If I Want a Perfect Cyberweapon, I'll Target ERP - Second Edition

Uploaded by erpscan, posted on 15-Aug-2015

Page 1: If I want a perfect cyberweapon, I'll target ERP - second edition

Invest in security to secure investments

If I Want a Perfect Cyberweapon I'll Target ERP: Second edition.

Alexander Polyakov. CTO ERPScan

Page 2: About ERPScan

• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)

Page 3: Intro

• Intro
• Big companies and critical systems
• ERP Risks
• How easy is that
• What can happen
• Examples
• What we can do
• Conclusions

Page 4: Big companies

[Diagram of a big company's system landscape: Portal, HR, Logistics, Warehouse, ERP, Billing, BI, CRM, SRM, Industry systems and Branches, together with external parties: Suppliers, Customers, Banks, Insurance, Partners]

Page 5: Big companies

• Oil and Gas
• Manufacturing
• Logistics
• Financials
• Nuclear Installations
• Retail
• Telecommunication
• etc.

Page 6: Are business applications popular?

SAP
• More than 246,000 customers worldwide
• 86% of Forbes 500

Oracle
• 100% of Fortune 100

Microsoft
• More than 300,000 businesses worldwide choose Microsoft Dynamics ERP and CRM software

Page 7: If I want a perfect cyberweapon, I'll target ERP - second edition

•  Business  applica<ons  can  make  your  life  easier  •  The  need  to  harness  them  to  op<mize  business-­‐processes  •  Scope   for   enormous   reduc<ons   in   resource   overheads   and  

other  direct  monetary  benefits.    •  Poten<al  problems  that  one  can’t  disregard  •  The  need  to  consider  security,  can  it  be  overstated!  •  And  it’s  a  REAL  and  Existent  Risk  

7  

Business  Applica=ons  

Page 8: What can happen

• Espionage
  – Stealing financial information
  – Stealing corporate secrets
  – Stealing supplier and customer lists
  – Stealing HR data
• Sabotage
  – Denial of service
  – Modification of financial reports
  – Access to technology network (SCADA) by trust relations
• Fraud
  – False transactions
  – Modification of master data

Page 9: Why

• I have spent 7 years analyzing security of Business Applications
• I started with simple things such as
  – web applications and CRM systems
  – Application servers such as Websphere, Weblogic, Apache Tomcat..
  – Then Databases: Oracle, MsSQL…
• After that I switched to huge enterprises
  – SAP ECC / SAP Portal
  – Oracle PeopleSoft HRMS
  – Microsoft Dynamics
• I exposed about 300 different vulnerabilities in those systems and I can say it was not too hard

Page 10: SAP

• Most of my work has focused on SAP Security
• Things that will be discussed can be applied to every system
• Just because I know SAP much better, most examples will be SAP relevant
• Then again, all ideas, attacks and risks can be applied to every system
• This talk is not a faultfinding exercise with SAP, as you may assume
• It is about the things you need and can't afford to ignore post implementation of any business application which processes critical data
• So, let's go!

Page 11: SAP ECC Risks (1)

• Risk: misappropriation of material resources
• Affecting: Oil and Gas, operations related to mining natural resources, Retail and others
• Type: Insider Fraud
• Module: MM (Material Management) – part of ECC
• Attacker can manipulate data about the quantity of material resources in stock or delivery and pilfer from warehouses, at times in collusion with the very employees entrusted with stock-taking responsibilities.

Page 12: SAP ECC Risks (2)

• Risk: Blocking of materials for posting
• Affecting: Retail, Other
• Type: Sabotage
• Module: MM (Material Management) – part of ECC
• It is possible to block material posting by starting a physical inventory process. Thus it will not be possible to do any operations with goods. The only way to get back to normal operations is to use the transaction responsible for Freezing Book Inventory.

Page 13: SAP ECC Risks (3)

• Risk: Changing the goods' price
• Affecting: Retail, Other
• Type: Insider Fraud/Sabotage
• Module: MM (Material Management) – part of ECC
• Attacker can manipulate the actual price data of goods (by using transaction MR21). Then there are two ways:
  – If you are an insider, you can decrease the price and then buy goods with a high discount by creating a fake vendor in the system.
  – If you are a competitor, you can increase prices for this company's goods, so that the number of their existing clients declines. That's not all: now you can easily lure the affected clients by offering more competitive pricing.

Page 14: SAP ECC Risks (4)

• Risk: Changing limits for operations
• Affecting: All
• Type: Insider Fraud/Sabotage
• Module: MM (Material Management) – part of ECC
• Attacker can change tolerance limits for price and quantity. By modifying those limits it will be possible to:
  – By disabling tolerance limits, make unlimited operations in purchasing and selling (Insider Fraud)
  – By increasing tolerance limits, make a denial of service attack, because for all purchase orders there should be an approval (Sabotage)

Page 15: SAP ECC Risks (5)

• Risk: Stealing the Money!
• Affecting: All
• Type: Insider Fraud
• Module: SD (Sales and Distribution) – part of ECC
• Attacker can create a fake vendor in the system by using transaction VD01 and after that generate a sales order for this vendor by using transaction VA01. It will enable him to quietly siphon off money from the company.

Page 16: SAP ECC Risks (6)

• Risk: Changing credit limits
• Affecting: All
• Type: Sabotage
• Module: SD (Sales and Distribution) – part of ECC
• Attacker can modify limits for operations with credit by using transactions Customer Credit Management Change (FD32) or Credit Limit Data Mass Change (F.34). By modifying those limits, the company will procure goods without any limits and, if there are no other checks or signs which can tell that credit limits are exceeded, the company even risks bankruptcy.

Page 17: SAP ECC Risks (7)

• Risk: Modification of price by changing conditions
• Affecting: All
• Type: Insider Fraud/Sabotage
• Module: SD (Sales and Distribution) – part of ECC
• In SAP, pricing is automatically generated based on predefined conditions. Conditions are factors used by the system to calculate a price. They can include factors such as customer group, order quantity, date, discount and so on. These factors are stored as condition records in master data and controlled by transactions VK11, VK12, VK14. Taking into account that the price is usually calculated automatically and sales reps often don't remember all conditions, any modification such as increasing or decreasing the price can often go undetected.

Page 18: SAP ECC Risks (8)

• Risk: Stealing credit card data
• Affecting: Companies that store and process PCI data: Banks, Processing, Merchants, Payment Gateways, Retail
• Type: Espionage
• Module: SD (Sales and Distribution) – part of ECC
• Attacker can get access to tables that store credit card data. There are multiple tables in SAP where this data is stored: tables such as VCKUN, VCNUM, CCARDEC and also about 50 other tables. Stealing of credit card data is a direct monetary and reputation loss.

Page 19: SAP ECC Risks (9)

• Risk: Modification of financial reports
• Affecting: Any
• Type: Sabotage
• Module: SD (Sales and Distribution) or FI – part of ECC
• Attacker can make an unauthorized modification of financial reports, thereby diverting management's focus from core business issues to problems with auditors, or leading them to choose a false direction based on fake financial reports.

Page 20: Some more examples of Fraud

• Invoice company for a greater number of hours than worked
• Ghost employees of the vendor
• Vendor employees billed at amounts higher than contract rate
• Vendor employees billed at higher job classification than actual work performed (skilled vs. non-skilled labor rates)
• Invoice company for incorrect equipment or materials charges
• Vendor charges for equipment not needed or used for the job performed

Page 21: Some more examples of Fraud

• Vendor charges for materials not used, or materials are for the personal benefit of a company employee
• Vendor charges for equipment or material at higher prices than allowed by the contract
• Invoice company incorrectly for other services
• Vendor charges for services performed where work is not subject to audit clause
• Vendor charges include material purchases from, or work performed by, related companies at inflated prices

http://www.padgett-cpa.com/insights/articles/fraud-risks-oil-and-gas-industry

Page 22: Fraud

• The Association of Certified Fraud Examiners (ACFE) survey showed that U.S. organizations lose an estimated 7% of annual revenues to fraud.
• Average annual loss per organization for fraud was $500k + collateral damage
• PWC Survey: 3000 organizations in 54 countries
  – 30% were victims of economic crime in previous 12 months
• Real examples that we came across:
  – Salary modification
  – Material management fraud
  – Mistaken transactions

Page 23: SAP ECC Vulnerabilities

• 2368 vulnerabilities were found in SAP NetWeaver ABAP based systems
• 1050 vulnerabilities were found in basic components which are the same for every system
• About 350 vulnerabilities were found in ECC modules
• Finally we have around 1400 vulnerabilities affecting SAP ECC
• This is critical considering that sometimes one vulnerability is enough to get access to all data

Page 24: Public examples

Page 25: US Department of Energy Breach

• Sabotage: real example of stealing 14000 records
• Target: HR system
• Unauthorized disclosure of federal employee Personally Identifiable Information

Page 26: Istanbul Provincial Administration

• Unauthorized disclosure of federal employees' Personal Identity Information
• Erase people's debts

Page 27: Potential Anonymous attack

Now, it adds, "We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they..." Anonymous claims to have a "sweet 0day SAP exploit", and the group intends to "sploit the hell out of it."

* This attack has not been confirmed by the customer nor by the police authorities in Greece investigating the case. SAP does not have any indication that it happened.

Page 28: Fraud in Oil and Gas

FRAUD and other infractions in Nigeria's critical oil and gas industry are enough to derail any stable economy, going by the report of the Petroleum Revenue Special Task Force by a former chairman of the Economic and Financial Crimes Commission (EFCC), Mallam Nuhu Ribadu.

Page 29: SAP Security - What can happen?

Page 30: What can be next?

• Now imagine multiple attacks of the same type
• Combine traditional Fraud with Computer worm/malware
• Just imagine what could be done by breaking:
  – All Business applications of a company
  – All ERP systems of a particular industry
  – All ERP Systems in a particular country

Page 31: SAP Security - How easy is that?

Page 32: Ease of development

• Price of vulnerability is low
• Patching is a nightmare
• Creation of exploit is easy
• Interconnection is high
• Availability via Internet

Page 33: Price of vulnerability

• Prices for typical vulnerabilities in Flash and browsers are getting higher
• Security of applications and OS is growing
• It is much easier to find an architecture vulnerability in ERP
• And this vulnerability will work for years
• 3000 vulnerabilities closed only by SAP

http://erpscan.com/publications/analysis-of-3000-vulnerabilities-in-sap/

Page 34: SAP Security notes by year

[Bar chart: number of SAP Security notes per year, 2001 to 2014, more than 3000 in total; yearly counts on the chart range from single digits in the early 2000s to a peak of 833 in one year]

Number of vulnerabilities closed by SAP is about 5% of all existing vulnerabilities in the world

Page 35: Patching is a nightmare

• You need to halt business processes or production
• Sometimes you need to update multiple parts
• Examples of huge architectural issues from:
  – Microsoft Dynamics
  – Oracle JDE
  – SAP SDM

Page 36: Microsoft Dynamics authentication

Dynamics security – only visual restrictions of the fat client
1. User enters application login and password
2. Client application takes the password and makes a "secret" modification to it
3. Client application connects to the database with this password
4. Client application just checks the type of user in a database table and, based on this information, decides what kind of functionality should be enabled in the client application
5. But by connecting directly to the database we can do whatever we want

NO PATCH! Only a new architecture can help (but there isn't any)

Page 37: Oracle JD Edwards authentication

• JD Edwards security - only visual restrictions of the fat client
• In fact, all users have the rights to the company's data because the client is connected using the special account JDE
• Then, depending on user and password, the security is checked on the fat client
• User can connect directly to the database using the JDE account and modify his rights at the 'table level'
• Every user can become Administrator
• NO PATCH! The only solution is to move to a 3-tier architecture

Page 38: SAP SDM authentication

• Authentication is done by providing a hash of the password
• It means that it is possible to do 'PassTheHash'
• First of all, the hash can simply be sniffed, so it is like authenticating using a clear password
• Secondly, hashes are stored in an OS file, so they can be accessed by using other vulnerabilities
• After getting a hash it is possible to upload any backdoor into SAP
• To patch it you need to modify client and server at one time
• Install SAP Note 1724516

Page 39: SAP NetWeaver ABAP - versions

[Pie chart: NetWeaver ABAP versions by popularity. Legend: 7.0 EHP 0 (Nov 2005), 7.0 EHP 2 (Apr 2010), 7.0 EHP 1 (Oct 2008), 7.3 (Jun 2011), 6.2 (Dec 2003), 6.4 (Mar 2004); shares shown are 35%, 23%, 19%, 11%, 6% and 5%]

The most popular release (35%, previously 45%) is still NetWeaver 7.0, and it was released in 2005!

Page 40: Special payload is not needed

• Remember 'Verb Tampering' vulnerability for User creation
• Just one request and you are inside the system
• Second request and you are the 'admin'
• Then you can do whatever you please with simple HTTP requests
• If it is only a technical system, you can jump to a connected system

Page 41: Systems are highly connected

• Systems are highly connected with each other by trust relationships
• Even between companies they are connected by ESB systems
• Remember SSRF?
• http://cwe.mitre.org/data/definitions/918.html
• Second place in Top 10 web application techniques 2012
• Allows to bypass firewall restrictions and directly connect to protected systems via connected systems

Page 42: Business applications on the Internet

• Companies have Portals, SRMs, CRMs remotely accessible
• Companies connect different offices by ESB
• SAP users are connected to SAP via SAPRouter
• Administrators open management interfaces to the Internet for remote control

Page 43: Business applications on the Internet

SAP HTTP Services can be easily found on the Internet:
• inurl:/irj/portal
• inurl:/IciEventService sap
• inurl:/IciEventService/IciEventConf
• inurl:/wsnavigator/jsps/test.jsp
• inurl:/irj/go/km/docs/

Page 44: Shodan scan

A total of 3741 servers with different SAP web applications were found

[Charts: "Growth by application server" (bars labelled 94%, 72%, 30%, -20% and -55% on a -80% to 120% scale) and a share breakdown (40%, 34%, 20%, 6%) with legend SAP NetWeaver J2EE, SAP NetWeaver ABAP, SAP Web Application Server]

Page 45: SAP Router

• Special application proxy
• Transfers requests from the Internet to SAP (and not only)
• Can work through VPN or SNC
• Almost every company uses it for connecting to SAP to download updates
• Usually listens on port 3299
• Internet accessible (approximately 5000 IPs)
• http://www.easymarketplace.de/saprouter.php

Page 46: SAP Router: known issues

• Absence of ACL – 15%
  – Possible to proxy any request to any internal address
• Information disclosure about internal systems – 19%
  – Denial of service by specifying many connections to any of the listed SAP servers
  – Proxy requests to internal network if there is absence of ACL
• Insecure configuration, authentication bypass – 5%
• Remote code execution – 85%
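To make the "absence of ACL" finding concrete, here is an added example (not ERPScan's or SAP's code) that parses a constructed saprouttab and flags catch-all permits; it assumes the rule layout action, source host, destination host, destination service, with `*` as a wildcard and `#` starting a comment, and the S/K-prefixed action names are likewise assumed.

```python
"""Audit a saprouttab for the catch-all permits behind the 'absence of ACL'
issue on the SAP Router slide.  Added example, not ERPScan's or SAP's code.
Assumed line layout: action source dest service [password]."""

PERMIT_ACTIONS = {"P", "S", "KP", "KS"}   # S/KS: SAP-protocol-only and SNC permits (assumed)
DENY_ACTIONS = {"D", "KD"}

# Constructed tables.  The weak one is the catch-all that lets the router
# forward any request to any internal address; the hardened one narrows
# source, destination and port and ends with an explicit deny.
WEAK_SAPROUTTAB = """\
# anyone may reach any host on any port through the router
P * * *
"""
HARDENED_SAPROUTTAB = """\
# support partner (placeholder address) to one application server, dispatcher port
P 203.0.113.10 sapapp01.corp.example 3200
# admin subnet to the same server, dispatcher port only
P 10.20.30.* sapapp01.corp.example 3200
# everything else is refused
D * * *
"""


def parse_saprouttab(text):
    """Return a list of rule dicts; a line with fewer than 4 fields is an error."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: expected 'action src dst serv'")
        rules.append({"line": lineno, "action": parts[0],
                      "src": parts[1], "dst": parts[2], "serv": parts[3]})
    return rules


def find_open_permits(rules):
    """Permits with a bare '*' in any field.  A '*' destination or service means
    the router relays to any internal host or any port for that source."""
    findings = []
    for r in rules:
        if r["action"] not in PERMIT_ACTIONS:
            continue
        wild = [f for f in ("src", "dst", "serv") if r[f] == "*"]
        if wild:
            text = " ".join(r[k] for k in ("action", "src", "dst", "serv"))
            findings.append((r["line"], text, wild))
    return findings


def has_final_deny(rules):
    """True when the last rule is an explicit catch-all deny."""
    if not rules:
        return False
    last = rules[-1]
    return last["action"] in DENY_ACTIONS and last["dst"] == "*" and last["serv"] == "*"


def audit(text):
    rules = parse_saprouttab(text)
    return {"rules": len(rules),
            "open_permits": find_open_permits(rules),
            "final_deny": has_final_deny(rules)}


if __name__ == "__main__":
    for name, tab in (("weak", WEAK_SAPROUTTAB), ("hardened", HARDENED_SAPROUTTAB)):
        print(name, audit(tab))
```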

Page 47: Port scan results

• Are you sure that only the necessary SAP services are exposed to the Internet?
• We were not
• In 2011, we ran a global project to scan all of the Internet for SAP services
• It is not completely finished yet, but we have the results for the top 1000 companies
• We were absolutely shocked by what we saw!

Page 48: Port scan results

[Bar chart: "Exposed services 2011" vs "Exposed services 2013" for SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server and SAP Router, on a 0 to 35 scale]

Listed services should not be accessible from the Internet

Page 49: Examples

Page 50: SAP Worm

Page 51: SAP Security Forensics

• There is not so much information about breaches in the public domain
• Companies are not interested in publication of compromises
• But the main problem is here:
  – How can you be sure that there was no compromise?
  – Only 10% of systems have Security Audit Log enabled*
  – Only few of them analyze those logs
  – And much fewer do central storage and correlation

* Based on the assessment of over 250 servers of companies that allowed us to share results.
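The SD risk slide names the "fake vendor (VD01), then sales order (VA01)" path, and this slide notes how few systems keep and correlate the Security Audit Log. As an added example (not ERPScan's code), this Python script runs that correlation over constructed log lines in an assumed, simplified "date time user tcode terminal" layout; the transaction codes are the ones named on the risk slides.

```python
"""Correlate constructed SAP-style audit-log lines to flag the transaction
codes and the 'fake vendor, then sales order' path named on the ECC risk
slides.  Added example, not ERPScan's code; the log layout is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Transaction codes named on the risk slides and the risk each one carries.
SENSITIVE_TCODES = {
    "MR21": "material price change (MM)",
    "FD32": "customer credit limit change (SD)",
    "F.34": "credit limit mass change (SD)",
    "VK11": "pricing condition record (SD)",
    "VK12": "pricing condition record (SD)",
    "VK14": "pricing condition record (SD)",
}
# Run by one user inside a short window, this pair matches the fraud path
# on the SD risk slide: create a vendor (VD01), then a sales order (VA01).
SOD_PAIR = ("VD01", "VA01")

# Constructed sample in the assumed "date time user tcode terminal" layout.
# The real Security Audit Log record format (viewed with SM20) is different.
SAMPLE_LOG = """\
2015-08-10 09:02:11 JSMITH VA03 WS1042
2015-08-10 09:15:40 JSMITH VD01 WS1042
2015-08-10 14:22:05 KLEE   MR21 WS2001
2015-08-10 16:48:19 JSMITH VA01 WS1042
2015-08-11 08:05:00 ADOE   VD01 WS3310
2015-08-13 10:30:00 ADOE   VA01 WS3310
"""


def parse_log(text):
    """Turn the constructed log into a list of event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, tcode, terminal = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append({"ts": ts, "user": user, "tcode": tcode, "terminal": terminal})
    return sorted(events, key=lambda e: e["ts"])


def find_sensitive(events):
    """Every use of a transaction the slides single out, for manual review."""
    return [(e["user"], e["tcode"], SENSITIVE_TCODES[e["tcode"]])
            for e in events if e["tcode"] in SENSITIVE_TCODES]


def find_sod_conflicts(events, pair=SOD_PAIR, window_hours=24):
    """Users who ran pair[1] within window_hours after running pair[0].
    Returns one (user, timestamp of the second transaction) per hit."""
    first, second = pair
    window = timedelta(hours=window_hours)
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        firsts = [e["ts"] for e in evs if e["tcode"] == first]
        for e in evs:
            if e["tcode"] == second and any(
                    timedelta(0) <= e["ts"] - t <= window for t in firsts):
                hits.append((user, e["ts"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in find_sensitive(evs):
        print("review:", *hit)
    for user, ts in find_sod_conflicts(evs):
        print("SoD conflict:", user, "created a vendor then a sales order by", ts)
```

Widening the window turns the slower ADOE sequence into a hit as well, which is the tuning trade-off a central correlation has to make.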

Page 52: If I want a perfect cyberweapon, I'll target ERP - second edition

•  EAS-­‐SEC:  Recourse  which  combines    –  Guidelines  for  assessing  enterprise  applica<on  security  –  Guidelines  for  assessing  custom  code  –  Surveys  about  enterprise  applica<on  security  

52  

Defense  

Page 53: EAS-SEC Guidelines

1. Lack of patch management
2. Default passwords
3. Unnecessary enabled functionality
4. Remotely enabled administrative services
5. Insecure configuration
6. Unencrypted communications
7. Internal access control and SoD
8. Insecure trust relations
9. Monitoring of security events

http://erpscan.com/publications/the-sap-netweaver-abap-platform-vulnerability-assessment-guide/

Page 54: Conclusion

• Guides
• Security assessments
• Code review
• Continuous monitoring of all areas
• Segregation of duties

Page 55: Conclusion

• Issues are everywhere; it is not only an ERP problem
• It is also not just a SAP problem; other applications are the same
• The problem is that the price of a 'lapse' in Business Applications is much bigger than in traditional IT security

Page 56: SAP Security

Questions?