An Enterprise Resource Planning (ERP) system is often the information backbone of a modern organization: the point of control for its financial reporting, human resources, inventory, production costs, sales and procurement. These systems are so large and complex that they can be considered information systems within information systems. They typically run proprietary code, depend on vendor support and involve the vendor extensively in day-to-day operation. To complicate matters, how deeply they reach into every layer of the stack, from the network up to the application, and how widely they spread across the organization is rarely fully understood. This complexity adds another dimension to ERP security and raises the risk rating of this crucial system type.
Systems, Applications & Products in Data Processing (SAP) is one of the most widely deployed ERP systems in the world, serving 282,000 customers in 190 countries according to the company's 2014 report. SAP security holes have been known and reported since the first versions of the system, and applications are now a primary attack vector. Because an ERP crosses the boundaries between applications, networks and even hardware, it is not surprising that more and more attackers either target it directly or use it as an entry and pivoting point for a longer-term malicious presence. According to a May 2015 study, over 95% of SAP systems worldwide had critical vulnerabilities, and the average interval between patches was over 18 months. Security specialists often limit their SAP testing to segregation of duties, because they are either inexperienced with the platform or uncomfortable delving into its technical threats.
There is no doubt that hackers possess the same or better information about SAP vulnerabilities as we do. The number of relevant exploits is growing, often followed by significant breaches and disruptions.
Attackers usually choose the path of least resistance. Those with enough knowledge of SAP's proprietary code may attack it directly; web-facing customer and vendor portals are another favorite. Once inside, attackers most often move laterally between SAP components, escalating privileges until they reach the valuable data.
Quite a few vulnerabilities and attacks are specific to SAP; MITRE lists over 160 CVEs across various versions of the system. The entries below pair the most common classes of attack against SAP installations with indications that such an attack may be in progress. These indications are useful input for ESM (enterprise security management) systems, which collect, aggregate and correlate them into a cohesive security picture.
Attack class: SAP password cracking
Indicators:
- USR02 table is retrieved with transaction SE16 by users who would not normally need it
- User logs in from an unusual location or at an unusual time
- User performs actions she does not need or does not normally perform
- Profile parameter login/password_downwards_compatibility is set to 1 (the downward-compatible BCODE hash is still generated and stored)
- BCODE field holds the password hashed with CODVN B, i.e. truncated at 8 characters and converted to uppercase, so an offline search only has to cover 8 case-insensitive characters
- PASSCODE field holds the hash of the complete, case-sensitive password (CODVN F)
- CODVN is I: hash values are stored in all three fields (BCODE, PASSCODE and PWDSALTEDHASH), so the weak BCODE hash is still present next to the stronger ones
- SAP password is shorter than 8 characters
- Initial password is a dictionary word
- User has access to USR02
- SAP servers are not deployed in an internal DMZ
- Direct connections to the SAP databases are allowed
- Tables USR02, USH02 and USRPWDHISTORY can be accessed directly through table maintenance tools (transactions SE16, SE17, SE11 etc.)
- Authorization object S_TABU_DIS is not used to restrict table access
- The same passwords are used for critical users (SAP*, DDIC, administration users etc.) in all systems and clients
- login/min_password_lng is less than or equal to 8
- login/min_password_lowercase is 0 (no lowercase character required)
- USR40 table (list of forbidden passwords) does not block dictionary words
Attack class: Insecure default configuration of SAP Knowledge Management
Indicators:
- User is a member of the "Everyone" group
- User has "Full Control" permissions
Attack class: Phishing scams and Web 2.0 attacks against employees
Indicators:
- Sensitive business information was modified and/or deleted
- Two or more user groups have identical access
- User is a Guest of SAP Enterprise Portal
- "Everyone" group has Full Control in at least one KM folder
- Transaction SE03 (Transport Organizer Tools) is executed
- A new user with the SAP_ALL profile is created
- login/password_downwards_compatibility profile parameter is set to 3 or 4 (logon with the downward-compatible hash is accepted)
- Password is checked against the "weak" hash value
- USR02 table is modified
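The password-related indicators above (the BCODE/CODVN entries, login/min_password_lng, login/min_password_lowercase, and login/password_downwards_compatibility at 1 or at 3 and 4) can be evaluated mechanically before the result is forwarded to an ESM. The Python script below is an added example written for this page, not SAP code: it parses a constructed profile fragment and reports the weak parameters next to a hardened version of the same fragment, flags USR02-style rows that still carry a BCODE hash or belong to a standard user, and shows the truncate-and-uppercase normalization that makes CODVN B so cheap to crack. The profile texts, the user rows, the hash strings and the default parameter values (taken as those of a NetWeaver 7.x ABAP kernel) are assumptions for illustration.

```python
"""
Added example (not SAP's code): evaluate the password-cracking indicators
listed above against an SAP profile fragment and USR02-style rows.
The profile texts, the user rows and the default parameter values are
constructed for illustration.
"""

# Standard users named on this page as shipping with publicly known passwords.
STANDARD_USERS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC", "TMSADM"}

# CODVN values whose stored hash set includes the downward-compatible BCODE
# hash (MD5-based, password uppercased and truncated to 8 characters).
# G stores B+F and I stores B+F+H, so the weak hash is present even when a
# strong PASSCODE or PWDSALTEDHASH value is stored next to it.
CODVN_WITH_BCODE = {"A", "B", "D", "E", "G", "I"}

# Assumed defaults of a NetWeaver 7.x ABAP kernel; confirm with RZ11 or RSPFPAR.
DEFAULTS = {
    "login/password_downwards_compatibility": "1",
    "login/min_password_lng": "6",
    "login/min_password_lowercase": "0",
}


def parse_profile(text):
    """Parse 'name = value' lines of a profile; lines starting with '#' are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def bcode_candidate(password):
    """The only part of a password the BCODE (CODVN B) hash covers: 8 chars, uppercased."""
    return password[:8].upper()


def profile_findings(params):
    """Indicator strings for weak profile parameters; an empty list means none found."""
    p = {**DEFAULTS, **params}
    findings = []
    dc = int(p["login/password_downwards_compatibility"])
    if dc >= 3:
        findings.append(f"password_downwards_compatibility={dc}: BCODE hash accepted at logon")
    elif dc >= 1:
        findings.append(f"password_downwards_compatibility={dc}: BCODE hash still stored, crackable offline")
    lng = int(p["login/min_password_lng"])
    if lng <= 8:
        findings.append(f"min_password_lng={lng}: passwords fit entirely in the 8-char BCODE window")
    if int(p["login/min_password_lowercase"]) <= 0:
        findings.append("min_password_lowercase=0: all-uppercase passwords allowed, BCODE uppercasing loses nothing")
    return findings


def usr02_findings(rows):
    """Flag USR02 rows that carry a BCODE hash or belong to a standard user."""
    findings = []
    for row in rows:
        user, codvn = row["BNAME"], row["CODVN"]
        if codvn in CODVN_WITH_BCODE or row.get("BCODE"):
            findings.append(f"{user}: CODVN {codvn}, weak BCODE hash present")
        if user in STANDARD_USERS:
            findings.append(f"{user}: standard user, confirm the default password was changed")
    return findings


# Constructed sample input (not taken from any real system).
WEAK_PROFILE = """
# downward-compatible hash accepted at logon and not logged
login/password_downwards_compatibility = 4
login/min_password_lng = 6
login/min_password_lowercase = 0
"""

HARDENED_PROFILE = """
# new hash algorithms only; BCODE is neither stored nor accepted
login/password_downwards_compatibility = 0
login/min_password_lng = 12
login/min_password_lowercase = 1
login/min_password_digits = 1
login/min_password_specials = 1
"""

SAMPLE_USR02 = [
    {"BNAME": "SAP*",   "CODVN": "B", "BCODE": "0F3F3A4B5C6D7E8F", "PASSCODE": ""},
    {"BNAME": "JSMITH", "CODVN": "I", "BCODE": "A1B2C3D4E5F60718", "PASSCODE": "F0" * 20},
    {"BNAME": "MWONG",  "CODVN": "H", "BCODE": "",                 "PASSCODE": ""},
]

if __name__ == "__main__":
    for label, text in (("weak profile", WEAK_PROFILE), ("hardened profile", HARDENED_PROFILE)):
        print(label, profile_findings(parse_profile(text)))
    print(usr02_findings(SAMPLE_USR02))
    # Two different passwords, one and the same BCODE search candidate:
    print(bcode_candidate("Secret123!"), bcode_candidate("secret12"))
```

Run as a script it prints the findings for both profiles, the flagged rows, and the pair of passwords that collapse to the same BCODE candidate. In practice the profile would come from RZ11 or report RSPFPAR output and the rows from a controlled USR02 extract, and each finding would be emitted as an event for the ESM to correlate with the behavioural indicators (unusual logon location or time, unexpected SE16 access).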
Attack class: Hardcoded user names
Indicators:
- SAP Security Notes contain hardcoded user name notifications
- Transaction SCI (Code Inspector) or report RS_ABAP_SOURCE_SCAN has not been run or reviewed in a while
Attack class: Malicious code in ABAP programs
Indicators:
- No security code reviews of custom ABAP code are performed
- Table REPOSRC (ABAP source repository) is not secured
- Table REPOSRC was modified
- DATA field (the compressed program source) was changed directly in table REPOSRC, e.g. by an UPDATE ... SET DATA statement
- PROGNAME field was changed in table REPOSRC
- DELETE FROM SAPSR3.REPOLOAD was executed (removes the compiled loads so that the modified source is regenerated)
- Programs behind transactions such as FK01 (Create Vendor), ME21 (Create Purchase Order), PA30 (Maintain HR Master Data) and FI12 (Change House Banks/Bank Accounts) were modified
- Vendor bank account information is changed
- Customer information is sent from the SAP system to a web server on the Internet
- SAP platform is connected to a SCADA system
- ABAP programs that receive the SCADA signal information were modified
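Report RS_ABAP_SOURCE_SCAN and the Code Inspector (transaction SCI) are the tools the hardcoded-user-name and malicious-ABAP indicators above assume. As an added illustration written for this page (not SAP's code and not a replacement for those tools), the Python scanner below looks for the patterns behind those two entries in a constructed ABAP program: comparisons of sy-uname or sy-mandt against literals, statements that write generated code into the repository (INSERT REPORT, GENERATE SUBROUTINE POOL) and the kernel call CALL 'SYSTEM'. The program text, its report and form names and the finding labels are assumptions for the example; the ABAP statements and system fields are real.

```python
"""
Added example (not SAP's code and not a replacement for RS_ABAP_SOURCE_SCAN or
the Code Inspector): scan ABAP source text for the patterns behind the
hardcoded-user-name and malicious-code indicators above.  The ABAP program
below is constructed for illustration.
"""
import re

# ABAP keywords and system fields are case-insensitive, hence re.I on every pattern.
PATTERNS = {
    "hardcoded user check":
        re.compile(r"\bsy-uname\s*(?:=|EQ|NE|<>)\s*'[^']*'", re.I),
    "hardcoded client check":
        re.compile(r"\bsy-mandt\s*(?:=|EQ|NE|<>)\s*'[^']*'", re.I),
    "program source written at runtime":
        re.compile(r"\b(?:INSERT\s+REPORT|GENERATE\s+SUBROUTINE\s+POOL)\b", re.I),
    "OS command via kernel call":
        re.compile(r"\bCALL\s+'SYSTEM'", re.I),
}


def strip_comments(line):
    """Remove '*' full-line comments and '"' trailing comments (outside string literals)."""
    if line.startswith("*"):
        return ""
    kept, in_string = [], False
    for ch in line:
        if ch == "'":
            in_string = not in_string
        elif ch == '"' and not in_string:
            break
        kept.append(ch)
    return "".join(kept)


def scan_abap(source):
    """Return (line number, finding, matched text) for every pattern hit in the source."""
    hits = []
    for number, raw in enumerate(source.splitlines(), 1):
        code = strip_comments(raw)
        for finding, pattern in PATTERNS.items():
            match = pattern.search(code)
            if match:
                hits.append((number, finding, match.group(0)))
    return hits


# Constructed program: a legitimate authority check followed by a user-name
# backdoor, a runtime code generator and a kernel call.  Lines beginning with
# '*' and '"' are ABAP comments and must not produce findings.
SAMPLE_ABAP = """\
REPORT zfi_payment_run.
* Legitimate authority check
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK' ID 'ACTVT' FIELD '02'.
IF sy-subrc <> 0.
  MESSAGE 'Not authorized' TYPE 'E'.
ENDIF.
" backdoor: skip bank validation for one named user in one client
IF sy-uname = 'ZDEV_TMP' AND sy-mandt = '100'.
  PERFORM skip_bank_validation.
ENDIF.
DATA lt_code TYPE TABLE OF string.
GENERATE SUBROUTINE POOL lt_code NAME DATA(lv_prog).
CALL 'SYSTEM' ID 'COMMAND' FIELD 'id'.
* sy-uname = 'IN_COMMENT' must not be reported
"""

if __name__ == "__main__":
    for number, finding, text in scan_abap(SAMPLE_ABAP):
        print(f"line {number}: {finding}: {text}")
```

The scanner deliberately ignores comment lines so that a reviewer's note quoting a user name does not raise a finding; everything it does report should be cross-checked against the REPOSRC change indicators above, since a backdoor inserted by editing REPOSRC directly leaves no transport or version-management trail.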
Attack class: Exploits in authenticated mode
Indicators:
- SAPMSYST (the logon screen program) was modified
- Transaction SE38 (ABAP Editor) is executed
Attack class: Invoker Servlet bypass
Indicators:
- Any servlet class located under WEB-INF/classes, WEB-INF/lib or WEB-INF/additionallib is called directly
- A servlet is called by its fully qualified class name via URL, e.g. http://sap-server/appname/servlet/com.company.privateServlet1Interface, which bypasses the deployment descriptor and the security constraints declared in it
- The "EnableInvokerServletGlobally" property of the servlet_jsp service on the server nodes is "true"
Attack class: Web access abuse
Indicators:
- The ICM returns one of the default Server headers:
    server: SAP Web Application Server (1.0;<VERSION>)
    server: SAP NetWeaver Application Server (1.0;<VERSION>)
    server: SAP NetWeaver Application Server / ABAP <VERSION>
    server: SAP NetWeaver Application Server <VERSION> / ICM <VERSION>
- The J2EE Engine returns one of the default Server headers:
    Server: SAP J2EE Engine/<VERSION>
    Server: SAP NetWeaver Application Server <VERSION> / AS Java <VERSION>
- ICM Server header is left at its default
- J2EE Engine banner is left at its default (property UseServerHeader)
- An erroneous service request (such as /scripts/wgate/inexistent/!) triggers the default error page (e.g. 403 or 404)
- The SAP Enterprise Portal on the J2EE Engine is reachable at the default path (/irj/portal)
- SAP EP exposes version information in the source code of the generated pages
Attack class: Unrestricted access to ICF services
Indicators:
- ICF service is enabled and public
- Standard users SAP*, DDIC, EARLYWATCH, SAPCPIC and TMSADM still have their publicly known default passwords
- Info service is enabled
- Info service was accessed through the /sap/public/info URL without business need
- SOAP RFC service is activated
- WebGUI service was accessed through the /sap/bc/gui/sap/its/webgui URL without business need
- Web Dispatcher administration interface (default path /sap/wdisp/admin) is reachable from untrusted networks
- Web Dispatcher administration interface (default path /sap/wdisp/admin) has a weak administrator password
- SAP J2EE Engine application wsnavigator is enabled
- SAP J2EE server accepts connections that bypass the reverse proxy or third-party authentication solution in front of it, so an HTTP request sent directly to the SAP server, such as
    GET /irj/portal HTTP/1.1
  carrying an AUTH_HEADER value spoofed to look as if it came from the third-party authentication solution, is accepted as authenticated
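The HTTP-layer indicators in the Invoker Servlet, Web access abuse and ICF service entries above are the easiest to turn into ESM rules, because they are visible in the ICM or J2EE access log and in response headers. The Python script below is an added example written for this page, not SAP code: it classifies constructed request records for the invoker-servlet call form, for access to the sensitive paths named above, and for the header-spoofing case (an identity header arriving from a source other than the reverse proxy), and it recognises the default Server banners. The proxy address 10.0.0.10, the header name AUTH_HEADER (the placeholder used on this page), the record layout, the client addresses and the version numbers in the banners are assumptions for the example.

```python
"""
Added example (not SAP's code): match the HTTP-layer indicators from the
Invoker Servlet, Web access abuse and ICF service entries above against
constructed request records and Server header values.
"""
import re

# Assumed address of the reverse proxy / third-party authentication box that
# is supposed to be the only source of requests carrying the identity header.
PROXY_ADDRS = {"10.0.0.10"}
# Placeholder header name used on this page for the proxy-set identity header.
AUTH_HEADER = "AUTH_HEADER"

# /<app>/servlet/<fully.qualified.ClassName>: the invoker-servlet call form.
INVOKER_RX = re.compile(r"^/[^/]+/servlet/[\w$]+(?:\.[\w$]+)+")

# Default ICM and J2EE Engine banners listed above.
DEFAULT_BANNER_RX = re.compile(
    r"^SAP (?:Web Application Server|NetWeaver Application Server|J2EE Engine)\b"
)

# ICF/J2EE paths from the indicator list that need a business justification.
SENSITIVE_PATHS = {
    "/sap/public/info": "Info service",
    "/sap/bc/soap/rfc": "SOAP RFC service",
    "/sap/bc/gui/sap/its/webgui": "WebGUI",
    "/sap/wdisp/admin": "Web Dispatcher admin interface",
    "/wsnavigator": "wsnavigator",
}


def is_default_banner(server_header):
    """True if a Server header value matches one of the default SAP banners."""
    return DEFAULT_BANNER_RX.match(server_header.strip()) is not None


def classify_request(rec):
    """Return indicator strings for one request record (src, method, path, headers)."""
    path = rec["path"].split("?", 1)[0]
    headers = {k.upper(): v for k, v in rec.get("headers", {}).items()}
    findings = []
    if INVOKER_RX.match(path):
        findings.append("invoker servlet call by fully qualified class name")
    for prefix, what in SENSITIVE_PATHS.items():
        if path == prefix or path.startswith(prefix + "/"):
            findings.append(f"access to {what} ({prefix})")
    if AUTH_HEADER in headers and rec["src"] not in PROXY_ADDRS:
        findings.append(f"{AUTH_HEADER} set by non-proxy source {rec['src']}: spoofing suspected")
    return findings


def scan_requests(records):
    """(record index, finding) pairs over a batch of records, ready for an ESM feed."""
    return [(i, f) for i, rec in enumerate(records) for f in classify_request(rec)]


# Constructed sample traffic (RFC 5737 documentation addresses, fictitious paths).
SAMPLE_REQUESTS = [
    {"src": "10.0.0.10", "method": "GET", "path": "/irj/portal",
     "headers": {"AUTH_HEADER": "jsmith"}},                       # via the proxy: fine
    {"src": "192.0.2.77", "method": "GET", "path": "/irj/portal",
     "headers": {"AUTH_HEADER": "Administrator"}},                # direct, spoofed header
    {"src": "192.0.2.77", "method": "GET",
     "path": "/appname/servlet/com.company.privateServlet1Interface", "headers": {}},
    {"src": "192.0.2.77", "method": "GET", "path": "/sap/public/info", "headers": {}},
    {"src": "10.0.0.10", "method": "GET", "path": "/sap/bc/gui/sap/its/webgui/", "headers": {}},
    {"src": "198.51.100.9", "method": "POST", "path": "/sap/bc/soap/rfc?sap-client=100",
     "headers": {}},
]

SAMPLE_BANNERS = [
    "SAP NetWeaver Application Server 7.40 / ICM 7.40",   # constructed version number
    "SAP J2EE Engine/7.00",
    "webserver",                                          # customized, non-default
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(hit)
    for banner in SAMPLE_BANNERS:
        print(banner, "->", "default banner" if is_default_banner(banner) else "customized")
```

The spoofing rule is the one to get right in the ESM: the identity header is only meaningful when the J2EE server is reachable solely through the proxy, so any request that carries it from another source address is the direct-connection case described above, whatever user name the header claims. Access to /sap/public/info or the SOAP RFC service from the proxy address is still reported, because the question there is business need, not source.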