More than 95 percent of SAP systems deployed in enterprises are exposed to vulnerabilities that could lead to a full compromise of business data, a security firm claims.
Onapsis, a Boston-based company that specialises in SAP security audits, also found that the average time-to-patch for SAP vulnerabilities is more than 18 months -- 12 months for SAP to issue fixes and 6 months for companies to deploy them.
This suggests that many companies are falling behind on SAP security, even though these systems hold some of their most critical and confidential information. The claim will provide food for thought for delegates at SAP's Sapphire event in Orlando this week.
Based on hundreds of security assessments, Onapsis determined that the most likely attack scenarios for compromising SAP systems are these: Pivoting from a lower-security system to a critical one to execute remote function modules; creating backdoor accounts on the SAP J2EE User Management Engine by exploiting vulnerabilities to gain access to SAP portals and other internal systems; and exploiting vulnerabilities in the SAP RFC Gateway to execute operating system commands with SAP admin privileges to obtain or modify information in SAP databases.
One of the challenges organisations face is that they can't reliably use vulnerability management products for SAP as they do for other IT systems, according to Carsten Eiram, chief research officer at vulnerability intelligence firm Risk Based Security.
"The reason is that tracking SAP product vulnerabilities is very difficult due to SAP's antiquated policy regarding disclosure: They provide information about vulnerabilities to customers only via an access restricted portal," Eiram said via email. "Furthermore, customers are not permitted to share this information with other parties like vulnerability databases."
This forces many companies to keep track of SAP security information themselves, instead of relying on security products, which might partially explain why many of them are slow in deploying SAP patches, Eiram said.
SAP released 391 security patches last year, of which half were marked as high priority, according to Onapsis.
But problems may be even more common than they seem: One security patch does not equal one vulnerability.
The SAP Support Portal contained 388 Security Notes in 2014, said researchers from ERPScan, another company that specialises in SAP security. Each note covered a patch for one or more security vulnerabilities, so the number of individual vulnerabilities is actually higher, they said via email.
Eiram's company recorded 389 SAP vulnerabilities in its own vulnerability database last year, but he, too, said that number is probably too low.