Scores of Vulnerable SAP Deployments Uncovered

← Back to Stories (view on slashdot.org)

Scores of Vulnerable SAP Deployments Uncovered

Posted by Unknown on Monday June 17, 2013 @02:02PM from the double-your-paycheck dept.

mask.of.sanity writes "Hundreds of organizations have been detected running dangerously vulnerable versions of SAP that were more than seven years old and thousands more have placed their critical data at risk by exposing SAP applications to the public Internet. The new research found the SAP services were inadvertently made accessible thanks to a common misconception that SAP systems were not publicly-facing and remotely-accessible. The SAP services contained dangerous vulnerabilities which were since patched by the vendor but had not been applied."

31 of 118 comments (clear)

Min score:

Reason:

Sort:

I can explain by slashmydots · 2013-06-17 14:06 · Score: 5, Insightful

As head IT manager, I can definitely explain this. The company approves a software suite that's seemingly "perfect" for 150% the anticipated budget. They really couldn't afford it in the first place so they already cut the support and upgrade path subscription. Then they never approve the absurdly high renewal/upgrade cost the next year and the next year and the next year and tada, you've got an outdated, insecure piece of crap.
When you buy a software suite, make sure you have the money to support it in the long term! It's all about the TCO!
1. Re:I can explain by Scutter · 2013-06-17 14:31 · Score: 4, Insightful
  
  When it's all overhead, maintenance fees are a very attractive number for the budget-cut knife.
  
  --
  
  "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
2. Re:I can explain by sjwt · 2013-06-17 14:36 · Score: 4, Interesting
  
  I can also explain, having gone through a SAP implementation 2 years ago, we were still plagued with bugs that had fixes issued over 4 years ago..
  Seems they somehow didn't install fully patched updated modules, and with a yearly renewal.upgrade cost it all makes sense now.
  
  --
  You have 5 Moderator Points!
  Which Helpless Linux zealot/MS basher do you want to mod down today?
3. Re:I can explain by Flere+Imsaho · 2013-06-17 15:01 · Score: 5, Funny
  
  SAP - Send Another Payment, or, Sucks All Profit
  
  --
  It gripped her hand gently. 'Regret is for humans,' it said.
4. Re:I can explain by Anonymous Coward · 2013-06-17 15:12 · Score: 5, Funny
  
  Chuckle. I used to work at a place that gave all their database stuff to a SAP outside vendor, all their letters and form documents.
  One of the people who did interviewing later wanted one of his standard letters -- emailed as a PDF routinely -- to have yellow hilighting applied to an important sentence. He asked the vendor to make that change.
  The vendor came back with a proposed work order for six hours of programmer time at $200/hour to make that change.
  (My coworker printed that page, got a hilighter, hilighted the text, scanned it, and emailed that image thereafter.)
5. Re:I can explain by skovnymfe · 2013-06-17 20:01 · Score: 2
  
  When IT doesn't buy software, IT doesn't get to make sure it is bought correctly. And it's usually not IT that buys "business critical" applications like these. It's accountants and receptionists and such types that get hoodwinked, and then proceed to supersede any IT decision by going directly to the CFO, who uses his political pull to force IT to install the application and then fuhgeddaboudit.
6. Re:I can explain by Rich0 · 2013-06-17 22:47 · Score: 2
  
  One of the people who did interviewing later wanted one of his standard letters -- emailed as a PDF routinely -- to have yellow hilighting applied to an important sentence. He asked the vendor to make that change...The vendor came back with a proposed work order for six hours of programmer time at $200/hour to make that change.
  That seems awfully cheap, frankly. Maybe it was just the incremental cost to add it to an already-planned release.
  When you're messing with software at this scale 95% of the effort goes into making sure that you don't break it, and documentation. Changing the report file probably takes 5 minutes, and then the rest of the time is writing the requirements, reviewing the prototype, having a PM check that it was done on time, writing up the system/acceptance tests, testing that all the other 47 requirements for that report are still met, writing up the install script and updating the install package, scheduling the downtime for the upgrade, updating the servers (likely on a weekend - oh and don't forget you have to do it once for your test instance as well), etc.
  On large transactional systems I support we typically queue up requests for trivial changes like these until the report needs some major functional change, and then overhaul the report all at once. Otherwise you end up spending 98% of your money on overhead. There is no such thing as a simple change on a big system.
7. Re:I can explain by DarkOx · 2013-06-18 00:04 · Score: 2
  
