Companies exposed to attack by out-of-date SAP applications

Many organisations do not know that their SAP software is exposed, warns security specialist

Hundreds of organisations are running ageing, unpatched versions of SAP enterprise resource planning software – some with applications exposed to the internet.

That is the conclusion of ERPScan chief technology officer and ZeroNights founder Alexander Polyakov.

The news is all the more disturbing given the increasing number of attacks targetted at SAP systems, which in addition to running mission-critical applications will also contain valuable personal and financial information.

There is also a thriving underground trade in SAP "exploits" – flaws or automated attacks that hackers freely trade in forums.

Polyakov's company has found more thanf 4,000 servers hosting internet-accessible SAP applications simply by searching the web using Google (700 servers) and Shodan, the specialist search engine that "pinpoints shoddy industrial controls". Using Google, Polyakov was able to identify 700 servers, while Shodan uncovered 3,741 vulnerable servers.

Furthermore, in research that will be released next month, Polyakov warned that one-in-three companies had "SAP routers" publicly accessible by a default port.

In the company's research, 35 per cent of SAP systems were found to be running NetWeaver version 7 EHP 0, which was last updated in November 2005. Those users ought to have upgraded since then. Some 19 per cent were running versions of SAP NetWeaver last patched in October 2008, while 23 per cent were running versions of SAP NetWeaver last updated in April 2010.

Polyakov, speaking at the RSA Security Asia/Pacific Conference in Singapore, added that his company found similar flaws in implementations of NetWeaver J2EE, too. He warned that it is a common misconception that SAP systems are not exposed to the internet or remotely accessible and that this was particularly acute in Asia/Pacific.

"You need to do your human resources and financials with SAP, so [if it is hacked] it is the end of the business," Polyakov told the conference. "If someone gets access to the SAP they can steal HR data, financial data or corporate secrets... or get access to a SCADA system."

Frequently exposed SAP systems that should not be publicly exposed include Dispatcher, MMC, Message Server, Hostcontrol, ITS Agate and Message Server httpd, he said.

Furthermore, the number of security advisories surrounding SAP systems has exploded in recent years, according to ERPScan's figures, from fewer than 100 in 2008 to more than 600 in 2012, although that number is expected to decline in 2013.

The most common attack vectors include the old favourite, "cross-site scripting attacks", which comprise 25 per cent of the vulnerabilities, "missing authorisation checks", at 22 per cent, and "directory traversal" at 20 per cent.

Polyakov's presentation to the RSA Security Conference can be accessed here.