SAP security in figures

1. Invest in security to secure investments SAP Security in ﬁgures 2013 Alexander Polyakov CTO ERPScan

2. About ERPScan •  The only 360-‐degree SAP Security solu=on -‐ ERPScan Security Monitoring Suite for SAP •  Leader by the number of acknowledgements from SAP ( 150+ ) •  60+ presentaEons key security conferences worldwide •  25 Awards and nominaEons •  Research team -‐ 20 experts with experience in diﬀerent areas of security •  Headquarters in Palo Alto (US) and Amsterdam (EU) 2

3. Agenda •  SAP: Intro •  SAP: vulnerabili=es •  SAP: threats from the Internet •  Cri=cal SAP services •  Known incidents •  Future trends and predic=ons •  Conclusions 3

4. SAP •  The most popular business applica=on •  More than 240000 customers worldwide •  86% of Forbes 500 run SAP 4

5. Why SAP security? •  Espionage –  Stealing financial informa=on –  Stealing corporate secrets –  Stealing supplier and customer lists –  Stealing HR data •  Sabotage –  Denial of service –  Modifica=on of financial reports –  Access to technology network (SCADA) by trust rela=ons •  Fraud –  False transac=ons –  Modifica=on of master data 5

6. SAP Security SAP Vulnerabili=es 6

7. Security notes by year 0 100 200 300 400 500 600 700 800 900 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 More than 2600 in total 7

8. Security notes by criEcality 0 20 40 60 80 100 2012 2011 2010 2009 High priority vulnerabiliEes 0 2 4 6 8 10 12 2012 2011 2010 2009 Low priority vulnerabiliEes 0 200 400 600 800 1000 1200 1400 1600 1800 2000 1 -‐ HotNews 2 -‐ Correc=on with high priority 3 -‐ Correc=on with medium priority 4 -‐ Correc=on with low priority 6 -‐ Recommenda=ons/addi=onal info By the end of April 2013 8

9. Security notes by type 25% 22% 20% 9% 7% 5% 4% 4% 3% 1% Top 10 vulnerabiliEes by type 1 -‐ XSS 2 -‐ Missing authorisa=on check 3 -‐ Directory traversal 4 -‐ SQL Injec=on 5 -‐ Informa=on disclosure 6 -‐ Code injec=on 7 -‐ Unauthen=ca=on bypass 8 -‐ Hardcoded creden=als 9 -‐ Remore code execu=on 10 -‐ Verb tampering 9

10. Acknowledgments Number of vulnerabili=es found by external researchers: •  2010 -‐ 58 •  2011 -‐ 107 •  2012 -‐ 89 •  2013 -‐ 52 The record of vulnerabili1es found by external researchers was cracked in January 2013: 76% 0 10 20 30 40 50 60 70 2010 2011 2012 2013 Percentage of vulnerabiliEes found by external researchers: 10

11. Acknowledgments •  More interest from other companies * Number of vulnerabili1es that were sent to SAP but were rejected because they were already found before by other company of SAP internal code review. 0 1 2 3 4 5 6 7 2010 2011 2012 Number of already patched issues per year 11

12. SAP security talks at conferences 0 5 10 15 20 25 30 35 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 12

13. Talks about: •  Common: SAP Backdoors, SAP Rootkits, SAP Forensics •  Services: SAP Gateway, SAP Router, SAP NetWeaver, SAP GUI, SAP Portal, SAP Solu=on Manager, SAP TMS, SAP Management Console, SAP ICM/ITS •  Protocols: DIAG, RFC, SOAP (MMC), Message Server, P4 •  Languages: ABAP Buﬀer Overﬂow, ABAP SQL Injec=on, J2EE Verb Tampering, J2EE Invoker Servlet •  Overview: SAP Cyber-‐aiacks, Top 10 Interes=ng Issues, Myths about ERP Almost all every part of SAP was hacked 13

14. Top 5 SAP vulnerabiliEes 2012 1.  SAP NetWeaver DilbertMsg servlet SSRF (June) 2.  SAP HostControl command injec=on (May) 3.  SAP SDM Agent command injec=on (November) 4.  SAP Message Server buffer overflow (February) 5.  SAP DIAG buffer overflow (May) 14

