Forgot your password?
typodupeerror
Security Businesses

Scores of Vulnerable SAP Deployments Uncovered 118

Posted by Unknown Lamer
from the double-your-paycheck dept.
mask.of.sanity writes "Hundreds of organizations have been detected running dangerously vulnerable versions of SAP that were more than seven years old and thousands more have placed their critical data at risk by exposing SAP applications to the public Internet. The new research found the SAP services were inadvertently made accessible thanks to a common misconception that SAP systems were not publicly-facing and remotely-accessible. The SAP services contained dangerous vulnerabilities which were since patched by the vendor but had not been applied."
This discussion has been archived. No new comments can be posted.

Scores of Vulnerable SAP Deployments Uncovered

Comments Filter:
  • I can explain (Score:5, Insightful)

    by slashmydots (2189826) on Monday June 17, 2013 @10:06PM (#44035869)
    As head IT manager, I can definitely explain this. The company approves a software suite that's seemingly "perfect" for 150% the anticipated budget. They really couldn't afford it in the first place so they already cut the support and upgrade path subscription. Then they never approve the absurdly high renewal/upgrade cost the next year and the next year and the next year and tada, you've got an outdated, insecure piece of crap.
    When you buy a software suite, make sure you have the money to support it in the long term! It's all about the TCO!
    • by maden (1855410)
      I would have expected the feasibility of maintenance and support to be an important factor when adopting new software... I hardly see how this can be overlooked!
      • Re:I can explain (Score:5, Insightful)

        by Scutter (18425) on Monday June 17, 2013 @10:31PM (#44036021) Journal

        When it's all overhead, maintenance fees are a very attractive number for the budget-cut knife.

      • When IT doesn't buy software, IT doesn't get to make sure it is bought correctly. And it's usually not IT that buys "business critical" applications like these. It's accountants and receptionists and such types that get hoodwinked, and then proceed to supersede any IT decision by going directly to the CFO, who uses his political pull to force IT to install the application and then fuhgeddaboudit.
        • by DarkOx (621550)

          True but IT isn't usually able to evaluate the business requirements of something like an ERP package. You need a team with all the stake holds and they all need to be equal partners.

          What you usually happens though is IT gets invited to the meetings, usually isn't allowed to ask to many questions and is told to by some currently political powerful middle manager to just be quiet when the lowest bid contractors proposes some infrastructure build out missing all the really expensive but show stopping parts l

      • Work at my place then, lol. The bosses are basically the IT manager instead of me. If they like a shiny software suite, they buy it as long as I verify that it literally runs. We're also 85% behind on deploying Windows 7 machines to replace our 80% XP ones. That's right, 1/20th of the amount we needed to replace on my schedule haven't been replaced for budget reasons. So basically they don't approve any expense that we really need unless they personally like it or came up with the idea. That's pretty
    • by Anonymous Coward

      You may be a head IT manager, but you're not a CxO, other executive or key investor/debt holders who keep the attention of the executive suite. They seem to care more at a fundamental level how their stock options, etc. are performing. Especially the CFO, balking at the costs of ongoing support contracts like for SAP. If they can get away with running it w/o ongoing support from the vendor (and, even more, the headcount that goes with it), they will.

    • Re:I can explain (Score:5, Interesting)

      by sjwt (161428) on Monday June 17, 2013 @10:36PM (#44036037)

      I can also explain, having gone through a SAP implementation 2 years ago, we were still plagued with bugs that had fixes issued over 4 years ago..

      Seems they somehow didn't install fully patched updated modules, and with a yearly renewal.upgrade cost it all makes sense now.

    • How do you explain (Score:4, Insightful)

      by Anonymous Coward on Monday June 17, 2013 @10:37PM (#44036045)

      And how do you, as head IT manager, explain why they are public facing? This is the sort of ineptitude that I expect from people running Linksys routers for firewalls and Mom & Pop shops. I expect more from the head IT manager at a company that spent a quarter of a million dollars on ERP licensing alone. It's one thing to claim training and upgrade budget cuts, but it's another thing entirely to open your firewall to insecure services.

      The problem described in the article is far from a new issue. But, it is a problem that should not be occurring at the level of these enterprises.

