Are you sure all SAP default passwords are still secure?
SAP Security alert: new default passwords in SAP Solution Manager detected
Organizations put a lot of focus on hardening the security of their SAP applications, but often forget important elements. The recent IT-security conference Troopers showed us once again that keeping all your security up-to-date is essential for any organization.
29 March 2016
Earlier this month the IT-security conference Troopers took place in Heidelberg, Germany. At this conference the world’s leading experts and ethical hackers presented their latest research. Among them were SAP security experts who recently identified vulnerabilities within the SAP product suite. They demonstrated these vulnerabilities, which show the need for all organizations that use SAP to implement a sound security baseline and patch management process to keep up-to-date with the latest vulnerabilities.
New default passwords in SAP Solution Manager
Organizations put a lot of focus on hardening the security of their SAP applications. But what about the large spider in your SAP landscape: SAP Solution Manager? Solution Manager is the central system in every recent SAP implementation. SAP mandates that Solution Manager is used in your landscape in order to perform maintenance and update/upgrade activities, or to get support from SAP. At the Troopers conference, new SAP research was presented related to a large number of default users with default passwords in older versions of SAP Solution Manager (7.0/7.0-EHP1 or upgrades to 7.1/7.2 from 7.0). The identified users are not among the well-known default users like SAP*, DDIC and TMSADM:
During installation of SAP Solution Manager, the default users are created when the configuration wizard is used. All the identified users have roles assigned that allow dangerous activities to be performed, such as executing operating system commands and executing function modules. Once access to Solution Manager is obtained, attackers are one step closer to your sensitive business data.
Implement the SAP Security Note and evaluate your patch management activities
Last week SAP released a high-priority security note, which recommends that organizations change the default passwords of the identified users (SAP note: 2293011 - Upgrade Information: Default Users within SAP Solution Manager). Solutions like this usually require only minimal effort to implement, but have a huge impact on the overall security level of your SAP systems. It is therefore important to monitor for newly released SAP security notes and implement all relevant notes in your system.
From our experience we know this is often a task that doesn’t have high priority, and that going through all these security notes can be a cumbersome task. Our SAP security specialists can help to establish a decent holistic vulnerability management program that focuses on identifying and managing vulnerabilities in the SAP landscape. Each month, a number of vulnerabilities are discovered and/or patched by SAP, and without a vulnerability management program, risks cannot be prioritized, mitigating efforts are sub-optimal and SAP systems remain vulnerable.
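One way a Basis or security team could check whether the accounts named in the note still carry their initial passwords, as an added example that is not part of the original article or of SAP's tooling: it reads a CSV export of user master data and flags watchlisted accounts whose password has not been changed since creation. The user names are placeholders (the article does not list them; take them from SAP Note 2293011), and the column names (modelled on USR02 fields), the lock-flag interpretation and the sample rows are assumptions constructed for this example.

```python
import csv
import io

# Placeholder names: the article does not list the affected users.
# Fill this set from SAP Note 2293011.
WATCHLIST = {"PLACEHOLDER_USER_A", "PLACEHOLDER_USER_B", "PLACEHOLDER_USER_C"}

# Constructed sample export. Column names are modelled on USR02 fields
# (assumption of this example; adapt them to your actual export).
SAMPLE_EXPORT = """\
BNAME,ERDAT,PWDCHGDATE,UFLAG
PLACEHOLDER_USER_A,20100312,20100312,0
PLACEHOLDER_USER_B,20100312,00000000,64
PLACEHOLDER_USER_C,20100312,20160325,0
JSMITH,20140101,20140101,0
"""


def password_never_rotated(row):
    """Heuristic: no change date recorded, or none later than creation.

    Dates are YYYYMMDD strings, so string comparison orders them correctly.
    """
    changed = row["PWDCHGDATE"].strip()
    return changed in ("", "00000000") or changed <= row["ERDAT"].strip()


def audit(export_text, watchlist=WATCHLIST):
    """Return sorted (user, severity) pairs for watchlisted accounts at risk.

    HIGH   = password never rotated and account usable for logon.
    MEDIUM = password never rotated but account locked (assumed: UFLAG != 0);
             an unlock would expose the initial password again.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["BNAME"].strip().upper()
        if user not in watchlist or not password_never_rotated(row):
            continue
        locked = int(row["UFLAG"] or 0) != 0
        findings.append((user, "MEDIUM" if locked else "HIGH"))
    return sorted(findings)


if __name__ == "__main__":
    for user, severity in audit(SAMPLE_EXPORT):
        print(f"{severity:6} {user}: password unchanged since creation")
```

Accounts outside the watchlist are ignored on purpose, so the output stays limited to the users covered by the note.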
Conferences like Troopers give the perfect example of why patch management is of high importance for SAP landscapes, as new SAP security research is published continuously. Furthermore it shows once again that you should not focus solely on production systems (e.g. ERP, CRM, SRM) but also take into account secondary systems like Solution Manager or GRC. We recommend that you ask your SAP Basis and/or Security team to investigate whether this recent SAP security note is relevant for your implementation of Solution Manager. If your implementation is in “the danger zone” it is important to design a remediation plan to implement the security note.
Should you have any questions about this security note, the Troopers conference or SAP Security in general, don’t hesitate to reach out to me at firstname.lastname@example.org.