36000 SAP systems exposed online, most open to attacks

ERPScan released the first comprehensive SAP Cybersecurity Threat Report, which covers three main angles: Product Security, Implementation Security, and Security Awareness.

The company used its own scanning method to gather information.

“Protocols used to interact with and between SAP servers are often proprietary and not well-known outside of the SAP IT world. It means that open scan resources don’t include those specific protocols in their scans,” Mathieu Geli, Director of SAP Threat intelligence, explained.

“That’s why we built a database of probe requests and then match the probe response to determine the state of the service. When we perform a check for a vulnerability, if there is no friendly payload, we try to fingerprint the version of a remote service to compute potential statistics.”

The key findings of the research are as follows:

SAP Product Security

  • The average number of security patches for SAP products per year has slightly decreased. However, this doesn’t mean that the number of issues has dropped too. SAP now fixes multiple vulnerabilities in one patch, while 3 years ago each patch addressed a particular one. All in all, SAP has released 3662 patches. Most of them (73%) were rated high priority and hot news, which means they pose significant risks to an organization’s security.
  • The list of vulnerable platforms has extended and now includes modern cloud and mobile technologies such as HANA. Because of cloud and mobile technologies, new SAP systems have become more exposed to the Internet, and thus every vulnerability identified in these services can affect thousands of multinationals (just remember that 90% of the Fortune 2000 companies use SAP). For example, the latest reported issues in SAP Mobile affect more than a million mobile devices, and SAP HANA vulnerabilities affect 6000+ companies that use SAP HANA.
  • There are vulnerabilities in almost every SAP module: CRM takes the leading position among them. According to this study, the most vulnerable products are CRM, EP, and SRM. However, one shouldn’t underestimate vulnerabilities affecting SAP HANA and SAP Mobile apps, as they attracted researchers’ (and, unfortunately, hackers’) attention quicker than the traditional modules.
  • The number of vulnerabilities in industry-specific solutions has grown significantly. SAP has a set of products designed for particular industries. More than 160 vulnerabilities have been detected in these solutions. The most vulnerable types of industry-specific solutions are SAP for Banking, Retail, Advertising Management, Automotive, and Utilities.

SAP Implementation Security

  • The worldwide threat landscape has grown to more than 36000 systems. Most of those services (69%) should not be available directly via the Internet.

    Countries where most of the exposed systems are located

  • Critical Infrastructures and IoT devices are at risk. SAP does not only manage enterprise resources but also acts as a mediator between IT and OT systems. Thus, insecure SAP configurations can be used to exploit critical infrastructure.

SAP Security Awareness

  • Almost half of the unnecessarily exposed services are located in 3 countries where wide adoption of new technologies takes place (the USA, India, and China).

    Exposed systems around the globe

  • The number of SAP Security talks delivered at different conferences worldwide correlates with the number of unnecessarily exposed services (compared to the total number of implemented systems). Countries where the highest number of SAP Security presentations were delivered (namely, the USA, Germany, and the Netherlands) are characterized by more secure SAP system installations than countries where SAP researchers did not present their studies. ERPScan is proud to be invited to speak in 25 different countries across 6 continents including such places as Cyprus, Kuwait, Hungary, etc. Hopefully, it somehow helped to increase SAP Security awareness worldwide.