  True but IT isn't usually able to evaluate the business requirements of something like an ERP package. You need a team with all the stake holds and they all need to be equal partners.
  What you usually happens though is IT gets invited to the meetings, usually isn't allowed to ask to many questions and is told to by some currently political powerful middle manager to just be quiet when the lowest bid contractors proposes some infrastructure build out missing all the really expensive but show stopping parts like SAN switches.
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
8. Re: I can explain by Anonymous Coward · 2013-06-18 01:38 · Score: 2, Interesting
  
  No, he's correct. My last position involved a few cases of "just diddling the format" (literally changing a configuration variable in code I had already written and formally tested - including third-party validation). This particular report was glanced at by the head of a commission, then placed on the Governor's desk. Needless to say, 6 hours would be very short for a formatting change - 40 hours (in house, with an additional 4-8 third party billable) would be much more realistic.
  Again, this is all for a "formatting" change. And required by state law.
Color me surprised... by Anonymous Coward · 2013-06-17 14:13 · Score: 4, Funny

I once heard SAP described as "The Germany's way of getting back at us for winning the war." I've spent my fair share of time beating SAP abomination into submission. I'll be glad if this makes organizations think twice before allowing this atrocity to sink its teeth into their business processes.
1. Re:Color me surprised... by phantomfive · 2013-06-17 15:57 · Score: 3, Funny
  
  I'm more interested by the fact that you think using angry words at an AC will accomplish anything......
  
  --
  "First they came for the slanderers and i said nothing."
2. Re:Color me surprised... by cusco · 2013-06-17 16:42 · Score: 4, Insightful
  
  If you ever have to deal with their software you'll eventually realize that they don't understand it either.
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
3. Re:Color me surprised... by Rich0 · 2013-06-17 22:53 · Score: 3, Insightful
  
  I think they're some sort of brokerage house that manages and markets buzzwords.
  ++
  They don't sell software - they sell a vision for your business. They don't sell it to anybody but the CEO.
  They're also a classical example of how the usual RFP process fails. If you give me a list of 500 arbitrary requirements and ask "can SAP do this?" the answer is almost certainly yes. Go ahead and put landing a man on the moon on that list of requirements and the answer still is yes. The problem is that in order to do even the most trivial functions your employees will be exposed to something that almost outdoes the airline industry in terms of arcanity. For various reasons you're not allowed to put on the RFP the question "can your system be operated by anybody other than an SAP developer without first training them to be an SAP developer?"
  This is a common failing in large systems. The only metric is checking all the boxes, so all the boxes get checked, and we don't even bother to deliver usability let alone try to measure it.
No problem. .. by jd2112 · 2013-06-17 14:16 · Score: 4, Insightful

Nothing that a multi-year multi-million dollar project doomed to run obscenely over budget and schedule can't fix.

--
Any insufficiently advanced magic is indistinguishable from technology.
Security and Market Dominance by Obscurity by Anonymous Coward · 2013-06-17 14:20 · Score: 3, Interesting

This might seem off topic, but SAP is perhaps unique among the major enterprise software vendors in making it intentionally difficult for someone to self-educate in their products without being a paying customer, and of course being a customer requires serious bucks. There's no "mySAP Express Edition" that I'm aware of, and I've actually bought a couple books on SAP (this was years ago) so I could at least get a grasp on what their software does, besides being "what large corporations run their businesses on". I threw them both out pretty quickly because they were useless.
So it could be that SAP was also banking on this tactic to stay below the radar of hackers. Well, as the slides point out, some of the bad guys are insiders and contractors who know all about SAP.
Contrast that with the products of Microsoft, Oracle, IBM, Red Hat, where there's lots of tutorials and express editions available for free, and 800-page books written by serious engineers available for reasonable prices.
1. Re:Security and Market Dominance by Obscurity by ToadProphet · 2013-06-17 15:00 · Score: 2
  
  Contrast that with the products of Microsoft, Oracle
  Apples to apples, I don't believe either of those companies provide an 'Express' version of the ERP software (Oracle/JDE/PeopleSoft/Dynamics AX/NAV). As an independent, it's always been frustrating to try to evaluate new releases from those vendors.
  
