Attackers Can Use SAP to Bridge Corporate, Operational ICS Networks

Research presented during Black Hat Europe demonstrates how attackers can abuse business applications connected to ICS and SCADA gear.

Much in the same way the Target hackers used an HVAC management system to catapult onto the corporate network, attackers focused on oil and gas and other critical industries may be finding similar openings via enterprise applications such as SAP.

Researchers from ERPScan, during last week’s Black Hat Europe event, laid out a frightening array of vulnerabilities in SAP business software that could be exploited to tamper with operational processes and lead to disruptions in production, sabotage, fraud, safety violations and much more.

The vulnerabilities, as well as configuration errors unveiled by ERPScan, were found in SAP’s xMII (Manufacturing, Integration and Intelligence) system, SAP Plant Connectivity, SAP HANA Database, SAP Oil and Gas extension for ERP, and other apps, and likely touch most companies in the industry.

“All of those solutions should be connected to particular [industrial control system] as it’s their nature. Almost in every company, it’s possible to find this connection,” said Alexander Polyakov, ERPScan chief technology officer. “It’s usual especially in progressive companies that want to automate processes because management wants to understand how particular things are going in ICS.”

ERPScan said that 85 percent of the Fortune 2000 oil and gas manufacturers globally run some SAP applications, most of which are custom built to manage processes specific to this industry. SAP xMII, for example, collects process data, feeding it to OPC servers that talk to programmable logic controllers and other critical industrial control devices. ERPScan said most of the vulnerabilities it discovered allowed for remote penetration of these systems, the riskiest being a SQL injection found in the J2EE engine of xMII, Polyakov said.

“But vulnerabilities are not the only issue,” he said. “Misconfigurations—things like connections with saved users and passwords, those types of misconfigurations are very important. The fact that systems can be connected with each other insecurely is more critical than the vulnerabilities in those systems.”

Polyakov said SAP has already patched vulnerabilities in xMII, SAP Plant Connectivity and SAP HANA. Another in the Matrikon OPC, a communications bridge between PLCs and SCADA gear, has been privately disclosed but has yet to be patched.

Polyakov said the xMII SQL injection is the riskiest because it’s the only way to pivot to the operational network.

“The attacker needs to extract data about connections to other systems and then use this data to connect to a target system (such as SAP Plant Connectivity),” Polyakov said. “Sometimes an attacker will need to get access to the OS-level of the first victim system (SAP xMII) to be able to connect to the target system (SAP Plant Connectivity) because usually the target system is [behind] the firewall and located in [the operational] network. The only way to hack this system is to hack xMII first, get access to the OS, upload some backdoor and then connect to SAP Plant Connectivity.”

Depending on the configuration, it’s possible to attack these systems remotely, he said, by compromising SAP Portal or SAP Router, both of which are Internet facing, and connecting from there to xMII.

Earlier this month, SAP patched a number of high-risk vulnerabilities in the SAP HANA Database. Researchers at Onapsis reported 21 security issues, most of which were patched, or required re-configuration, which was provided by SAP.

Six of the critical advisories were related to the TrexNet administrative interface present in every HANA installation that allows for the execution of business critical functions, especially in high availability environments, Onapsis said.

The interfaces’ default configuration leaves them exposed to remote attack and requires a new configuration. An attacker successfully exploiting these flaws could have a direct path to an organization’s business data, which could be manipulated, deleted or stolen.
