More than 50% of SAP deployments across the world are vulnerable to attack, according to ERPScan, an independent research firm specializing in enterprise resource planning (ERP) security. Alexander Polyakov, CTO and researcher at ERPScan, found vulnerabilities that make it possible for an attacker to gain access to systems running on SAP over the Internet. These have been detected in the J2EE engine of SAP's NetWeaver software.
The security holes allow attackers to bypass authorization checks, create new users, and add them to the administrators group. This can be done by sending two specific unauthorized requests to the system. The vulnerabilities are claimed to even affect systems protected by two-factor authentication systems. The company plans to demonstrate these attacks at the BlackHat USA security conference to be held in Las Vegas this month.
To prove their claims, researchers at ERPScan created a program which searches for SAP servers on the Internet and scans them for these vulnerabilities. In the course of their research, ERPScan claims to have established that over 50% of the discovered servers suffer from these flaws.
According to experts, these vulnerabilities are critical because every SAP system is unique, tailored to the requirements of each deployment. This makes each instance of these vulnerabilities unique, creating a whole new class of vulnerabilities. Since companies customize SAP to their own business processes, this gives rise to unique configurations, all riding on the same flawed framework.