Slashdot Mirror


Vulnerable SAP Deployments Make Prime Attack Targets

wiredmikey writes "Using a combination of TCP scans and Google, security researchers found that nearly a quarter of the organizations running vulnerable versions of SAP are tempting fate by leaving them exposed to the Internet. This discovery, researchers from ERPScan say, dispels the myth that SAP systems are only available from the internal network, leading to the misconception that they are protected by design. By March 2012, there were more than 2,000 security advisories published by SAP. Of those, about 7% (124) have publicly available PoC (proof-of-concept) exploit code available to the public. Many of the issues discovered are related to poor configuration or poor deployment planning. For example, 212 SAP Routers were found in Germany, which were created mainly to route access to internal SAP systems. Another issue with the vulnerable and exposed SAP installations is that many of them run on Windows NT, creating a twin set of risks for the organization, as they have to contend with a bad SAP deployment and an unsupported OS that is full of security issues all by itself."

4 of 72 comments

  1. Re:Bad by drinkypoo · Score: 4, Funny

    I have no idea what the hell SAP is, but it sounds really dangerous.

    Not even SAP knows what SAP is, but if you have one of their salesdroids on site, they'll tell you it can do anything you ask them about...

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. Re:where can i download a trial version of SAP? by fuzzyfuzzyfungus · Score: 4, Funny

    I can't find it anywhere on the SAP site!

    If you think that a 'demo' is an executable you download, rather than something delivered by a besuited sales team, you might not be a potential customer...

  3. Re:Bad by Amouth · Score: 4, Funny

    It's easy

    S = Send
    A = Another
    P = Payment

    --
    '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  4. Answer - SAP wrapped in WCF fronted by SharePoint by axonis · Score: 3, Funny

    Having pretty good success wrapping Baby SAP, aka SAP Business One, in WCF (Windows Communication Foundation) through the SAP B1 DI API, then consuming the resulting WCF IIS service through BCS (Business Connectivity Services) in SharePoint 2010. Architecturally a very secure solution that's scalable to the cloud, i.e. SAP B1 on premise and SharePoint Online in the cloud, and it just works! Especially when you present the required business screens via Forms Server-based InfoPath forms and handle the business logic via WF (Workflow Foundation) SharePoint workflow ... Actually haven't seen anyone else do this and it's very elegant, I would recommend ... Obviously there is Duet Enterprise for the big SAP R3 version and SharePoint, but less common than B1.