HPE Software is now Micro Focus
Security Research

SAP: One of the weaker security links?

An Enterprise Resource Planning (ERP) system is often the information backbone of a modern organization: a point of control for the organization’s financial reporting, human resources, inventory, production costs, sales and procurement. These systems are so complicated and vast that they may be considered “information systems within information systems.” They often have proprietary programming, support, and extensive vendor participation. To complicate things, how deeply they reach into the OSI stack and how widely they span the organization horizontally is not fully understood. This complexity adds another dimension to ERP security and raises the risk rating of this crucial system type.


Systems, Applications & Products in Data Processing (SAP) is one of the most popular and ubiquitous ERP systems in the world, serving 282,000 customers in 190 countries according to its 2014 report. SAP security “holes” have been known and reported ever since the first versions of the system. It is also well known that applications are a main vector of attacks these days. Given that ERPs cross boundaries between applications, networks, and even hardware, it is not surprising that more and more hackers choose either to attack them directly or to use them as a penetration and pivoting point for further ill-intended presence. According to a May 2015 study, over 95% of SAP systems worldwide had critical vulnerabilities, and the average period between patches was over 18 months. Security specialists may limit their tests of SAP security to the segregation of duties, as they are either inexperienced or uncomfortable delving into the technical threats surrounding the platform.


Threat Landscape

There is no doubt that hackers possess the same or better information about SAP vulnerabilities as we do. The number of relevant exploits is growing, often followed by significant breaches and disruptions.

Attackers usually choose the path of least resistance. Those who possess enough knowledge of SAP’s proprietary code may try to attack it directly; web-facing customer and vendor portals are another favorite. Most often these attackers try to move between SAP components, escalating privileges to get to the valuable information.


There are quite a few vulnerabilities and attacks specific to SAP. MITRE lists over 160 CVEs related to various versions of the system. The following table lists the most popular classes of attack against SAP installations, coupled with various indications that such an attack might be in progress. Such indications are useful information to ESM (enterprise security management) systems that collect, aggregate, and correlate them into a cohesive security picture.



Attack: SAP password cracking
Indicators:
- USR02 table is retrieved with transaction SE16 by users who would not normally need it.
- User logs in from an unusual location or at an unusual time.
- User performs actions she does not need or does not normally perform.
- Profile parameter login/password_downwards_compatibility is set to 1.
- BCODE field stores the user password using CODVN B.
- BCODE field stores the user password truncated at 8 characters.
- BCODE field stores the user password converted to uppercase.
- PASSCODE field contains the complete password, hashed with CODVN F.
- BCODE field stores the user password using CODVN I.
- SAP password is shorter than 8 characters.
- Initial password is a dictionary word.
- User has access to USR02.
- SAP servers are not deployed in an internal DMZ.
- Direct connections to the SAP databases are allowed.
- Tables USR02, USH02 and USRPWDHISTORY can be directly accessed through table maintenance tools (transactions SE16, SE17, SE11, etc.).
- Authorization object S_TABU_DIS is not used.
- The same passwords are used for critical users (SAP*, DDIC, administration users, etc.) in all systems and clients.
- login/min_password_lng is less than or equal to 8.
- login/min_password_lowercase is less than or equal to 0.
- USR40 table is configured to allow dictionary-based passwords.
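Several of the password-cracking indicators above are simple configuration checks that an ESM collector can run on its own. The following added example (not code from the original post) audits a profile-parameter dump and a USR02 extract for the settings the list names; the parameter, table and column names come from the list, while all sample values are constructed.

```python
# Constructed profile-parameter dump, `name = value` per line (as in RZ11 output).
PROFILE_DUMP = """
login/password_downwards_compatibility = 1
login/min_password_lng = 6
login/min_password_lowercase = 0
"""

# Constructed USR02 extract: CODVN = hash code version, BCODE = old-style
# hash (8 chars, uppercase), PASSCODE = CODVN F hash of the full password.
USR02_ROWS = [
    {"BNAME": "ALICE", "CODVN": "B", "BCODE": "<hash>", "PASSCODE": ""},
    {"BNAME": "BOB",   "CODVN": "F", "BCODE": "",       "PASSCODE": "<hash>"},
    {"BNAME": "CAROL", "CODVN": "I", "BCODE": "<hash>", "PASSCODE": "<hash>"},
]

def parse_profile(dump: str) -> dict:
    """Turn `name = value` lines into a dict, skipping blanks and comments."""
    params = {}
    for line in dump.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params

def check_profile(params: dict) -> list:
    """Return one finding per weak parameter value; a missing value counts as weak."""
    findings = []
    compat = params.get("login/password_downwards_compatibility", "0")
    if compat == "1":
        findings.append("password_downwards_compatibility=1: CODVN B hashes still written to BCODE")
    elif compat in ("3", "4"):
        findings.append(f"password_downwards_compatibility={compat}: logon checked against weak hash")
    elif compat != "0":
        findings.append(f"password_downwards_compatibility={compat}: non-default, review")
    if int(params.get("login/min_password_lng", "0")) <= 8:
        findings.append("login/min_password_lng is less than or equal to 8")
    if int(params.get("login/min_password_lowercase", "0")) <= 0:
        findings.append("login/min_password_lowercase is less than or equal to 0")
    return findings

def check_usr02(rows: list) -> list:
    """Flag users whose USR02 row still carries a downward-compatible hash."""
    return [f"{r['BNAME']}: CODVN {r['CODVN']}, BCODE populated"
            for r in rows if r["CODVN"] in ("B", "I") or r["BCODE"]]
```

Run `check_profile(parse_profile(PROFILE_DUMP))` and `check_usr02(USR02_ROWS)` against exports from the target system; each returned string is a ready-made alert line.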

Attack: Insecure default configuration of SAP Knowledge Management
Indicators:
- User is a part of the “Everyone” group.
- User has “Full Control” permissions.
- Phishing scams and Web 2.0 attacks against the employees.
- Modification and/or deletion of sensitive business information occurred.
- Two or more user groups have identical access.
- User is a Guest of SAP Enterprise Portal.
- "Everyone" group has Full Control in at least one KM folder.

Attack: Malicious penetration
Indicators:
- Transaction SE03 is performed.
- A new user with the SAP_ALL profile is created.
- login/password_downwards_compatibility profile parameter is set to 3 or 4.
- Password is checked against the “weak” hash value.
- USR02 table is modified.

Attack: Hardcoded user names
Indicators:
- SAP Security Notes contain hard-coded name notifications.
- Transaction SCI or report RS_ABAP_SOURCE_SCAN has not been used or reviewed in a while.

Attack: Malicious code in ABAP programs
Indicators:
- No security code reviews of custom ABAP code are performed.
- Database table REPOSRC is not secured.
- Table REPOSRC was modified.
- SET DATA was changed in table REPOSRC.
- PROGNAME was changed in table REPOSRC.
- Transactions like FK01 (Create Vendor), ME21 (Create Purchase Order), PA30 (Maintain HR Master Data), FI12 (Change House Banks/Bank Accounts) were modified.
- Vendor bank account information is changed.
- Customer information is sent from the SAP system to a web server on the Internet.
- SAP platform is connected with a SCADA system.
- ABAP programs that receive the SCADA signal information were modified.

Attack: Exploits in authenticated mode
Indicators:
- SAPMSYST was modified.
- Transaction SE38 is executed.

Attack: Invoker Servlet bypass
Indicators:
- A call is made to any servlet class located in WEB-INF\classes, WEB-INF\lib or WEB-INF\additionallib.
- Any servlet is called through its fully qualified class name via URL, e.g. http://sap-server/appname/servlet/com.company.privateServlet1Interface
- The “EnableInvokerServletGlobally” property of servlet_jsp on the server nodes is “True”.

Attack: Web access abuse
Indicators:
- The ICM returns one of the following Server headers:
    server: SAP Web Application Server (1.0;<VERSION>)
    server: SAP NetWeaver Application Server (1.0;<VERSION>)
    server: SAP NetWeaver Application Server / ABAP <VERSION>
    server: SAP NetWeaver Application Server <VERSION> / ICM <VERSION>
- The J2EE Engine returns one of the following Server headers:
    Server: SAP J2EE Engine/<VERSION>
    Server: SAP NetWeaver Application Server <VERSION> / AS Java <VERSION>
- ICM Server header is the default.
- J2EE Engine banner is the default (property UseServerHeader).
- An erroneous service request (such as /scripts/wgate/inexistent/!) triggers a default error message (e.g. 403 or 404).
- J2EE Engine SAP Enterprise Portal shows the default path for the application (/irj/portal).
- SAP EP provides version information in the source code of the generated pages.

Attack: Unrestricted Access to ICF Services
Indicators:
- ICF service is enabled and public.
- Standard users SAP*, DDIC, EARLYWATCH, SAPCPIC and TMSADM have publicly known default passwords.
- Info Service is enabled.
- Info Service was accessed through the /sap/public/info URL without business need.
- SOAP RFC Service is activated.
- WEBGUI service was accessed through the /sap/bc/gui/sap/its/webgui URL without business need.
- Web Dispatcher administration interface (default path is /sap/wdisp/admin) is accessible from untrusted networks.
- Web Dispatcher administration interface (default path is /sap/wdisp/admin) password for the administrator user is weak.
- SAP J2EE Engine application wsnavigator is enabled.
- SAP J2EE Server allows direct connections.
- HTTP request is sent directly to the SAP server:
    GET /irj/portal HTTP/1.1
    Host: <server>:<port>
    <AUTH_HEADER>: <user_to_impersonate>
  where AUTH_HEADER is from the spoofed third-party authentication solution.
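The Invoker Servlet, web access abuse and ICF indicators above are all observable at the HTTP layer. The following added example (not code from the original post) turns them into two detection checks: one classifies a Server header against the default banners quoted in the list, the other scans access-log lines for the service paths the list names and for a fully qualified class name after /servlet/. The log lines are constructed, and the "/wsnavigator" path is an assumption since the list names only the application.

```python
import re

# Constructed access-log sample (common log format); paths are the ones the lists above name.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2016:10:00:00 +0000] "GET /sap/public/info HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2016:10:00:01 +0000] "GET /irj/portal HTTP/1.1" 200 4096',
    '10.0.0.9 - - [01/Jan/2016:10:00:02 +0000] "GET /appname/servlet/com.company.privateServlet1Interface HTTP/1.1" 200 128',
    '10.0.0.9 - - [01/Jan/2016:10:00:03 +0000] "GET /sap/wdisp/admin/default.html HTTP/1.1" 401 0',
]

# Server header shapes quoted in the list; AS Java is checked first because its
# banner also starts with "SAP NetWeaver Application Server".
DEFAULT_BANNERS = [
    ("AS Java", re.compile(r"/ AS Java\b")),
    ("J2EE Engine", re.compile(r"^SAP J2EE Engine/")),
    ("ICM/ABAP", re.compile(r"^SAP (Web|NetWeaver) Application Server\b")),
]

# Services that should not be reachable without a business need ("/wsnavigator" is assumed).
SENSITIVE_PATHS = {
    "/sap/public/info": "Info Service",
    "/sap/bc/gui/sap/its/webgui": "WEBGUI",
    "/sap/wdisp/admin": "Web Dispatcher admin",
    "/wsnavigator": "wsnavigator",
}
# A fully qualified class name after /servlet/ is the Invoker Servlet pattern.
INVOKER_SERVLET = re.compile(r"/servlet/[A-Za-z_]\w*(\.\w+)+")
LOG_LINE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')

def classify_server_header(value: str):
    """Return the SAP component a default Server header reveals, or None."""
    for component, pattern in DEFAULT_BANNERS:
        if pattern.search(value):
            return component
    return None

def flag_requests(log_lines) -> list:
    """Return (source, service, path) for each request that hits a listed service."""
    findings = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        for prefix, name in SENSITIVE_PATHS.items():
            if path == prefix or path.startswith(prefix + "/"):
                findings.append((m.group("src"), name, path))
        if INVOKER_SERVLET.search(path):
            findings.append((m.group("src"), "Invoker Servlet call by class name", path))
    return findings
```

A non-None result from `classify_server_header` on a response captured from the ICM or J2EE Engine means the default banner is still enabled; `flag_requests(SAMPLE_LOG)` yields three findings, while the /irj/portal hit is left alone because the list treats it as a default path rather than a sensitive service.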


Post written by Guest Researcher Roman Potapov