    • by Flere Imsaho (786612) on Monday June 17, 2013 @11:01PM (#44036139)

      SAP - Send Another Payment, or, Sucks All Profit

      • I was on an SAP project in 2000. They were $20M into the implementation and changed course. Then they switched to Oracle for an expected $30M. The software never materialized from Oracle.
    • by Anonymous Coward on Monday June 17, 2013 @11:12PM (#44036199)

      Chuckle. I used to work at a place that gave all their database stuff to a SAP outside vendor, all their letters and form documents.

      One of the people who did interviewing later wanted one of his standard letters -- emailed as a PDF routinely -- to have yellow hilighting applied to an important sentence. He asked the vendor to make that change.

      The vendor came back with a proposed work order for six hours of programmer time at $200/hour to make that change.

      (My coworker printed that page, got a hilighter, hilighted the text, scanned it, and emailed that image thereafter.)

      • by Rich0 (548339)

        One of the people who did interviewing later wanted one of his standard letters -- emailed as a PDF routinely -- to have yellow hilighting applied to an important sentence. He asked the vendor to make that change...The vendor came back with a proposed work order for six hours of programmer time at $200/hour to make that change.

        That seems awfully cheap, frankly. Maybe it was just the incremental cost to add it to an already-planned release.

        When you're messing with software at this scale 95% of the effort goes into making sure that you don't break it, and documentation. Changing the report file probably takes 5 minutes, and then the rest of the time is writing the requirements, reviewing the prototype, having a PM check that it was done on time, writing up the system/acceptance tests, testing that all the other 47 requirements fo

        • by drinkypoo (153816)

          When you're messing with software at this scale 95% of the effort goes into making sure that you don't break it, and documentation. Changing the report file probably takes 5 minutes, and then the rest of the time is writing the requirements, reviewing the prototype, having a PM check that it was done on time, writing up the system/acceptance tests, testing that all the other 47 requirements for that report are still met, writing up the install script and updating the install package, scheduling the downtime for the upgrade, updating the servers (likely on a weekend - oh and don't forget you have to do it once for your test instance as well), etc.

          You're seriously talking about a graphical change. This would be about fifteen seconds' work on an IBM mainframe, to diddle the format. If it isn't on SAP, then SAP sucks shit and no amount of your apologizing will change it any more than it would change Lotus Notes.

          • Re: I can explain (Score:2, Interesting)

            by Anonymous Coward

            No, he's correct. My last position involved a few cases of "just diddling the format" (literally changing a configuration variable in code I had already written and formally tested - including third-party validation). This particular report was glanced at by the head of a commission, then placed on the Governor's desk. Needless to say, 6 hours would be very short for a formatting change - 40 hours (in house, with an additional 4-8 third party billable) would be much more realistic.

            Again, this is all for a "

          • by Rich0 (548339)

            You're seriously talking about a graphical change. This would be about fifteen seconds' work on an IBM mainframe, to diddle the format. If it isn't on SAP, then SAP sucks shit and no amount of your apologizing will change it any more than it would change Lotus Notes.

            It is 15 seconds of work on any reporting tool, including SAP. The cost comes in all the release management.

            Or do you just log into your production system and routinely edit your report files? If so, then your report fixes certainly will be faster, and that's good because I'm sure you'll be doing plenty of them...

      • at $200/hour to make that change.

        Nice salary if you can get it.

  • by Anonymous Coward on Monday June 17, 2013 @10:13PM (#44035915)

    I once heard SAP described as "The Germany's way of getting back at us for winning the war." I've spent my fair share of time beating SAP abomination into submission. I'll be glad if this makes organizations think twice before allowing this atrocity to sink its teeth into their business processes.

    • The weird thing is, more companies seem to be using SAP. Certainly SAP owns more buildings in the Bay Area (maybe putting their name on buildings is their entire advertising budget), and their revenue seems to be up. I honestly don't understand why, and I don't entirely understand what they do.
      • by cusco (717999) <brian.bixby@gma i l .com> on Tuesday June 18, 2013 @12:42AM (#44036537)
        If you ever have to deal with their software you'll eventually realize that they don't understand it either.
        • by dargaud (518470)

          If you ever have to deal with their software you'll eventually realize that they don't understand it either.

          I knew a freelancer who 'fixed issues with SAP'. She charged more per day than I make per month.

