WAGENINGEN, Netherlands (PRWEB) March 26, 2016
The vulnerability has been demonstrated at the Troopers Security Conference, an annual security conference with a specific track dedicated to SAP security. Mr. Joris van de Vis, researcher at ERP-SEC, demonstrated full compromises of the SAP Solution Manager and connected systems via 3 of these default accounts.
As the vulnerability is a set of default credentials, it cannot be mitigated by applying patches. Instead, customers need to change the passwords of these users. SAP has released a Security Note to support SAP customers with this process.
As stated by Joris van de Vis, “The impact of these default users is very high. Especially since they exist in the heart of your SAP landscape, the SAP Solution Manager. If this system gets compromised your entire SAP landscape is likely to be fully compromised. The precise percentage of affected customers is unclear, but a quick check under some of our customers shows at least 50% of them have one or more of these default users with a default password in their systems. This only affects long-time SAP customers as new installations are not affected.”
Detecting whether these accounts exist with default passwords can be a difficult process. To make this easier, ERP-SEC has released a free tool to support customers running SAP.
About ERP Security B.V.
ERP Security B.V. consists of specialists and developers experienced in SAP security. The company’s solutions are based on years of security research that has helped reduce security risks for systems running SAP software. ERP Security's mission is to raise the security of business-critical SAP platforms with minimal impact on day-to-day business.
# # #
SAP, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. See http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices. All other product and service names mentioned are the trademarks of their respective companies.
For more information: Please contact Mr. Robin Vleeschhouwer: rvleeschhouwer(at)erp-sec(dot)com