June 19, 2013, 2:31 PM — SAP has significantly improved the security of its products over the past few years but many of its customers are negligent with their deployments, which exposes them to potential attacks that could cripple their businesses, according to security researchers.
The biggest issue is that companies expose insecure SAP services to the Internet -- not only HTTP services, but also critical administrative interfaces, Alexander Polyakov, chief technology officer at ERPScan, a developer of security monitoring products for SAP systems, said Tuesday.
Between 5 percent and 10 percent of companies that use SAP products expose critical services to the Internet that shouldn't be publicly accessible, Polyakov said. This happens because they want to enable remote management or because of improper configurations, he said.
Most of the services have vulnerabilities that can be easily attacked, Polyakov said.
Publicly available exploits exist for many SAP vulnerabilities, including some that are part of Metasploit, a popular security testing tool.
The percentage of companies with exposed SAP services differs from country to country. The situation is better in North America and Europe and worse in the Asia-Pacific region, Africa and Latin America, Polyakov said. However, even 5 percent translates to a very large number of companies, he said.
Juan Perez-Etchegoyen, the chief technology officer at Onapsis, a Cambridge, Massachusetts-based company that develops security products for ERP systems, believes that the number of companies running vulnerable SAP systems is actually higher than what Polyakov estimates and that it's growing.
"What makes this worse is the fact that many systems are exposed to vulnerabilities with public exploits that have been known for five or even ten years. The risk for these organizations is huge," he said Wednesday via email.
Another problem is the high number of publicly accessible Web servers that run outdated SAP applications. Using Google search, ERPScan researchers identified 695 unique servers with different SAP Web applications, and an additional 3,741 servers were found using the SHODAN search engine.
SAP NetWeaver J2EE and SAP NetWeaver ABAP were the most common SAP applications found on the servers. However, the most common versions of these two applications were SAP NetWeaver ABAP version 7.0 EHP 0 and SAP NetWeaver J2EE version 7.00, both of which were released in 2005.
Deployments of older versions of these products are not necessarily vulnerable if their administrators applied all patches and followed all security advice issued by SAP over the years.
However, an old deployment is more likely to be vulnerable than a new one, because newer versions of these products ship with more secure default configurations, Polyakov said.
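The survey above worked from search-engine results; an operator can run the same triage against their own perimeter by reading the Server banner that NetWeaver front ends return. The following is an added example, not code from the article, ERPScan or Onapsis. It assumes the banner formats "SAP NetWeaver Application Server / ABAP 700" (AS ABAP, where release 700 corresponds to the 7.0 EHP 0 named above) and "SAP NetWeaver Application Server 7.00 / AS Java 7.00" (AS Java); the sample responses, the endpoint addresses and the 7.02 policy threshold are constructed for illustration. Consistent with the caveat in the preceding paragraphs, an old release is reported as a triage flag, not as proof of an unpatched system.

```python
"""Inventory exposed SAP NetWeaver web front ends by release, from HTTP Server banners."""
import http.client
import re
from typing import Dict, List, Optional, Tuple

# Banner formats assumed for this example (verify against your own systems):
#   AS ABAP (ICM): "SAP NetWeaver Application Server / ABAP 700"  -> release 7.00 (7.0 EHP 0)
#   AS Java:       "SAP NetWeaver Application Server 7.00 / AS Java 7.00"
ABAP_RE = re.compile(r"SAP NetWeaver Application Server\s*/\s*ABAP\s+(\d)(\d\d)", re.I)
JAVA_RE = re.compile(r"AS Java\s+(\d+)\.(\d+)", re.I)

# Constructed sample responses (hypothetical hosts), not data from the surveys in the article.
SAMPLE_RESPONSES: Dict[str, str] = {
    "10.0.0.1:8000": "HTTP/1.1 200 OK\r\nserver: SAP NetWeaver Application Server / ABAP 700\r\n"
                     "content-type: text/html\r\n\r\n",
    "10.0.0.2:50000": "HTTP/1.1 200 OK\r\nServer: SAP NetWeaver Application Server 7.00 / AS Java 7.00\r\n\r\n",
    "10.0.0.3:8000": "HTTP/1.1 200 OK\r\nserver: SAP NetWeaver Application Server / ABAP 731\r\n\r\n",
    "10.0.0.4:443": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
}


def server_header(raw_response: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def parse_sap_banner(banner: Optional[str]) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Map a Server banner to (stack, (major, minor)), or None if it is not SAP NetWeaver."""
    if banner is None:
        return None
    m = ABAP_RE.search(banner)
    if m:
        return ("ABAP", (int(m.group(1)), int(m.group(2))))
    m = JAVA_RE.search(banner)
    if m:
        return ("Java", (int(m.group(1)), int(m.group(2))))
    return None


def inventory(responses: Dict[str, str], min_release: Tuple[int, int] = (7, 2)) -> List[dict]:
    """Classify each captured response; flag releases below min_release.

    min_release is a hypothetical policy threshold (7.02 here). "outdated" means the
    release predates the threshold, which is a reason to check patch level, not proof
    of a vulnerability: a fully patched old release may be fine.
    """
    findings = []
    for endpoint, raw in responses.items():
        parsed = parse_sap_banner(server_header(raw))
        if parsed is None:
            continue                               # not a NetWeaver front end
        stack, release = parsed
        findings.append({
            "endpoint": endpoint,
            "stack": stack,
            "release": f"{release[0]}.{release[1]:02d}",
            "outdated": release < min_release,
        })
    return findings


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Live HEAD request against one endpoint you own; returns the status line and headers
    in the same raw form as SAMPLE_RESPONSES so the result can be fed to inventory()."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
        lines += [f"{k}: {v}" for k, v in resp.getheaders()]
        return "\r\n".join(lines) + "\r\n\r\n"
    finally:
        conn.close()


if __name__ == "__main__":
    for f in inventory(SAMPLE_RESPONSES):
        flag = "OUTDATED - check patch level" if f["outdated"] else "ok"
        print(f"{f['endpoint']:<16} {f['stack']:<5} {f['release']:<6} {flag}")
```

Only HTTP front ends are covered here; the administrative interfaces the article mentions (dispatcher, gateway, message server) do not speak HTTP and need a port-level check of your perimeter in addition to this banner inventory.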