SAP Implementation Security
Statistics on exposed SAP web applications can be gathered with well-known Google search queries or with Shodan, but that approach produces false positives. For that reason, we used our own scanning method.
The scan identified more than 33000 distinct SAP web servers (as of the end of 2016).
The research also shows that most of the legitimately exposed SAP application servers (those designed to be reachable from the Internet) are located in the USA (2235), India (1000), and Germany (856).
The most interesting and complex part of the research concerned services that should not be accessible from the Internet at all: they are designed only for internal use, or they require additional network filtering before being exposed directly.
Almost 25000 such Internet-exposed SAP services were found (namely SAP Gateway, SAP Message Server, SAP HostControl, SAP Visual Admin P4, SAPRouter, SAP MC, and SAP Afaria). The risk lies in the fact that vulnerabilities and misconfigurations in these services are well known and documented in public sources. This is even more worrisome given that SAP customers are consistently slow to install patches.
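The practical check behind this paragraph is triage: given a list of open ports observed on Internet-facing hosts, decide which ones belong to SAP services that should never be published. The script below is an added example, not code from the original article or from the research it describes. It classifies ports using SAP's default port-numbering scheme (NN is the two-digit instance number: Gateway 33NN, Message Server 36NN and 81NN, Dispatcher 32NN, P4 5NN04, SAP MC / sapstartsrv 5NN13 and 5NN14, HostControl 1128/1129, SAPRouter 3299, ICM HTTP 80NN, AS Java HTTP 5NN00). Those defaults are an assumption of this example; systems with non-default ports need their own mapping, and SAP Afaria is left out because it has no comparable fixed port convention. The host list is constructed sample data.

```python
"""Triage observed (host, port) pairs against SAP's default port scheme.

Added example; not code from the original article. Port patterns follow SAP's
documented default conventions (assumption); deployments that override the
defaults need their own mapping.
"""
import re
import socket
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Services the article lists as internal-only. Regex groups capture the SAP
# instance number NN where the port encodes one. Order matters: SAPRouter's
# conventional 3299 would otherwise match the dispatcher pattern 32NN (NN=99).
INTERNAL_ONLY = [
    ("SAPRouter", r"3299"),
    ("SAP Dispatcher (DIAG)", r"32(\d\d)"),
    ("SAP Gateway", r"33(\d\d)"),
    ("SAP Gateway (SNC)", r"48(\d\d)"),
    ("SAP Message Server", r"36(\d\d)"),
    ("SAP Message Server HTTP", r"81(\d\d)"),
    ("SAP HostControl", r"112[89]"),
    ("SAP Visual Admin P4", r"5(\d\d)04"),
    ("SAP MC / sapstartsrv SOAP", r"5(\d\d)1[34]"),
]
# Services that may legitimately be published, ideally behind a reverse proxy.
WEB_FACING = [
    ("ICM HTTP", r"80(\d\d)"),
    ("ICM HTTPS", r"443(\d\d)"),
    ("AS Java HTTP", r"5(\d\d)00"),
    ("AS Java HTTPS", r"5(\d\d)01"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    instance: Optional[str]  # SAP instance number NN, if the port encodes one
    exposure: str            # "internal-only" or "web-facing"


def classify_port(port: int) -> Optional[Tuple[str, Optional[str], str]]:
    """Return (service, instance, exposure) for a known SAP port, else None."""
    text = str(port)
    for exposure, table in (("internal-only", INTERNAL_ONLY), ("web-facing", WEB_FACING)):
        for service, pattern in table:
            m = re.fullmatch(pattern, text)
            if m:
                instance = m.group(1) if m.groups() else None
                return service, instance, exposure
    return None


def triage(observations: Iterable[Tuple[str, int]]) -> List[Finding]:
    """Keep only observations that are SAP services which should not be Internet-facing."""
    findings = []
    for host, port in observations:
        hit = classify_port(port)
        if hit is None:
            continue
        service, instance, exposure = hit
        if exposure == "internal-only":
            findings.append(Finding(host, port, service, instance, exposure))
    return findings


def probe_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect check. Only run against systems you are authorized to test."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample observations (documentation addresses, not real hosts).
SAMPLE_OBSERVATIONS = [
    ("203.0.113.10", 443),    # generic HTTPS, not SAP-specific: ignored
    ("203.0.113.10", 8000),   # ICM HTTP, instance 00: acceptable exposure
    ("203.0.113.10", 3300),   # Gateway, instance 00: should not be exposed
    ("203.0.113.10", 3600),   # Message Server, instance 00
    ("203.0.113.11", 50004),  # P4, instance 00
    ("203.0.113.11", 50013),  # SAP MC, instance 00
    ("203.0.113.12", 3299),   # SAPRouter
    ("203.0.113.12", 1128),   # HostControl
]

if __name__ == "__main__":
    for f in triage(SAMPLE_OBSERVATIONS):
        inst = f" (instance {f.instance})" if f.instance else ""
        print(f"{f.host}:{f.port}  {f.service}{inst}  -> should not be Internet-facing")
```

Feed `triage` the output of whatever scanner you already run (masscan, nmap, a Shodan export) and it reduces thousands of open ports to the short list that matters: the same host publishing 80NN and 33NN is an ICM that was allowed through the firewall together with the Gateway behind it, which is exactly the misconfiguration the research counts.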
Just one simple example: the notorious vulnerability in the SAP Invoker Servlet, a feature of the NetWeaver J2EE engine that lets servlets be called directly by class name, without being declared in the application's deployment descriptor. The vulnerability allows the authentication and authorization checks configured for the application to be bypassed for remote access to the service. Last year, US-CERT released an alert that 36 organizations had failed to correctly install the patch released in 2010 and might fall victim to attacks. Further research revealed that the number of such companies is larger and counts in the hundreds.
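Because the Invoker Servlet resolves servlets by class name, abuse of it leaves a recognizable trace in web-server logs: requests whose path carries a `/servlet/` segment followed by a fully-qualified Java class name. The snippet below is an added example, not code from the original article; it flags such requests in NCSA-style access log lines. The log format, the `/<context>/servlet/<java.class.Name>` path form and the class names in the sample are all assumptions, and the sample lines are constructed, not captured traffic.

```python
"""Flag access-log requests that call servlets directly by class name, the
Invoker Servlet access pattern on SAP NetWeaver AS Java.

Added example; not from the original article. Assumptions: NCSA/Apache-style
access log lines, and the invoker path form /<context>/servlet/<java.class.Name>.
"""
import re
from typing import List, Tuple

# Constructed sample log lines (hypothetical contexts and class names).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jun/2017:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.5 - - [12/Jun/2017:10:01:09 +0000] "GET /example/servlet/com.example.app.AdminServlet?cmd=list HTTP/1.1" 200 812
198.51.100.7 - - [12/Jun/2017:10:02:30 +0000] "POST /sap/bc/gui/sap/its/webgui HTTP/1.1" 302 0
203.0.113.5 - - [12/Jun/2017:10:02:41 +0000] "GET /webdynpro/servlet/static/app.js HTTP/1.1" 200 30
"""

# Client IP at line start, and the request line inside quotes.
LOG_LINE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')
# A /servlet/ segment followed by a dotted Java class name (at least one dot),
# terminated by '/', '?' or end of path. Plain paths like /servlet/static/app.js
# do not match because "static" has no package prefix.
INVOKER = re.compile(r'/servlet/([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+)(?=[/?]|$)')


def find_invoker_requests(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, java_class_name) for every invoker-style request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip
        cls = INVOKER.search(m.group("path"))
        if cls:
            hits.append((m.group("client"), cls.group(1)))
    return hits


if __name__ == "__main__":
    for client, cls in find_invoker_requests(SAMPLE_LOG):
        print(f"{client} invoked servlet by class name: {cls}")
```

Any hit is worth investigating, but the durable fix is to disable the mechanism itself rather than watch for it: SAP Security Note 1445998 describes turning the invoker servlet off, and a system where it is still enabled years after that note is one of the unpatched installations the US-CERT alert counted.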