Infosec bloke pokes hornet’s nest with stick; patch ASAP
Security researchers were able to access default SAP accounts on enterprise systems worldwide by using default passwords.
The security snafu meant that SAP systems worldwide were potentially vulnerable to data theft, business process disruption and fraud, specialist security outfit ERP-SEC warned.
Joris van de Vis, researcher at ERP-SEC, demonstrated full compromises of the SAP Solution Manager and connected systems via three of these default accounts during a presentation at the recent Troopers Security Conference.
The issue only affects users of older versions of SAP’s enterprise software.
Van de Vis’s research identifies some “very high risk” default accounts in affected installations, including one noted as a “hardcoded kernel user”.
“The precise percentage of affected customers is unclear, but a quick check under some of our customers shows at least 50 per cent of them have one or more of these default users with a default password in their systems,” van de Vis explained. “This only affects long-time SAP customers as new installations are not affected.”
Customers need to change the passwords of these users.
SAP has released a security note (login required) in order to support SAP customers with this process.
ERP-SEC has released a free tool to help SAP customers identify the presence of accounts with default passwords in their environment.
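To show the shape of such a check from the defender's side, here is an added example that is not ERP-SEC's tool or SAP's code. It audits a constructed user-master export offline: every account name on a watchlist of default users is compared against a hash of its shipped default password, and only accounts that still match are reported for a password change. The account names, default passwords, salted SHA-256 scheme and export layout are all hypothetical placeholders; SAP's real default users and password hash formats are not on the page and are not used here.

```python
import hashlib

# Hypothetical watchlist of default accounts and the passwords they ship with.
# These names and values are constructed for this example; they are not SAP's
# real default users or passwords, which the article does not list.
DEFAULT_CREDENTIALS = {
    "DEFAULT_ADMIN": "changeme",
    "DEFAULT_SUPPORT": "support123",
    "DEFAULT_KERNEL": "kernel",
}


def password_hash(salt: str, password: str) -> str:
    """Constructed salted hash used by the sample export (not SAP's real scheme)."""
    return hashlib.sha256(f"{salt}:{password}".encode("utf-8")).hexdigest()


def _record(client: str, user: str, salt: str, password: str) -> str:
    """Build one tab-separated export line with the stored hash for `password`."""
    return "\t".join([client, user, salt, password_hash(salt, password)])


# Constructed user-master export: client, user, salt, stored hash (tab-separated).
SAMPLE_EXPORT = "\n".join([
    "CLIENT\tUSER\tSALT\tHASH",
    _record("000", "DEFAULT_ADMIN", "a1", "changeme"),      # default pw -> finding
    _record("100", "DEFAULT_ADMIN", "b2", "S3cure!Pass"),   # changed -> clean
    _record("100", "DEFAULT_SUPPORT", "c3", "support123"),  # default pw -> finding
    _record("100", "JSMITH", "d4", "changeme"),             # not a default account
    "",                                                     # blank line is tolerated
    _record("200", "DEFAULT_KERNEL", "e5", "kernel"),       # default pw -> finding
])


def parse_export(text: str):
    """Parse the tab-separated export into dicts, skipping the header and blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("CLIENT\t"):
            continue
        client, user, salt, stored = line.split("\t")
        rows.append({"client": client, "user": user, "salt": salt, "hash": stored})
    return rows


def find_default_credentials(text: str):
    """Return sorted (client, user) pairs for watchlisted accounts still on their default password."""
    findings = []
    for row in parse_export(text):
        default_pw = DEFAULT_CREDENTIALS.get(row["user"])
        if default_pw is None:
            continue  # only default accounts are in scope for this check
        if password_hash(row["salt"], default_pw) == row["hash"]:
            findings.append((row["client"], row["user"]))
    return sorted(findings)


if __name__ == "__main__":
    for client, user in find_default_credentials(SAMPLE_EXPORT):
        print(f"client {client}: {user} still uses its default password; change it")
```

Comparing stored hashes offline, rather than attempting logons with the default password, checks every client in one pass and never risks locking the accounts it is auditing; the same account appearing clean in one client and flagged in another (as DEFAULT_ADMIN does above) is exactly the per-client drift a long-lived landscape accumulates.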
In response to queries from El Reg, SAP said it had fixed the problem:
The SAP Product Security Response Team collaborates frequently with research companies to ensure a responsible disclosure of vulnerabilities.
All vulnerabilities disclosed at the IT-security conference Troopers (March 14, 2016, Heidelberg/Germany) have been fixed, and security patches are available for download on the SAP Service Marketplace.
We strongly advise our customers to secure their SAP landscape by applying the available security patches from the SAP Service Marketplace immediately.