Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vulnerable SAP Deployments Make Prime Attack Targets

Posted by timothy on from the don't-be-such-a-sap dept.

wiredmikey writes "Using a combination of TCP scans and Google, security researchers found that nearly a quarter of the organizations running vulnerable versions of SAP are tempting fate by leaving them exposed to the Internet. This discovery, researchers from ERPScan say, dispels the myth that SAP systems are only available from the internal network, leading to the misconception that they are protected by design. By March 2012, there were more than 2,000 security advisories published by SAP. Of those, about 7% (124) have publicly available PoC (proof-of-concept) exploit code available to the public. Many of the issues discovered are related to poor configuration or poor deployment planning. For example, 212 SAP Routers were found in Germany, which were created mainly to route access to internal SAP systems. Another issue with the vulnerable and exposed SAP installations is that many of them run on Windows NT, creating a twin set of risks for the organization, as they have to contend with a bad SAP deployment and unsupported OS that is full of security issues all by itself."

6 of 72 comments (clear)

  1. Re:Bad by drinkypoo · · Score: 4, Funny

    I have no idea what the hell SAP is, but it sounds really dangerous.

    Not even SAP knows what SAP is, but if you have one of their salesdroids on site, they'll tell you it can do anything you ask them about...

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. Re:where can i download a trial version of SAP? by fuzzyfuzzyfungus · · Score: 4, Funny

    I cant find it anywhere on the SAP site!

    If you think that a 'demo' is an executable you download, rather than something delivered by a besuited sales team, you might not be a potential customer...

  3. Re:Bad by Amouth · · Score: 4, Funny

    It's easy

    S = Send
    A = Another
    P = Payment

    --
    '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  4. Re:Windows NT?? Really? It's 2012! by Guy+Harris · · Score: 4, Insightful

    Having only grazed over the article, Windows NT is Microsoft's current flagship operating system. Windows NT 6.1 being their latest "stable" release marketed under the names Windows 7 and Windows Server 2008 R2

    But if they really meant "Windows NT" as in Windows NT 4.0, then I agree, that is pretty darn bad

    Given that the paper from ERPScan lists the OSes atop which SAP runs as "Windows NT", "AIX", "Linux", "SunOS", "HP-UX", and "OS/400", I suspect that when they say "Windows NT" they mean, as you suggest, "Windows NT the family of operating systems, older ones of which were sold under the name "Windows NT" and newer versions of which aren't", not "Windows NT 3.x and 4.0", i.e. Windows Server 20xx (and Windows 2000/XP/Vista/7, if anybody's running it on their desktop) are lumped under "Windows NT" (and Solaris N is lumped under "SunOS").

  5. Re:Bad by MtHuurne · · Score: 5, Insightful

    Indeed, it's one of those systems that is so expensive that its deployment has to be declared a success or the person who authorized it will be in trouble.

  6. SAP is horrible by Mabhatter · · Score: 4, Informative

    All the pieces and parts are hard enough to keep running on a good day. Thing takes weekly downtime just to cycle modules....even simple patches shut your business users out for hours. Upgrading your version and OS shuts your business down for a week just to properly test. Sure you can use Dev boxes an HA, but you have to have ALL the users PROVE IT WORKS. So you waste terrible amounts of their TIME the could be selling stuff!!

    And of course, SAP doesn't INSTALL anything THEMSELVES. You have to use some fly-by-night third party. So just like Microsoft, it's YOUR fault when you didn't include hiring an extra $1m per year in employees to run the thing and use all the "secret settings" after they all leave you.