
Milky Blog


PREVENTION? Leaving the factory settings as they are is not a good idea!

By Hendrik Jansen  - January 29, 2019

Many companies run SAP and have invested a great deal of money in these systems (in the selection phase, the licences, the implementation, the support and the operation). Should they consider changing the default settings to protect that investment? The question is asked especially in light of #CYBERSECURITY or #SAPSECURITY, since many of these default settings allow attackers to gain access to business data far too easily.

The weakness lies in the factory configuration of the SAP NetWeaver platform (every OEM provider ships defaults or standard recommendations, not only SAP), but at most enterprises these settings are simply left unchanged, exactly as the OEM delivered them. SAP NetWeaver is the foundation for many products, including S/4HANA.

The problem affects the configuration responsible for transferring data between the various components of the SAP infrastructure, namely between the Application Server (business applications), the SAP Message Server and the SAP Central Instance, where the enterprise data is stored.

The SAP Message Server acts as a mediator and performs load balancing across the SAP infrastructure during peak activity. When a new Application Server is added, the system administrator must register it with the SAP Message Server; the registration takes place over port 3900.

Access Control List (ACL) support is implemented in the SAP Message Server, but it is disabled by default and system administrators must enable it themselves. Every enterprise is different, and if ACL support were enabled by default, many of them might run into problems during the initial configuration of their business applications.

The problem with the SAP factory configuration has been known since 2005. At that time the manufacturer issued a security notification recommending that companies not keep the default settings, configure the ACL as soon as possible, and allow access to port 3900 only from trusted addresses. But if you have just started with a new product or a new implementation, or you have a novice admin, it simply does not happen.

Back in 2009 and 2010, SAP issued two more security notifications with further instructions, and studies were published that shed light on the possible consequences of running SAP without an ACL. Yet according to security companies, 90% of their customers who underwent an audit of their SAP security level had not changed the factory settings and had not enabled the ACL.

According to our experts at agileSI, an attacker, or even an employee of the enterprise, can create a malicious application, register it in the corporate SAP infrastructure and use it to steal or modify corporate data (a so-called evil twin or man-in-the-middle attack).

An Access Control List determines who or what can access an object (a program, process or file), and which operations the subject (a user or group of users) is allowed or forbidden to perform.
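The two hardening steps the post describes, enabling the Message Server ACL and admitting only trusted hosts to the registration port, can be modelled offline. The script below is an added example written for this post; it is neither SAP's code nor agileSI's. It assumes the real instance-profile parameter `ms/acl_info` (the parameter that points the Message Server at its ACL file) and models the ACL file in a simplified form of one `HOST=<pattern>` entry per line with `*` as a wildcard; the profile text, ACL file and host names are all constructed for the example and should be checked against SAP's own documentation before being reused.

```python
"""Audit a constructed SAP instance profile for the Message Server ACL and
model which hosts an ACL would admit for registration.

Added example, not code from the original post or from SAP.
Assumed: the profile parameter `ms/acl_info` exists (it does in NetWeaver);
the ACL file format is simplified to `HOST=<pattern>` lines (an assumption)."""
from __future__ import annotations

import fnmatch
import re

# Constructed profile in the usual "key = value" layout: no ACL configured,
# which is the factory state the post warns about.
PROFILE_DEFAULT = """
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
"""

# Constructed hardened profile: the Message Server is pointed at an ACL file.
PROFILE_HARDENED = """
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
ms/acl_info = /usr/sap/PRD/SYS/global/ms_acl_info
"""

# Constructed ACL file in the simplified HOST=<pattern> form assumed above.
ACL_FILE = """
# Application servers allowed to register with the Message Server
HOST=appsrv01.corp.example
HOST=appsrv02.corp.example
HOST=10.10.5.*
"""


def parse_profile(text: str) -> dict[str, str]:
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    params: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def audit_profile(params: dict[str, str]) -> list[str]:
    """Return findings for the Message Server ACL; an empty list means pass."""
    findings = []
    if not params.get("ms/acl_info"):
        findings.append("ms/acl_info not set: Message Server ACL disabled (factory default)")
    return findings


def parse_acl(text: str) -> list[str]:
    """Collect the HOST= patterns from the simplified ACL file."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.fullmatch(r"HOST=(\S+)", line)
        if match:
            patterns.append(match.group(1))
    return patterns


def host_allowed(host: str, patterns: list[str]) -> bool:
    """True if the registering host matches any HOST= pattern (case-insensitive)."""
    lowered = host.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def evaluate_registrations(hosts: list[str], patterns: list[str]) -> dict[str, bool]:
    """Model the decision: with no ACL (factory default) every registration is
    accepted; with an ACL only hosts that match an entry are."""
    if not patterns:
        return {h: True for h in hosts}
    return {h: host_allowed(h, patterns) for h in hosts}


if __name__ == "__main__":
    # Constructed list of hosts attempting to register as application servers.
    candidates = ["appsrv01.corp.example", "10.10.5.23", "10.10.6.23", "laptop.example"]
    for label, profile in (("default", PROFILE_DEFAULT), ("hardened", PROFILE_HARDENED)):
        params = parse_profile(profile)
        acl = parse_acl(ACL_FILE) if params.get("ms/acl_info") else []
        print(f"[{label}] findings: {audit_profile(params) or 'none'}")
        for host, ok in evaluate_registrations(candidates, acl).items():
            print(f"  {host:24s} {'accepted' if ok else 'rejected'}")
```

Run against the constructed data, the default profile accepts every candidate, including the two that belong to no trusted range, while the hardened profile only accepts the hosts that match an ACL entry. The same parse-and-match logic can be pointed at a real profile and ACL export to confirm an audit finding without touching the running system.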

Talk to us about the possibilities of:

PREVENTION SERVICE - hardening your SAP® systems