15. SAP NetWeaver DilbertMsg servlet SSRF Espionage: CriEcal Sabotage: Cri=cal Fraud: Medium Availability: Anonymously through the Internet Ease of exploitaEon: Medium Future impact: High (New type of aiack) CVSSv2: 10 Advisory: hip://erpscan.com/advisories/dsecrg-‐12-‐036-‐sap-‐xi-‐ authen=ca=on-‐bypass/ Patch: Sap Note 1707494 Authors: Alexander Polyakov, Alexey Tyurin, Alexander Minozhenko (ERPScan) 15

16. SAP HostControl command injecEon Espionage: CriEcal Sabotage: Cri=cal Fraud: Cri=cal Availability: Anonymously through the Internet Ease of exploitaEon: Easy (a Metasploit module exists) Future impact: Low (Single issue) CVSSv2: 10 Advisory: hip://www.contex=s.com/research/blog/sap-‐parameter-‐ injec=on-‐no-‐space-‐arguments/ Patch: SAP note 1341333 Author: Contex=s 16

17. SAP J2EE ﬁle read/write Espionage: CriEcal Sabotage: Cri=cal Fraud: Cri=cal Availability: Anonymously Ease of exploitaEon: Medium Future impact: Low CVSSv2: 10 Advisory: hips://service.sap.com/sap/support/notes/1682613 Patch: SAP Note 1682613 Author: Juan Pablo 17

18. SAP Message Server buﬀer overﬂow Espionage: CriEcal Sabotage: Cri=cal Fraud: Cri=cal Availability: Anonymous Ease of exploitaEon: Medium. Good knowledge of exploit wri=ng for mul=ple plalorms is necessary CVSSv2: 10.0 Advisory: hip://www.zerodayini=a=ve.com/advisories/ZDI-‐12-‐112/ Patch: SAP Notes 1649840 and 1649838 Author: Mar=n Gallo 18

19. SAP DIAG Buﬀer overﬂow Espionage: CriEcal Sabotage: Cri=cal Fraud: Cri=cal Availability: Low. Trace must be on Ease of exploitaEon: Medium CVSSv2: 9.3 Advisory: hip://www.coresecurity.com/content/sap-‐netweaver-‐ dispatcher-‐mul=ple-‐vulnerabili=es Patch: SAP Note 1687910 Author: Mar=n Gallo 19

20. SAP Security SAP and Internet 20

21. SAP on the Internet •  Among people who work with SAP, a popular myth exists that SAP systems are inaccessible from the Internet, so all SAP vulnerabili=es can only be exploited by an insider. 21

22. SAP on the Internet •  Companies have SAP Portals, SAP SRMs, SAP CRMs remotely accessible •  Companies connect diﬀerent oﬃces (by SAP XI) •  Companies are connected to SAP (through SAP Router) •  SAP GUI users are connected to the Internet •  Administrators open management interfaces to the Internet for remote control Almost all business applicaEons have web access now 22

23. Google search for web-‐based SAPs •  As a result of the scan, 695 unique servers with diﬀerent SAP web applica=ons were found (14% more than in 2011) •  22% of previously found services were deleted •  35% growth in the number of new services 23

24. Google search by country 24 FINLAND RUSSIA AUSTRIA DENMARK MEXICO SPAIN KOREA NORWAY BELGIUM FRANCE CANADA BRAZIL SWITZERLAND ITALY NETHERLANDS CHINA UNITED KINGDOM INDIA GERMANY UNITED STATES 0 50 100 150 200 250 SAP web servers by country (Top 20)

25. Shodan scan 41% 34% 20% 6% SAP NetWeaver J2EE SAP NetWeaver ABAP SAP Web Applica=on Server Other (BusinessObjects,SAP Hos=ng, etc) 94% 72% 30% -‐20% -‐55% -‐80% -‐60% -‐40% -‐20% 0% 20% 40% 60% 80% 100% 120% Growth by applicaEon server A total of 3741 server with diﬀerent SAP web applicaEons were found 25