  --
  It's on America's tortured brow, That Mickey Mouse has grown up a cow
2. Re: Security and Market Dominance by Obscurity by Anonymous Coward · 2013-06-17 15:01 · Score: 2, Insightful
  
  I have worked for SAP as a senior software engineer for 7 years now, though well outside of our main product line. I don't even know what it is the company software actually does after doing a bit of searching. Whenever someone starts asking me what the company does I just give a vague "business logistics software" and leave it at that.
3. Re:Security and Market Dominance by Obscurity by atom1c · 2013-06-17 15:25 · Score: 2
  
  I don't believe either of those companies provide an 'Express' version of the ERP software...
  Tharr shur is. The entire Oracle stack is available in Developer and Trial forms; they only require 3x 6.8GB downloads but it's all there (see http://www.oracle.com/technetwork/indexes/downloads/index.html). The Microsoft Dynamics are available as part of TechNet and MSDN subscriptions -- if professional enough -- for trial purposes.
  The use-restricted versions (i.e. Express-equivalent) are very limited, however... but as an ISV or consultant, there's enough developer access to learn their wares if you gave it a solid 6+ months.
4. Re:Security and Market Dominance by Obscurity by Rob_Bryerton · 2013-06-17 16:54 · Score: 3, Informative
  
  ERP = Enterprise Resource Planning, a bad name for a general class of business software that does just about anything, from billing to shipping & receiving, warehouse automation, reporting, etc, etc. Basically a somewhat integrated suite of applications that tie all (or many) aspects of a business together, implementing business processes in software.
  
  Implementations typically run in timescales of years and millions of dollars, with teams of developers, DBAs, etc. The software suite is a canned solution that you then slightly (or vastly) modify to tailor to your business needs. ( My job as a systems & storage administrator at a major US-based snack food company has me managing the ~30 Linux servers that run our Oracle databases on the DB tier and Oracle EBusiness suite at the application tier, backed by all manner of storage arrays, NAS devices, FC SANs, load balancers, etc, etc. Fun stuff! )
  
  Think of it as Quicken, but on a very large scale.
5. Re:Security and Market Dominance by Obscurity by Nefarious+Wheel · 2013-06-17 17:28 · Score: 2
  
  Contrast that with the products of Microsoft, Oracle
  As an independent, it's always been frustrating to try to evaluate new releases from those vendors.
  I think that's also by design, to keep C-level business decisions from being influenced by criticism from the technically-astute tier. After all, these deals are often brokered at the golf course, where one's handicap is more relevant than platform or infrastructure culture.
  
  --
  Do not mock my vision of impractical footwear
6. Re:Security and Market Dominance by Obscurity by Rich0 · 2013-06-17 23:02 · Score: 2
  
  Who uses it?
  Anybody who hasn't figured out how to avoid it. Unfortunately that usually ends up being most of the company. At my workplace SAP does everything from payroll to expenses to customs.
  SAP's main advantage is in all its integration. That's about its only advantage. Any individual task done by SAP is usually better-done by something else which leads to endless frustration. The advantage it has is that if I want to get reimbursed for a drive to a meeting I can charge the money to a specific subtask of a project which is tied to an investment that was approved which is tied to the general ledger. If I bought an extra bag of pretzels which wasn't opened I could in theory still be reimbursed for it and then put it into inventory and then whatever project takes it out of inventory gets charged for the pretzels. Oh, and if somebody decided to mail that bag of pretzels to mexico the system would know exactly how much was paid for it and fill out the customs declaration appropriately.
  Of course, nobody actually does all of that, but those kinds of features do come in handy in actual manufacturing.
  The big push for ERP solutions came after Sarbanes-Oxley due to the demanded rigor on accounting. Previously it was spreadsheets all the way down and nothing ever added up (you can't keep 47,000 spreadsheets in sync no matter how hard you try).
  Personally, I avoid it like the plague.
So.... by wbr1 · 2013-06-17 14:31 · Score: 4, Funny

Their IT departments are full of saps?
ba-dum-dam
Thanks, I'll be here all night.

