Ancient SAP software poisons networks
19th June 2013, 06:34, #1
Posted by Stefan Mileschin ([M] Reviewer)

SAP's expensive business software, whose function no one understands and which is so esoteric that no one ever bothers to upgrade it, could be a ticking security bomb.

Many companies have SAP installations which are so ancient that they did the logistics for King Charles' "lose your head party".

Research to be released next month by ERPScan shows that hundreds of organisations have been detected running dangerously vulnerable versions of SAP that are more than seven years old.

Vulnerabilities in the platform have been targeted in a range of attacks including those to modify pay cheques. They are also increasingly popular in the whitehat and blackhat exploit trade.

ERPScan chief technology officer and ZeroNights founder Alexander Polyakov found more than 4,000 servers hosting publicly-facing SAP applications during web searches using Google (700 servers) and Shodan (3,741 servers).

He said that if these outfits did their HR and financials with SAP it would be the end of them.

In a lecture, Polyakov said it was a common misconception that SAP systems were not public facing and remotely accessible.

For example, he found that 35 percent of the SAP systems found were running NetWeaver version 7 EHP 0, which was last updated in November 2005. Just under a quarter ran a version last updated in April 2010, and 19 percent ran a version unpatched since October 2008.

The same findings were uncovered for versions of SAP NetWeaver J2EE, which contained holes in critical services that without authentication could allow attackers to create users and assign roles, execute commands and turn the engine on and off.

Of the 5,000 exposed routers, 15 percent lacked access control lists which risked granting attackers access to the internal network; 19 percent contained information disclosure holes leading to possible denial of service; and five percent had dangerous insecure configurations leading to authentication bypassing.
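The post's last paragraph says 15 percent of the exposed routers had no access control list at all. The example below is an added illustration, not code from the article or from ERPScan, and it assumes that "routers" means SAProuter, whose permissions live in a saprouttab file of `P` (permit), `S` (permit native protocol) and `D` (deny) entries with `*` wildcards, evaluated first match wins. The sample table is constructed for this example and describes no real deployment; the severity labels are this example's own choice.

```python
"""Audit an SAProuter route permission table (saprouttab) for rules that
amount to having no ACL at all.  Added example; assumes the documented
saprouttab layout: <action> <source> <destination> <service> [<password>]."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample table for this example; not taken from any real system.
SAMPLE_SAPROUTTAB = """\
# VPN concentrator may reach the dispatcher on the app server
P 10.0.5.10 sapapp01 3200
# native-protocol (RDP) permit with a wildcard destination host
S 10.0.5.0/24 * 3389
# catch-all permit: every source to every host on every port
P * * *
D * * *
"""

PERMIT_ACTIONS = {"P", "S", "KP", "KS"}
VALID_ACTIONS = PERMIT_ACTIONS | {"D", "KD"}


@dataclass
class Rule:
    action: str
    src: str
    dst: str
    service: str
    has_password: bool
    lineno: int


@dataclass
class Finding:
    lineno: int
    severity: str
    reason: str


def parse_saprouttab(text: str) -> List[Rule]:
    """Parse the table, dropping comments and blank lines; keep file line numbers."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 fields, got {fields!r}")
        action = fields[0].upper()
        if action not in VALID_ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {fields[0]!r}")
        rules.append(Rule(action, fields[1], fields[2], fields[3], len(fields) > 4, lineno))
    return rules


def assess(rule: Rule) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a permissive rule, or None for a harmless one."""
    if rule.action not in PERMIT_ACTIONS:
        return None  # deny rules never widen access
    any_src, any_dst, any_svc = (f == "*" for f in (rule.src, rule.dst, rule.service))
    if any_src and any_dst:
        what = "any port" if any_svc else f"port {rule.service}"
        pw = " (route password set)" if rule.has_password else ""
        return ("critical", f"{rule.action} from any source to any host on {what}: no effective ACL{pw}")
    if rule.action in ("S", "KS") and any_dst:
        return ("high", "native-protocol permit to any destination host")
    if any_src:
        return ("medium", f"any source may reach {rule.dst}:{rule.service}")
    if any_dst or any_svc:
        return ("low", "wildcard destination host or service")
    return None


def audit(rules: List[Rule]) -> List[Finding]:
    """Assess each rule in order; rules after a catch-all entry are unreachable."""
    findings: List[Finding] = []
    catch_all_line: Optional[int] = None
    for rule in rules:
        if catch_all_line is not None:
            findings.append(Finding(rule.lineno, "info",
                                    f"unreachable: shadowed by catch-all rule on line {catch_all_line}"))
            continue
        result = assess(rule)
        if result is not None:
            findings.append(Finding(rule.lineno, *result))
        if rule.src == rule.dst == rule.service == "*":
            catch_all_line = rule.lineno
    return findings


if __name__ == "__main__":
    for f in audit(parse_saprouttab(SAMPLE_SAPROUTTAB)):
        print(f"line {f.lineno}: [{f.severity}] {f.reason}")
```

Run against the sample, the audit reports the `S` rule with a wildcard destination as high, the `P * * *` entry as critical, and the trailing `D * * *` as unreachable because the permit before it already matches everything. The same first-match logic is why an exposed SAProuter with a catch-all permit, even with a route password, should be treated as a direct path into the internal network.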