26. Shodan scan by country 0% 100% 200% 300% 400% 500% 600% MEXICA CHILE INDIA CHINA TAIWAN Growth of SAP web servers (Top 5) 0 500 1000 1500 AUSTRALIA TAIWAN CHILE MEXICO DENMARK NETHERLANDS TURKEY CANADA SWITZERLAND UNITED KINGDOM KOREA CHINA FRANCE BELGIUM BRAZIL SPAIN INDIA ITALY GERMANY UNITED STATES SAP web servers by country (Top 20) 26

27. Internet Census 2012 scan •  Not so legal project by Carna Botnet •  As the result 3326 IP’s with SAP Web applica=ons NO SSL 32% SSL 68% 27

28. SAP NetWeaver ABAP -‐ versions •  7.3 growth by 250% •  7.2 growth by 70% •  7.0 loss by 22% •  6.4 loss by 45% 35% 23% 19% 11% 6% 5% NetWeaver ABAP versions by popularity 7.0 EHP 0 (Nov 2005) 7.0 EHP 2 (Apr 2010) 7.0 EHP 1 (Oct 2008) 7.3 (Jun 2011) 6.2 (Dec 2003) 6.4 (Mar 2004) The most popular release (35%, previously 45%) is s=ll NetWeaver 7.0, and it was released in 2005! But security is gerng beier. 28

29. NetWeaver ABAP – informaEon disclosure •  Informa=on about the ABAP engine version can be easily found by reading an HTTP response •  Detailed info about the patch level can be obtained if the applica=on server is not securely conﬁgured •  An aiacker can get informa=on from some pages like /sap/ public/info 6% (was 59%) of servers s=ll have this issue 29

30. SAP NetWeaver ABAP – criEcal services •  Execute dangerous RFC func=ons using HTTP requests •  NetWeaver ABAP URL – /sap/bc/soap/rfc •  There are several cri=cal func=ons, such as: -  Read data from SAP tables -  Create SAP users -  Execute OS commands, Make ﬁnancial transac=ons, etc. •  By default, any user can have access to this interface and execute the RFC_PING command. So there are 2 main risks: -  If there is a default username and password, the aiacker can execute numerous dangerous RFC func=ons -  If a remote aiacker obtains any exis=ng user creden=als, they can execute a denial of service aiack with a malformed XML packet 6% (was 40%) of ABAP systems on the Internet have WebRFC service 30

31. SAP NetWeaver J2EE -‐ versions •  7.31 growth from 0 to 3% •  7.30 growth from 0 to 9% •  7.02 growth by 67% •  7.0 loss by 23% •  6.4 loss by 40% 44% 25% 10% 9% 9% 3% NetWeaver JAVA versions by popularity NetWeaver 7.00 NetWeaver 7.01 NetWeaver 7.02 NetWeaver 7.30 NetWeaver 6.40 NetWeaver 7.31 The most popular release (44%, previously 57%) is s=ll NetWeaver 7.0, and it was released in 2005! But security is gerng beier. 31

32. NetWeaver J2EE – informaEon disclosure •  Informa=on about the J2EE engine version can be easily found by reading an HTTP response. •  Detailed info about the patch level can be obtained if the applica=on server is not securely conﬁgured and allows an aiacker to get informa=on from some pages: –  /rep/build_info.jsp 26% (61% last year) –  /bcb/bcbadmSystemInfo.jsp 1.5% (17% last year) –  /AdapterFramework/version/version.jsp 2.7% (a new issue) 32

33. SAP NetWeaver J2EE – criEcal services •  NetWeaver J2EE URL: /ctc/ConﬁgTool (and 30 others) •  Can be exploited without authenEcaEon •  There are several cri=cal func=ons, such as: •  Create users •  Assign a role to a user •  Execute OS commands •  Remotely turn J2EE Engine on and oﬀ •  Was presented by us at BlackHat 2011 . It was found that 50% (was 61%) of J2EE systems on the Internet have the CTC service enabled. 33

34. From Internet to Intranet 34 SAP Security

35. * Some numbers are approximate (mostly less than in real world) due to the very high number of resources that needed to fully analyze internet for SAP services with detailed numbers. We use op1mized scan approach which will be described in whitepaper. 35 Disclaimer

