Analysis of 3000 vulnerabilities in SAP
According to official information from SAP portal, more than 3000 vulnerabilities have been closed by SAP.
Here are 6 highlights from a research conducted by the ERPScan team during 7 years of deep analysis of SAP vulnerabilities. A significant share of the analyzed vulnerabilities was found by the ERPScan research team themselves.
Percentage of vulnerabilities in SAP is much higher that people usually think – number of vulnerabilities closed by SAP is more than 3000, which equals to about 5% of all vulnerabilities ever published on the Internet.
Interest in SAP security is growing exponentially – share of vulnerabilities found by 3rd parties in all vulnerabilities patched by SAP has grown from about 10% in late 2000s to 60-70% in recent monthly updates.
SAP is making good steps in SDLC – number of vulnerabilities in SAP per month has decreased approximately 2 times comparing to the high peak in 2010.
Interest in hacking of NEW SAP products is growing – number of issues found in new SAP products, like SAP HANA, is growing faster than in others, although there are about 10 issues in total.
What is popular with traditional security is not always popular with SAP security – memory corruption vulnerabilities are 7 times less popular in SAP than in general types of products.
SAP is a very complicated system, and a significant part of security measures lies on the shoulders of the administrators – configuration issues in SAP are 5 times more popular than in general types of products.
Let’s take a closer look on the details with the help of comments made by the ERPScan CTO Alexander Polyakov.
According to cvedetails.com, a website calculating most vulnerable vendors by the number of CVEs, SAP is on the 37th place in the complete list of vendors. But not all SAP issues have CVEs. SAP itself does not publish them, and external researchers do it either only from time to time.
However, if we count by the number of public advisories (there are about 500 of them), SAP is on the 15th place. Interesting enough, that if we count by the total number of resolved vulnerabilities (more than 3000 security notes), SAP will share the second place after Microsoft. But it remains not a valid comparison, due to the fact that Microsoft probably closes much more issues internally.
While the number of vulnerabilities closed by SAP Security Notes (small patches) per year is decreasing, SAP moves a lot of vulnerabilities to Service Packs, leaving in security notes only highly critical issues and the issues which were found by external researchers. So, in previous years, only about 10% of monthly published vulnerabilities were found by external researchers but up to 60-70% in more recent updates. At the same time, the total number of SAP security patches per year is decreasing.
Different SAP products have different amount of vulnerabilities found per year. For some new SAP platforms, such as HANA, the percentage of issues is growing each year, whereas for JAVA platforms the percentage of issues is roughly the same each year. At the same time, the amount of issues found in the old platforms, such as ABAP, is decreasing a bit, and the number of vulnerabilities found in client applications, comparing to the peak in 2010 when we started to explore them, is going down significantly.
While typical issues have, more or less, the same results, we have two areas where the statistics go different. First of all memory corruption vulnerabilities such as buffer overflow – the most popular vulnerability in the world (14% of all issues) – constitute only 2% in SAP, and only 1% of them is actually remotely exploitable, and even those are mostly on client applications. The reason is simple. Memory corruption issues are hard to exploit in SAP, that is why we always say in our workshops and trainings that you need payloads for different versions and platforms. But there always remains a slight chance of something going wrong. However, for pentesters and especially for cybercriminals, those issues are not interesting because issues related to configuration, access control, or authentication are much easier to use both for pentest and for fraud.
Secondly, the number of issues related to configuration is about 11% of SAP issues, while in general those issues only constitute about 2%. This result is quite predictable for people who have been in SAP security for a long time. They know that the biggest problem is the complexity and customization of SAP solutions. SAP has thousands of different configuration tweaks in multiple platforms, and they make a real difference.
Unfortunately, those configuration issues are not so easy to patch because they affect business processes. At the very least, you have to reboot the system to reconfigure it. For example, to close a vulnerability in the authentication protocol of the SAP Software Deployment service, the new version of client and server software have to be installed, and it can sometimes be quite challenging. It is harder to monitor, check, and control than simply apply patches, which usually close only typical issues, such as XSS or Directory Traversal.