Some old SAP systems have default kernel user accounts. Guess what happened next?
Infosec bloke pokes hornet's nest with stick; patch ASAP
Security researchers were able to access default SAP accounts on enterprise systems worldwide by using default passwords.
The security snafu meant that SAP systems worldwide were potentially vulnerable to data theft, business process disruption and fraud, specialist security outfit ERP-SEC warned.
Joris van de Vis, researcher at ERP-SEC, demonstrated full compromises of the SAP Solution Manager and connected systems via three of these default accounts during a presentation at the recent Troopers Security Conference.
The issue only affects users of older versions of SAP’s enterprise software. Van de Vis's research identifies some "very high risk" default accounts in affected installations, including one noted as a "hardcoded kernel user".
“The precise percentage of affected customers is unclear, but a quick check under some of our customers shows at least 50 per cent of them have one or more of these default users with a default password in their systems,” van de Vis explained. “This only affects long-time SAP customers as new installations are not affected.”
Customers need to change the passwords of these users. SAP has released a security note (login required) in order to support SAP customers with this process.
ERP-SEC's van de Vis explained that the weakness originates in SAP Solution Manager 7.0 Enhancement Package 1. "As many customers never changed these accounts and upgraded to the recent version SAP Solution Manager 7.1 the issue is still there for many customers."
The root cause of the problems was a default password being used in wizards that created users. "These wizards created some accounts with the default password ‘init1234’," van de Vis added.
ERP-SEC has released a free tool to help SAP customers identify accounts with default passwords in their environment.
In response to queries from El Reg, SAP said it had fixed the problem:
SAP Product Security Response Team collaborates frequently with research companies to ensure a responsible disclosure of vulnerabilities. All vulnerabilities disclosed at the IT-security conference Troopers (March 14, 2016, Heidelberg/Germany) have been fixed, and security patches are available for download on the SAP Service Marketplace.
We strongly advise our customers to secure their SAP landscape by applying the available security patches from the SAP Service Marketplace immediately.