As presented at Troopers, a yearly security conference in Heidelberg Germany, ERP-SEC research has uncovered a set of potential default accounts with default passwords related to the use of SAP Solution Manager. These default accounts might pose a big risk to your SAP platform, it is therefore important to check if they exist in your landscape with a default password and change the default passwords.
To check for the existence of the default accounts, please download the SAP transport and import it in a SAP Solution Manager system, for example the Development Solution Manager system. The tooling can perform the check in the local system, but also in remote systems via RFC for the existence of the specific default accounts. The contents of the transport can be checked in your SAP system as the source code is open.
To start the tooling please run SAP transaction ZESEC_SOLMAN_USERS. Make sure to first activate the webservice /sap/bc/webdynpro/sap/ZESEC_CHECK_SOLMAN_USR_PW in transaction SICF.
Apart from the above users and the standard SAP default users like in report RSUSR003, no other users are checked.
We would love to hear feedback on the tooling. Furthermore to get better insight in the number of affected customer we would appreciate your message to jvdvis AT erp-sec.com and hear whether default accounts were found or not.
P.S. This free tool is not a demo or a part of Protect4S, our SAP Security add-on. For more details on Protect4S please visit https://protect4s.com.