[ISN] Exploits Target SAP Applications

http://www.darkreading.com/database-security/167901020/security/application-security/229000524/exploits-target-sap-applications.html

By Kelly Jackson Higgins
Darkreading 
Jan 11, 2011

A researcher at next week's Black Hat DC will show how attackers can 
target an enterprise's Web-enabled SAP applications by exploiting the 
way enterprises have misconfigured them, as well as some inherent design 
issues in the enterprise resource management (ERP) apps.

Mariano Nunez Di Croce, director of research and development for 
Onapsis, will demonstrate bypassing authentication in SAP Enterprise 
Portal, injecting a backdoor into a compromised SAP Enterprise Portal, 
internal port-scanning via SAP Web services, and exploiting vulnerable 
SAP Web services.

Because SAP apps are becoming more Internet-connected, they are also 
becoming more of a target for cyberespionage, sabotage, and fraud 
purposes, he says. SAP's Web-based apps include Enterprise Portal, 
Internet Communication Manager (ICM), and Internet Transaction Server 
(ITS), which come with security features. But Onapsis has found via 
penetration tests that most of its own customers, which include Fortune 
100 firms, have not properly locked down their SAP apps, which typically 
run sensitive business processes, such as finance, sales, production, 
expenditures, billing, and payroll.

"Most customers don't change the default [user and password] settings 
[for SAP]," Nunez Di Croce says. "Ninety-five percent of them are 
susceptible to being compromised and to possible espionage and fraud" 
due to these default settings remaining unchanged, he says.

[...]


___________________________________________________________      
Tegatai Managed Colocation: Four Provider Blended
Tier-1 Bandwidth, Fortinet Universal Threat Management,
Natural Disaster Avoidance, Always-On Power Delivery 
Network, Cisco Switches, SAS 70 Type II Datacenter. 
Find peace of mind, Defend your Critical Infrastructure.
http://www.tegataiphoenix.com/