Almost EVERY SAP install hackable, researchers say

A staggering 95 percent of enterprise SAP installations contain high-severity vulnerabilities that could allow systems to be hijacked, researchers say.

Researchers from SAP security tools vendor Onapsis say attackers can target the SAP installs to pivot from low to high integrity systems, execute admin privilege commands, and create J2EE backdoors.

Onapsis chief executive Mariano Nunez says the 250,000 SAP customers are exposed for an average of 18 months from when vulnerabilities surface, with SAP taking some 12 months to develop patches.

"The big surprise is that SAP cyber security is falling through the cracks at most companies due to a responsibility gap between the SAP operations team and the IT security team,” Nunez says.

"The truth is that most patches applied are not security-related, are late or introduce further operational risk."

The Boston firm found SAP pumped out 391 patches last year of which half were labelled high priority.

Nunez lay blame in part on SAP HANA which he says is responsible for a whopping 450 percent increase in the number of security patches.

"This trend is not only continuing, but exacerbating with SAP HANA ... positioned in the center of the SAP ecosystem [where] data stored in SAP platforms now must be protected both in the cloud and on-premise,” Nunez says.

The worst vulnerabilities topped 9.5 out of a severity rating of 10 for four holes in SAP SQL Anywhere, followed by 18 holes rated 7.5 for Sybase ESP.

"We are not only speaking about the number of vulnerabilities, which is quite large, but also the criticality," ERPScan founder Alexander Polyakov says.

Polyakov has made a name popping SAP systems. He says SAP's closed customer-only support portal shows some 388 small patches dubbed 'security notes' released last year, up seven percent since 2013.

"SAP Security notes are actually small patches that usually close one or more vulnerabilities in SAP applications found by third party companies and SAP's internal security team," he says.

The situation is probably substantially worse, according to Polyakov, considering the likelihood of bugs introduced into custom SAP installations.

"If experienced SAP developers can still leave mistakes in their code, imagine what is happening with customized SAP programs, [especially] those outsourced to other companies. High competition between outsourcing companies drives them to minimise development time and resources, which usually impacts security," he says.

Polyakov has published whitepapers detailing common SAP vulnerabilities, penetration testing guidelines, and defences. ®