Slashdot Mirror


Scores of Vulnerable SAP Deployments Uncovered

mask.of.sanity writes "Hundreds of organizations have been detected running dangerously vulnerable versions of SAP that were more than seven years old, and thousands more have placed their critical data at risk by exposing SAP applications to the public Internet. The new research found the SAP services were inadvertently made accessible thanks to a common misconception that SAP systems were not publicly facing and remotely accessible. The SAP services contained dangerous vulnerabilities for which the vendor had since released patches, but the patches had not been applied."


  1. I can explain by slashmydots · · Score: 5, Insightful

    As head IT manager, I can definitely explain this. The company approves a software suite that's seemingly "perfect" for 150% of the anticipated budget. They really couldn't afford it in the first place, so they already cut the support and upgrade path subscription. Then they never approve the absurdly high renewal/upgrade cost the next year and the next year and the next year and tada, you've got an outdated, insecure piece of crap.
    When you buy a software suite, make sure you have the money to support it in the long term! It's all about the TCO!

    1. Re:I can explain by Scutter · · Score: 4, Insightful

      When it's all overhead, maintenance fees are a very attractive number for the budget-cut knife.

      --

      "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
    2. Re:I can explain by sjwt · · Score: 4, Interesting

      I can also explain, having gone through an SAP implementation 2 years ago; we were still plagued with bugs that had fixes issued over 4 years ago.

      Seems they somehow didn't install fully patched, updated modules, and with a yearly renewal/upgrade cost it all makes sense now.

      --
      You have 5 Moderator Points!
      Which Helpless Linux zealot/MS basher do you want to mod down today?
    3. Re:I can explain by Flere+Imsaho · · Score: 5, Funny

      SAP - Send Another Payment, or, Sucks All Profit

      --
      It gripped her hand gently. 'Regret is for humans,' it said.
    4. Re:I can explain by Anonymous Coward · · Score: 5, Funny

      Chuckle. I used to work at a place that gave all their database stuff to a SAP outside vendor, all their letters and form documents.

      One of the people who did interviewing later wanted one of his standard letters -- emailed as a PDF routinely -- to have yellow highlighting applied to an important sentence. He asked the vendor to make that change.

      The vendor came back with a proposed work order for six hours of programmer time at $200/hour to make that change.

      (My coworker printed that page, got a highlighter, highlighted the text, scanned it, and emailed that image thereafter.)

  2. Color me surprised... by Anonymous Coward · · Score: 4, Funny

    I once heard SAP described as "Germany's way of getting back at us for winning the war." I've spent my fair share of time beating the SAP abomination into submission. I'll be glad if this makes organizations think twice before allowing this atrocity to sink its teeth into their business processes.

    1. Re:Color me surprised... by phantomfive · · Score: 3, Funny

      I'm more interested by the fact that you think using angry words at an AC will accomplish anything......

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Color me surprised... by cusco · · Score: 4, Insightful

      If you ever have to deal with their software you'll eventually realize that they don't understand it either.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    3. Re:Color me surprised... by Rich0 · · Score: 3, Insightful

      I think they're some sort of brokerage house that manages and markets buzzwords.

      ++

      They don't sell software - they sell a vision for your business. They don't sell it to anybody but the CEO.

      They're also a classical example of how the usual RFP process fails. If you give me a list of 500 arbitrary requirements and ask "can SAP do this?" the answer is almost certainly yes. Go ahead and put landing a man on the moon on that list of requirements and the answer still is yes. The problem is that in order to do even the most trivial functions your employees will be exposed to something that almost outdoes the airline industry in terms of arcanity. For various reasons you're not allowed to put on the RFP the question "can your system be operated by anybody other than an SAP developer without first training them to be an SAP developer?"

      This is a common failing in large systems. The only metric is checking all the boxes, so all the boxes get checked, and we don't even bother to deliver usability let alone try to measure it.

  3. No problem... by jd2112 · · Score: 4, Insightful

    Nothing that a multi-year multi-million dollar project doomed to run obscenely over budget and schedule can't fix.

    --
    Any insufficiently advanced magic is indistinguishable from technology.
  4. Security and Market Dominance by Obscurity by Anonymous Coward · · Score: 3, Interesting

    This might seem off topic, but SAP is perhaps unique among the major enterprise software vendors in making it intentionally difficult for someone to self-educate in their products without being a paying customer, and of course being a customer requires serious bucks. There's no "mySAP Express Edition" that I'm aware of, and I've actually bought a couple books on SAP (this was years ago) so I could at least get a grasp on what their software does, besides being "what large corporations run their businesses on". I threw them both out pretty quickly because they were useless.

