Research by security analysis firm and SAP AG security partner, ERPscan, shows that to date SAP has closed more than 3000 vulnerabilities in its systems. ERPscan CTO and EAS-SEC president Alexander Polyakov reports.

ERPscan recently released a research report titled ‘Analysis of 3000 vulnerabilities in SAP’. Among the highlights of this research are:
- The percentage of vulnerabilities in SAP is much higher than people usually think. The number of vulnerabilities closed by SAP is more than 3000, which equates to about 5 per cent of all vulnerabilities ever published on the internet about ERP systems from a range of vendors. This number has grown from 100 vulnerabilities patched by SAP in 2009.
- Interest in SAP security is growing exponentially. The share of vulnerabilities found by third parties among all vulnerabilities patched by SAP has grown from about 10 per cent in the late 2000s to 60-70 per cent in recent monthly updates.
- SAP is making good steps in the software development life cycle (SDLC). The number of vulnerabilities in SAP per month has roughly halved compared to the peak reached in 2010.
- Interest in hacking new SAP products is growing. The number of issues found in new SAP products, like SAP HANA, is growing faster than in others, although these are starting from a relatively low base.
- What is popular in traditional security is not always popular in SAP security. For example, memory corruption vulnerabilities are seven times less common in SAP than in general types of products.
- SAP is a very complicated system, and a significant part of the security measures lies on the shoulders of the administrators. Configuration issues in SAP are identified five times more often than in general types of products.
Overall, SAP has begun to pay more attention to security. As a participant in their internal security conferences, we really see how it is changing in their internal systems. After all of their own manual checks, they ask us to do a final test for unknown or hard-to-find vulnerabilities.
Trends in vulnerabilities in SAP
While the number of vulnerabilities closed by SAP Security Notes (small patches) per year is decreasing, SAP moves many vulnerabilities to Service Packs, leaving in Security Notes only highly critical issues and issues which have been identified by external researchers. So, in previous years, only about 10 per cent of monthly published vulnerabilities were found by external researchers, but this was up to 60-70 per cent in more recent updates. At the same time, the total number of SAP security patches per year is decreasing.
Different SAP products have different numbers of vulnerabilities found each year. For some new SAP platforms, such as HANA, the percentage of issues is growing each year, whereas for Java platforms, the percentage of issues is roughly the same each year. At the same time, the number of issues found in the old platforms, such as ABAP, is decreasing slightly, and the number of vulnerabilities found in client applications, compared to the peak in 2010 when we started to explore them, is dropping significantly.
HANA is actually more secure by default, because it demands a new type of framework. But as an in-memory database, it was designed to be lightning fast. When we design systems to be fast, we lose security.
While our most recent study found that the types of issues commonly identified in SAP systems remain more or less the same, there are two areas which show significant statistical differences.
First of all, memory corruption vulnerabilities such as buffer overflow – the most popular vulnerability in the world (14 per cent of all issues) – constitute only 2 per cent in SAP, and only 1 per cent of them are actually remotely exploitable, and those are mostly in client applications. The reason is simple. Memory corruption issues are hard to exploit in SAP, which is why we always say in our workshops and training that you need payloads for different versions and platforms. But there always remains a slight chance of something going wrong. However, for pentesters and especially for cybercriminals, those issues are not necessarily of interest, because issues related to configuration, access control, or authentication are much easier to use both for pentests and for fraud.
Secondly, the number of issues related to configuration is about 11 per cent of SAP issues, while in general those issues constitute only about 2 per cent. People who have been in SAP security for a long time would not be surprised by these results. They know that the biggest problems arise from the complexity and customisation of SAP solutions. SAP has thousands of different configuration tweaks across multiple platforms, and they make a real difference. Unfortunately, those configuration issues are not so easy to patch because they affect business processes. At the very least, you have to reboot the system to reconfigure it. For example, to close a vulnerability in the authentication protocol of the SAP Software Deployment service, a new version of both the client and server software has to be installed, and this can sometimes be quite challenging. It is harder to monitor, check, and control than simply applying patches, which usually close only typical issues, such as XSS or Directory Traversal.
Identifying common risks
There are three main strands of SAP security – segregation of duties through access control, source code security, and the security of the SAP platform itself, including the application server and services.
With average losses due to internal fraud constituting 6 per cent of yearly revenue, security threats can just as easily come from within the organisation as from outside.
The table below shows some examples of how SAP systems can be manipulated for fraudulent purposes.
It is also not just SAP modules containing business information that are at risk; technical systems such as SAP Solution Manager and Process Integration are also open to exploitation. As these tools connect all SAP systems, an attacker can use these as a gateway to steal information from other components of the system.
Guidelines for securing business applications
Another part of our research is focused on guidelines for securing business applications. A recent guideline was published on securing the SAP NetWeaver application, the first guideline on how to properly secure SAP written for IT security people. It is available at http://erpscan.com/wp-content/uploads/2014/05/EASSEC-PVAG-ABAP.pdf. A lot of vulnerabilities were found in configuration, even though the total number of issues is decreasing. However, many significant steps have now been made by SAP to make their products secure by default.
For more information about SAP vulnerabilities, check out our report, where more highlights and details are available. This report, as well as two annual reviews, ‘SAP Security in Figures 2013’ (http://erpscan.com/wp-content/uploads/2014/02/SAP-Security-in-Figures-A-Global-Survey-2013.pdf) and ‘SAP Security in Figures 2011’ (http://erpscan.com/wp-content/uploads/2012/06/SAP-Security-in-figures-a-global-survey-2007-2011-final.pdf), were created by the ERPScan Research team as part of their contribution to the EAS-SEC project and one of its key directions – creating awareness of vulnerabilities in business applications such as SAP.
This article was published in Inside SAP Winter 2014.