--
Silence is a state of mime.
1. Re:So.... by wbr1 · 2013-06-17 23:52 · Score: 2
  
  No, only the clean ones, so you're out.
  
  --
  Silence is a state of mime.
How do you explain by Anonymous Coward · 2013-06-17 14:37 · Score: 4, Insightful

And how do you, as head IT manager, explain why they are public facing? This is the sort of ineptitude that I expect from people running Linksys routers for firewalls and Mom & Pop shops. I expect more from the head IT manager at a company that spent a quarter of a million dollars on ERP licensing alone. It's one thing to claim training and upgrade budget cuts, but it's another thing entirely to open your firewall to insecure services.
The problem described in the article is far from a new issue. But, it is a problem that should not be occurring at the level of these enterprises.
SAP - I know what that means by boogahboogah · 2013-06-17 14:58 · Score: 2

It's German for 'Our hands in your wallet'
1. Re:SAP - I know what that means by PolygamousRanchKid+ · 2013-06-17 15:10 · Score: 3, Funny
  
  Scheiß aufs Privatleben!
  
  --
  Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
2. Re:SAP - I know what that means by bemymonkey · 2013-06-17 17:02 · Score: 3, Interesting
  
  As a German person, working in a German company that uses SAP... I couldn't agree more. It's a broken POS that has the tendency to break other applications (anything VB related) when installed or updated. Can't wait to be rid of that crap.
Re:Law should require transparency by Charliemopps · 2013-06-17 15:28 · Score: 2

That would violate one of the first fundamental laws of security. Despite what people on slashdot like to rant and rave about, many times being behind on updates has nothing to do with being cheap or lazy. Real networks are complicated... and often you have nested dependencies that force you into situations you'd rather not be in. Load Balancer A has a bug in it's newest OS update, so you can't upgrade to that unless you want to lose access to 4 of your biggest clients. So you have to wait 6 months for the patch to come down, meanwhile their older OS version is not compatible with the latest LDAP implementation so now you're out of date on your... yada yada yada...
Re:Law should require transparency by cusco · 2013-06-17 16:49 · Score: 4, Informative

Or my particular headache, you run a 24x7x365 enterprise app distributed across 18 different countries on every continent but Antarctica. We're two years behind on updates because we can't take the system down for an hour.

--
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
Corporate vs. Programmers. by Domini · 2013-06-17 23:36 · Score: 3, Interesting

I would say it is because SAP's programming environment is rife with business people and very few programmers. 95% of programmers I have worked with were B.A. students who heard that programming pays more, and SAP pays a lot more. I've been doing SAP ABAP for about 10 years on and off. I've worked in both services and product development and have worked in many different capacities, companies and countries.
My background is strong C++, having also worked at high frequency traders and other tech companies writing compilers and schedulers and network messaging systems. Never have I encountered anyone in SAP that would care about security... with the exception of a few BASIS consultants. People are so focused on their small part and fear to rock the boat that is causing it to be the monolithic behemoth it has become. ABAP is an awful excuse for a language that pretends to be a cool 4GL, and the SAP system itself is layer upon layer of bugs, unused code and inefficiencies. One can see a hint of a bright SAP developer here and there, but the way it was finished off suggested they cut costs before everything was full completed (WebDynpro, OO ... I'm looking at you.).
I worked as a contractor at a bank about 10 years ago. And highlighted the fact that their vendors being able to upload file all to a common directory as the same normal user and password was a huge security issue as well as a client confidentiality problem (as various clients/vendors could read each other's files)... but if I could wager a guess they did nothing about it at least for the time I was working there.
Then there is SAP's resource site (Sap Developer Network), where they are still trying to figure out how to have host aliases and SSO even work reliably. Every time you connect you get a different load balanced host with new host name. The site is a mess and is still struggling to even resemble Web 1.0.
But all this trouble and incompetence is what makes working in SAP a challenge and earns you the big bucks. Not to mention aggressive and plain rude clients sometimes. I prefer product development instead of contracting, that way I feel I can actually do something concrete to help people.
Re:Law should require transparency by dkf · 2013-06-18 04:34 · Score: 2

client never paid for planning though.
Then they get an unplanned catastrophic failure at some time in the future. Their call. Obviously their data and their service isn't actually very important to them.

--
"Little does he know, but there is no 'I' in 'Idiot'!"