    So it could be that SAP was also banking on this tactic to stay below the radar of hackers. Well, as the slides point out, some of the bad guys are insiders and contractors who know all about SAP.

    Contrast that with the products of Microsoft, Oracle, IBM, Red Hat, where there's lots of tutorials and express editions available for free, and 800-page books written by serious engineers available for reasonable prices.

    1. Re:Security and Market Dominance by Obscurity by Rob_Bryerton · · Score: 3, Informative

      ERP = Enterprise Resource Planning, a bad name for a general class of business software that does just about anything, from billing to shipping & receiving, warehouse automation, reporting, etc, etc. Basically a somewhat integrated suite of applications that tie all (or many) aspects of a business together, implementing business processes in software.

      Implementations typically run in timescales of years and millions of dollars, with teams of developers, DBAs, etc. The software suite is a canned solution that you then slightly (or vastly) modify to tailor to your business needs. ( My job as a systems & storage administrator at a major US-based snack food company has me managing the ~30 Linux servers that run our Oracle databases on the DB tier and Oracle EBusiness suite at the application tier, backed by all manner of storage arrays, NAS devices, FC SANs, load balancers, etc, etc. Fun stuff! )

      Think of it as Quicken, but on a very large scale.

  5. So.... by wbr1 · · Score: 4, Funny

    Their IT departments are full of saps?

    ba-dum-dam

    Thanks, I'll be here all night.

    --
    Silence is a state of mime.
  6. How do you explain by Anonymous Coward · · Score: 4, Insightful

    And how do you, as head IT manager, explain why they are public facing? This is the sort of ineptitude that I expect from people running Linksys routers for firewalls and Mom & Pop shops. I expect more from the head IT manager at a company that spent a quarter of a million dollars on ERP licensing alone. It's one thing to claim training and upgrade budget cuts, but it's another thing entirely to open your firewall to insecure services.

    The problem described in the article is far from a new issue. But, it is a problem that should not be occurring at the level of these enterprises.

  7. Re:SAP - I know what that means by PolygamousRanchKid+ · · Score: 3, Funny

    Scheiß aufs Privatleben! (To hell with private life!)

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  8. Re:Law should require transparency by cusco · · Score: 4, Informative

    Or my particular headache, you run a 24x7x365 enterprise app distributed across 18 different countries on every continent but Antarctica. We're two years behind on updates because we can't take the system down for an hour.

    --
    "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  9. Re:SAP - I know what that means by bemymonkey · · Score: 3, Interesting

    As a German person, working in a German company that uses SAP... I couldn't agree more. It's a broken POS that has the tendency to break other applications (anything VB related) when installed or updated. Can't wait to be rid of that crap.

  10. Corporate vs. Programmers. by Domini · · Score: 3, Interesting

    I would say it is because SAP's programming environment is rife with business people and very few programmers. 95% of programmers I have worked with were B.A. students who heard that programming pays more, and SAP pays a lot more. I've been doing SAP ABAP for about 10 years on and off. I've worked in both services and product development and have worked in many different capacities, companies and countries.

    My background is strong C++, having also worked at high frequency traders and other tech companies writing compilers and schedulers and network messaging systems. Never have I encountered anyone in SAP that would care about security... with the exception of a few BASIS consultants. People are so focused on their small part and fear to rock the boat that it is causing it to be the monolithic behemoth it has become. ABAP is an awful excuse for a language that pretends to be a cool 4GL, and the SAP system itself is layer upon layer of bugs, unused code and inefficiencies. One can see a hint of a bright SAP developer here and there, but the way it was finished off suggests they cut costs before everything was fully completed (WebDynpro, OO ... I'm looking at you.).

    I worked as a contractor at a bank about 10 years ago, and highlighted the fact that their vendors all being able to upload files to a common directory as the same normal user and password was a huge security issue as well as a client confidentiality problem (as various clients/vendors could read each other's files)... but if I had to wager a guess, they did nothing about it, at least for the time I was working there.

    Then there is SAP's resource site (SAP Developer Network), where they are still trying to figure out how to have host aliases and SSO even work reliably. Every time you connect you get a different load-balanced host with a new host name. The site is a mess and is still struggling to even resemble Web 1.0.

    But all this trouble and incompetence is what makes working in SAP a challenge and earns you the big bucks. Not to mention aggressive and plain rude clients sometimes. I prefer product development instead of contracting, that way I feel I can actually do something concrete to help people.