A report called “SAP Security in figures - a global survey 2007-2011” has been published - the first public survey on SAP security vulnerabilities, metrics and threats.
The survey involved a TCP port scan made across the Internet which showed various critical services exposed by 5%-25% of companies (depending on the service) that run SAP. Their subnetworks were scanned in the framework of the survey.
One of the goals of the research was to dispel the myth that SAP systems are secured from hackers and are only available from the internal network.
While all the recommendations from SAP and consulting companies say that even internal access to unnecessary administrative services should be restricted, it was found that many companies configure their landscape improperly and expose critical services to the Internet.
In some cases, lack of knowledge is the reason, and sometimes companies want easy remote control, which is insecure.
For example, 212 SAP Routers were found in Germany which were created mainly to route access to internal SAP systems. SAP Routers themselves can have security misconfigurations but the real problem is that 8% of the companies also expose, for example, SAP Dispatcher services directly to the Internet, circumventing the SAP Router.
This service can be easily exploited by logging in with default credentials, or by exploiting some of the vulnerabilities that were patched by SAP in May, 2012 .
Also, 9% of the researched sample (which included 1000 companies that use SAP all over the world) expose the SAP Management console, which is vulnerable to unauthorized gathering of system parameters remotely from the Internet. Most of them are located in China (55%) and India (20%).
The report contains 40 pages of different metrics, as well as other findings such as:
- As of April 26, 2012, more than 2000 SAP Security notes have been published
- Most of the issues (69%) have high priority, which means that about 2/3 of the published vulnerabilities must be corrected quickly
- A total of 2677 unique servers with different SAP web applications was found on the Internet using Shodan Search
- 59% of them are vulnerable to information disclosure.
The original report containing detailed information, called “SAP Security in Figures - A Global Survey 2007-2011”, can be found here.