      • I think they're some sort of brokerage house that manages and markets buzzwords.

        • by Rich0 (548339) on Tuesday June 18, 2013 @06:53AM (#44037641) Homepage

          I think they're some sort of brokerage house that manages and markets buzzwords.

          ++

          They don't sell software - they sell a vision for your business. They don't sell it to anybody but the CEO.

          They're also a classical example of how the usual RFP process fails. If you give me a list of 500 arbitrary requirements and ask "can SAP do this?" the answer is almost certainly yes. Go ahead and put landing a man on the moon on that list of requirements and the answer still is yes. The problem is that in order to do even the most trivial functions your employees will be exposed to something that almost outdoes the airline industry in terms of arcanity. For various reasons you're not allowed to put on the RFP the question "can your system be operated by anybody other than an SAP developer without first training them to be an SAP developer?"

          This is a common failing in large systems. The only metric is checking all the boxes, so all the boxes get checked, and we don't even bother to deliver usability let alone try to measure it.

    • You mean you didn't learn ABAP and can't understand tables named with German acronyms?
  • No problem. .. (Score:5, Insightful)

    by jd2112 (1535857) on Monday June 17, 2013 @10:16PM (#44035923)
    Nothing that a multi-year multi-million dollar project doomed to run obscenely over budget and schedule can't fix.
    • by Anonymous Coward

      IBM here ... did someone call me?

      • by c0lo (1497653)

        IBM here ... did someone call me?

        Get off, IBM... Oracle [zdnet.com] leased [eaconsult.com] this line some time ago [blogspot.com.au].

        • by dkf (304284)

          IBM here ... did someone call me?

          Get off, IBM... Oracle leased this line some time ago.

          Ah, but who do you think they leased the line from?

  • by Anonymous Coward on Monday June 17, 2013 @10:20PM (#44035959)

    This might seem off topic, but SAP is perhaps unique among the major enterprise software vendors in making it intentionally difficult for someone to self-educate in their products without being a paying customer, and of course being a customer requires serious bucks. There's no "mySAP Express Edition" that I'm aware of, and I've actually bought a couple books on SAP (this was years ago) so I could at least get a grasp on what their software does, besides being "what large corporations run their businesses on". I threw them both out pretty quickly because they were useless.

    So it could be that SAP was also banking on this tactic to stay below the radar of hackers. Well, as the slides point out, some of the bad guys are insiders and contractors who know all about SAP.

    Contrast that with the products of Microsoft, Oracle, IBM, Red Hat, where there's lots of tutorials and express editions available for free, and 800-page books written by serious engineers available for reasonable prices.

    • Contrast that with the products of Microsoft, Oracle

      Apples to apples, I don't believe either of those companies provide an 'Express' version of the ERP software (Oracle/JDE/PeopleSoft/Dynamics AX/NAV). As an independent, it's always been frustrating to try to evaluate new releases from those vendors.

      • by Anonymous Coward

        Just pointing out there is a demo "Lite" type version of MS' ERP, but there are more examples that don't and are used in the "Big 500" than the list above suggests.

        I currently admin/manage/train/support/etc two ERP systems and I was shocked to find the MS is the better documented and more self trainable of the two and by far one of the best.

        SAP is one of the worst ERP systems I've had the "fortune" of being exposed to, from a technical perspective and from a management perspective. That is without the const

      • by atom1c (2868995)

        I don't believe either of those companies provide an 'Express' version of the ERP software...

        Tharr shur is. The entire Oracle stack is available in Developer and Trial forms; they only require 3x 6.8GB downloads but it's all there (see http://www.oracle.com/technetwork/indexes/downloads/index.html [oracle.com]). The Microsoft Dynamics are available as part of TechNet and MSDN subscriptions -- if professional enough -- for trial purposes.

        The use-restricted versions (i.e. Express-equivalent) are very limited, however... but as an ISV or consultant, there's enough developer access to learn their wares if you gav

      • Contrast that with the products of Microsoft, Oracle

        As an independent, it's always been frustrating to try to evaluate new releases from those vendors.

        I think that's also by design, to keep C-level business decisions from being influenced by criticism from the technically-astute tier. After all, these deals are often brokered at the golf course, where one's handicap is more relevant than platform or infrastructure culture.

