
12 YEARS OF SAP SECURITY IN FIGURES: A GLOBAL SURVEY 2001-2013

Authors: Alexander Polyakov, Alexey Tyurin
Other contributors: Kirill Nikitenkov, Evgeny Neyolov, Alina Oprisko, Dmitry Shimansky

Contents

Content ... 1
Disclaimer ... 3
1. Intro ... 4
1.1. Corporate security changes ... 5
2. Brief results ... 6
3. Vulnerability statistics ... 8
3.1. Number of SAP Security Notes ... 8
3.2. SAP Security Notes sorted by criticality ... 9
3.3. SAP Security Notes sorted by type ... 10
3.4. Number of acknowledgements to external researchers ... 12
3.5. Amount of publicly available information ... 15
3.6. Top 5 most valuable vulnerabilities in 2012 ... 17
4. Growing interest ... 21
4.1. Number of security reports in technical conferences ... 21
5. SAP on the Internet ... 23
5.1. Google search results by country ... 23
5.2. Shodan search results by country ... 25
5.3. Internet Census scan ... 28
5.4. PortScan search result by country ... 29
6. SAP versions ... 31
6.1. ABAP engine versions ... 31
6.2. J2EE engine versions ... 32
6.3. OS popularity for SAP ... 33
6.4. RDBMS popularity for SAP Backend ... 34
7. Critical services on the Internet ... 34
7.1. SAProuter ... 34
7.2. WebRFC service as part of NetWeaver ABAP ... 36
7.3. CTC service as part of NetWeaver J2EE ... 36
7.4. SAP Message Server HTTP ... 37
7.5. SAP Management Console ... 37
7.6. SAP Host Control ... 38
7.7. SAP Dispatcher service ... 38
8. Future predictions and trends ... 40
8.1. Internal threats ... 40
8.2. External threats ... 40
8.3. SAP forensics ... 41
8.4. What can happen? ... 42
8.4.1. Autocad virus ... 42
8.4.2. Internet-Trading virus ... 42
8.4.3. News resources hacking (Sabotage) ... 42
9. Conclusion ... 43
About ERPScan ... 44
About EAS-SEC ... 45
Project ... 45
Project mission ... 45
Links and future reading ... 46
Our contacts ... 50

www.erpscan.com www.eas-sec.org

Disclaimer

The partnership agreement and relationship between ERPScan and SAP prevent us from publishing detailed information about vulnerabilities before SAP releases a patch. This whitepaper only includes the details of those vulnerabilities that we have the right to publish as of the release date. However, additional examples of exploitation that prove the existence of the vulnerabilities are available in conference demos as well as at ERPScan.com [1].

Our SAP security surveys and research in other areas of SAP security do not end with this whitepaper. You can find the latest updates about the statistics of SAP services found on the Internet and other endeavors of the EAS-SEC project [2] at SAPScan.com [3].

The survey was conducted by ERPScan as part of its contribution to the EAS-SEC non-profit organization, which is focused on Enterprise Application Security awareness.

This document or any part of it cannot be reproduced in whole or in part without prior written permission of ERPScan. SAP AG is neither the author nor the publisher of this whitepaper and is not responsible for its content. ERPScan is not responsible for any damage that can be incurred by attempting to test the vulnerabilities described here. This publication contains references to SAP AG products. SAP NetWeaver and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany.

1. Intro

An ERP system is the heart of any large company. It enables all the critical business processes, from procurement, payment and transport to human resources management, product management and financial planning. All of the data stored in ERP systems is of great importance, and any illegal access can mean enormous losses, potentially leading to termination of business processes.

In 2012, according to the Association of Certified Fraud Examiners (ACFE), losses to internal fraud constituted 5% of yearly revenue on average [4]. Global fraud loss is estimated at more than $3.5 trillion for 2010-2012 [5]. Thus, a typical entity loses 5% of annual revenue to fraud. The average value for 4 years is 6%. That is why we decided to increase awareness in this area.

Losses to internal fraud constituted 6% of yearly revenue on average

The widespread myth that ERP security is limited to the SoD matrix has been dispelled lately and seems more like an ancient legend now. Within the last 7 years, SAP security experts have spoken a great deal about various attacks on SAP from the RFC interface, SAProuter, SAP WEB and SAP GUI client workstations [10]. Interest in the topic has been growing exponentially: in 2006, there was 1 report [6] on SAP at a technical conference dedicated to hacking and security, whereas in 2011 there were already more than 20 of them. In 2012, the popularity of the topic inspired more than 30 various reports, and by the middle of 2013, about 20 reports had been issued in only half a year. A variety of hack tools has been released that prove the possibility of SAP attacks [7], [8], [9].

According to the statistics of vulnerabilities found in business applications, more than 100 vulnerabilities were patched in SAP products in 2009, while the number grew to more than 500 in 2010. By August 2013, there were more than 2700 SAP Security Notes about vulnerabilities in various SAP components.

Most SAP vulnerabilities allow an unauthorized user to gain access to all critical business data, so it is necessary to consider the main attack vectors and the ways to secure those highly critical systems.

1.1. Corporate security changes

The development of corporate infrastructure tends to move from a decentralized model towards integration of business processes into united systems. Not long ago, a company would have several servers, including a mail server, a file server, a domain controller, etc. These functions have since been integrated into a united business application, resulting in more convenient access but also in a single point of failure.

Business applications and ERP systems store all of the critical corporate data, from financial reports and personal information to lists of contractors and corporate secrets. Such a system would be the main target of an insider or an external attacker, and their ultimate aim is nowhere near administrative access to the domain controller. Nevertheless, many information security officers are, unfortunately, scarcely informed about the security of business applications like SAP. Another problem is that the responsibility for security lies with the system owner rather than the CISO, and owners only answer to themselves. In the end, nobody is responsible for the security of the most critical system elements.

Less global problems are, for example:

- Lack of qualified specialists. SAP specialists in most companies see SAP security as the SoD matrix only, whereas CISOs hardly understand SAP threats, not to mention advanced tweaks.
- Great range of advanced configuration. There are more than 1000 parameters in the standard system configuration, plus a great range of advanced options, not to mention segregation of access rights to various objects like transactions, tables, RFC procedures etc. For example, the web interfaces for accessing the system alone can amount to several thousand. Securing a configuration of this scale can be hard even for a single system.
- Customizable configuration. No two SAP systems are alike because most parameters are customized for every client in one way or another. Furthermore, custom programs are developed, and their security has to be accounted for, too, in a complex assessment.

The purpose of this report is to provide a high-level overview of SAP security in figures so that the area is not just theoretically comprehensible but based on actual numbers and metrics, from the number of found issues and their popularity to the number of vulnerable systems, all acquired as a result of a global scan [3].

2. Brief results

Vulnerabilities

- Old issues are being patched, but a lot of new systems have vulnerabilities. SAP acquires new companies and invents new technologies faster than researchers analyze them.
- The number of vulnerabilities per year is going down compared to the peak in 2010, but they have become more critical. 69% of issues closed by SAP are marked as critical.
- The top 5 issues are more critical now than they were last year. Almost all of them have CVSS 10 (the highest rating).

Interest

- The number of companies which find issues in SAP is growing (2 times compared to the previous year), and the percentage of issues found with the help of external researchers is getting higher and higher.
- The interest in SAP platform security has been growing exponentially, and not only among whitehats. SAP systems can become a target both for direct attacks (e.g. APT) and for mass exploitation because a range of easily exploitable and widely installed services is accessible from the Internet.

Internet

- Almost 5000 SAProuters were found, and 85% of them are vulnerable to remote code execution.
- Almost 30% growth of web-based SAP solutions (90% growth of SAP Portal).
- Giant growth of the Latin American and Asian segment of web-based SAP systems.
- The most popular release (35%) is still NetWeaver 7.0, and it was released in 2005.
- One third of Internet-facing SAP web services do not use SSL at all.
- The number of internet-exposed services is 3-5 times lower (depending on the service) but still relevant.

Internal

- The number of internally exposed critical services and vulnerabilities is extremely big (30-95% depending on the service).
- Only 10% of systems have the security audit log enabled.
- Internal fraud and ABAP-specific backdoors are more likely now.

Defense

- SAP security in the default configuration is getting much better.
- [+] SAP invests money and resources in security, provides guidelines, and arranges conferences.

- [-] Unfortunately, SAP users still pay little attention to SAP security.

Predictions

- There are still a lot of uncovered areas in SAP security.
- SAP forensics can be a new research area because it is not easy to find evidence now, even if it exists.
- New types of cyber-weapons which target ERP systems can appear shortly.

3. Vulnerability statistics

The information about vulnerabilities in SAP sorted by their popularity, criticality and the affected systems is given here. The top 5 most valuable publicly known vulnerabilities are presented as well.

3.1. Number of SAP Security Notes

Every month on SAP Critical Patch Day (every second Tuesday), SAP releases one or more internal advisories called SAP Security Notes. Such an advisory usually contains information about one or more vulnerabilities found in SAP products or misconfigurations that bear some risk to SAP systems. The first SAP Security Note was published in 2001. In 2007, the number of published notes began to grow exponentially. As of September 1, 2013, 2718 SAP Security Notes have been published.

Figure 3.1-1: Number of SAP Security Notes per year (the data was collected on September 1, 2013, when a total of 2718 notes had been published)

During 2011, the approximate number of SAP Security Notes published every month on the Critical Patch Day was about 61. In 2012, this number decreased to 54 notes, and by the middle of 2013, it equaled 29 notes a month on average. In comparison to other software vendors, this is more than Microsoft, Oracle, or Cisco. Needless to say, just 4 years ago (2009) this number was much lower (approximately 6 times).

Figure 3.1-2: Average number of the Notes released every month, per year

From the two previous figures, you can conclude that the number of security notes has been going down a little since the peak in 2010. However, the number is still huge, and, as you will see in the following figures, the percentage of highly critical vulnerabilities is getting higher.

3.2. SAP Security Notes sorted by criticality

SAP has 5 different levels of criticality for published notes:

1. Hot News
2. Correction with high priority
3. Correction with medium priority
4. Correction with low priority
5. Recommendations/additional info

Most of the issues (69%) have high priority, which means that about 2/3 of the published vulnerabilities must be corrected quickly.

Figure 3.2-1: Number of SAP Security Notes, sorted by criticality level, compared: 2011 light, 2013 dark

Figure 3.2-2: Percentage of High priority vulnerabilities per year

Figure 3.2-3: Percentage of Low priority vulnerabilities per year

As you can see, the overall number of security vulnerabilities found in SAP is getting lower, but researchers have started to focus on critical vulnerabilities.

3.3. SAP Security Notes sorted by type

All published SAP Security Notes were analyzed by their popularity. The most popular types of issues are presented below.

Figure 3.3-1: SAP Security Notes, sorted by type

The 3 most common vulnerabilities cover 42% (was 41%) of all found issues. The top 10 issues cover 63% (was the same) of all issues. About 20% of found vulnerabilities are not included in the top 10 because a lot of unique issues exist in SAP systems. Some of them are available in our presentation called Top 10 most interesting SAP vulnerabilities and attacks [10].

In addition, we compared the SAP vulnerability lists for 2012 and 2013 and the OWASP Top 10 to see if there are any differences between web-based issues and business application issues and if there are any changes.

Vulnerability type          | Popularity in SAP till mid 2013 | till mid 2012 | till mid 2011 | Growth by percent | Place in CWE | Place in OWASP Top 10
----------------------------|---------------------------------|---------------|---------------|-------------------|--------------|----------------------
XSS                         | 1                               | 3 (+2)        | 2 (+1)        | 0.53              | 2            | 3
Missing authorization check | 2                               | 2             | 1 (-1)        | 0.28              | 3            | 7
Directory traversal         | 3                               | 1 (-2)        | 3             | 0.10              | 10           | 4
SQL injection               | 4                               | 4             | 4             | 0.05              | 4            | 1
Information disclosure      | 5                               | 5             | 6 (+1)        | 0.36              | 8            | 6
Code injection              | 6                               | 8 (+2)        | 8 (+2)        | 0.57              | 7            | 1
Authentication bypass       | 7                               | 6 (-1)        | 5 (-2)        | 0.18              | 3            | 2
Hardcoded credentials       | 8                               | 7 (-1)        | 7 (-1)        | 0.17              | N/A          | 2
Remote code execution       | 9                               | 9             | 9             | 0.13              | 1            | 1
Verb tampering              | 10                              | 10            | N/A           | 0.11              | N/A          | 7

As you can see, the situation has changed slightly. We can only guess at the core reason for those changes because many different factors can lead to them and the numbers may not be very representative. But here are some ideas.

The main factors which can influence those numbers are:

- The growing number of web-based applications and thus the growing number of web vulnerabilities.
- Enhancements in Static Code Analysis software, which show us that the number of issues which can be easily found using simple regular expressions is getting low. On the other hand, the number of issues that require more accurate static code analysis, including data flow, is getting high.

So, taking those things into account, we can conclude that:

- The growing number of XSS vulnerabilities is predictable due to the popularity of web-based applications, especially in the J2EE stack, and also due to the improvement of static code analysis.
- The falling number of directory traversal issues is predictable because they are easy to find and most of them have already been found before. Also, SAP has added some improvements and additional authorization checks for directory traversal issues in new releases.
- The growing number of code injection vulnerabilities is due to their high criticality and the fact that any injection flaws are easier to find with more advanced static code analysis tools. On the other hand, issues such as hardcoded credentials will be harder to find with every year precisely because they are very easy to find (i.e., most of them have already been found by simple regular expressions).

There are some areas which are different for WEB and ERP programming vulnerabilities. This situation is another proof that business applications need a different approach and different priorities when we talk about SDLC processes.
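To make the regex-versus-data-flow distinction above concrete, here is an added example (not ERPScan's tool or any code from the paper): a toy ABAP checker over a constructed snippet, where a regular expression is enough to flag a hard-coded password, but an OPEN DATASET sink fed through an intermediate variable and a dynamic WHERE clause are only caught by tracking data flow from PARAMETERS inputs. The taint rules (plain assignment and CONCATENATE ... INTO only), the sink list and the sample program are simplifying assumptions made for the demo.

```python
import re

# Constructed ABAP sample for the demo; not real SAP or customer code.
ABAP_SAMPLE = """\
REPORT z_demo.
PARAMETERS p_file TYPE string.
PARAMETERS p_matnr TYPE matnr.
DATA lv_path TYPE string.
DATA lv_where TYPE string.
DATA lv_pwd TYPE string.
lv_pwd = 'Secret123'.
lv_path = p_file.
OPEN DATASET lv_path FOR INPUT IN TEXT MODE ENCODING DEFAULT.
CONCATENATE 'MATNR = ''' p_matnr '''' INTO lv_where.
SELECT * FROM mara INTO TABLE lt_mara WHERE (lv_where).
OPEN DATASET '/usr/sap/trans/log.txt' FOR INPUT IN TEXT MODE ENCODING DEFAULT.
"""

# Pattern-only checks: a credential-looking variable assigned a string literal,
# and (naively) a screen parameter used directly as the OPEN DATASET file name.
HARDCODED_RE = re.compile(r"\b\w*(?:pwd|passwd|password)\w*\s*=\s*'[^']+'", re.I)
NAIVE_TRAVERSAL_RE = re.compile(r"\bOPEN\s+DATASET\s+p_\w+", re.I)


def statements(src):
    """Yield (line_no, statement), assuming one '.'-terminated statement per line."""
    for no, line in enumerate(src.splitlines(), 1):
        text = line.strip()
        if text.endswith("."):
            yield no, text[:-1].strip()


def scan_regex(src):
    """Regex-only scan: finds hard-coded credentials, misses indirect data flow."""
    hits = []
    for no, stmt in statements(src):
        if HARDCODED_RE.search(stmt):
            hits.append(("hardcoded credentials", no))
        if NAIVE_TRAVERSAL_RE.search(stmt):
            hits.append(("directory traversal", no))
    return hits


def scan_dataflow(src):
    """Toy taint tracking: PARAMETERS are sources; OPEN DATASET and a dynamic
    WHERE (var) clause are sinks. Taint propagates through '=' and
    CONCATENATE ... INTO; any other plain assignment clears it."""
    tainted = set()
    hits = []
    for no, stmt in statements(src):
        words = stmt.split()
        if not words:
            continue
        upper = [w.upper() for w in words]
        if upper[0] == "PARAMETERS":
            tainted.add(words[1].lower())
        elif len(words) >= 3 and words[1] == "=":
            if words[2].lower() in tainted:
                tainted.add(words[0].lower())
            else:
                tainted.discard(words[0].lower())
        elif upper[0] == "CONCATENATE" and "INTO" in upper:
            into = upper.index("INTO")
            if any(w.lower() in tainted for w in words[1:into]):
                tainted.add(words[into + 1].lower())
        elif upper[:2] == ["OPEN", "DATASET"]:
            if words[2].lower() in tainted:
                hits.append(("directory traversal", no))
        elif upper[0] == "SELECT":
            m = re.search(r"WHERE\s*\((\w+)\)", stmt, re.I)
            if m and m.group(1).lower() in tainted:
                hits.append(("SQL injection", no))
    return hits


if __name__ == "__main__":
    print("regex only:", scan_regex(ABAP_SAMPLE))
    print("data flow: ", scan_dataflow(ABAP_SAMPLE))
```

On the sample, the regex pass reports only the hard-coded password, while the data-flow pass reports the traversal and the dynamic SQL sink that the regex never sees.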
3.4. Number of acknowledgements to external researchers

In 2010, SAP decided to give acknowledgements to external security researchers for the vulnerabilities found in its products [11]. In the figure, you can see the number of vulnerabilities that were found by external researchers since 2010.

Figure 3.4-1: Number of vulnerabilities found by external researchers per year

In 2010, there were just 16 companies that had acknowledgements from SAP, but by the middle of 2013, we have counted 46 different companies and 3 researchers, which is almost 3 times more.

Figure 3.4-2: Number of companies acknowledged by SAP per year

External companies and researchers were acknowledged by SAP for helping to close 353 vulnerabilities in SAP products. Most companies were acknowledged for just one vulnerability, while ERPScan has almost a quarter of all acknowledgements, with 83 acknowledgements in total (much more than any other contributor).

The 80/20 rule works almost perfectly: 80% of vulnerabilities were found by 17.5% of companies.

Figure 3.4-3: Percentage of acknowledgements vs. number of companies

The ratio of vulnerabilities found by external researchers versus vulnerabilities found by SAP internally is growing, as is the number of external researchers.

Figure 3.4-4: Percentage of acknowledgements to external researchers per year

What else can be learned from the relationship of SAP with external researchers? Recently, we have been receiving more and more responses from SAP PSRT to our vulnerability reports saying that the issues have already been patched before. This can be due to two reasons, and each of them is good news for SAP users. Firstly, SAP AG itself has significantly improved its internal SDLC and vulnerability research, so some issues were already found by SAP. Secondly, two different researchers sometimes get credit for the same issue, which means that the number of researchers is going to increase.

The record share of bugs found by external researchers was set in January 2013: 76%.

Figure 3.4-5: Number of duplicated issues sent by ERPScan researchers per year

3.5. Amount of publicly available information

The most critical threat is connected to the vulnerabilities for which information about the methods of exploitation (detailed advisories, POC code and working exploits) is publicly available. Information was gathered from the three most popular sources:

Security Focus [12]. Detailed advisories, sometimes with POC code, can usually be found here. All the vulnerabilities published here have a high probability of exploitation. 149 vulnerability advisories (5.5% of all vulnerabilities) were found here (as of September 1).

Figure 3.5-1: Advisories per year from SecurityFocus

Exploit-DB [13]. Usually, exploit code that can be used 100% without any modification or additional knowledge of exploiting systems can be found here. All the vulnerabilities published here have a critical probability of exploitation. A total of 49 exploits (1.8% of all vulnerabilities) were found here (as of September 1).

Figure 3.5-2: Exploits per year from Exploit-DB

In the figure below, you can find vulnerabilities categorized by probability and ease of exploitation according to the amount of information available to hackers from public sources, as opposed to classified information from SAP Security Notes.

Figure 3.5-3: SAP vulnerabilities by probability and ease of exploitation, as of September 1, 2013

3.6. Top 5 most valuable vulnerabilities in 2012

Out of the many published vulnerabilities, we have chosen the top 5 with the most significant threats published in 2012:

- SAP NetWeaver J2EE DilbertMSG SSRF [14]
- SAP Host Control Code Injection [15]
- SAP NetWeaver J2EE File Read/Write [16]
- SAP Message Server Buffer Overflow [17]
- SAP Dispatcher DIAG protocol Buffer Overflow [18]

We chose 2 main factors among others to determine the most valuable issues disclosed in 2012:

- Accessibility. This is a major factor. It means whether it is possible to exploit a vulnerability from the Internet without user authorizations.
- Criticality. How critical the harm to the system will be.

1. SAP NetWeaver J2EE DilbertMSG SSRF

The vulnerability was found in the XML parser of the SAP NetWeaver J2EE engine. Actually, it is several vulnerabilities that lead to an SSRF (Server Side Request Forgery) attack, allowing an anonymous attacker from the Internet to send any TCP packet to any internal network and many other things like reading OS files, bypassing Message Server security, Denial of Service attacks and so on. This type of attack may not be as critical as the others presented below, but it opens a new type of issue, and similar problems can appear in the future.

Espionage: Critical
Sabotage: Critical
Fraud: Medium
Availability: Anonymously through the Internet
Ease of exploitation: Medium
Future impact: High (new type of attack)
CVSSv2: 7.3
Advisory: http://erpscan.com/advisories/dsecrg-12-036-sap-xi-authentication-bypass/
Patch: SAP Note 1707494
Author: Alexander Polyakov, Alexey Tyurin, Alexander Minozhenko (ERPScan)

2. SAP Host Control Code Injection

The vulnerability was found in the SAP Host Control service of the SAP NetWeaver ABAP engine, which listens on TCP port 1128 by default. This vulnerability allows an anonymous attacker to execute any OS command by injecting it into a SOAP packet. However, this vulnerability only works when SAP is installed on top of the MaxDB database. This issue took second place due to three factors: ease of exploitation, availability of an exploit on the Internet, and the huge number of SAP Host Control services exposed on the Internet.

Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymously through the Internet
Ease of exploitation: Easy (a Metasploit module exists)
Future impact: Low (single issue)
CVSSv2: 10
Advisory: http://www.contextis.com/research/blog/sap-parameter-injection-no-spacearguments/
Patch: SAP Note 1341333
Author: Contextis

3. SAP NetWeaver J2EE File Read/Write

This vulnerability was found in the SAP NetWeaver J2EE stack and allows an anonymous attacker to obtain read and write access to any file on the operating system. The criticality of this issue is 10 by CVSS. The only two facts which put this issue in third place are that the vulnerable service is available internally and that there is no public information about the details of exploiting this issue.

Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymously
Ease of exploitation: Medium
Future impact: Low
CVSSv2: 10
Advisory: https://service.sap.com/sap/support/notes/1682613
Patch: SAP Note 1682613
Author: Juan Pablo

4. SAP Message Server Buffer Overflow

A remote buffer overflow vulnerability with the ability to execute any code at OS level with the rights of the <SID>adm user was found in the SAP Message Server service. The vulnerability was sold to ZDI, and the criticality of this issue was marked as 10 by CVSS, which is the highest score. Another critical thing is that this service can also be exposed to the Internet, which will be detailed later.

Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymous
Ease of exploitation: Medium. Good knowledge of exploit writing for multiple platforms is necessary
CVSSv2: 10
Advisory: http://www.zerodayinitiative.com/advisories/zdi-12-112/
Patch: SAP Notes 1649840 and 1649838
Author: Martin Gallo

5. SAP Dispatcher DIAG protocol buffer overflow

SAP Dispatcher is the main service for SAP client-server communications. It allows connecting to SAP NetWeaver using the SAP GUI application through the DIAG protocol. Martin Gallo from Core Security found multiple buffer overflow vulnerabilities that can lead to denial of service attacks, and one of them also allows code execution [19]. The exploit code was published on May 9, and an unauthorized cybercriminal can exploit it without any rights. The good news is that this vulnerability only works when the DIAG trace is set to level 2 or 3, which is not the default value but a possible one anyway.

Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Low. Trace must be on
Ease of exploitation: Medium
CVSSv2: 9.3
Advisory: http://www.coresecurity.com/content/sap-netweaver-dispatchermultiple-vulnerabilities
Patch: SAP Note 1687910
Author: Martin Gallo

A GLOBAL SURVEY 2001 2013 4. Growing interest 4. Growing interest While most of the security trends and possible threats are focused on mobile, cloud, social networks and critical infrastructure which will potentially have threats in near future, there is a topic called ERP security and threats to those systems exist now. That s why the number of companies which are focused on ERP security and which sell software for its assessment is growing. So the number of security consulting companies that try to sell special consulting services for ERP security is growing as well. 4.1. Number of security reports in technical conferences Since 2006, SAP security begins to receive a lot of attention in technical security conferences like CanSecWest, BlackHat, HITB and others. There were also some talks that have SAP-related research in 2004 such as one from Phonoelit. Since 2010, this trend expands to other conferences; more and more companies and researchers begin to publish their research in the field of SAP security. In 2006 2009, talks were mostly focused on showing typical information security threats in SAP landscapes such as SAP web application security, SAP client-side security, SAP backdoors and Trojans. The last year discussions were focused on retrospective and defense areas like SAP Forensics. 
During almost 10 years of research, almost every part of SAP was somehow breached and almost every area was discussed in terms of security.

Since 2003, almost every part of SAP was somehow breached and almost every area was discussed at technical security conferences:

- Common: SAP Backdoors, SAP Rootkits, SAP Forensics
- Services: SAP Gateway, SAProuter, SAP NetWeaver, SAP GUI, SAP Portal, SAP Solution Manager, SAP TMS, SAP Management Console [20], SAP ICM/ITS
- Protocols: DIAG [19], RFC, SOAP (MMC), Message Server, P4 [25]
- Languages: ABAP Buffer Overflow [23], ABAP SQL Injection [24], J2EE Verb Tampering [25], J2EE Invoker Servlet [26] [29] [30]
- Overview: SAP Cyber-attacks, Top 10 Interesting Issues, Myths about ERP

www.erpscan.com www.eas-sec.org

Figure 4.1 1 Number of SAP security talks presented at different conferences by year*

*Data was collected from different conference websites as of August 15, 2013.

5. SAP on the Internet

Among many people who work with SAP, a popular myth is that SAP systems are inaccessible from the Internet, so all SAP vulnerabilities can only be exploited by an insider. Business applications are not only accessible internally; this myth comes from 10 years ago, when mainframes were prevalent. Business is changing and companies want to have their applications connected. They need to connect to departments worldwide, share data with clients via web portals, SRM and CRM systems, and get access from any place with mobile solutions.

- Companies have SAP Portals, SAP SRMs and SAP CRMs remotely accessible
- Companies connect different offices (which can be connected by SAP XI)
- Companies are connected to SAP (through SAProuter)
- SAP GUI users are connected to the Internet
- Administrators open management interfaces to the Internet for remote control
- Almost all business applications have web access now

This part of the report is intended to destroy the myth by showing how many companies make which services available for remote access, and how those services are vulnerable to the latest threats.

5.1. Google search results by country

These statistics were collected using well-known Google search requests [28].

Application server type    Search string
SAP NetWeaver ABAP         inurl:/SAP/BC/BSP
SAP NetWeaver J2EE         inurl:/irj/portal
SAP Business Objects       inurl:infoviewap

As a result of the scan, 695 (was 610) unique servers with different SAP web applications were found. This is 14 % more than in 2011, taking into account that 22 % of the services found in 2011 are no longer available while 35 % of the services are new. The J2EE server seems to be the most popular platform. Unfortunately, this server is more vulnerable than the ABAP engine, having at least 3 different vulnerabilities that can be exploited anonymously and give full access to the system.
On the other hand, the ABAP engine has numerous default users [32] that can be used by attackers. The SAP BusinessObjects server has both problems.

Application server             Number    %
SAP NetWeaver J2EE             268       44 %
SAP Web Application Server     163       27 %
SAP BusinessObjects            106       17 %
SAP NetWeaver ABAP             73        12 %

Figure 5.1 1 SAP application servers by type

Figure 5.1 2 SAP application servers by country (by Google search)

Figure 5.1 3 Overall number of SAP application servers found in Google, sorted by country (top 20)

5.2. Shodan search results by country

Another source which can help to find SAP web interfaces available on the Internet is www.shodanhq.com. The difference is that this service not only finds the applications which were crawled by web spiders but scans the whole Internet for port 80 (and others, too), and so can be used for finding more SAP systems.

A total of 3741 (was 2677) servers with different SAP web applications were found.

Figure 5.2 1 SAP application servers by type

The SAP NetWeaver J2EE platform is the most popular on the Internet, and it is still growing a lot. Compared with the previous year's ShodanHQ statistics, the number of Internet-located SAP Portals doubled during the previous year!

Figure 5.2 2 Growth by application server

Figure 5.1 3 SAP application servers by country (by ShodanHQ search)

Figure 5.2 4 Overall number of SAP application servers found in ShodanHQ, sorted by country (top 20)

Statistics gathered by country are very interesting, especially if we compare them with the previous year. They show us where the SAP market is growing: in Latam and Asia.

Figure 5.2 5 Growth of SAP web servers (Top 5)

5.3. Internet Census scan

This year, one interesting project was presented. It was done by an anonymous researcher using not so legal techniques, such as exploiting devices and making a worldwide scan of popular ports from them. It would have been great if this list had contained all ports, but unfortunately for us it is useful only for port 80. 3326 IP addresses with SAP web applications were found, which is close to the number that we got from Shodan. This data also gives us information about SSL usage. It turned out that almost one third of Internet-facing SAP applications don't use SSL, which is an extremely bad statistic.

Figure 5.3 1 Usage of SSL by SAP applications

5.4. PortScan search results by country

The most interesting and complex research was performed by scanning the Internet not only for web services but also for services which shouldn't be accessible from the Internet. At the first stage, this was performed with a simple algorithm which only scans the subnets of the servers that were found during the Google and ShodanHQ scans (about 1000 subnets in total). Many ports were found which are listened on by SAP applications, such as Message Server HTTP, SAP Gateway and SAPHostControl. During the scan, information about publicly available SAP services such as SAP Host Control, SAP Dispatcher, SAP Message Server and SAP Management Console was collected.

Figure 5.4 1 SAP application servers by country (by PortScan (Nmap) search)

In the picture, you will find the percentage of companies that expose their unnecessary SAP services to the Internet. The number of open ports will be updated online at sapscan.com [3], the official site of this project.

10 % of companies that use SAP expose critical services like Gateway or Dispatcher directly to the Internet, bypassing SAProuter security.

Figure 5.4 2 Percent of companies that expose critical SAP services to the Internet

6. SAP versions

We have checked the major versions of the ABAP and J2EE engines which were found on the Internet to understand the lifecycle of released products and to know which version is the most popular now. We have also checked the popularity of the OS and RDBMS which are used with SAP.

6.1. ABAP engine versions

ABAP versions were collected by connecting to the root of an application server and parsing the HTTP response. We also used an information disclosure vulnerability. Information about the SAP NetWeaver version can easily be found if the application is configured insecurely so that it allows an attacker to get information from the /sap/public/info URL. We were happy to note that, compared with the previous year, the number of Internet-facing systems with information disclosure vulnerabilities decreased greatly.

After scanning all the available SAP NetWeaver ABAP servers, it was found that 6 % (previously 59 %) of them are vulnerable to information disclosure.

The release version is vital for security. For example, the most powerful security options, like disabling access to all BSPs, are installed by default in EHP 2, and EHP 2 is only installed on 23 % (was 11 %) of all servers. This means that even if SAP cares about the security of their systems, the greater part of securing SAP systems lies with administrators. The most popular release (35 %, previously 45 %) is NetWeaver 7.0, released in 2005!

Figure 6.1 1 NetWeaver ABAP versions by popularity

If we compare those results with the previous year, we will see good changes, such as extremely high growth in the percentage of 7.3 and 7.2 releases, although the absolute growth, of course, is quite small compared with the overall number.

- 7.3 growth by 250 %
- 7.2 growth by 70 %
- 7.0 loss by 22 %
- 6.4 loss by 45 %

6.2. J2EE engine versions

Information about the version of the J2EE engine can easily be found by reading an HTTP response. However, detailed information about the patch level can be obtained if the application server is not securely configured and allows an attacker to get information from some pages. As an example, there are at least 3 pages that disclose information about the J2EE engine:

Page                                          Vulnerable
/rep/build_info.jsp [33]                      2.6 % (61 % last year)
/bcb/bcbadmsysteminfo.jsp [34]                1.5 % (17 % last year)
/AdapterFramework/version/version.jsp [35]    2.7 % (a new issue)

Detailed information about the major versions is presented below.

Figure 6.2 1 Percentage of NetWeaver JAVA versions by popularity

If we compare those results with the previous year, we will see good changes. New versions such as 7.31 and 7.3 appear with a total of 12 % of all servers. Detailed changes are here:

- 7.31 growth from 0 to 3 %

- 7.30 growth from 0 to 9 %
- 7.02 growth by 67 %
- 7.0 loss by 23 %
- 6.4 loss by 40 %

6.3. OS popularity for SAP

Using the /sap/public/info URL, it is possible to obtain information about OS versions for ABAP implementations. While analyzing the results gathered from Internet-facing SAP systems, we found that the most popular OSes are Windows NT (28 %) and AIX (25 %). According to our statistics from internal SAP assessments, *NIX systems are more popular in general, while Windows is more popular for Internet-facing SAP systems.

The most popular OSes for SAP are Windows NT (28 %) and AIX (25 %).

Figure 6.3 1 Percent of OS popularity for SAP

6.4. RDBMS popularity for SAP backend

The most popular RDBMS used as a backend for SAP is still Oracle, at 59 %. Other RDBMS systems are listed below.

Figure 6.4 1 Percent of RDBMS popularity for SAP backend

It should be mentioned that an Oracle RDBMS installed with SAP is vulnerable to a very dangerous attack in which authentication is bypassed and an unauthorized attacker obtains direct access to the database system without any authorizations, because of the improper use of the REMOTE_OS_AUTHENT parameter. It is a very old bug, first published in 2002, but still active [36].

7. Critical services on the Internet

Apart from the web interfaces that should be enabled on the Internet because of various business needs, such as SAP Portal, SAP SRM or SAP CRM solutions, there are some services that should not be available externally at all. Not only do they bring a potential risk, but they have real vulnerabilities and misconfigurations which are well-known and well-described in public resources. Of course, this is not the full list of critical SAP services, just the most popular ones.

The scan was performed across 1000 subnetworks of companies that use SAP worldwide. Services like SAP Dispatcher, SAP Message Server, SAP Host Control and more, presented on the slides, should not be open for connection through the Internet.

7.1. SAProuter

SAProuter is a special service which was made by SAP for a number of purposes, such as:

- Transferring requests from the Internet to SAP (and not only)
- Connecting SAP systems to each other in many locations

- Connecting systems of different companies, such as customers and partners

The main mission of this service is to get updates from SAP and remotely install them on SAP systems. It also provides access to EarlyWatch services, thus every company which uses SAP should install SAProuter. There are a number of ways to implement it, either by configuring VPN access to SAP or by remotely exposing the SAProuter service to the Internet on its port, which is 3299 by default and known to everybody. More details can be found at Easy Service Marketplace [37].

The analysis of all SAProuters that were found remotely enabled in 1000 companies showed that 99 SAProuters were enabled on the default port, i.e. approximately 10 % (was 32 %). This result was not enough for us, so we started another project intended to find out how many SAProuters are on the Internet in total. First of all, we were interested in understanding how many of them were vulnerable to existing issues as well as to a very critical heap overflow vulnerability that was found by researchers from the ERPScan team. The vulnerability allows getting full control of SAProuter with one TCP packet and thus obtaining access to the internal corporate network. This issue was closed in May 2013, and the details can be found in SAP Note 1820666. We decided to calculate the number of vulnerable SAProuters almost 6 months after the patch was released. Here are the results of the scan:

- There were about 4600 SAProuters on the whole Internet in total
- 15 % of the routers lacked an ACL. This can be used to:
  o Scan the internal network
  o If something is found during the scan, proxy any request to any internal address of an SAP or non-SAP system
- 19 % of routers have an information disclosure vulnerability related to internal systems.
  This can be used to:
  o Cause denial of service by specifying many connections to any of the listed SAP servers (there is a limit by default: only 3000 connections are possible)
  o Proxy any request to any internal address of an SAP or non-SAP system if there is no ACL
- 5 % of routers have an insecure configuration, an authentication bypass which can be used to configure the router remotely without authentication
- Finally, 85 % of routers are still vulnerable to the heap overflow issue that was closed almost half a year ago and can be used to break into the internal networks of about 4600 different companies around the world

There is also an additional SAP Note for SAProuter security: 1895350.

85 % of almost 5000 SAProuters on the Internet were found to be vulnerable.
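The "lacked ACL" and "proxy any request" findings above come down to the contents of a SAProuter's route permission table. The audit script below is an added example, not code from the report or from SAP: it assumes the saprouttab format (one rule per line: action, source host, destination host, destination service, optional password; P permits, D denies, S permits the SAP protocol only, K-prefixed variants are the SNC forms) and top-down first-match evaluation, and flags tables whose rules grant Internet-wide access, proxy arbitrary ports, or end without an explicit deny. The two sample tables are constructed.

```python
"""Audit a saprouttab (SAProuter permission table) for the two risks the report
counts: routers with no effective ACL, and routers that proxy arbitrary TCP
ports into the internal network.

Added example, not code from the ERPScan report. The rule format and the
first-match-wins evaluation order are my assumptions about SAProuter.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PERMIT_ACTIONS = {"P", "S", "KP", "KS", "KT"}   # assumed action keywords
DENY_ACTIONS = {"D", "KD"}


@dataclass
class Rule:
    lineno: int
    action: str
    source: str
    dest: str
    service: str
    password: str = ""

    def is_catch_all(self) -> bool:
        """True when the rule matches every source, destination and service."""
        return self.source == "*" and self.dest == "*" and self.service == "*"


def parse_saprouttab(text: str) -> List[Rule]:
    """Parse saprouttab text; '#' starts a comment and blank lines are skipped."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: expected '<action> <source> <dest> <service>'")
        action = parts[0].upper()
        if action not in PERMIT_ACTIONS | DENY_ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {parts[0]!r}")
        password = parts[4] if len(parts) > 4 else ""
        rules.append(Rule(lineno, action, parts[1], parts[2], parts[3], password))
    return rules


Finding = Tuple[int, str, str]  # (line number, finding code, explanation)


def audit_saprouttab(rules: List[Rule]) -> List[Finding]:
    """Return findings in table order; an empty list means no issue found."""
    findings: List[Finding] = []
    shadowing_line: Optional[int] = None  # first catch-all rule seen, if any
    for rule in rules:
        if shadowing_line is not None:
            # Under first-match evaluation nothing after a catch-all is ever used.
            findings.append((rule.lineno, "UNREACHABLE",
                             f"never evaluated: line {shadowing_line} already matches everything"))
            continue
        if rule.action in PERMIT_ACTIONS:
            if rule.source == "*" and rule.dest == "*":
                findings.append((rule.lineno, "PERMIT_ALL",
                                 "any client may reach any internal host (no ACL)"))
            elif rule.action in ("P", "KP") and rule.service == "*":
                findings.append((rule.lineno, "ANY_SERVICE",
                                 f"native proxy to every TCP port of {rule.dest}"))
        if rule.is_catch_all():
            shadowing_line = rule.lineno
    if not rules or not (rules[-1].action in DENY_ACTIONS and rules[-1].is_catch_all()):
        findings.append((rules[-1].lineno if rules else 0, "NO_FINAL_DENY",
                         "table does not end with an explicit 'D * * *'"))
    return findings


# Constructed sample: a router "without ACL" as counted in the report. The
# blanket permit on line 3 makes line 4 dead and exposes every internal host.
WEAK_SAPROUTTAB = """\
# support workstation (placeholder address) to the dev dispatcher, SAP protocol only
S 192.0.2.10 sapdev01 3200
P * * *
D * * *
"""

# Constructed sample of the same table with the blanket permit removed.
HARDENED_SAPROUTTAB = """\
S 192.0.2.10 sapdev01 3200
D * * *
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_SAPROUTTAB), ("hardened", HARDENED_SAPROUTTAB)):
        print(f"== {name} ==")
        for lineno, code, why in audit_saprouttab(parse_saprouttab(text)):
            print(f"  line {lineno}: {code}: {why}")
```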

7.2. WebRFC service as part of NetWeaver ABAP

WebRFC is a web service which is available by default in the SAP NetWeaver ABAP platform. It allows executing dangerous RFC functions using HTTP requests to the NetWeaver ABAP port and the URL /sap/bs/web/rfc. Among those functions, there are several critical ones, such as:

- Read data from SAP tables
- Create SAP users
- Execute OS commands
- Make financial transactions
- etc.

By default, any user can have access to this interface and execute the RFC_PING command by sending an XML packet. Other functions require additional authorizations. So there are 2 main risks:

- If there is a default username and password in the system, an attacker can execute numerous dangerous RFC functions, because default users have dangerous rights.
- If a remote attacker obtains any existing user's credentials, he can execute a denial of service attack on the server by sending the RFC_PING request with a malformed XML packet [38][39].

It was found that 6 % (was 40 %) of ABAP systems on the Internet have the WebRFC service enabled.

While we did not check if those systems had default passwords, according to different statistics obtained from our research and the research of our colleagues, about 95 % of systems have at least 1 default user account.

7.3. CTC service as part of NetWeaver J2EE

CTC is a web service which is installed by default on the NetWeaver J2EE engine. It allows managing the J2EE engine remotely. This is a web service that can be found by Google, and it often exists on SAP Portals. It is possible to execute such functions as:

- Create users
- Assign a role to a user
- Execute OS commands
- Remotely turn the J2EE Engine on and off

The researchers from ERPScan have presented a vulnerability [25] in this service which is called Verb Tampering. It allows bypassing authorization checks for remote access to the CTC service.
It means that anybody can remotely obtain full unauthorized access to all business-critical data located in the J2EE engine.

It was found that 50 % (61 %) of J2EE systems on the Internet have the CTC service enabled.

Unfortunately, this year the situation has not changed much: we have about half of all J2EE systems with CTC installed and available from the Internet, which is not good, and we still see some services which are vulnerable.

*While we did not scan those systems to find out whether they were vulnerable or not, according to our statistics from penetration tests, about 50 % of them are still vulnerable.

7.4. SAP Message Server HTTP

SAP Message Server HTTP is the HTTP port of the SAP Message Server service, which balances the load on SAP application servers. Usually this service is only available inside the company, but some implementations have been found that have external IP addresses, which is typically not needed for business processes and can lead to critical actions. By default, the server is installed on port 81NN, where NN is the system number [40].

One of the issues of SAP Message Server HTTP is the possibility to get the values of the configuration parameters of an SAP system remotely without authentication. This can be used for future attacks. During a sampling scan of 1000 subnetworks which are assigned to companies that use SAP, 29 Message Server HTTP systems were found to be available (last year there were 98).

Approximately 2 % (was 11 %) of companies expose Message Server HTTP to the Internet, which is potentially vulnerable to unauthorized remote gathering of system parameters.

7.5. SAP Management Console

SAP Management Console, or SAPControl, is a service which allows remote control of SAP systems. The main functions are remote start and stop, and they require knowledge of a username and password. Apart from the functions which require authentication, there are some functions that can be used remotely without authentication. Most of them allow reading different logs and traces and sometimes system parameters.
Those issues were well covered by Chris John Riley, an independent researcher [33]. A more prevalent danger that ERPScan researchers have found is the possibility to find JSESSIONID values in the log files [11]. JSESSIONID is the identifier by which HTTP sessions are controlled. One of the possible attacks is to insert this JSESSIONID into a browser cookie and get unauthorized access to a user's session. During the same scan as in the previous tests, it was found that 2 % of subnetworks have Management Console services open.

During our internal penetration tests, we see a much higher number of vulnerable services. Approximately 80 % of the 250 scanned servers of companies that decided to participate in the statistics were found to be vulnerable to this issue.

Approximately 2 % (was 9 %) of companies expose the SAP MMC service to the Internet, which is potentially vulnerable to unauthorized access to log files.

7.6. SAP Host Control

SAP Host Control is a service which allows remote control of SAP systems. This service can be installed manually on any host to remotely collect data from SAP systems. It usually works on TCP port 1128. The main functions require knowledge of a username and password. Apart from the functions which require authentication, there are some functions that can be used remotely without authentication. The first one is the ability to read developer traces without authentication. Those traces can store passwords or other interesting data. The second vulnerability is more dangerous and was already described in the list of top 5 vulnerabilities for 2012. The vulnerability allows remotely injecting an OS command and executing it on the server side [41].

During the same scan as in the previous tests, it was found that 0.6 % (while it was 2.6 % last year) of subnetworks have Management Console services open. Actually, this is quite a small number of systems, because this service is optional and installed manually. During our internal penetration tests, we saw a few more vulnerable services. Approximately 30 % of the 250 scanned servers of companies which decided to participate in the statistics were found to be vulnerable to this issue.

Approximately 1 % (was 2 %) of companies expose the SAP Host Control service to the Internet, which is potentially vulnerable to unauthorized access to log files.

7.7. SAP Dispatcher service

SAP Dispatcher is the main service for SAP client-server communications.
It allows connecting to SAP NetWeaver from the SAP GUI application through the DIAG protocol. The SAP Dispatcher port should not be available from the Internet directly, and even in the internal network only appropriate users or user networks must have access. Keep in mind that we are talking about the Dispatcher, not the Web Dispatcher, which of course should be available from the Internet. Nevertheless, during a brief scan of 1000 subnetworks, it was found that 0.6 % (while it was 15 % last year) of subnetworks have the Dispatcher service open.

Every 6th company is vulnerable to DoS attacks and unauthorized access with default passwords in SAP Dispatcher.

Why is it dangerous? First of all, this service allows a direct connection to an SAP system using SAP GUI, where all that an attacker needs is a valid username and password. There are numerous default passwords in SAP and, according to our penetration testing statistics, about 95 % of systems have default credentials. Another problem, which was found by Core Security and described in the top 5 SAP vulnerabilities for 2012, is that the SAP Dispatcher service has multiple buffer overflow vulnerabilities that can lead to denial of service, and one of them also allows code execution [42]. The exploit code was published on May 9, 2012, and an unauthorized cybercriminal can exploit it without any rights. The good news is that this vulnerability only works when the DIAG trace is set to level 2 or 3, which is not the default value but a possible one anyway. There can be other issues in this service, so it must be disabled for external access.

8. Future predictions and trends

While there are so many issues in SAP, we still don't see any HOT news about any company which was breached through a vulnerability in SAP. In November 2012, Infosecurity Magazine published a story about the Anonymous attack on the Finance Ministry of Greece, where an exploit was allegedly used on their SAP system, which led to a leak of critical internal documents. This information has no solid proof, and SAP AG has no indication that the attack actually happened, but the publication itself is a sign of interest in this topic.

UPD: When this report was already finished, our colleagues from an anti-virus company shared with us an example of a banking trojan. The latest version of this trojan has a function that checks whether an SAP GUI application is installed on the workstation. This is the first sign of a potential shift of interest to business applications. Details can be found in press releases [40].

The reason why we don't see much public information is that, first of all, nobody wants to share information about a breach, especially an internal one. External breaches related to ERP systems are mostly espionage, and thus they are not likely to be found (except the latest example [40]). Another reason, probably a shocking one, is that very few companies monitor activity and analyze log files. So how can you be sure that there is no breach when you can't see what is happening in your system and whether it has already been compromised?

8.1. Internal threats

Internal attacks made by insiders are more likely to happen now, and they are happening. According to ACFE research, losses to internal fraud constitute 6 % of yearly revenue on average. What else? 45 % of financial organizations have suffered fraud in the last 12 months, compared to 30 % in other industries (by a recent PwC survey [41]).
Cybercrime accounts for 38 % of economic crime incidents for financial services organizations and will only grow with the growth of the IT industry. We personally have seen a couple of examples of internal issues which can be categorized in 3 different areas: salary manipulations, material manipulations, and mistakes because of unnecessary rights.

8.2. External threats

Not only hacktivists but other large companies, too, can be interested in attacks on ERP, stealing corporate secrets, or executing DoS attacks on a competitor's infrastructure.

We spoke to some commercial organizations that sell and buy exploits for private and government companies (security intelligence services), and we were interested in whether there is a market for ERP exploits. They said that there is interest from both sides. Even well-known exploit-buying companies like ZDI buy SAP exploits and vulnerabilities; in 2012 alone, five exploits for SAP were sold to ZDI, and two of them are so critical that they appear in our list of the top 5 critical SAP issues for 2012. Also, there are forums that sell access to botnets with IP ranges of specific companies. Nowadays, large companies sometimes have more power than governments, so corporate wars are one of the possible scenarios, and business-critical systems can be the most useful targets.

8.3. SAP forensics

Few examples have been made public yet. In most cases, it is because very few organizations use at least something to monitor malicious activity, so even if their system was compromised, they are not ready for a forensic investigation and cannot expose the fact of compromise. Companies don't have the ability to identify an attack. Based on our assessment of over 250 servers of companies that allowed us to share results, we found quite scary results. It was found that only 10 % of systems use security audit in SAP, while only 2 % of those system logs are regularly analyzed. What is more, less than 1 % of companies do deep analysis and correlation of SAP security events. Taking into account those numbers, how can most of them be sure that there was no compromise of their systems? A more detailed review of the different log files which can be enabled gives the results listed below.

Figure 8.3 1 Percent of enabled logs

The strangely big difference between HTTP logs and other logs is explained by the fact that HTTP logging is enabled by default.
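Since HTTP logging is the one log that is on by default, the access log is the first place to check whether the disclosure and management URLs discussed in sections 6.1, 6.2, 7.2 and 7.3 are being reached from outside. The detection script below is an added example, not code from the report: it assumes the log is written in Common Log Format, the sample lines are constructed, and the /ctc/ path prefix for the CTC service is my assumption (the report names no path for it).

```python
"""Scan an SAP HTTP access log for hits on the URLs the report names as
information-disclosure or management interfaces, and summarize them by client.

Added example, not code from the ERPScan report. Assumes Common Log Format;
the log lines below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Path prefixes discussed in the report (keys are lower-case because paths are
# compared case-insensitively below) and what a successful answer reveals.
WATCHLIST: Dict[str, str] = {
    "/sap/public/info": "ABAP release and OS disclosure (sections 6.1, 6.3)",
    "/rep/build_info.jsp": "J2EE build info disclosure (section 6.2)",
    "/bcb/bcbadmsysteminfo.jsp": "J2EE system info disclosure (section 6.2)",
    "/adapterframework/version/version.jsp": "J2EE version disclosure (section 6.2)",
    "/sap/bs/web/rfc": "WebRFC interface, path as printed in section 7.2",
    "/ctc/": "CTC J2EE configuration service (section 7.3); prefix is an assumption",
}

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class LogEntry:
    ip: str
    user: str
    method: str
    path: str      # request target without the query string
    status: int


@dataclass
class Finding:
    ip: str
    code: str      # SUCCESS for a 2xx answer, FAILED for anything else
    path: str
    reason: str


def parse_clf(line: str) -> Optional[LogEntry]:
    """Parse one CLF line; returns None for lines that are not in that format."""
    m = CLF_RE.match(line)
    if not m:
        return None
    path = m.group("target").split("?", 1)[0]
    return LogEntry(m.group("ip"), m.group("user"), m.group("method"), path,
                    int(m.group("status")))


def classify(entry: LogEntry) -> Optional[Finding]:
    """Match the request path against the watchlist by case-insensitive prefix."""
    lowered = entry.path.lower()
    for prefix, reason in WATCHLIST.items():
        if lowered.startswith(prefix):
            code = "SUCCESS" if 200 <= entry.status < 300 else "FAILED"
            return Finding(entry.ip, code, entry.path, reason)
    return None


def scan_access_log(text: str) -> Tuple[List[Finding], int]:
    """Return watchlist hits in log order and the count of unparseable lines."""
    findings: List[Finding] = []
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_clf(line)
        if entry is None:
            skipped += 1
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings, skipped


def hits_by_client(findings: List[Finding]) -> Dict[str, int]:
    """Count watchlist hits per source address, which is what triage sorts by."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


# Constructed sample log (documentation-range addresses, no real system).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [15/Aug/2013:10:12:01 +0000] "GET /sap/public/info?sap-language=EN HTTP/1.1" 200 1932
203.0.113.7 - - [15/Aug/2013:10:12:05 +0000] "GET /rep/build_info.jsp HTTP/1.1" 200 512
198.51.100.23 - - [15/Aug/2013:10:13:40 +0000] "GET /irj/portal HTTP/1.1" 200 8800
203.0.113.7 - - [15/Aug/2013:10:14:02 +0000] "GET /ctc/ConfigServlet HTTP/1.1" 401 0
198.51.100.23 - jdoe [15/Aug/2013:10:15:11 +0000] "POST /sap/bs/web/rfc HTTP/1.1" 200 240
this line is not in CLF format
"""

if __name__ == "__main__":
    hits, bad = scan_access_log(SAMPLE_ACCESS_LOG)
    for h in hits:
        print(f"{h.ip:15} {h.code:7} {h.path:28} {h.reason}")
    print("hits per client:", hits_by_client(hits), "| unparsed lines:", bad)
```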

8.4. What can happen?

This report includes not only a review of the current state but also predictions, so we decided to look at the current situation and changes in terms of typical malware and tried to understand what can be done in the near future. We have found 3 different examples of recent malicious software and types of attack which can be the beginning of a new era of targeted attacks on corporations and their business applications.

8.4.1. AutoCAD virus

This example of industrial espionage is quite interesting. We think it is one of the first examples of a targeted industrial espionage attack focused on a particular action. According to research about this virus, it was made by Chinese actors to steal secret manufacturing documents. If we develop this idea, more target-focused viruses can be found which were made for stealing particular data from competitors. By knowing some SAP or other business application internals, it is not hard to make a virus which will, for example, target an SAP PLM system using a specific vulnerability and knowing where exactly this system stores relevant data [42].

8.4.2. Internet-trading virus

The next interesting example is the Ranbyus virus and its specific modification for the QUIK platform, which is created for stock management. This virus can commit fraud, but scarier is that if you manage to make it automatically do something like buying the same things, it will automatically show stock bears a signal to sell more, and finally it can cause a collapse. As for SAP, we all know that bank account numbers are stored in a specific table, and if there is a worm which modifies this data, there is a possibility to combine the power of a computer worm with fraud and finally get a significant money transfer [43].

8.4.3. News resource hacking (sabotage)

This example is also quite interesting and shows us how easy it can be to fool the market by reporting false news.
This idea can also be used by breaking an organization's SAP-based portal and putting wrong information there, thus leading to stock manipulation [44].

So, you have seen just a couple of scary scenarios which can be realized by breaking such critical software as SAP. You can imagine how dangerous it can be to get control of all SAP systems of one country.

9. Conclusion

Old issues are being patched, but a lot of new systems have vulnerabilities. The number of vulnerabilities per year is going down compared to 2010, but they are more critical. The number of companies who search for issues in SAP is growing, so we can conclude that interest in SAP platform security has been growing exponentially. And there are positive sides to that; for example, the latest SAP products are more secure by default.

Taking into account the growing number of vulnerabilities and the vast availability of SAP systems on the Internet, we predict that SAP systems can become a target not only for direct attacks (for example, APT) but also for mass exploitation using worms targeting one or more vulnerabilities. And while so many issues have already been closed, there are many more areas still not covered by researchers, where lots of vulnerabilities can be discovered.

We are working closely with the SAP Security Response Team on discovering and patching security issues, and SAP AG publishes security recommendations and guidelines showing administrators how to protect their systems from the most popular threats. This area has changed a lot during the last year, and SAP now invests many more resources in internal SDLC processes and internal security conferences. Unfortunately, like a year ago, the greater part of the mission still lies with administrators, who should enforce the security of their SAP systems by using guidelines, secure configuration, patch management, code review, and continuous monitoring.

Furthermore, we think that SAP forensics can be a new research area, because it is not easy to find evidence in as complex a log system as SAP has now, even if it exists. The more attacks are conducted on SAP systems, the higher the need will be for forensic investigation and continuous monitoring of SAP security.

About ERPScan

ERPScan is an award-winning innovative company founded in 2010, honored as the Most Innovative Security Company by Global Excellence Awards as well as Emerging Vendor by CRN, and the leading SAP AG partner in discovering and solving security vulnerabilities. ERPScan is engaged in ERP and business application security, particularly SAP, and the development of SAP system security monitoring, compliance, and cybercrime prevention software. Besides, the company renders consulting services for secure configuration, development, and implementation of SAP systems, which are used by SAP AG and Fortune 500 companies, and conducts comprehensive assessments and penetration testing of custom solutions.

Our flagship product is ERPScan Security Monitoring Suite for SAP: award-winning innovative software and the only solution on the market to assess and monitor 4 tiers of SAP security: vulnerability assessment, source code review, SoD conflicts, and SIEM/forensics. The software is successfully used by the largest companies from industries like oil and gas, nuclear, banking, logistics, and avionics, as well as by consulting companies. ERPScan is a unique product which enables conducting a complex security assessment and monitoring SAP security afterwards. ERPScan is an easily deployable solution which scans basic SAP security configuration in 5 minutes and several clicks. ERPScan was designed to work in enterprise systems and continuously monitor changes across multiple SAP systems. These features enable central management of SAP system security with minimal time and effort.
The company s expertise is based on research conducted by the ERPScan research subdivision which is engaged in vulnerability research and analysis of critical enterprise applications and gain multiple acknowledgments from biggest software vendors like SAP, Oracle, IBM, VMware, Adobe, HP, Kaspersky, Apache, and Alcatel for finding 350+ vulnerabilities in their solutions. ERPScan experts are frequent speakers in 40+ prime international conferences held in USA, Europe, CEMEA, and Asia, such as BlackHat, RSA, HITB, and Defcon. ERPScan researchers lead project EAS-SEC, which is focused on enterprise application security. ERPScan experts were interviewed by top media resources and specialized infosec sources worldwide such as Reuters, Yahoo news, CIO, PCWorld, DarkReading, Heise, Chinabyte. We have highly qualified experts in staff with experience in many different fields of security, from web applications and mobile/embedded to reverse engineering and ICS/SCADA systems, accumulating their experience to conduct research in SAP system security. 44

About EAS-SEC Project

EAS-SEC (formerly part of the global strategy group OWASP Projects) [45] is a non-profit worldwide organization focused on improving business application software security. EAS-SEC is a guide for people involved in the acquisition, design and implementation of large-scale applications, the so-called Enterprise Applications. Security of Enterprise Applications is one of the most discussed topics in the general area of application security. This is because such applications control the organization's resources, including funds, which may be lost as a result of any breach of security.

Project mission

The purpose of the EAS-SEC project, launched in 2010, is to raise awareness of business application and enterprise application security problems among users, administrators and developers, and also to create guidelines and tools to assess the security, secure set-up and secure development of enterprise applications. A general analysis of the main business applications was carried out, and the key security areas that require attention both during development and during implementation were collected. In addition, two studies were published: «SAP Security in figures for 2011» [46] and «The state of SAP security 2013: Vulnerabilities, threats and trends» [47]. The results of these reports have been presented at key conferences such as RSA and have been highlighted in the press [48].

EAS-SEC has a number of main objectives, on the basis of which subprojects are created:
1. Informing the wider public about security vulnerabilities in enterprise applications by releasing annual statistics of enterprise application security vulnerabilities. Subproject: Enterprise Business Application Vulnerability Statistics [49];
2. Helping companies that release software to improve the security of their solutions by providing tools for the Enterprise Business Application Security Vulnerability Testing Guide [50] subproject;
3. Developing free, extended tools for assessing the security of enterprise applications for the Enterprise Business Application Security Software [51] subproject;
4. Helping companies assess the security of their enterprise applications at the initial stages by providing tools for the Enterprise Business Application Security Implementation Assessment Guide [52] subproject.

Links and further reading

[1] "ERPScan, strategic SAP AG partner in security," [Online]. Available: http://erpscan.com/.
[2] "ASP- AS," [Online]. Available: http://eas-sec.org.
[3] "Worldwide Public statistics of SAP systems," [Online]. Available: http://sapscan.com/.
[4] "ACFE Report to the Nations," [Online]. Available: https://chapters.theiia.org/birmingham/documents/fraud Internal_Audit_IIA_6Sep2012.pdf.
[5] "ERPScan publications: SAP Security: attacking SAP clients," [Online]. Available: http://erpscan.com/publications/sap-security-attacking-sap-clients/.
[6] "CanSecWest conference report by Steve Lord, Mandalorian," [Online]. Available: cansecwest.com/slides06/csw06-lord.ppt.
[7] "ERPScan's SAP Pentesting Tool," [Online]. Available: http://erpscan.com/products/erpscan-pentesting-tool/.
[8] "ERPScan WEBXML Checker," [Online]. Available: http://erpscan.com/products/erpscan-webxml-checker/.
[9] "Sapyto SAP Penetration Testing Framework," [Online]. Available: cybsec.com/en/research/sapyto.php.
[10] "Top 10 most interesting SAP vulnerabilities and attacks," [Online]. Available: http://erpscan.com/wp-content/uploads/2012/06/top-10-most-interesting-vulnerabilities-and-attacks-in-sap-2012-infosecurity-kuwait.pdf.
[11] "Acknowledgments to Security Researchers," [Online]. Available: http://scn.sap.com/docs/doc-8218.
[12] "Vulnerability Database Security Focus," [Online]. Available: securityfocus.com.
[13] "Exploit Database by Offensive Security," [Online]. Available: http://exploit-db.com.
[14] "SAP NetWeaver J2EE DilbertMSG SSRF," [Online]. Available: http://erpscan.com/advisories/dsecrg-12-036-sap-xi-authentication-bypass/.
[15] "SAP Host Control Command injection," [Online]. Available: http://contextis.com/research/blog/sap-parameter-injection-no-space-arguments/.
[16] "SAP NetWeaver J2EE File Read/Write," [Online]. Available: https://service.sap.com/sap/support/notes/1682613.
[17] "SAP Message Server Buffer Overflow," [Online]. Available: http://www.zerodayinitiative.com/advisories/zdi-12-112/.
[18] "SAP Dispatcher Diag protocol Buffer Overflow," [Online]. Available: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities.
[19] "Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol," [Online]. Available: corelabs.coresecurity.com/index.php?module=wiki&action=attachment&type=publication&page=Uncovering_SAP_vulnerabilities_reversing_and_breaking_the_Diag_protocol&file=Slides.pdf.
[20] "SAP Management Console Information Disclosure," [Online]. Available: http://www.onapsis.com/get.php?resid=adv_onapsis-2011-002.
[21] "Systems Applications Proxy Pwnage," [Online]. Available: http://www.sensepost.com/cms/resources/labs/tools/poc/sapcap/44con_2011_release.pdf.
[22] "Architecture and program vulnerabilities in SAP's J2EE engine," [Online]. Available: http://erpscan.com/wp-content/uploads/2011/08/a-crushing-blow-at-the-heart-sap-j2ee-engine_whitepaper.pdf.
[23] "The ABAP Underverse," [Online]. Available: http://virtualforge.com/tl_files/theme/whitepapers/blackhat_eu_2011_wiegenstein_the_abap_Underverse-WP.pdf.
[24] "SQL Injection with ABAP," [Online]. Available: http://virtualforge.com/tl_files/theme/presentations/hitb2011.pdf.
[25] "SAP NetWeaver Authentication bypass (Verb Tampering)," [Online]. Available: http://erpscan.com/advisories/dsecrg-11-041-sap-netweaver-authentication-bypass-verb-tampering/.
[26] "Invoker Servlet," [Online]. Available: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/bb/f2b9d88ba4e8459e5a69cb513597ec/frameset.htm.
[27] "PROTECTING JAVA AND ABAP BASED SAP APPLICATIONS AGAINST COMMON ATTACKS," [Online]. Available: http://virtualforge.com/tl_files/theme/whitepapers/201106_sap_security_recommendations_protecting_java_abap.pdf.
[28] "SAP Infrastructure security internals: Google and Shodan hacking for SAP," [Online]. Available: http://erpscan.com/press-center/blog/sap-infrastructure-security-internals-google-and-shodan-hacking-for-sap/.
[29] "SAP Application Server Security essentials: default passwords," [Online]. Available: http://erpscan.com/press-center/blog/sap-application-server-security-essentials-default-passwords/.
[30] "SAP NetWeaver SLD Information Disclosure," [Online]. Available: http://erpscan.com/advisories/dsecrg-11-023-sap-netweaver-sld-information-disclosure/.
[31] "NetWeaver BCB Missing Authorization / Information disclosure," [Online]. Available: http://erpscan.com/advisories/dsecrg-11-027-netweaver-bcb-%e2%80%93-missing-authorization-information-disclosure/.
[32] "SAP NetWeaver AdapterFramework information disclosure," [Online]. Available: http://erpscan.com/advisories/dsecrg-12-050-sap-netweaver-adapterframework-information-disclosure/.
[33] "ops$ mechanism," [Online]. Available: http://scn.sap.com/community/oracle/blog/2012/10/15/sunset-for-ops-mechanism-no-more-supported-by-oracle-not-used-by-sap.
[34] "Easy Service Marketplace," [Online]. Available: http://www.easymarketplace.de/saprouter.php.
[35] "SAP NetWeaver SOAP RFC Denial of Service / Integer overflow," [Online]. Available: http://erpscan.com/advisories/dsecrg-11-029-sap-netweaver-soap-rfc-%e2%80%93-denial-of-service-integer-overflow/.
[36] "SAP Netweaver XRFC Stack Overflow," [Online]. Available: http://erpscan.com/advisories/dsecrg-10-005-sap-netweaver-xrfc-%e2%80%94-stack-overflow/.
[37] "TCP/IP Ports Used by SAP Applications," [Online]. Available: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/4e515a43-0e01-0010-2da1-9bcc452c280b?quicklink=index&overridelayout=true&42472931642836.
[38] "Scrubbing SAP clean with SOAP," [Online]. Available: http://www.slideshare.net/chrisjohnriley/sap-insecurity-scrubbing-sap-clean-with-soap.
[39] "CORE Labs Discovery of Six Vulnerabilities within SAP Netweaver," [Online]. Available: http://blog.coresecurity.com/2012/05/09/core-labs-discovery-of-six-vulnerabilities-within-sap-netweaver/.
[40] "New malware variant suggests cybercriminals targeting SAP users," [Online]. Available: http://www.computerworld.com/s/article/9243727/new_malware_variant_suggests_cybercriminals_targeting_sap_users.
[41] "Fighting Economic Crime in the Financial Services sector," [Online]. Available: http://docs.media.bitpipe.com/io_10x/io_102267/item_485936/economic%20crime%20in%20fs%20sector.pdf.
[42] "Espionage virus sent blueprints to China," [Online]. Available: http://www.telegraph.co.uk/technology/news/9346734/espionage-virus-sent-blueprints-to-China.html.
[43] "Win32/Spy.Ranbyus modifying Java code in RBS Ukraine systems," [Online]. Available: http://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/.
[44] "Associated Press Twitter Account Hacked in Market-Moving Attack," [Online]. Available: http://www.bloomberg.com/news/2013-04-23/dow-jones-drops-recovers-after-false-report-on-ap-twitter-page.html.
[45] "The Open Web Application Security Project (OWASP)," [Online]. Available: https://www.owasp.org/index.php/main_page.
[46] "SAP Security In Figures: A Global Survey 2007-2011," [Online]. Available: http://erpscan.com/publications/sap-security-in-figures-a-global-survey-2007-2011/.
[47] "The state of SAP security 2013: Vulnerabilities, threats and trends," [Online]. Available: http://www.rsaconference.com/writable/presentations/file_upload/das-t03_final.pdf.
[48] G. Burton, "Companies exposed to attack by out-of-date SAP applications," [Online]. Available: http://www.computing.co.uk/ctg/news/2275640/companies-exposed-to-attack-by-outofdate-sap-applications.
[49] "Enterprise Business Application Vulnerability Statistics," [Online]. Available: https://www.owasp.org/index.php/enterprise_business_application_vulnerability_statistics.
[50] "Enterprise Business Application Security Vulnerability Testing Guide," [Online]. Available: https://www.owasp.org/index.php/enterprise_business_application_security_vulnerability_testing_guide_v1.
[51] "Enterprise Business Application Security Software," [Online]. Available: https://www.owasp.org/index.php/enterprise_business_application_security_software.
[52] "Enterprise Business Application Security Implementation Assessment Guide," [Online]. Available: https://www.owasp.org/index.php/enterprise_business_application_security_implementation_assessment_guide.
[53] "As economy falters, employee theft on the rise," [Online]. Available: http://www.lasvegassun.com/news/2009/nov/06/managing-fraud-lesson-recession/.
[54] "Common Vulnerabilities and Exposures," [Online]. Available: http://cve.mitre.org.
[55] "US National Vulnerability Database," [Online]. Available: http://web.nvd.nist.gov/.
[56] "The ERP Security Challenge," [Online]. Available: http://www.cio.com/article/216940/the_erp_security_challenge.

Our contacts

E-mail: info@erpscan.com
PR: press@erpscan.com
Web: www.erpscan.com