SAP’s expensive business software, which nobody quite understands and which is so esoteric that nobody ever bothers to upgrade it, could be a ticking security bomb.
Many companies have SAP installations which are so ancient that they did the logistics for King Charles’ “lose your head party”.
Research to be released next month by ERPScan shows that hundreds of organisations have been detected running dangerously vulnerable versions of SAP that are more than seven years old.
Vulnerabilities in the platform have been targeted in a range of attacks including those to modify pay cheques. They are also increasingly popular in the whitehat and blackhat exploit trade.
ERPScan chief technology officer and ZeroNights founder Alexander Polyakov found more than 4,000 servers hosting publicly-facing SAP applications during web searches using Google (700 servers) and Shodan (3,741 servers).
He said that if these outfits did their HR and financials with SAP it would be the end of them.
In a lecture, Polyakov said it was a common misconception that SAP systems were not public-facing and remotely accessible.
For example, he found that 35 percent of the SAP systems discovered were running NetWeaver version 7 EHP 0, which was last updated in November 2005. Just under a quarter ran a version last updated in April 2010, and 19 percent ran a version unpatched since October 2008.
The same findings were uncovered for versions of SAP NetWeaver J2EE, which contained holes in critical services that could, without authentication, allow attackers to create users and assign roles, execute commands, and turn the engine on and off.
Of the 5,000 exposed routers, 15 percent lacked access control lists, which risked granting attackers access to the internal network; 19 percent contained information disclosure holes that could lead to denial of service; and five percent had dangerously insecure configurations that could lead to authentication bypass.