    • by Anonymous Coward

      I have worked for SAP as a senior software engineer for 7 years now, though well outside of our main product line. I don't even know what it is the company software actually does after doing a bit of searching. Whenever someone starts asking me what the company does I just give a vague "business logistics software" and leave it at that.

    • What do they actually do? I'm still not entirely sure.....ERP, whatever that is.
      • by Rob_Bryerton (606093) on Tuesday June 18, 2013 @12:54AM (#44036573) Homepage
        ERP = Enterprise Resource Planning, a bad name for a general class of business software that does just about anything, from billing to shipping & receiving, warehouse automation, reporting, etc, etc. Basically a somewhat integrated suite of applications that tie all (or many) aspects of a business together, implementing business processes in software.

        Implementations typically run in timescales of years and millions of dollars, with teams of developers, DBAs, etc. The software suite is a canned solution that you then slightly (or vastly) modify to tailor to your business needs. ( My job as a systems & storage administrator at a major US-based snack food company has me managing the ~30 Linux servers that run our Oracle databases on the DB tier and Oracle EBusiness suite at the application tier, backed by all manner of storage arrays, NAS devices, FC SANs, load balancers, etc, etc. Fun stuff! )

        Think of it as Quicken, but on a very large scale.
        • That's fascinating. Who uses it? Do people need to be trained to use it? Or is that just something you're expected to know if you're (for example) a warehouse automation kind of guy?
          • by Rich0 (548339)

            Who uses it?

            Anybody who hasn't figured out how to avoid it. Unfortunately that usually ends up being most of the company. At my workplace SAP does everything from payroll to expenses to customs.

            SAP's main advantage is in all its integration. That's about its only advantage. Any individual task done by SAP is usually better-done by something else which leads to endless frustration. The advantage it has is that if I want to get reimbursed for a drive to a meeting I can charge the money to a specific subtask of a pro

            • by drinkypoo (153816)

              The thing is, you can accomplish everything in your theoretical peanut scenario with interactions between humans if they have adequate organization. But you can't accomplish any of that with SAP if you lack adequate SAP organization. So by spending the effort on SAP, what do you get? Maybe the same results if you're lucky and SAP doesn't explode, and now you get to pay for SAP.

              Might as well just buy an AS/400 (can you even still do that?)

          • by drinkypoo (153816)

            SAP is like an operating system for business intelligence applications. It has that much complexity. It's just further proof that those who do not understand Unix are doomed to reinvent it... poorly.

            • by tibit (1762298)

              This is very insightful. SAP's biggest advantage (integration) is its biggest disadvantage, too. In software engineering, tight coupling in such a big system has been repeatedly shown to lead to disasters. By any reasonable metric of software structure, SAP is a disaster.

        • The software suite is a canned solution that you then slightly (or vastly) modify to tailor to your business needs.

          I always thought that you installed SAP, then re-configured your business to work with it :-)

      • What do they actually do?

        It's like drugs. You can do drugs, but sometimes, they do you.

        You can do SAP, but sometimes, they do you.

  • So.... (Score:5, Funny)

    by wbr1 (2538558) on Monday June 17, 2013 @10:31PM (#44036017)
    Their IT departments are full of saps?

    ba-dum-dam

    Thanks, I'll be here all night.

  • It's German for 'Our hands in your wallet'

  • If you are a service provider you should be required to let your clientele know what versions of software you are using.

    • That would violate one of the first fundamental laws of security. Despite what people on slashdot like to rant and rave about, many times being behind on updates has nothing to do with being cheap or lazy. Real networks are complicated... and often you have nested dependencies that force you into situations you'd rather not be in. Load Balancer A has a bug in it's newest OS update, so you can't upgrade to that unless you want to lose access to 4 of your biggest clients. So you have to wait 6 months for the

