Many companies run SAP and have invested a great deal of money in these systems (in the selection phase, the licences, the implementation, the support and the operation). Should they consider changing the default settings to protect that investment? The question matters especially in light of #CYBERSECURITY or #SAPSECURITY, since many of these default settings allow attackers to gain access to business data far too easily.
The weakness lies in the factory configuration of the SAP NetWeaver software (every OEM vendor ships defaults or standard recommendations, not only SAP), and at most enterprises these settings are simply left unchanged, exactly as the vendor delivered them. SAP NetWeaver serves as the foundation for many products, including popular ones such as S/4HANA.
The problem affects the configuration responsible for transferring data between the components of the SAP infrastructure, namely between the Application Servers (business applications), the SAP Message Server and the SAP Central Instance, where the enterprise data is stored.
The SAP Message Server acts as a mediator and performs load balancing across the SAP infrastructure during peak activity. When a new application server is set up, the system administrator must register it with the SAP Message Server. The registration goes through port 3900.
Access Control List (ACL) support is implemented in the SAP Message Server, but it is disabled by default and system administrators must activate it themselves. Every enterprise is different, and if ACL support were enabled by default, many of them would run into problems during the initial configuration of their business applications.
The problem with the SAP factory configuration has been known since 2005. At that time the vendor issued a security note recommending that companies not stay on the default settings, configure the ACL as soon as possible, and restrict access to port 3900 to trusted addresses. But if you have just started with a new product or a new implementation, or you have a novice admin... it does not happen.
Back in 2009 and 2010, SAP issued two more security notes with further instructions, and studies were published that shed light on the possible consequences of running SAP without an ACL. Nevertheless, according to security companies, 90% of their customers who underwent an audit of their SAP security level had not changed the factory settings and had not enabled the ACL.
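The following is an added audit example, not code from SAP or from agileSI. It checks an instance profile for the Message Server ACL parameter (assumed here to be `ms/acl_info`, the SAP profile parameter that points the Message Server at its ACL file) and flags wildcard host entries in that file; the profile and ACL contents are constructed samples, and the ACL line format is an assumption to be verified against SAP's documentation.

```python
# Constructed sample instance profile. The ACL parameter is commented out,
# which mirrors the factory default described above (ACL disabled).
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = DEV
INSTANCE_NAME = DVEBMGS00
ms/server_port_0 = PROT=HTTP,PORT=8100
# ms/acl_info = /usr/sap/DEV/SYS/global/ms_acl_info
"""

# Constructed sample ACL file. Assumed line format:
# HOST=<host|ip|*>, USER=<user|*>, SYSTEM=<SID|*>, NR=<instance no|*>
SAMPLE_ACL = """\
HOST=appsrv01.corp.example, USER=*, SYSTEM=DEV, NR=*
HOST=*, USER=*, SYSTEM=*, NR=*
"""


def parse_profile(text: str) -> dict:
    """Return the effective (uncommented) profile parameters as a dict."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def parse_acl(text: str) -> list:
    """Parse each ACL line into a dict of its KEY=value fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = dict(f.strip().split("=", 1) for f in line.split(","))
        entries.append(fields)
    return entries


def audit(profile_text: str, acl_text: str = "") -> list:
    """Return a list of findings; an empty list means the checks passed."""
    params = parse_profile(profile_text)
    if "ms/acl_info" not in params:
        # Factory default: no ACL file configured, any host may register.
        return ["ms/acl_info not set: Message Server ACL is disabled"]
    findings = []
    for entry in parse_acl(acl_text):
        if entry.get("HOST") == "*":
            findings.append(f"wildcard HOST entry permits any host to register: {entry}")
    return findings
```

Run `audit()` against the real profile and ACL file of each instance; a non-empty result is a finding to follow up on.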
According to our experts at agileSI, an attacker, or even an employee of the enterprise, can create a malicious application, register it in the corporate SAP infrastructure and use it to steal or modify corporate data (a so-called evil twin attack, or man-in-the-middle).
An Access Control List (ACL) determines who or what can access an object (program, process, or file), and which operations a subject (a user or group of users) is allowed or forbidden to perform on it.
Talk to us about the possibilities of:
PREVENTION SERVICE - hardening your SAP® systems
DETECTION SERVICE - detecting attacks such as the EVIL TWIN ATTACK described above
Want to learn more? Contact us here!
We are here for you. SAFELY ENABLING YOUR SAP® BUSINESS