SAP systems: The threat of insecure configurations

SAP systems insecure configurations

Onapsis researchers revealed a critical security configuration vulnerability that results from default installations in SAP systems which if left insecure, could lead to a full system compromise in unprotected environments.

In this podcast recorded at RSA Conference 2018, Sebastian Bortnik, the Director of Research at Onapsis, talks about the discovered vulnerability and its impact.

SAP systems insecure configurations

Here’s a transcript of the podcast for your convenience.

Hello, my name is Sebastian Bortnik, I am the Director of Research of Onapsis, and today in the Help Net Security podcast, we’re going to be talking about an insecure by default configuration vulnerability that is present in most SAP implementations around the world.

Before we start I’m going to do a little introduction about myself and the company. Basically I’m running all the research efforts of Onapsis, in case you don’t know us, basically we have been researching and giving solutions regarding ERP security. ERP security most of the time stores and hosts the most critical information and data of big companies around the world, and since 2009 we have been reporting vulnerabilities in both SAP and Oracle. We have reported over 500 vulnerabilities on those platforms, and in this case today we’re going to be talking about a new report that we have just released, about an insecure by default configuration in most SAP implementations.

Basically we discovered, a little more than a year ago, a vulnerability in SAP implementations. This is an interesting thing since it is not a software vulnerability, it’s not a bug in the code, but it’s an insecurity configuration that comes with most of SAP configurations by default.

So, this is something more or less common in our platforms that once you need install them, once you do a deploy, you’re going to need to do some configuration settings to make it more secure. Basically what we discovered in 2016 is that the impact of not enabling these configuration settings, these security settings in SAP servers, was worse than they expected. The SAP details mentioned that you need to do that in order to avoid registering fake application servers in your SAP environment, but we discovered that if an attacker is able to do that, the impact could be huge. They can control most of the implementation, they can probably have unlimited access to all of the servers doing MITM attacks, Denial of Service, change data, delete data, so we reported it to SAP.

SAP confirmed to us that they have a solution for that is well documented, that most of the customers have the details about how to properly solve it. So what do we do after that, we alert our customers, we make sure that they were aware about it but also we have been monitoring a few assessments that we did with both customers and companies around the world, and we realized that nine of ten SAP users never changed this configuration.

So, it’s really huge. We are talking about only one security configuration that can allow an unauthenticated attacker, that the only thing he needs is to have network connectivity to the servers. That is enough, of course a little bit of protocol understanding, but that is the only thing they are going to need. After that, once they register a fake application server, they’re are going to be able to do several post implementation attacks that can lead to full compromise of the system.

What we’re trying to do is improve the way customers are doing implementations from scratch. Once you have everything installed, the cost of changing the configuration is five or six times bigger than if you do that at the implementation stage, and so it’s really a big deal if you do implementations without thinking about security. As soon as you include security in the deploy process, in the deploy stage, it’s not only matched well in terms of security, this is basically what we all want to avoid, vulnerabilities in the company, but also its five or six times less expensive.

If you want to know the details about the vulnerability and on the timeline around it as I mentioned at the beginning we shall release a threat report about it, you can find it in our website on onapsis.com. Of course in the same website you can see all of our research efforts, our blog posts, and for sure you can take a look on our solution on Onapsis Security Platform and how we can help your protect your business applications.

RSA Conference 2018