36. SAP Router •  Special applica=on proxy •  Transfers requests from Internet to SAP (and not only) •  Can work through VPN or SNC •  Almost every company uses it for connec=ng to SAP to download updates •  Usually listens to port 3299 •  Internet accessible (Approximately 5000 IP’s ) •  hip://www.easymarketplace.de/saprouter.php Almost every third company have SAP router accessible from internet by default port. 36

37. SAP Router: known issues •  Absence of ACL – 15% –  Possible to proxy any request to any internal address •  Informa=on disclosure about internal systems – 19% –  Denial of service by specifying many connec=ons to any of the listed SAP servers –  Proxy requests to internal network if there is absence of ACL •  Insecure conﬁgura=on, authen=ca=on bypass – 5% •  Heap corrup=on vulnerability 37

38. Port scan results •  Are you sure that only the necessary SAP services are exposed to the Internet? •  We were not •  In 2011, we ran a global project to scan all of the Internet for SAP services •  It is not completely ﬁnished yet, but we have the results for the top 1000 companies •  We were shocked when we saw them ﬁrst 38

39. Port scan results 0 5 10 15 20 25 30 35 SAP HostControl SAP Dispatcher SAP MMC SAP Message Server hipd SAP Message Server SAP Router Exposed services 2011 Exposed services 2013 Listed services should not be accessible from the Internet 39

40. •  SAP HostControl is a service which allows remote control of SAP systems •  There are some func=ons that can be used remotely without authen=ca=on •  Issues: –  Read developer traces with passwords –  Remote command injec=on •  About every 120th (was 20th) company is vulnerable REMOTELY •  About 35% assessed systems locally 40 SAP HostControl service

41. •  SAP MMC allows remote control of SAP systems •  There are some func=ons that can be used remotely without authen=ca=on •  Issues: –  Read developer traces with passwords –  Read logs with JsessionIDs –  Read informa=on about parameters •  About every 40th (was 11th) company is vulnerable REMOTELY •  About 80% systems locally 41 SAP Management console

42. SAP Message Server •  SAP Message Server – load balancer for App servers •  Usually, this service is only available inside the company •  By default, the server is installed on the 36NN port •  Issue: –  Memory corrup=on –  Informa=on disclose –  Unauthorized service registra=on (MITM) •  About every 60th (was every 10th) company is vulnerable REMOTELY •  About 50% systems locally 42

43. SAP Message Server HTTP •  HTTP port of SAP Message Server •  Usually, this service is only available inside the company •  By default, the server is installed on the 81NN port •  Issue: unauthorized read of proﬁle parameters •  About every 60th (was every 10th) company is vulnerable REMOTELY •  About 90% systems locally 43

44. •  SAP Dispatcher -‐ client-‐server communica=ons •  It allows connec=ng to SAP NetWeaver using the SAP GUI applica=on through DIAG protocol •  Should not be available from the Internet in any way •  Issues: –  There are a lot of default users that can be used to connect and fully compromise the system remotely –  Also, there are memory corrup=on vulnerabili=es in Dispatcher •  About every 20th (was 6th) company is vulnerable REMOTELY 44 Sap Dispatcher service

45. But who actually tried to exploit it? 45

46. Known internal fraud incidents •  Exploit market interest •  Anonymous aiacks •  Insider aiacks •  Evil subcontractors and ABAP backdoors 46

47. Market Interest •  Whitehat buyers and sellers –  Companies like ZDI buy exploits for SAP –  Only in 2012 ZDI publish 5 cri=cal SAP issues •  Whitehat buyers and diﬀerent sellers –  Companies who trade 0-‐days say that there is interest from both sides •  Black market –  Anonymous aiack? –  Why not? 47

48. Market Interest 48

49. Anonymous ahack Now, it adds, “We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they...” Anonymous claims to have a “sweet 0day SAP exploit”, and the group intends to “sploit the hell out of it.” •  This attack has not been confirmed by the customer nor by the police authorities in Greece investigating the case. SAP does not have any indication that it happened. 49