      • by cusco (717999) <brian.bixby@gma i l .com> on Tuesday June 18, 2013 @12:49AM (#44036555)
        Or my particular headache, you run a 24x7x365 enterprise app distributed across 18 different countries on every continent but Antarctica. We're two years behind on updates because we can't take the system down for an hour.
        • by dbIII (701233)
          I think we need to learn from the gamers and from other industries. If Blizzard can shut down for a few hours every Tuesday night why can't the rest of us shut down for half a day on Christmas or similar slow time? Mature heavy industries with huge opportunity costs from planned shutdowns still do them to avoid the much greater problem of unplanned shutdowns from failures. IT still looks far too much like random basket weaving than engineering and whoever put you in that spot of keeping the system up ind
          • by cusco (717999)
            Security system. Blizzard doesn't face the possibility of someone breaking into the Dublin data center undetected during that downtime, stealing the plans for the next Airbus jet, a magazine publisher's entire customer database, or the source code for a banking web site. We'll have to do it during the next year, when support for this version is discontinued, but then it will go gradually out of date until that happens again.
      • by drinkypoo (153816)

        Despite what people on slashdot like to rant and rave about, many times being behind on updates has nothing to do with being cheap or lazy.

        Sure, there's also stupidity and incompetence.

        If the system can't be taken down for maintenance, in pieces if necessary and with redundance if necessary, then the initial design was incompetent. And if the system is based on SAP, then whoever made the purchasing decision was not only incompetent, but also stupid. A cursory look around will tell you that everyone with SAP and without billions of dollars is very angry.

        • by tibit (1762298)

          If the system can't be taken down for maintenance, in pieces if necessary and with redundance if necessary, then the initial design was incompetent.

          This, a thousand times this!! Google updates their systems constantly, constantly deploying both new hardware and new software. Somehow we can google things without seeing a "down for maintenance, we've got 5000 storage boxes to upgrade" page. And I'm pretty damn sure that whatever infrastructure google runs their search engine on would make even a large SAP deployment something to laugh at.

  • That dude in the photo ain't no sap.
  • Some of these vendor-ware boxes are so hard to install, patch and maintain, that quite often they are left alone to run for years in production until the hardware dies.
    If it gets hacked... it's the hacker's fault.
    When the hardware dies,... it's the hardware vendor's fault.
    If it's left unmaintained, the company saves money
    If it is maintained, the admins won't be allowed to do anything when the company won't give them an update window, out of fear of breaking it. So the admin's sit on their hands and spin in

  • by Domini (103836) <lailoken@gmail.com> on Tuesday June 18, 2013 @07:36AM (#44037805) Journal

    I would say it is because SAP's programming environment is rife with business people and very few programmers. 95% of programmers I have worked with were B.A. students who heard that programming pays more, and SAP pays a lot more. I've been doing SAP ABAP for about 10 years on and off. I've worked in both services and product development and have worked in many different capacities, companies and countries.

    My background is strong C++, having also worked at high frequency traders and other tech companies writing compilers and schedulers and network messaging systems. Never have I encountered anyone in SAP that would care about security... with the exception of a few BASIS consultants. People are so focused on their small part and fear to rock the boat that is causing it to be the monolithic behemoth it has become. ABAP is an awful excuse for a language that pretends to be a cool 4GL, and the SAP system itself is layer upon layer of bugs, unused code and inefficiencies. One can see a hint of a bright SAP developer here and there, but the way it was finished off suggested they cut costs before everything was full completed (WebDynpro, OO ... I'm looking at you.).

    I worked as a contractor at a bank about 10 years ago. And highlighted the fact that their vendors being able to upload file all to a common directory as the same normal user and password was a huge security issue as well as a client confidentiality problem (as various clients/vendors could read each other's files)... but if I could wager a guess they did nothing about it at least for the time I was working there.

    Then there is SAP's resource site (Sap Developer Network), where they are still trying to figure out how to have host aliases and SSO even work reliably. Every time you connect you get a different load balanced host with new host name. The site is a mess and is still struggling to even resemble Web 1.0.

    But all this trouble and incompetence is what makes working in SAP a challenge and earns you the big bucks. Not to mention aggressive and plain rude clients sometimes. I prefer product development instead of contracting, that way I feel I can actually do something concrete to help people.

  • The reason that most companies buy an ERP system is to be in compliance with laws that govern their business. SOX (Sarbaines Oxley) is probably the best known. Publicly traded companies must abide by those rules and ERP systems give you a way of meeting those requirements. It's a big part of the sales pitch. The problem with ERP systems is the cost of maintenance. Typical rates run around 18% of the purchase price annually. Then there are the updates and security patches etc. It can eat up a lot of time. Ke

panic: kernel trap (ignored)

Working...