How secure is SAP (NYSE: SAP)? That's a question that security researcher Alexander Polyakov set out to answer during a session at the Black Hat security conference last week.
Polyakov is the CTO of security firm ERPscan, with a specific area of security research into ERP systems. During his presentation, Polyakov identified the potential attack surface for SAP applications, which includes both internal and external threats. In Polyakov's view, attackers are most interested in remote attacks that don't require local access.
The root cause of SAP insecurity, according to Polyakov's research, comes from the use of Java.
"The Java engine is the black hole of SAP security," Polyakov said during his Black Hat session. "It's Apache Tomcat, only 100 times more complex."
There are multiple types of vulnerabilities within the SAP Java engine used in NetWeaver, according to Polyakov. The most basic avenue of attack detailed by Polyakov is to simply use Google to find SAP servers on the Internet and then find out what version is being used. He noted that the attacker can then look for known vulnerabilities in an SAP server that SAP has already issued an advisory on and patched. The attacker just needs to look for vulnerable installs that have not yet been patched.
"There are hundreds of Cross-Site Scripting (XSS) vulnerabilities and many are still being patched," Polyakov said.
While Polyakov was able to find multiple bugs in SAP that could potentially lead to individual exploits, he noted that he wanted to go a step further and find a super flaw that could exploit all SAP using just one bug.
Polyakov discovered such a flaw with a type of exploit known as HTTP Verb Tampering. The HTTP Verb is a method for authentication on a web server allowing for access control. Polyakov said that for a Verb Tampering attack to work, the underlying system must use security control lists that list HTTP verbs and fail to block verbs that are not listed. Additionally, the attack requires that GET functionality on the server executes with a HEAD verb. According to Polyakov, all of those conditions are met by the SAP NetWeaver engine by way of the WEB.XML file.
Using the Verb Tampering approach as his attack vector, Polyakov looked across 500 different SAP applications and found that 40 applications were potentially vulnerable. One potential exploit could enable an attack to overwrite any file on an SAP server remotely. The same attack vector could potentially enable an attacker to add any user to any group.
"For example, you can add a guest user to the Administrators group, which will lead to total destruction in public portals," Polyakov said.
SAP patch is on the way
While Polyakov discussed SAP security risks, his overall goal is to improve SAP security. He works with SAP to help the company identify and fix issues. Polyakov noted that SAP is in the process of patching the items he has found. He added that he has also found additional vulnerabilities that he is not at liberty to discuss because of his working relationship with SAP.
So what can SAP users do now to protect themselves?
The first step that Polyakov suggests is to make sure that SAP users install the latest patches and follow the guidance in the SAP security notes. He also advises SAP administrators to disable any unnecessary services.
Polyakov's company also produces a free tool called ERPScan that will scan SAP applications for the types of vulnerabilities and risks that he has identified.
"This is just the just the beginning of our research, and there are still things that are being patched by SAP," Polyakov said. "For researchers, if you really want to find something, work hard and you will get what you want."
Read more about SAP ERP here.