Wednesday 20 May 2015

omgSAPpwnage but then again not really ...

Disclaimer: I don't work for SAP. This is a personal blog and none of it represents the opinion of any entity other than myself.

That said, I ran across the following article today:
http://www.infosecisland.com/blogview/24531-Top-Three-Attack-Vectors-for-SAP-Systems.html

It is titled "Top Three Attack Vectors for SAP Systems" so I was expecting a list of (at least three) direct attack vectors against SAP Systems. Once again, as is the case for many articles on security subjects nowadays, I was disappointed. I can only hope to provide some perspective here from experience and my own insight into the problems surrounding corporate ERP systems.

The top three, as listed in the article and accompanied by comments from yours truly, are as follows:

  • Pivoting Between SAP Systems, where the attack begins with a system with lower security to a critical system in order to execute remote function modules in the destination system

So an attacker is able to gain access to SAP Systems AFTER they have compromised (part of) the supporting infrastructure and is then able to compromise other connected systems? You don't say! I fail to see how this is a direct problem with SAP systems. If you're not able to prevent OR detect compromises before they reach SAP systems, there isn't much that's stopping an attacker from getting there, right? There isn't a big need for vulnerabilities in an SAP system to achieve this either. It's like saying you are able to send text messages in my name when I unlock my phone and hand it to you.

  • Portal Attacks, where backdoor users are created in the SAP J2EE User Management Engine and an attacker obtains access to SAP Portals and Process Integration platforms and their connected, internal systems

Uh? What? "where backdoor users are created"? Wouldn't you say all bets are off when an attacker is able to do this? Show me a remote and unauthenticated vector for an attacker to do this and I'm happy to put this on #1 though.

  • Database Warehousing Attacks through SAP proprietary protocols, where an attacker executes operating system commands under the privileges of a particular user and by exploiting vulnerabilities in the SAP RFC Gateway to gain access to the SAP database

Again, there is an assumption of prior compromise (including gaining access to credentials) to get to a point where this is possible.

I'm not saying that SAP doesn't have security issues. There are advisories released by the SAP Security team and patches are made available regularly that organizations should apply.

ERP systems hold a lot of your most valuable assets and they deserve your attention, but the article as presented does not provide any credible evidence that attackers can arbitrarily access SAP Systems without considerable prior effort. Moreover, the three vectors as presented are easy to address by doing the basics in your supporting infrastructure:

  • Identity Management, Access and Authorization.
  • Intrusion Detection, Log Management & Analysis, ...
  • Network & Host Monitoring
  • Systems Hardening
  • etc. etc.
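To make the "basics" concrete, here is a small added example (my own illustration, not code from the original post or from SAP or any vendor) of what log management and identity monitoring look like against the three vectors above: a detection pass that flags RFC calls into a critical system from outside a trusted subnet (the pivot), newly created accounts that are handed a privileged role shortly afterwards (the portal backdoor user), and any privileged role assignment. The record format, system names, subnets and role names are constructed assumptions for this example; they are not the SAP Security Audit Log or UME log format, only a stand-in for whatever your collector normalises those sources into.

```python
"""Toy detection pass over constructed audit records (assumed format, not SAP's)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed sample records in a simple key=value format. Assumption for this
# example only: a real deployment would feed the normalised audit trail here.
SAMPLE_LOG = """\
2015-05-20T09:01:12 sys=PRD event=RFC_CALL user=RFC_BATCH src=10.10.1.5 dest=PRD
2015-05-20T09:02:40 sys=PRD event=RFC_CALL user=RFC_BATCH src=10.20.7.33 dest=PRD
2015-05-20T09:05:03 sys=PORTAL event=USER_CREATE user=ADMIN target=svc_backup2
2015-05-20T09:05:09 sys=PORTAL event=ROLE_ASSIGN user=ADMIN target=svc_backup2 role=Administrators
2015-05-20T09:07:55 sys=PRD event=LOGIN user=JSMITH src=10.10.1.20 result=OK
"""

# Trust model (assumed): only the integration subnet may open RFC connections
# into PRD. Anything else is a candidate pivot from a lower-trust system.
TRUSTED_RFC_SOURCES = {"PRD": [ipaddress.ip_network("10.10.1.0/24")]}
# Assumed privileged portal roles whose assignment is always reviewed.
PRIVILEGED_ROLES = {"Administrators"}
# A fresh account that gains a privileged role within this window is suspicious.
NEW_ACCOUNT_WINDOW = timedelta(hours=1)


@dataclass
class Alert:
    rule: str
    record: dict


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; timestamp lands under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def rfc_source_trusted(rec):
    """True when the RFC caller's address is inside a subnet trusted for the destination."""
    src = ipaddress.ip_address(rec["src"])
    return any(src in net for net in TRUSTED_RFC_SOURCES.get(rec["dest"], []))


def detect(log_text):
    """Run the three rules over the log and return alerts in log order."""
    alerts = []
    created_at = {}  # account name -> creation timestamp, for the backdoor-user correlation
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        when = datetime.fromisoformat(rec["ts"])
        event = rec.get("event")
        if event == "RFC_CALL" and not rfc_source_trusted(rec):
            alerts.append(Alert("rfc-from-untrusted-source", rec))
        elif event == "USER_CREATE":
            created_at[rec["target"]] = when
            alerts.append(Alert("account-created", rec))
        elif event == "ROLE_ASSIGN" and rec.get("role") in PRIVILEGED_ROLES:
            alerts.append(Alert("privileged-role-granted", rec))
            born = created_at.get(rec["target"])
            if born is not None and when - born <= NEW_ACCOUNT_WINDOW:
                alerts.append(Alert("new-account-made-privileged", rec))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert.rule}] {alert.record['ts']} {alert.record.get('user')} -> {alert.record}")
```

On the sample data this raises four alerts: the RFC call from 10.20.7.33 (outside the trusted subnet), the creation of svc_backup2, the Administrators assignment, and the correlation of the two portal events. None of the rules needs an SAP vulnerability to fire; they only need the audit trail to be collected and someone to look at it, which is the point of the list above.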
If we're going to continue letting the media drive our agenda (driven by PR companies and organizations interested in pushing a product; yeah, most of the content is provided by an organization pushing an SAP vulnerability scanner/tool) rather than looking to solve the hard underlying problems in security and how organizations should address those, we're pretty much doomed.

Security is not sexy. Security is not solved with tools. Security is hard work, and while I appreciate the idea behind putting it on the agenda with urgency, I'm pretty much tired of the flash fires that distract us from doing what is actually needed.