Invest in security to secure investments
SAP Security in figures 2013
Alexander Polyakov CTO ERPScan
About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
Agenda
• SAP: Intro
• SAP: vulnerabilities
• SAP: threats from the Internet
• Critical SAP services
• Known incidents
• Future trends and predictions
• Conclusions
SAP
• The most popular business application
• More than 240000 customers worldwide
• 86% of Forbes 500 run SAP
Why SAP security?
• Espionage
  – Stealing financial information
  – Stealing corporate secrets
  – Stealing supplier and customer lists
  – Stealing HR data
• Sabotage
  – Denial of service
  – Modification of financial reports
  – Access to technology network (SCADA) by trust relations
• Fraud
  – False transactions
  – Modification of master data
SAP Security
SAP Vulnerabilities
Security notes by year
[Chart: number of SAP security notes per year, 2001-2013]
More than 2600 in total
Security notes by criticality
[Charts: high-priority vulnerabilities and low-priority vulnerabilities per year, 2009-2012; number of security notes by priority level]
Priority levels:
1 - HotNews
2 - Correction with high priority
3 - Correction with medium priority
4 - Correction with low priority
6 - Recommendations/additional info
By the end of April 2013
Security notes by type
[Pie chart: top 10 vulnerability types; shares shown 25%, 22%, 20%, 9%, 7%, 5%, 4%, 4%, 3%, 1%]
Top 10 vulnerabilities by type
1 - XSS
2 - Missing authorisation check
3 - Directory traversal
4 - SQL injection
5 - Information disclosure
6 - Code injection
7 - Authentication bypass
8 - Hardcoded credentials
9 - Remote code execution
10 - Verb tampering
Acknowledgments
Number of vulnerabilities found by external researchers:
• 2010 - 58
• 2011 - 107
• 2012 - 89
• 2013 - 52
The record of vulnerabilities found by external researchers was broken in January 2013: 76%
[Chart: percentage of vulnerabilities found by external researchers, 2010-2013]
Acknowledgments
• More interest from other companies
[Chart: number of already patched issues* per year, 2010-2012]
* Number of vulnerabilities that were sent to SAP but were rejected because they had already been found by another company or by SAP internal code review.
SAP security talks at conferences
[Chart: number of SAP security talks at conferences per year, 2003-2013]
Talks about:
• Common: SAP Backdoors, SAP Rootkits, SAP Forensics
• Services: SAP Gateway, SAP Router, SAP NetWeaver, SAP GUI, SAP Portal, SAP Solution Manager, SAP TMS, SAP Management Console, SAP ICM/ITS
• Protocols: DIAG, RFC, SOAP (MMC), Message Server, P4
• Languages: ABAP Buffer Overflow, ABAP SQL Injection, J2EE Verb Tampering, J2EE Invoker Servlet
• Overview: SAP Cyber-attacks, Top 10 Interesting Issues, Myths about ERP
Almost every part of SAP has been hacked
Top 5 SAP vulnerabilities 2012
1. SAP NetWeaver DilbertMsg servlet SSRF (June)
2. SAP HostControl command injection (May)
3. SAP SDM Agent command injection (November)
4. SAP Message Server buffer overflow (February)
5. SAP DIAG buffer overflow (May)
SAP NetWeaver DilbertMsg servlet SSRF
Espionage: Critical
Sabotage: Critical
Fraud: Medium
Availability: Anonymously through the Internet
Ease of exploitation: Medium
Future impact: High (new type of attack)
CVSSv2: 10
Advisory: http://erpscan.com/advisories/dsecrg-12-036-sap-xi-authentication-bypass/
Patch: SAP Note 1707494
Authors: Alexander Polyakov, Alexey Tyurin, Alexander Minozhenko (ERPScan)
SAP HostControl command injection
Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymously through the Internet
Ease of exploitation: Easy (a Metasploit module exists)
Future impact: Low (single issue)
CVSSv2: 10
Advisory: http://www.contextis.com/research/blog/sap-parameter-injection-no-space-arguments/
Patch: SAP Note 1341333
Author: Contextis
SAP J2EE file read/write
Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymously
Ease of exploitation: Medium
Future impact: Low
CVSSv2: 10
Advisory: https://service.sap.com/sap/support/notes/1682613
Patch: SAP Note 1682613
Author: Juan Pablo
SAP Message Server buffer overflow
Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Anonymous
Ease of exploitation: Medium. Good knowledge of exploit writing for multiple platforms is necessary
CVSSv2: 10.0
Advisory: http://www.zerodayinitiative.com/advisories/ZDI-12-112/
Patch: SAP Notes 1649840 and 1649838
Author: Martin Gallo
SAP DIAG Buffer overflow
Espionage: Critical
Sabotage: Critical
Fraud: Critical
Availability: Low. Trace must be on
Ease of exploitation: Medium
CVSSv2: 9.3
Advisory: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities
Patch: SAP Note 1687910
Author: Martin Gallo
SAP Security
SAP and Internet
SAP on the Internet
• Among people who work with SAP, a popular myth exists that SAP systems are inaccessible from the Internet, so all SAP vulnerabilities can only be exploited by an insider.
SAP on the Internet
• Companies have SAP Portals, SAP SRMs, SAP CRMs remotely accessible
• Companies connect different offices (by SAP XI)
• Companies are connected to SAP (through SAP Router)
• SAP GUI users are connected to the Internet
• Administrators open management interfaces to the Internet for remote control
Almost all business applications have web access now
Google search for web-based SAPs
• As a result of the scan, 695 unique servers with different SAP web applications were found (14% more than in 2011)
• 22% of previously found services were deleted
• 35% growth in the number of new services
Google search by country
[Chart: SAP web servers by country (Top 20), Google search; countries listed: United States, Germany, India, United Kingdom, China, Netherlands, Italy, Switzerland, Brazil, Canada, France, Belgium, Norway, Korea, Spain, Mexico, Denmark, Austria, Russia, Finland]
Shodan scan
[Pie chart: share by application server type (SAP NetWeaver J2EE, SAP NetWeaver ABAP, SAP Web Application Server, Other (BusinessObjects, SAP Hosting, etc.)); shares shown 41%, 34%, 20%, 6%]
[Chart: growth by application server; values shown 94%, 72%, 30%, -20%, -55%]
A total of 3741 servers with different SAP web applications were found
Shodan scan by country
[Chart: growth of SAP web servers (Top 5): Mexico, Chile, India, China, Taiwan; scale 0% to 600%]
[Chart: SAP web servers by country (Top 20), Shodan; countries listed: United States, Germany, Italy, India, Spain, Brazil, Belgium, France, China, Korea, United Kingdom, Switzerland, Canada, Turkey, Netherlands, Denmark, Mexico, Chile, Taiwan, Australia]
Internet Census 2012 scan
• Not so legal project by Carna Botnet
• As a result, 3326 IPs with SAP web applications
[Pie chart: SSL 68%, no SSL 32%]
SAP NetWeaver ABAP - versions
• 7.3 growth by 250%
• 7.2 growth by 70%
• 7.0 loss by 22%
• 6.4 loss by 45%
[Pie chart: NetWeaver ABAP versions by popularity; releases shown: 7.0 EHP 0 (Nov 2005), 7.0 EHP 2 (Apr 2010), 7.0 EHP 1 (Oct 2008), 7.3 (Jun 2011), 6.2 (Dec 2003), 6.4 (Mar 2004); shares shown 35%, 23%, 19%, 11%, 6%, 5%]
The most popular release (35%, previously 45%) is still NetWeaver 7.0, and it was released in 2005!
But security is getting better.
NetWeaver ABAP – information disclosure
• Information about the ABAP engine version can be easily found by reading an HTTP response
• Detailed info about the patch level can be obtained if the application server is not securely configured
• An attacker can get information from some pages like /sap/public/info
6% (was 59%) of servers still have this issue
SAP NetWeaver ABAP – critical services
• Execute dangerous RFC functions using HTTP requests
• NetWeaver ABAP URL – /sap/bc/soap/rfc
• There are several critical functions, such as:
  – Read data from SAP tables
  – Create SAP users
  – Execute OS commands, make financial transactions, etc.
• By default, any user can have access to this interface and execute the RFC_PING command. So there are 2 main risks:
  – If there is a default username and password, the attacker can execute numerous dangerous RFC functions
  – If a remote attacker obtains any existing user credentials, they can execute a denial of service attack with a malformed XML packet
6% (was 40%) of ABAP systems on the Internet have the WebRFC service
SAP NetWeaver J2EE - versions
• 7.31 growth from 0 to 3%
• 7.30 growth from 0 to 9%
• 7.02 growth by 67%
• 7.0 loss by 23%
• 6.4 loss by 40%
[Pie chart: NetWeaver Java versions by popularity; releases shown: NetWeaver 7.00, 7.01, 7.02, 7.30, 6.40, 7.31; shares shown 44%, 25%, 10%, 9%, 9%, 3%]
The most popular release (44%, previously 57%) is still NetWeaver 7.0, and it was released in 2005!
But security is getting better.
NetWeaver J2EE – information disclosure
• Information about the J2EE engine version can be easily found by reading an HTTP response.
• Detailed info about the patch level can be obtained if the application server is not securely configured and allows an attacker to get information from some pages:
  – /rep/build_info.jsp – 26% (61% last year)
  – /bcb/bcbadmSystemInfo.jsp – 1.5% (17% last year)
  – /AdapterFramework/version/version.jsp – 2.7% (a new issue)
SAP NetWeaver J2EE – critical services
• NetWeaver J2EE URL: /ctc/ConfigTool (and 30 others)
• Can be exploited without authentication
• There are several critical functions, such as:
  – Create users
  – Assign a role to a user
  – Execute OS commands
  – Remotely turn the J2EE Engine on and off
• Was presented by us at BlackHat 2011
It was found that 50% (was 61%) of J2EE systems on the Internet have the CTC service enabled.
SAP Security
From Internet to Intranet
Disclaimer
* Some numbers are approximate (mostly lower than in the real world) due to the very high number of resources needed to fully analyze the Internet for SAP services with detailed numbers. We use an optimized scan approach, which will be described in a whitepaper.
SAP Router
• Special application proxy
• Transfers requests from the Internet to SAP (and not only)
• Can work through VPN or SNC
• Almost every company uses it for connecting to SAP to download updates
• Usually listens on port 3299
• Internet accessible (approximately 5000 IPs)
• http://www.easymarketplace.de/saprouter.php
Almost every third company has an SAP Router accessible from the Internet on the default port.
SAP Router: known issues
• Absence of ACL – 15%
  – Possible to proxy any request to any internal address
• Information disclosure about internal systems – 19%
  – Denial of service by specifying many connections to any of the listed SAP servers
  – Proxy requests to the internal network if there is an absence of ACL
• Insecure configuration, authentication bypass – 5%
• Heap corruption vulnerability
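The "absence of ACL" finding above comes down to the saprouttab route-permission table. The following is an added example, not code from the presentation or from SAP: a simplified evaluator for P and D entries with first-match semantics that contrasts an all-permissive table with a deny-by-default one and flags permit entries routing any source to any destination. Only `*`, exact hosts and CIDR source patterns are handled, trailing `#` comments and CIDR support are assumptions, and a request matching no entry is treated as denied, which is why the restricted table still ends with an explicit `D * * *`.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str  # "P" permit or "D" deny; other saprouttab entry types are out of scope here
    src: str     # source host pattern
    dst: str     # destination host pattern
    port: str    # destination port pattern

def parse_saprouttab(text: str) -> list:
    """Parse 'P|D <src> <dst> <port> [password]' lines; text after '#' is treated as a comment (assumption)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] not in ("P", "D") or len(fields) < 4:
            raise ValueError(f"unsupported saprouttab entry: {raw!r}")
        rules.append(Rule(fields[0], fields[1], fields[2], fields[3]))
    return rules

def host_matches(pattern: str, host: str) -> bool:
    """'*' matches anything; otherwise exact host match or CIDR containment (CIDR support assumed here)."""
    if pattern == "*" or pattern == host:
        return True
    if "/" in pattern:
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:  # a hostname rather than an IP cannot be inside a network
            return False
    return False

def decide(rules: list, src: str, dst: str, port: int) -> str:
    """First matching entry wins. With no match, the request is treated as denied."""
    for rule in rules:
        if host_matches(rule.src, src) and host_matches(rule.dst, dst) and rule.port in ("*", str(port)):
            return rule.action
    return "D"

def unrestricted_entries(rules: list) -> list:
    """Permit entries that let any source reach any destination: the 'absence of ACL' case on the slide."""
    return [r for r in rules if r.action == "P" and r.src == "*" and r.dst == "*"]

# Constructed tables; 198.51.100.0/24 is a documentation range standing in for a partner network.
OPEN_TABLE = "P * * *\n"
RESTRICTED_TABLE = """
P 198.51.100.0/24 sapprd01 3200   # one partner network, one host, one dispatcher port
D * * *                           # everything else, including routes to arbitrary internal hosts
"""
```

Run `decide(parse_saprouttab(RESTRICTED_TABLE), "203.0.113.9", "10.0.0.5", 22)` to see an arbitrary Internet source refused, and `unrestricted_entries(parse_saprouttab(OPEN_TABLE))` to see the open table flagged.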
Port scan results
• Are you sure that only the necessary SAP services are exposed to the Internet?
• We were not
• In 2011, we ran a global project to scan all of the Internet for SAP services
• It is not completely finished yet, but we have the results for the top 1000 companies
• We were shocked when we saw them first
Port scan results
[Chart: exposed services in 2011 vs 2013 for SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server and SAP Router; scale 0 to 35]
Listed services should not be accessible from the Internet
SAP HostControl service
• SAP HostControl is a service which allows remote control of SAP systems
• There are some functions that can be used remotely without authentication
• Issues:
  – Read developer traces with passwords
  – Remote command injection
• About every 120th (was 20th) company is vulnerable REMOTELY
• About 35% of assessed systems locally
SAP Management Console
• SAP MMC allows remote control of SAP systems
• There are some functions that can be used remotely without authentication
• Issues:
  – Read developer traces with passwords
  – Read logs with JSESSIONIDs
  – Read information about parameters
• About every 40th (was 11th) company is vulnerable REMOTELY
• About 80% of systems locally
SAP Message Server
• SAP Message Server – load balancer for application servers
• Usually, this service is only available inside the company
• By default, the server listens on port 36NN
• Issues:
  – Memory corruption
  – Information disclosure
  – Unauthorized service registration (MITM)
• About every 60th (was every 10th) company is vulnerable REMOTELY
• About 50% of systems locally
SAP Message Server HTTP
• HTTP port of the SAP Message Server
• Usually, this service is only available inside the company
• By default, the server listens on port 81NN
• Issue: unauthorized read of profile parameters
• About every 60th (was every 10th) company is vulnerable REMOTELY
• About 90% of systems locally
SAP Dispatcher service
• SAP Dispatcher - client-server communications
• It allows connecting to SAP NetWeaver using the SAP GUI application through the DIAG protocol
• Should not be available from the Internet in any way
• Issues:
  – There are a lot of default users that can be used to connect and fully compromise the system remotely
  – Also, there are memory corruption vulnerabilities in the Dispatcher
• About every 20th (was 6th) company is vulnerable REMOTELY
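To turn the port-scan question above ("are only the necessary SAP services exposed?") into a repeatable check on your own perimeter, here is an added example that is not from the presentation: it classifies an externally observed open-port list by SAP's default port layout (36NN, 81NN and 3299 as stated on the slides; the other entries are SAP's standard default ports) and separates the web front end from the services the slides say must not be reachable. The scan result is constructed.

```python
import re

# Default SAP TCP port layout; NN is the two-digit instance number. The slides name 36NN, 81NN and 3299;
# the other entries are SAP's standard defaults. The web front end is the only one normally meant to be public.
# SAProuter is listed before the dispatcher pattern because 3299 would otherwise read as "instance 99".
PORT_PATTERNS = [
    (re.compile(r"^3299$"), "SAProuter", False),
    (re.compile(r"^32(?P<nn>\d\d)$"), "SAP Dispatcher (DIAG)", False),
    (re.compile(r"^33(?P<nn>\d\d)$"), "SAP Gateway (RFC)", False),
    (re.compile(r"^36(?P<nn>\d\d)$"), "SAP Message Server", False),
    (re.compile(r"^81(?P<nn>\d\d)$"), "SAP Message Server HTTP", False),
    (re.compile(r"^5(?P<nn>\d\d)1[34]$"), "SAP MMC / sapstartsrv", False),
    (re.compile(r"^112[89]$"), "SAP HostControl", False),
    (re.compile(r"^80(?P<nn>\d\d)$"), "SAP ICM HTTP (web front end)", True),
]

def classify_ports(open_ports):
    """Map each externally open TCP port to the SAP service its number suggests; unknown ports are skipped."""
    findings = []
    for port in sorted(set(open_ports)):
        for pattern, service, web_ok in PORT_PATTERNS:
            match = pattern.match(str(port))
            if match:
                findings.append({"port": port, "service": service,
                                 "instance": match.groupdict().get("nn"), "web_ok": web_ok})
                break
    return findings

def should_not_be_exposed(findings):
    """Everything except the web front end: the services the slides say must not be reachable from the Internet."""
    return [f for f in findings if not f["web_ok"]]

def instances_seen(findings):
    """Instance numbers implied by the port numbers; a consistent set is a strong hint the match is real."""
    return sorted({f["instance"] for f in findings if f["instance"] is not None})

# Constructed scan result for one Internet-facing host (not real data).
SAMPLE_SCAN = [22, 443, 1128, 3200, 3299, 3601, 8000, 8100, 50013]

if __name__ == "__main__":
    for f in should_not_be_exposed(classify_ports(SAMPLE_SCAN)):
        print(f"port {f['port']}: {f['service']} (instance {f['instance']}) should not be Internet-facing")
```

Port numbers are only a hint; confirm the service behind each flagged port before acting on the result.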
But who actually tried to exploit it?
Known internal fraud incidents
• Exploit market interest
• Anonymous attacks
• Insider attacks
• Evil subcontractors and ABAP backdoors
Market Interest
• Whitehat buyers and sellers
  – Companies like ZDI buy exploits for SAP
  – In 2012 alone, ZDI published 5 critical SAP issues
• Whitehat buyers and different sellers
  – Companies who trade 0-days say that there is interest from both sides
• Black market
  – Anonymous attack? – Why not?
Anonymous attack
Now, it adds, “We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they...” Anonymous claims to have a “sweet 0day SAP exploit”, and the group intends to “sploit the hell out of it.”
• This attack has not been confirmed by the customer nor by the police authorities in Greece investigating the case. SAP does not have any indication that it happened.
Insider attacks
• The Association of Certified Fraud Examiners (ACFE) survey showed that U.S. organizations lose an estimated 7% of annual revenues to fraud.
• Real examples that we met:
  – Salary modification
  – Material management fraud
  – Mistaken transactions
Evil subcontractors and ABAP Backdoors
• They exist!
• Sometimes it is possible to find them
What had happened already?
• Autocad virus (industrial espionage)
  – http://www.telegraph.co.uk/technology/news/9346734/Espionage-virus-sent-blueprints-to-China.html
• Internet trading virus (fraud) – Ranbyus modification for QUIK
  – http://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/
• News resources hacking (sabotage)
  – http://www.bloomberg.com/news/2013-04-23/dow-jones-drops-recovers-after-false-report-on-ap-twitter-page.html
What can be
Just imagine what could be done by breaking:
• One SAP system
• All SAP systems of a company
• All SAP systems in a particular country
• Everything
SAP strategy in app security
• Now security is the number 1 priority for SAP
• Implemented own internal security process (SDLC)
• Security summits for internal teams
• Internal trainings with external researchers
• Strong partnership with research companies
• Investments in the automatic and manual security assessment of new and old software
Future threats and predictions
• Old issues are being patched, but a lot of new systems have vulnerabilities
• The number of vulnerabilities per year is going down compared to 2010, but they are more critical
• The number of companies who find issues in SAP is growing
• There are still many uncovered areas in SAP security
• SAP forensics can be a new research area because it is not easy to find evidence now, even if it exists
Forensics as a new trend for 2013
• If there are no attacks, it doesn't mean anything
• Companies don't like to share information about data compromise
• Companies don't have the ability to identify an attack
• Only 10% of systems use the security audit log in SAP
• Only 2% of systems analyze them
• Only 1% do correlation and deep analysis
* Based on the assessment of over 250 servers of companies that allowed us to share results
Forensics as a new trend for 2013
• ICM log icm/HTTP/logging_0 – 70%
• Security audit log in ABAP – 10%
• Table access logging rec/client – 4%
• Message Server log ms/audit – 2%
• SAP Gateway access log – 2%
* Based on the assessment of over 250 servers of companies that allowed us to share results.
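Each of the five figures above maps to a profile parameter that switches that log source on, so the state of a system can be read from its profile. The following is an added example, not from the presentation or ERPScan's product: it parses an SAP profile excerpt and reports which of the five sources are off. rsau/enable and gw/logging are the standard parameters for the security audit log and the gateway log, which the slide names without a parameter; the accepted values in the checks and the profile excerpt itself are assumptions noted in the code.

```python
def parse_profile(text: str) -> dict:
    """Parse 'name = value' lines of an SAP profile; '#' lines are comments and later entries override earlier ones."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

# (parameter, log source, predicate on the value, example setting). Value semantics are assumptions:
# rsau/enable is 1 when on; rec/client is OFF, ALL or a client list; ms/audit counts as on when set and not 0;
# the ICM and gateway logs count as on when a LOGFILE= target is configured.
CHECKS = [
    ("icm/HTTP/logging_0", "ICM HTTP access log", lambda v: v is not None and "LOGFILE=" in v,
     "icm/HTTP/logging_0 = PREFIX=/,LOGFILE=http_%y_%m_%d.log,SWITCHTF=day"),
    ("rsau/enable", "Security audit log (ABAP)", lambda v: v == "1", "rsau/enable = 1"),
    ("rec/client", "Table change logging", lambda v: v not in (None, "OFF"), "rec/client = ALL"),
    ("ms/audit", "Message Server audit log", lambda v: v not in (None, "0"), "ms/audit = 1"),
    ("gw/logging", "Gateway access log", lambda v: v is not None and "LOGFILE=" in v,
     "gw/logging = ACTION=Ss LOGFILE=gw_log-%y-%m-%d SWITCHTF=day"),
]

def audit_logging(profile_text: str) -> list:
    """Return one record per log source with the current value, whether it is on, and an example fix."""
    params = parse_profile(profile_text)
    results = []
    for name, source, is_on, fix in CHECKS:
        value = params.get(name)
        results.append({"parameter": name, "source": source, "value": value,
                        "enabled": bool(is_on(value)), "fix": fix})
    return results

def missing_sources(profile_text: str) -> list:
    """Parameters of the log sources that are off, in the order the slide lists them."""
    return [r["parameter"] for r in audit_logging(profile_text) if not r["enabled"]]

# Constructed profile excerpt; only the HTTP access log is on, which mirrors the most common state on the slide.
SAMPLE_PROFILE = """
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=http_%y_%m_%d.log,SWITCHTF=day
rsau/enable = 0
rec/client = OFF
"""

if __name__ == "__main__":
    for r in audit_logging(SAMPLE_PROFILE):
        print(f"{'ON ' if r['enabled'] else 'OFF'} {r['source']:28} {r['parameter']} = {r['value']}")
```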
Conclusion
• - The interest in SAP platform security has been growing exponentially, and not only among whitehats
• + SAP security in the default configuration is getting much better now
• - SAP systems can become a target not only for direct attacks (for example APT) but also for mass exploitation
• + SAP invests money and resources in security, provides guidelines, and arranges conferences
• - Unfortunately, SAP users still pay little attention to SAP security
• + I hope that this talk and the report that will be published next month will prove useful in this area
Conclusion
Issues are everywhere, but the risks and the price of mitigation are different
Conclusion
I'd like to thank the SAP Product Security Response Team for their great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
End of October – Release of “SAP Security in Figures 2013”
Conclusion
We devote attention to the requirements of our customers and prospects, and constantly improve our product. If you presume that our scanner lacks a particular function, you can e-mail us or give us a call. We will be glad to consider your suggestions for the next releases or monthly updates.
web: www.erpscan.com www.dsecrg.com
e-mail: [email protected], [email protected]