50% of SAP servers vulnerable, says research


SearchSecurity.in Staff

More than 50% of SAP deployments across the world are vulnerable to attack, according to ERPScan, an independent research firm specializing in enterprise resource planning (ERP) security. Alexander Polyakov, CTO and researcher at ERPScan, found vulnerabilities that make it possible for an attacker to gain access to systems running on SAP over the Internet. These have been detected in the J2EE engine of SAP’s NetWeaver software.

The security holes allow attackers to bypass authorization checks, create new users, and add them to the administrators group. This can be done by sending two specific unauthorized requests to the system. The vulnerabilities are claimed to affect even systems protected by two-factor authentication. The company plans to demonstrate these attacks at the BlackHat USA security conference to be held in Las Vegas this month.

To prove their claims, researchers at ERPScan created a program which searches for SAP servers on the Internet and scans them for these vulnerabilities. In the course of their research, ERPScan claims to have established that over 50% of the discovered servers suffer from these flaws.

According to experts, these vulnerabilities are critical, since every SAP system is unique, tailored to the requirements of each deployment. This makes each of these vulnerabilities unique, creating a whole new class of vulnerabilities. Since companies customize SAP to fit their own business processes, this gives rise to unique configurations, all riding on the same flawed framework.

ERPScan has developed a free security scanner for SAP, which helps enterprises detect this class of vulnerabilities. More details can be found at the ERPScan website.