9 deadly sins in SAP Security

by Andreas Wiegenstein, Virtuall Forge

There are probably a million things SAP customers can do wrong, when it comes to SAP security.

I have collected the most critical mistakes my team has observed in SAP Penetration testing projects over the past 10 years.

Here is the definitive list of the most deadly sins:

1. Hard-coded SAP* user active

The moment a malicious user gets a network connection to a login mechanism of your SAP system (e.g. SAP GUI, BSP, Web Dynpro, RFC) he can login with the hard coded username (‘SAP*’) and password (‘PASS’), gaining SAP_ALL privileges and has full control of the SAP system.

2. Insecure gateway

Any malicious user with a network connection to your SAP system can execute arbitrary commands on the operating system of the SAP server. This allows attackers to sabotage the server, install malware or to further penetrate your SAP landscape.

3. Critical patches not applied

Security researchers constantly discover and report new critical vulnerabilities in the SAP standard. When SAP patches these vulnerabilities, every (malicious) person with access to the corresponding SAP note can analyze the patch and derive an attack vector. If patches are not installed very timely, your systems are at high risk.

4. Default passwords of high-privileged users not changed

The moment a malicious user gets a network connection to a login mechanism of your SAP system (e.g. SAP GUI, BSP, Web Dynpro, RFC) he can login with the well-known credentials of high-privileged users like SAP*, DDIC and EARLYWATCH, gaining SAP_ALL privileges and has full control of the SAP system.

5. User with S_RFC * authorization

Any malicious user with S_RFC * authorization can call any of the 34.000+ remote-enabled function modules of the SAP standard. There are many critical function modules that allow to create users, change system settings and to read/write business data.

6. Unscanned custom code

Custom code can bypass all security settings in your SAP system. Malicious custom code is equivalent to SAP_ALL access to your system and allows attackers to take over full control. Any custom code deployed on the SAP server that was not previously inspected is therefore a very high security risk.

7. Solution Manager on the Internet

Although Solution Manager in itself contains no business data, it is a gate to the entire SAP system landscape. The moment a malicious user gets access to Solution Manager, the entire landscape is to be considered compromised. If this system is on the Internet it is just a matter of time, until it gets hacked.

8. Too many ICF services active

ICF services can be called via HTTP(S) and are therefore reachable remotely. There are many dangerous ICF services in the SAP standard that allow to read/change system settings and to read/write business data. If a malicious user gets access to these services, your SAP system is at severe risk.

9. Trusted connections between DEV and PROD systems

Development and QA systems are usually not as secure as productive systems. If there are trusted connection between your development/QA systems and your productive systems, an attacker able to break into a development/QA system can from there further penetrate your SAP landscape and get access to productive systems.