A dedicated group of volunteers scanning the internet


It was almost a year ago that I got in touch with the Dutch Institute for Vulnerability Disclosure (DIVD). This great and smart group of volunteers works tirelessly to scan the internet for vulnerabilities and to make sure they are reported, in a timely and understandable manner, to the organisations that can remediate them, which keeps, among many others, your SAP systems secure. In addition, the DIVD Academy trains young hackers to handle this information responsibly. All of this to make the internet a safer place, or as the mission states:

When I joined as a volunteer last year, the DIVD was already working on many cases, for example the Kaseya case that had received global attention, and many others. See below for some statistics on cases and vulnerable IP addresses already notified:

When I joined DIVD, I noticed that there was already a ton of experience available on many topics, but no specific SAP knowledge. As many organisations rely on mission-critical SAP systems, it is crucial that these systems are properly hardened, especially when they are connected to the internet (and many are!). Thousands of SAP systems and related components such as SAProuters are reachable from the internet. The example below shows only the SAProuters found online, and that number alone already exceeds 7,500.

Figure 1: Shodan example of SAProuters found online (own scanning reveals thousands of other SAP components connected to the internet)
Currently, two SAP-specific cases have been started:
- For the first case, 300+ notifications were sent to owners of vulnerable SAProuters. A vulnerable SAProuter exposed to the internet can give an attacker a path from the internet into the internal network behind it. See the report on this case for more details.
- The second case handles an HTTP request smuggling vulnerability (CVE-2022-22536) in the SAP Internet Communication Manager (ICM), the component that handles HTTP(S) traffic for SAP NetWeaver systems. SAP patched it only recently with an SAP Security Note; the vulnerability carries a CVSS score of 10.0/10.0. A scan of 20,000+ IP addresses revealed close to 9,000 vulnerable SAP systems, and almost 7,000 notifications were sent out to individual organisations to make them aware of the issue.

The above numbers underline a few things in my view:
- There is a big need for initiatives such as the DIVD!
Because of the work of the DIVD, organisations become aware of the risk in their systems and are notified of vulnerabilities they can then remediate, making the internet a safer place!
- There are many critical SAP systems or related components connected to the internet.
This is not a new finding, but it again confirms that tens of thousands of SAP systems and related components can be found online. Given that many governmental organisations, critical infrastructure and a large portion of the global economy rely on these systems, we had better make sure they are properly secured to prevent large economic or societal damage.
- A large portion of these systems and components have one or more vulnerabilities at the time of writing.
This is of course a time-dependent observation, but based on the numbers of case 2022-00010 alone (close to 9,000 vulnerable systems out of 20,000+ scanned), over 40% of these components are vulnerable at the time of writing.
- The importance of a proper Vulnerability Management process and timely patching cannot be overstated.
Remediating vulnerabilities in most cases comes down to patching early and often and making sure your configuration is secure. Having insight into these settings and the patch status of every system is crucial, and that requires a mature organisation and a working Vulnerability Management process. This sounds logical, yet we see many organisations struggle with it because of priorities, budgets and missing people and skills. Still, it is the only way to get in control and stay in control.
For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!
To support the mission of the DIVD, please see their website for options.