50. Insider ahacks •  The Associa=on of Cer=ﬁed Fraud Examiners (ACFE) survey showed that U.S. organiza=ons lose an es=mated 7% of annual revenues to fraud. •  Real examples that we met: –  Salary modiﬁca=on –  Material management fraud –  Mistaken transac=ons 50

51. Evil subcontractors and ABAP Backdoors •  They exist! •  Some=mes it is possible to ﬁnd them 51

52. What had happened already? •  Autocad virus (Industrial espionage) –  hip://www.telegraph.co.uk/technology/news/9346734/ Espionage-‐virus-‐sent-‐blueprints-‐to-‐China.html •  Internet-‐Trading virus (Fraud) –  Ranbys modiﬁca=on for QUICK –  hip://www.welivesecurity.com/2012/12/19/win32spy-‐ ranbyus-‐modifying-‐java-‐code-‐in-‐rbs/ •  News resources hacking (Sabotage) –  hip://www.bloomberg.com/news/2013-‐04-‐23/dow-‐jones-‐ drops-‐recovers-‐ayer-‐false-‐report-‐on-‐ap-‐twiier-‐page.html 52

53. What can be Just imagine what could be done by breaking: •  One SAP system •  All SAP Systems of a company •  All SAP Systems on par=cular country •  Everything 53

54. SAP strategy in app security •  Now security is the number 1 priority for SAP •  Implemented own internal security process SDLC •  Security summits for internal teams •  Internal trainings with external researchers •  Strong partnership with research companies •  Investments in the automa=c and manual security assessment of new and old soyware 54

55. Future threads and predicEons •  Old issues are being patched, but a lot of new systems have vulnerabili=es •  Number of vulnerabili=es per year going down compared to 2010, but they are more cri=cal •  Number of companies who ﬁnd issues in SAP is growing •  S=ll there are many uncovered areas in SAP security •  SAP forensics can be a new research area because it is not easy to ﬁnd evidence now, even if it exists 55

56. Forensics as a new trend for 2013 •  If there are no aiacks, it doesn’t mean anything •  Companies don’t like to share informa=on about data compromise •  Companies don’t have ability to iden=fy aiack •  Only 10% of systems use security audit at SAP •  Only 2% of systems analyze them •  Only 1% do correla=on and deep analysis * Based on the assessment of over 250 servers of companies that allowed us to share results 56

57. Forensics as a new trend for 2013 •  ICM log icm/HTTP/logging_0 70% •  Security audit log in ABAP 10% •  Table access logging rec/client 4% •  Message Server log ms/audit 2% •  SAP Gateway access log 2% * Based on the assessment of over 250 servers of companies that allowed us to share results. 57

58. Conclusion •  -‐ The interest in SAP plalorm security has been growing exponen=ally, and not only among whitehats •  + SAP security in default conﬁgura=on is gerng much beier now •  -‐ SAP systems can become a target not only for direct aiacks (for example APT) but also for mass exploita=on •  + SAP invests money and resources in security, provides guidelines, and arranges conferences •  -‐ unfortunately, SAP users s=ll pay liile aien=on to SAP security •  + I hope that this talk and the report that will be published next month will prove useful in this area 58

59. Conclusion Issues are everywhere but the risks and price for mi=ga=on are diﬀerent 59

60. Conclusion I'd like to thank SAP Product Security Response Team for their great coopera1on to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the ﬁrst to see new aVacks and demos, follow us at @erpscan and aVend future presenta1ons: End of Оctober – Release of “SAP Security in Figures 2013” 60

61. Conclusion We devote aVen1on to the requirements of our customers and prospects, and constantly improve our product. If you presume that our scanner lacks a par1cular func1on, you can e-‐mail us or give us a call. We will be glad to consider your sugges1ons for the next releases or monthly updates. web: www.erpscan.com www.dsecrg.com e-‐mail: info@erpscan.com, sales@erpscan.com 61

SAP security in figures

Du liest eine Vorschau.

Hier ansehen

SAP security in figures

Weitere Verwandte Inhalte

Diashows für Sie (20)

Andere mochten auch (18)

Ähnlich wie SAP security in figures (20)

Aktuellste (20)

SAP security in figures