EHP0 | 14% |
| 7.30 | 2% |
| 7.10 EHP1 | 1% |
| 7.10 | 0% |

Figure 19. NetWeaver ABAP versions

Almost half (42%) of SAP NetWeaver ABAP engines are version 7.30 EHP1.

| Version | Difference between 2011-2013 | Difference between 2013-2016 |
|---|---|---|
| 7.3 | +250% | +400% |
| 7.2 | +70% | -100% |
| 7.0 | -22% | -71% |
| 6.4 | -45% | -100% |

Table 7. ABAP Engine versions in 2013 and 2016

J2EE engine versions

Below is the detailed information on the major versions.

Figure 20. Percentage of NetWeaver JAVA versions

Almost half (41%) of SAP NetWeaver JAVA engines are version 7.4.


OS versions for SAP

During the analysis of the results gathered from Internet-facing SAP systems, we discovered that the most common OSes are Windows NT (49%) and Linux (22%). In 2013, most SAP systems were installed on Windows NT (28%) and AIX (25%). According to our statistics from internal SAP assessments, *NIX systems are more widespread in general, while Windows is more popular for Internet-facing SAP systems.

| OS | Share |
|---|---|
| Windows NT | 49% |
| Linux | 22% |
| AIX | 20% |
| HP-UX | 7% |
| SunOS | 2% |

Figure 21. Percent of OS popularity for SAP

RDBMS for SAP Backend

The most widespread RDBMS used as a backend for SAP is still Oracle at 54% (in 2013 it was 59%). Nevertheless, the percentage of SAP systems based on Oracle and MaxDB is declining, while the share of those based on MSSQL is growing. This year is the first in which the number of HANA-backed SAP systems reached 1% of the total coverage. Other RDBMS systems are shown below.

The most common OS for SAP are Windows NT (49%) and Linux (22%)


| RDBMS | Share |
|---|---|
| Oracle | 54% |
| MSSQL | 25% |
| DB2 | 9% |
| ADABAS D | 8% |
| Sybase | 3% |
| HANA | 1% |

Figure 22. Percent of RDBMS for SAP Backend

It is worth mentioning that Oracle RDBMS installed with SAP is vulnerable to a very dangerous attack in which authentication can be bypassed and an unauthorized attacker can obtain direct access to the database system without any authorizations, because of improper use of the REMOTE_OS_AUTHENT parameter. It is quite an old bug, first published in 2002, but still active.

| RDBMS | 2013 | 2015 |
|---|---|---|
| Oracle | 59% | 54% |
| MsSQL | 17% | 25% |
| DB2 | 19% | 9% |
| ADABAS D | - | 8% |
| Sybase | - | 3% |
| MAXDB | 5% | - |
| HANA | - | 1% |

Table 7. RDBMS in 2013 and 2015

Although SAP HANA was officially launched in November 2010, it did not appear as an RDBMS for SAP NetWeaver Application Server in our previous scan. The recent scan shows that HANA accounts for only one percent.
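The REMOTE_OS_AUTHENT issue described above is a configuration check, so an administrator reviewing the SAP backend database can test for it directly. The following is an added example written for this page, not code from the report or from SAP: it parses an Oracle parameter file in the standard pfile syntax (NAME = VALUE, '#' comments, optional quotes, case-insensitive names), reports the unsafe setting, and produces a corrected copy. The sample parameter file is constructed for the example.

```python
"""Check an Oracle parameter file (pfile / init<SID>.ora style) for the
REMOTE_OS_AUTHENT misconfiguration and produce a corrected copy.

Handles the standard pfile syntax: NAME = VALUE, '#' comments, optional
quotes, case-insensitive names. The sample file below is constructed for
this example and is not taken from any SAP installation.
"""
import re

PARAM_RE = re.compile(r"^\s*(?P<name>[A-Za-z_][\w.]*)\s*=\s*(?P<value>.*?)\s*$")

# Parameter -> value that must never be set on a database reachable from the
# SAP application network. REMOTE_OS_AUTHENT = TRUE makes the server trust the
# OS user name supplied by a remote client, so no password is ever checked.
UNSAFE = {"remote_os_authent": "TRUE"}


def _assignment(raw: str):
    """Return (name, unquoted value) for an assignment line, else None."""
    m = PARAM_RE.match(raw.split("#", 1)[0])      # drop trailing comment
    if not m:
        return None
    return m["name"], m["value"].strip().strip("'\"")


def parse_pfile(text: str) -> dict:
    """Map lowercase parameter name -> (line number, value)."""
    params = {}
    for n, raw in enumerate(text.splitlines(), 1):
        parsed = _assignment(raw)
        if parsed:
            params[parsed[0].lower()] = (n, parsed[1])
    return params


def audit(text: str) -> list:
    """List (line number, name, value) for every unsafe setting found."""
    return [
        (lineno, name, value)
        for name, (lineno, value) in parse_pfile(text).items()
        if name in UNSAFE and value.upper() == UNSAFE[name]
    ]


def harden(text: str) -> str:
    """Rewrite unsafe assignments to FALSE, leaving all other lines untouched."""
    out = []
    for raw in text.splitlines():
        parsed = _assignment(raw)
        if parsed and parsed[0].lower() in UNSAFE and parsed[1].upper() == UNSAFE[parsed[0].lower()]:
            out.append(f"{parsed[0]} = FALSE   # was {parsed[1]}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


# Constructed init<SID>.ora excerpt for this example.
SAMPLE_PFILE = """\
# constructed example, not a real SAP system's parameter file
db_name = PRD
remote_os_authent = TRUE      # client-supplied OS user name is trusted as-is
remote_login_passwordfile = EXCLUSIVE
"""

if __name__ == "__main__":
    for lineno, name, value in audit(SAMPLE_PFILE):
        print(f"line {lineno}: {name} = {value} is unsafe")
    print(harden(SAMPLE_PFILE))
```

Run against the live database the same check is `SHOW PARAMETER remote_os_authent` in SQL*Plus; the file-based version above is useful for reviewing parameter files collected from many systems offline.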


Legitimate SAP Applications exposed to the Internet

The number of exposed SAP systems (web applications) can be estimated with well-known Google search requests (see the table below) or Shodan, but this approach gives several false positive results. Google Search reveals the relative distribution of system types, vulnerabilities and some other parameters; however, it is difficult to determine the precise number of systems of a particular type on the Internet.

| Application server type | Search string |
|---|---|
| SAP NetWeaver ABAP | Inurl:/SAP/BC/BSP |
| SAP NetWeaver J2EE | Inurl:/irj/portal |
| SAP Business Objects | inurl:infoviewap |

Because of that, we used our own scanning method to gather information about SAP systems. As a result of the scan, more than 11000 unique web application servers running different SAP web servers were identified. The J2EE server remains the most widespread platform (the Google search approach gives only about 4000 results).

Why do custom scans while several resources on the Internet already provide that kind of information?

The protocols used to interact with and between SAP servers are mostly proprietary and not well known outside of the SAP IT world. This means that open scan resources like Shodan, Censys, or even ZoomEye don't include those specific protocols in their scans.

How did you conduct the scans?

We use the same technique as nmap's service scan: we built a database of probe requests and then match each probe response to determine the state of the service. We carefully design our probe requests to be as short and efficient as possible and to avoid any unnecessary resource consumption on the server side. When we check for a vulnerability and there is no friendly payload, we try to fingerprint the version of the remote service to compute potential statistics.

We used open source tools (Zmap/Zgrab) to send requests, and the results were visualized via the web front-end of the IVRE project.

Do you have legal authorization to do that?

There is a consensus in the security community, and general acceptance, that Internet-wide scanning without malicious intent may be conducted for research purposes. The censys.io project, backed by Google and the University of Michigan, is an example. We want to add the possibility for people who don't want to be scanned to report their subnet to be excluded from our scans in the future.

As a result of the scan, more than 11000 unique servers with different SAP web servers were identified. The J2EE server still remains the most widespread platform.


| Application server | Number | % |
|---|---|---|
| SAP NetWeaver J2EE | 5362 | 48% |
| SAP NetWeaver ABAP | 2696 | 26% |
| SAP NetWeaver ICM | 1974 | 18% |
| SAP HANA | 500 | 4% |
| SAP Business Objects | 492 | 4% |

Table 8. SAP application servers exposed to the Internet

Figure 23. SAP application servers by type

| Country | Exposed SAP application servers |
|---|---|
| USA | 2332 |
| India | 1003 |
| Germany | 895 |
| China | 505 |
| Brazil | 420 |
| Turkey | 342 |
| Italy | 284 |
| Mexico | 277 |
| Korea | 277 |
| Spain | 256 |

Figure 24. SAP application servers by country

Most SAP application services exposed to the Internet are located in the USA (2332), India (1003), and Germany (895).


Non-legitimate SAP services exposed to the Internet

The most interesting and complex research was performed by scanning the Internet not only for legitimate SAP systems but also for services which must not be accessible from the Internet: those designed only for internal use, or those that require additional network filtering before being exposed directly to the Internet (such as SAProuter). Almost 25000 SAP services which should not be available through the Internet were found. Most of those services have critical vulnerabilities that can be used for cyberattacks. In the figures below, you will find the countries that expose their unnecessary SAP services to the Internet and the different services exposed to the Internet. Detailed information about these services is presented in the next chapters.

Figure 25. SAP application servers by country

| Service | Exposed to the Internet |
|---|---|
| SAProuter | 10421 |
| SAP Gateway | 4934 |
| SAP MC | 3465 |
| SAP Host Control | 2599 |
| SAP Message Server | 1219 |
| SAP Message Server HTTP | 968 |
| P4 | 859 |
| SAP Afaria | 151 |

Figure 26. Critical SAP Services exposed to the Internet


Apart from the web interfaces that should be enabled on the Internet because of various business requirements (such as SAP Portal, SAP SRM or SAP CRM solutions), there are some services that should not be available externally at all. Not only do they bring a potential risk, but they have real vulnerabilities and misconfigurations which are well known and described in public sources. Of course, this is not the full list of critical SAP services, just the most widespread and crucial ones.
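The distinction drawn above, web entry points that a business may legitimately expose versus administrative and transport services that never should be, is what an exposure review of a firewall or asset inventory has to encode. The following is an added example written for this page, not code from the report or from SAP: it classifies Internet-facing listeners by port. Port 3299 (SAProuter) and the 81NN Message Server HTTP convention (NN = system number) come from the report; the other patterns (33NN gateway, 36NN message server, 5NN04 P4, 5NN13/5NN14 sapcontrol, 1128/1129 SAP Host Agent, 80NN/443NN ICM) are the usual SAP instance-number conventions and are assumptions of the example, as is the sample inventory.

```python
"""Review Internet-facing SAP listeners: which are legitimate web entry points
and which are services that should never be reachable from the Internet.

Port conventions: 3299 (SAProuter) and 81NN (Message Server HTTP, NN = system
number) are named in the report; the other patterns follow the usual SAP
instance-number conventions and are assumptions made for this example.
"""
import re
from dataclasses import dataclass

# (pattern over the port as text, service name, verdict when Internet-facing)
# Verdicts: "ok" (legitimate web entry point), "exposed" (must stay internal),
# "review" (may face the Internet only with filtering, e.g. an ACL).
PORT_RULES = [
    (r"^3299$",         "SAProuter",                    "review"),
    (r"^33\d\d$",       "SAP Gateway",                  "exposed"),
    (r"^36\d\d$",       "SAP Message Server",           "exposed"),
    (r"^81\d\d$",       "SAP Message Server HTTP",      "exposed"),
    (r"^5\d\d04$",      "SAP Visual Admin P4",          "exposed"),
    (r"^5\d\d1[34]$",   "sapcontrol / SAP Start Service", "exposed"),
    (r"^112[89]$",      "SAP Host Agent (Host Control)", "exposed"),
    (r"^(80|443)\d\d$", "ICM HTTP(S) web entry point",  "ok"),
]


@dataclass(frozen=True)
class Listener:
    host: str
    port: int
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    verdict: str


def identify(port: int) -> tuple:
    """Return (service name, verdict) for a port; unknown ports are reported as such."""
    for pattern, service, verdict in PORT_RULES:
        if re.match(pattern, str(port)):
            return service, verdict
    return "unknown", "unknown"


def review(listeners) -> list:
    """One Finding per Internet-facing listener; internal-only listeners are skipped."""
    findings = []
    for l in listeners:
        if not l.internet_facing:
            continue
        service, verdict = identify(l.port)
        findings.append(Finding(l.host, l.port, service, verdict))
    return findings


def exposed(findings) -> list:
    """The subset that must be closed or moved behind a VPN."""
    return [f for f in findings if f.verdict == "exposed"]


# Constructed sample inventory (hostnames are placeholders, not real systems).
SAMPLE = [
    Listener("sap-portal.example.net", 8000, True),    # ICM HTTP: legitimate web entry
    Listener("sap-portal.example.net", 50004, True),   # P4 admin port: must not be exposed
    Listener("sap-erp.example.net", 3600, True),       # message server
    Listener("sap-erp.example.net", 8100, True),       # message server HTTP (81NN)
    Listener("sap-erp.example.net", 3300, False),      # gateway, internal only: fine
    Listener("saprouter.example.net", 3299, True),     # SAProuter: needs route table review
    Listener("sap-erp.example.net", 22, True),         # not an SAP port: out of scope here
]

if __name__ == "__main__":
    for f in review(SAMPLE):
        print(f"{f.host}:{f.port:<6} {f.service:<32} {f.verdict}")
```

Feeding the function from a firewall rule export or a scan of your own address space gives the per-organisation version of Figure 26; the "review" verdict for SAProuter is deliberate, since the report treats it as a service that may be exposed only with additional filtering.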

SAProuter

SAProuter is a special service intended to provide the following functionality:

• Transfer requests from the Internet to SAP (and not only)
• Connect SAP systems with each other in many locations
• Connect systems of different companies, such as customers and partners

The main aim of this service is to get updates from SAP and remotely install them on an SAP system. It also provides access to EarlyWatch services, thus every company which uses SAP should install SAProuter. There are a number of ways to implement it: either by configuring VPN access to SAP, or by exposing the SAProuter service to the Internet on its port, which is 3299 by default and known to everybody. More details can be found at Easy Service Marketplace [37].

Here are the results of the scan:

• There were about 4600 SAProuters on the Internet in total in 2013; now this number equals 10421 services.

• 0.3% (was 15%) of the routers lacked an ACL. This can be used to:
  − scan the internal network
  − if something is found during the scan, proxy any request to any internal address of an SAP or non-SAP system
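The ACL the scan results refer to is SAProuter's route permission table. The following is an added example written for this page, not code from the report or from SAP: a linter that parses a saprouttab in its standard syntax (`<P|D|S|KP|KD|KS> <source-host> <dest-host> <dest-port> [password]`, `*` as wildcard, `#` comments) and flags entries that would let an Internet-facing router proxy arbitrary traffic inward. The weak and hardened tables are constructed for the example; the host names and the 203.0.113.10 address are placeholders.

```python
"""Lint a SAProuter route permission table (saprouttab) for entries that turn
an Internet-facing SAProuter into an open proxy into the internal network.

Entry syntax assumed here is the standard saprouttab form (not taken from the
report): <P|D|S|KP|KD|KS> <source-host> <dest-host> <dest-port> [password],
'*' is a wildcard and '#' starts a comment.
"""
from dataclasses import dataclass

PERMIT_ACTIONS = {"P", "S", "KP", "KS"}   # permit / SAP-protocol-only / SNC variants
DENY_ACTIONS = {"D", "KD"}


@dataclass(frozen=True)
class Rule:
    lineno: int
    action: str
    source: str
    dest: str
    port: str


def parse_saprouttab(text: str) -> list:
    """Parse the table into Rule objects, rejecting malformed entries."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {n}: expected <action> <source> <dest> <port>")
        action = fields[0].upper()
        if action not in PERMIT_ACTIONS | DENY_ACTIONS:
            raise ValueError(f"line {n}: unknown action {fields[0]!r}")
        rules.append(Rule(n, action, fields[1], fields[2], fields[3]))
    return rules


def lint(rules: list) -> list:
    """Return (lineno, code, message) findings; an empty list means no concerns."""
    if not rules:
        return [(0, "no_acl", "route permission table is empty: the router has no ACL")]
    findings = []
    for r in rules:
        if r.action in DENY_ACTIONS:
            continue
        if r.source == "*" and r.dest == "*":
            findings.append((r.lineno, "open_route",
                             f"{r.action} * * {r.port}: any source may reach any host"))
        elif r.dest == "*":
            findings.append((r.lineno, "open_destination",
                             f"{r.source} may be proxied to any internal address"))
        elif r.source == "*":
            findings.append((r.lineno, "open_source",
                             f"any host may reach {r.dest}:{r.port}"))
        if r.port == "*":
            findings.append((r.lineno, "open_port",
                             f"every port is reachable on route {r.source} -> {r.dest}"))
    return findings


# Constructed tables for this example.
WEAK_SAPROUTTAB = """\
# permits every source to every destination on every port
P * * *
"""
HARDENED_SAPROUTTAB = """\
# one partner address to one internal system's dispatcher port, deny the rest
P 203.0.113.10 sapprod.internal.example 3200
D * * *
"""

if __name__ == "__main__":
    for label, table in (("weak", WEAK_SAPROUTTAB), ("hardened", HARDENED_SAPROUTTAB)):
        print(label, lint(parse_saprouttab(table)) or "no findings")
```

The `open_destination` code corresponds to the second bullet above: a permit entry with a wildcard destination is what lets a router forward a connection to any internal address once the source is allowed.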

WebRFC service as part of NetWeaver ABAP

WebRFC is a web service which is available by default in the SAP NetWeaver ABAP platform. It allows executing dangerous RFC functions via HTTP requests to the NetWeaver ABAP ports and URLs /sap/bs/web/rfc and /sap/bc/soap/rfc. Among these functions there are several critical ones, such as:

• Read data from SAP tables
• Create SAP users
• Execute OS commands
• Make financial transactions, etc.

Services like SAP Gateway, SAP Message server, SAP Host Control, SAP Visual Admin P4, SAPRouter, and others should not be open for connecting using the Internet


By default, any user can access this interface and execute the RFC_PING command by sending an XML packet. Other functions require additional authorizations. So there are 2 main risks:

• If there is a default username and password in the system, an attacker can execute numerous dangerous RFC functions, because default users have dangerous rights.

• If a remote attacker obtains any existing user's credentials, he/she can execute a denial-of-service attack on the server by sending the RFC_PING request with a malformed XML packet [8] [9].

Moreover, about 1% of them are open and really accessible. As for the others, an attacker can try default credentials or a brute-force attack to exploit the service.
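Both risks above leave traces in the web server's access log: WebRFC calls arriving from outside the organisation, and runs of failed logons against the WebRFC URLs when credentials are being guessed. The following is an added example written for this page, not code from the report or from SAP: detection logic run over constructed access-log lines for the two paths named above. The combined-log line format, the internal address ranges and the thresholds are assumptions of the example; the sample addresses are documentation ranges, not real hosts.

```python
"""Detection over constructed HTTP access-log lines for the WebRFC endpoints
named in the report (/sap/bc/soap/rfc and /sap/bs/web/rfc): flags requests
from outside the organisation's own address ranges and bursts of 401 responses
that look like credential guessing. The line format, the internal ranges and
the thresholds are assumptions for this example, not SAP's own log format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

WEBRFC_PATHS = ("/sap/bc/soap/rfc", "/sap/bs/web/rfc")
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
FAILURE_THRESHOLD = 5   # this many 401s from one source ...
FAILURE_WINDOW_S = 60   # ... inside this window raise an alert

# <ip> - - [dd/Mon/yyyy:HH:MM:SS +zzzz] "METHOD /path HTTP/1.x" <status> <bytes>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line: str):
    """Parse one access-log line; return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def is_webrfc(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in WEBRFC_PATHS)


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(lines) -> list:
    """Return (alert_type, source_ip, detail) tuples, one per source and type."""
    alerts, seen = [], set()
    failures = defaultdict(deque)   # source ip -> timestamps of recent 401s
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_webrfc(rec["path"]):
            continue
        ip = rec["ip"]
        if not is_internal(ip) and ("external", ip) not in seen:
            alerts.append(("external_webrfc_access", ip, rec["path"]))
            seen.add(("external", ip))
        if rec["status"] == 401:
            window = failures[ip]
            window.append(rec["ts"])
            while (window[-1] - window[0]).total_seconds() > FAILURE_WINDOW_S:
                window.popleft()          # keep only the last FAILURE_WINDOW_S seconds
            if len(window) >= FAILURE_THRESHOLD and ("brute", ip) not in seen:
                alerts.append(("webrfc_bruteforce", ip,
                               f"{len(window)} x 401 within {FAILURE_WINDOW_S}s"))
                seen.add(("brute", ip))
    return alerts


# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Apr/2016:10:00:00 +0000] "POST /sap/bc/soap/rfc HTTP/1.1" 200 512',
    '203.0.113.7 - - [26/Apr/2016:10:00:30 +0000] "POST /sap/bc/soap/rfc HTTP/1.1" 200 512',
    '198.51.100.9 - - [26/Apr/2016:10:00:45 +0000] "GET /irj/portal HTTP/1.1" 200 1024',
] + [
    f'198.51.100.9 - - [26/Apr/2016:10:01:{5 * i:02d} +0000] "POST /sap/bs/web/rfc HTTP/1.1" 401 0'
    for i in range(6)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The internal ranges are listed explicitly rather than taken from a library's "private" notion, so the rule can be tuned to an organisation's real address plan; the per-source sliding window keeps a single mistyped password from raising the brute-force alert.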

CTC service as part of NetWeaver J2EE

CTC is a web service which is installed by default on the NetWeaver J2EE engine. It allows managing the J2EE engine remotely. This web service can be found by Google search and it often exists on SAP Portals. It is possible to execute such functions as:

• Create users
• Assign a role to a user
• Execute OS commands
• Remotely turn the J2EE Engine on and off

ERPScan researchers presented a vulnerability [10] in this service called "Verb Tampering". It allows bypassing authorization checks for remote access to the CTC service. It means that anybody can remotely obtain full unauthorized access to all business-critical data located in the J2EE engine.

*The non-intrusive scan cannot determine if they were vulnerable or not but, the probability is rather high.
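Verb tampering of the kind described for CTC arises in Java EE applications when a security constraint enumerates HTTP methods: only the listed verbs are protected, and a request using any other verb reaches the servlet without the role check. The following is an added example written for this page, not code from the report or from SAP: it inspects a web.xml deployment descriptor for that pattern and shows the weak constraint beside its hardened form. Both descriptors are constructed for the example and are not SAP's own.

```python
"""Check a Java EE deployment descriptor (web.xml) for security constraints
that enumerate HTTP methods. Listing verbs under <http-method> protects only
those verbs; any other verb (HEAD, PUT, DELETE or an arbitrary method name)
reaches the servlet without the constraint. The two descriptors below are
constructed for this example; they are not SAP's own deployment descriptors.
"""
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip the XML namespace so the check works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name) -> list:
    return [c.text.strip() for c in _children(elem, name) if c.text]


def find_verb_tampering(web_xml: str) -> list:
    """One finding per <web-resource-collection> that lists <http-method>."""
    findings = []
    for sc in _children(ET.fromstring(web_xml), "security-constraint"):
        for wrc in _children(sc, "web-resource-collection"):
            methods = _texts(wrc, "http-method")
            if not methods:
                continue  # no method list: the constraint applies to every verb
            findings.append({
                "resource": (_texts(wrc, "web-resource-name") or ["?"])[0],
                "patterns": _texts(wrc, "url-pattern"),
                "protected_methods": methods,
            })
    return findings


# Weak form: only GET and POST to /admin/* require the Administrator role.
WEAK_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin servlets</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Administrator</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# Hardened form: the same constraint without the method list, so every verb
# (including HEAD and any made-up method) requires the role.
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "      <http-method>GET</http-method>\n      <http-method>POST</http-method>\n", "")

if __name__ == "__main__":
    for f in find_verb_tampering(WEAK_WEB_XML):
        print(f"{f['resource']}: only {f['protected_methods']} protected on {f['patterns']}")
    print("hardened:", find_verb_tampering(HARDENED_WEB_XML))
```

Running the checker over every web.xml in a deployed J2EE engine is a cheap way to find constraints of the weak shape; the servlet code itself must also avoid treating an unlisted verb as equivalent to GET, which the descriptor check alone cannot see.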

SAP Message Server HTTP

SAP Message Server HTTP is the HTTP port of the SAP Message Server service, which balances the load on SAP Application Servers. This service should only be available inside a company, but 1761 SAP Message Servers have external IP addresses, which is typically not needed for business processes and can lead to critical actions. By default, the server is installed on port 81NN, where NN is the system number. One of the issues of SAP Message Server HTTP is the possibility to get the values of the configuration parameters of an SAP system remotely without authentication. It can be used for further attacks.

It was found that 78% of ABAP systems (3177 systems in total) on the Internet have the WebRFC service enabled

It was found that 10% (533) of J2EE systems on the Internet have the CTC service enabled

1209 Message Server HTTP services are exposed to the Internet and are potentially vulnerable to unauthorized remote gathering of system parameters


SAP Management Console

The SAP Management Console (SAP MC) allows monitoring and performing basic administration tasks on an SAP system centrally. The server-side SOAP component requires authenticated access for most functions.

Nonetheless, there are some functions which can be used remotely without authentication. Most of them allow reading different logs and traces, and sometimes system parameters. Those issues were well described by Chris John Riley, an independent researcher.

A more prevalent danger, which ERPScan researchers have found, is the possibility of finding JSESSIONID values in the log files [11]. JSESSIONID is the identifier by which HTTP sessions are tracked. One possible way to perform an attack is to insert this JSESSIONID into a browser cookie and get unauthorized access to a user session.

The research revealed that 3465 Management Console services were exposed to the Internet.

In the scope of internal penetration testing, the number of vulnerable services was much larger. Approximately 80% of scanned servers of companies that decided to participate in the statistics were found to be vulnerable to this issue.

SAP Visual Admin P4

P4 is one of the ports used for communication with the J2EE Engine. It provides administrative functionality to manage SAP J2EE applications remotely.

A vulnerability discovered in the service allows remote attackers to bypass authorization and connect to the service with the Admin role. As a result, they are able to execute all critical functions, such as creating new users in the system, reading information, changing business-critical data, and performing DoS attacks.

You can find detailed information about this vulnerability in SAP Security Note 1682613 [12].

859 SAP Visual Admin P4 services are exposed to the Internet

About 3500 companies expose the SAP MC service to the Internet, which is potentially vulnerable to unauthorized access to log files.


SAP SECURITY AWARENESS

This part is dedicated to SAP security awareness. In the last 3 years the SAP Cybersecurity topic has become more relevant, especially after the latest data breaches. In the last year alone, SAP Cybersecurity came into the top media spotlight (The Guardian, Forbes, Vice, Wired) and was regularly featured in The Register, PC World, SC Magazine, Security Week, and other cybersecurity media. All this made SAP Cybersecurity a very important topic and, consequently, in some regions the level of security of SAP systems improved significantly.

In comparison with 2013, companies' interest in SAP Cyber Security has grown significantly. On the one hand, this was caused by the increasing number of incidents related to SAP security. On the other hand, the number of reports and training materials on the topic released by the vendor, third-party developers and non-profit organizations has raised awareness. The number of vendors focused on ERP security who sell software for its assessment is growing, as is the number of security consulting companies that sell specialized consulting services for ERP security.

Top SAP Cybersecurity Incidents (2013-2016)

First SAP Malware

In 2013, the first example of malware targeting SAP was revealed. A new variant of a Trojan that affected online banking accounts also contained code to check whether infected computers had SAP client applications installed, suggesting that attackers might target SAP systems in the future.

To intercept important data, it used a traffic analyzer, a system that monitors web banking activities, and a screengrabber. The main objective of the Trojan was to collect user input from various window forms, to gather certificate files from secure workflow systems, and to send this information to the attackers' server. And in this case, it already had access to the infected workstation and it knew that this workstation had an SAP client, which, in its turn, means that the workstation had access to the SAP server. The Trojan was capable of making screenshots of logons into the SAP system and collecting critical system data. It also had keylogging functionality to steal passwords input during logon. This is enough to perform a lot of malicious actions on an SAP server, so this information could be sold to a third party.

NVidia Breach

In January 2014, the NVidia customer service website was likely attacked via a vulnerability in SAP NetWeaver.

The finder of the security hole, who was from China and called himself Finger, claimed he notified NVidia about the vulnerability on November 21, 2013 but did not receive any reply from NVidia, so he decided to attract attention to this problem.

On January 5, 2014, vulnerability details were posted on the Chinese vulnerability forum WooYun.org [13] and reposted on Full Disclosure. The status of the bug is "unable to contact the vendor or actively neglected by the vendor". The NetWeaver vulnerability had been patched by SAP 3 years before the incident, but NVidia hadn't implemented the fix. On January 8, 2014, NVidia took the customer service website offline for two weeks to conduct an investigation.

OPM Breach

On May 11, the news about an attack on USIS, a federal contractor that provides background checks for DHS, blew up the security media. It was potentially conducted by China-sponsored hackers by exploiting a vulnerability in SAP software.

USIS used to be the largest commercial provider of background investigations to the federal government. It has more than 5,700 employees providing services in all 50 states, the U.S. territories and overseas.

This breach dates back to 2013, when hackers broke into USIS through an exploit in an SAP system managed by a third party. As a result of the breach, more than 27,000 employees may have been compromised. A similar hack also affected servers of the Office of Personnel Management, which holds information on security clearance investigations.

As a result of this breach, USIS lost its main client, OPM, lost $3 billion and cut 2500 jobs (almost half of all its employees). Finally, the owner of USIS filed for bankruptcy.

US-CERT Alert

On the 11th of May, US-CERT released an alert that Chinese hackers were exploiting a security vulnerability in SAP business software that dates back to 2010. It was recommended that SAP users disable the vulnerable Invoker Servlet.

This warning was based on a report released by a security provider. Unfortunately, the white paper does not provide the exact source of the information. Research by ERPScan revealed that it was a forum where the Chinese white-hat community shares data on systems they can exploit and notifies vendors and victims; there were examples of systems vulnerable to the issue.

However, it is too early to rejoice. ERPScan researcher Mathieu Geli conducted a non-intrusive network scan and obtained data showing that 533 systems across the globe are potentially susceptible to the Invoker Servlet vulnerability.

| Country | Systems |
|---|---|
| USA | 168 |
| India | 54 |
| Germany | 51 |
| Italy | 33 |
| Taiwan | 16 |
| Spain | 16 |
| Mexico | 14 |
| Switzerland | 13 |
| Portugal | 13 |
| China | 12 |

Figure 27. Invoker servlet exposed to the Internet by countries


SAP Cyber Security talks at technical conferences

Since 2010, SAP security has begun to attract the attention of participants at technical security conferences like BlackHat, RSA, HITB, Troopers, and others. In nearly 10 years of research, almost every part of SAP was examined in some way and almost every area was discussed in terms of security.

| Year | 2003 | 2004 | 2005 | 2006 | 2007 | 2008 | 2009 | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Talks | 1 | 2 | 1 | 1 | 1 | 3 | 4 | 14 | 25 | 32 | 21 | 19 | 20 |

Figure 28. Number of SAP security talks presented at different conferences by year*

*Data was collected from top conference websites as of December 2015

| Country | Talks |
|---|---|
| USA | 29 |
| Germany | 26 |
| Netherlands | 15 |
| Argentina | 8 |
| South Africa | 7 |
| Belgium | 4 |
| UK | 4 |
| Austria | 3 |
| France | 3 |
| Canada | 2 |
| China | 2 |
| Hungary | 2 |
| India | 2 |
| Poland | 2 |
| Singapore | 2 |
| Colombia | 1 |
| Finland | 1 |
| Iceland | 1 |
| Kuwait | 1 |
| Malaysia | 1 |
| Portugal | 1 |
| Spain | 1 |
| Sweden | 1 |
| Switzerland | 1 |

Figure 29. The number of SAP Security talks by country


We tried to correlate the number of talks delivered in different countries with the level of SAP security in them. As an indicator of the level of SAP security, we chose the number of unnecessarily exposed SAP services. Our research proved that there is a parallel between these two figures. Emerging countries are characterized by wide adoption of new technologies (SAP systems in particular). The countries with the largest number of SAP installations are the following:

| Country | Number of SAP Installations |
|---|---|
| USA | 6309 |
| India | 4989 |
| China | 2362 |
| Germany | 1911 |
| Great Britain | 1321 |
| Mexico | 1274 |
| South Korea | 1090 |
| Spain | 910 |
| Turkey | 891 |
| Italy | 838 |

Table 9. Number of SAP installations available online by countries

Here are the top countries by the number of SAP systems which should not be exposed to the Internet:

| Country | Number of SAP Installations |
|---|---|
| India | 3923 |
| USA | 3660 |
| China | 1800 |
| Mexico | 972 |
| Germany | 968 |
| Great Britain | 870 |
| South Korea | 801 |
| Spain | 639 |
| Italy | 550 |
| Turkey | 530 |

Table 10. Number of SAP installations available online by countries

Of course, we should not draw conclusions about which country has better awareness just from the number of exposed services, so we decided to look at the ratio of the SAP systems in question (those that should not be exposed) to the total number of SAP systems available via the Internet. Thus we can understand how aware people in a country are of SAP cybersecurity, regardless of how widely SAP is implemented in that region.


Figure 30. Ratio between necessary SAP systems accessible through the Internet and the number of SAP systems which are accessible via the Internet as a result of misconfigurations, negligence or unawareness. (Bars on a 0-100% scale per country; legend: Legitimate SAP services / Unnecessary services. Countries shown, in chart order: Venezuela, Pakistan, Saudi Arabia, Ireland, Thailand, India, Russia, Mexico, China, Taiwan, Colombia, Republic of Korea, Spain, South Africa, France, Netherlands, Singapore, USA, Germany, Great Britain.)

Thus, the countries that lack cybersecurity awareness (including SAP security knowledge) have the highest ratio of non-legitimate to legitimate SAP systems. These countries are Venezuela, Pakistan, Saudi Arabia, Ireland, and Thailand, i.e. places where there were no presentations on SAP Security.


On the other hand, the countries with the best performance in terms of the ratio of securely configured systems to insecurely configured ones are the USA, Germany, Singapore, and the Netherlands. So we can say that awareness brings results, and this is the most significant and pleasant conclusion of this study and of our work in general.


SOLUTIONS

What can happen

The most common threats to an organization which does not have secure SAP systems are the following:

• Espionage
  − Theft of financial information
  − Corporate trade secret / intellectual property theft
  − Supplier / employee / customer data theft
• Sabotage
  − Intentional product quality deterioration / production spoilage
  − Equipment corruption
  − Manipulation of the supply chain
  − Compliance violations / tampering with financial reports
• Fraud
  − Raw materials fraud
  − Finished goods fraud
  − Financial fraud
  − HR fraud
• Terrorism
  − Explosion / spoilage
  − Tracking data (children, money transfer)


How to secure your critical assets

There are 3 areas that should be properly secured to protect a company from different attack vectors and malicious actors. In this view, there are 3 types of defensive measures, which can be taken as a gradual approach. Depending on the company size and the number of specialists, the steps must be carried out as follows: step 1 within 3-6 months; step 2 within 6-18 months; and step 3 within the next 6-12 months as a supplement to the basic option (the first 2 steps).

Insiders and improper access control

EXAMPLES: Users with access to the SAP_ALL profile, who can carry out every action in the system, or any other user with unnecessary rights

SOLUTION:
1. Basic access control checks and password policies
2. Segregation of duties checks
3. Transaction monitoring and user behavior analytics

Software backdoors and insecure development

EXAMPLES: Developers can transfer money to their bank account

SOLUTION:
1. Dev, test & prod landscape separation
2. Scanning and fixing code for vulnerabilities and backdoors
3. Virtual patching and/or auto-correction for code vulnerabilities

Platform vulnerabilities and misconfigurations

EXAMPLES: Uninstalled security patches

SOLUTION:
1. Vulnerability assessment, penetration testing or security assessment
2. Continuous monitoring for security issues: in-depth configuration analysis and a vulnerability management program with risk analysis and remediation
3. Threat detection and event monitoring
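Step 1 and step 2 of the first area (basic access control checks and segregation of duties checks), as an added example that is not the report's or any vendor's code: it flags holders of the SAP_ALL profile and users who hold a conflicting pair of transactions. The user extract, the custom profile names and the conflict matrix are constructed; the transaction codes are standard SAP ones chosen for illustration, and a real SoD matrix would be much larger.

```python
"""Basic access-control and segregation-of-duties checks over a user extract."""
SAP_ALL = "SAP_ALL"

# Constructed extract shaped like a user-to-profile assignment export.
USER_PROFILES = {
    "ADMIN01": {"SAP_ALL"},
    "FIN_CLERK": {"Z_FI_AP"},
    "DEV_USER": {"Z_DEV", "Z_FI_AP"},
    "AUDITOR": {"Z_AUDIT_RO"},
}
# Constructed: transactions each user may start (derived from their roles).
USER_TCODES = {
    "FIN_CLERK": {"XK01", "F110"},   # create vendor master + payment run
    "DEV_USER": {"SE38", "F110"},    # ABAP editor + payment run
    "AUDITOR": {"SUIM"},             # read-only user information system
}
# Hypothetical SoD matrix: pairs one person must not hold together.
SOD_CONFLICTS = [
    ("XK01", "F110", "create a vendor and pay that vendor"),
    ("SE38", "F110", "run arbitrary ABAP and release payments"),
]


def sap_all_holders(profiles):
    """Users who can carry out every action in the system via SAP_ALL."""
    return sorted(user for user, held in profiles.items() if SAP_ALL in held)


def sod_violations(profiles, tcodes):
    """Return (user, tcode_a, tcode_b, reason) for every conflict a user holds.

    SAP_ALL implicitly grants every transaction, so a SAP_ALL holder triggers
    every pair in the matrix even when no explicit transaction is listed.
    """
    hits = []
    for user in sorted(set(profiles) | set(tcodes)):
        held = set(tcodes.get(user, ()))
        has_all = SAP_ALL in profiles.get(user, ())
        for a, b, why in SOD_CONFLICTS:
            if has_all or (a in held and b in held):
                hits.append((user, a, b, why))
    return hits


if __name__ == "__main__":
    print("SAP_ALL holders:", sap_all_holders(USER_PROFILES))
    for user, a, b, why in sod_violations(USER_PROFILES, USER_TCODES):
        print(f"SoD conflict: {user} holds {a}+{b} ({why})")
```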


CONCLUSION

SAP cybersecurity used to be a promising research area with a small number of security products, which mainly focused on detecting vulnerabilities. In the last 3 years, it has become a rather large market providing solutions designed to address the full range of cyberthreats business applications may face: from detecting Segregation of Duties issues and security vulnerabilities to building a threat map, managing risks, providing ABAP code analysis, and threat detection including transaction monitoring, plus virtual patching and remediation. While this market cannot compete with large cybersecurity businesses such as web application security, endpoint protection, or the growing IoT security, it is quite an important area, and analysts from leading companies around the globe agree on the importance of ERP security.

We hope that this document will help everybody, from security engineers, CISOs, and CIOs to CROs, CFOs, GRC consultants, SAP owners, and CEOs who depend highly on these mission-critical applications, to take SAP security seriously and consider it as the next step of their overall cybersecurity initiative.

It does not really matter which time period a piece of SAP security research analyzes, one point never changes: the main responsibility for securing any application lies on the client side, not the vendor side.

Authors

• Mathieu Geli – Director of SAP Threat Intelligence
• Darya Maenkova – Sr. Analyst, Department of Security Evangelism
• Alexander Polyakov – CTO


ABOUT ERPSCAN

ERPScan is the most respected and credible Business Application Security provider. Founded in 2010, the company operates globally. Named as an ‘Emerging vendor’ in Security by CRN and distinguished by more than 30 other awards, ERPScan is the leading SAP SE partner in discovering and resolving security vulnerabilities. ERPScan consultants work with SAP SE in Walldorf, helping to improve the security of its latest solutions.

ERPScan’s primary mission is to close the gap between technical and business security, and to provide solutions to evaluate and secure ERP systems and business-critical applications from both cyber-attacks and internal fraud. Usually our clients are large enterprises, Fortune 2000 companies and managed service providers whose requirements are to actively monitor and manage the security of vast SAP landscapes on a global scale.

Our flagship product is ERPScan Security Monitoring Suite for SAP. This multi-award-winning innovative software is the only solution on the market certified by SAP SE that covers all tiers of SAP security, i.e. vulnerability assessment, source code review and Segregation of Duties. The largest companies from across diverse industries like oil and gas, banking, retail, even nuclear power installations, as well as consulting companies, have successfully deployed the software. ERPScan Monitoring Suite for SAP is specifically designed for enterprise systems to continuously monitor changes in multiple SAP systems. It generates and analyzes trends on user-friendly dashboards, manages risks and tasks, and can export results to external systems. These features enable central management of SAP system security with minimal time and effort.

We ‘follow the sun’ and function in two hubs, located in Palo Alto and Amsterdam, to provide threat intelligence services and agile support, and we operate local offices and a partner network spanning 20+ countries around the globe.

The company’s expertise is based on the research subdivision of ERPScan, which is engaged in vulnerability research and analysis of critical enterprise applications. It has received multiple acknowledgments from the largest software vendors, such as SAP, Oracle, Microsoft, IBM, VMware and HP, for exposing in excess of 400 vulnerabilities in their solutions (200 of them in SAP alone).

ERPScan researchers are proud to have exposed new types of vulnerabilities (Top 10 Web Hacking Techniques 2012) and were nominated for best server-side vulnerability at BlackHat 2013.

ERPScan experts have been invited to speak, present and train at 60+ prime international security conferences in 25+ countries across the continents. These include BlackHat, RSA and HITB, as well as private trainings for SAP at several Fortune 2000 companies.

ERPScan experts have been interviewed by leading media resources and specialized infosec publications worldwide; these include Reuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise and Chinabyte, to name a few.

We have highly qualified experts on staff with experience in many different fields of security, from web applications and mobile/embedded to reverse engineering and ICS/SCADA systems, and they pool that experience to conduct research in SAP system security.


ABOUT EAS-SEC

Project

EAS-SEC (formerly part of the global strategy group OWASP Projects) is a non-profit worldwide organization focused on improving business application software security.

EAS-SEC is a guide for people involved in the acquisition, design and implementation of large-scale applications, the so-called Enterprise Applications. The security of Enterprise Applications is one of the most discussed topics in the general area of application security. This is due to the fact that such applications control the organization's resources, including funds, which may be lost as a result of any breach of security.

Project mission

The purpose of the EAS-SEC project, launched in 2010, is to increase awareness of business application and enterprise application security problems among users, administrators and developers, and also to create guidelines and tools to assess the safety, security, secure set-up and development of enterprise applications. A general analysis of the main business applications was carried out, and the key security areas to which it is necessary to pay attention, both during development and during implementation, were collected. In addition, there were two research reports: «SAP Security in figures for 2011» and «The state of SAP security 2013: Vulnerabilities, threats and trends». The results of these reports have been presented at key conferences such as RSA and have been highlighted in the press.

EAS-SEC has a number of main objectives on the basis of which subprojects are created:

1. Informing the wider public about security vulnerabilities in enterprise applications through the release of annual statistics on enterprise application security vulnerabilities. Subproject: Enterprise Business Application Vulnerability Statistics;

2. Helping companies that release software to increase the security of their solutions, providing tools through the Enterprise Business Application Security Vulnerability Testing Guide subproject;

3. Developing free extended tools for assessing the security of enterprise applications, through the Enterprise Business Application Security Software subproject;

4. Helping companies assess the security of enterprise applications at the initial stages, providing tools through the Enterprise Business Application Security Implementation Assessment Guide subproject.
