Companies using SAP systems for their business software infrastructure might want to review some of their servers' settings for a configuration that if left in its default state will let an attacker gain access to a company's business data.
This config that most companies seem to be forgetting to change resides in SAP NetWeaver, a technology that SAP uses as the base for building other software products, including the highly popular SAP ERP, S/4 HANA, and others.
The config relates to how different parts of the SAP infrastructure talk to each other, specifically the Application Servers (the business apps), the SAP Message Server, and the SAP Central Instance (where the company's data is stored).
The role of the SAP Message Server is to act as an intermediary and load-balance a company's SAP infrastructure during peak hours. When a company creates a new app, its sysadmin must also register the new app (Application Server) with the SAP Message Server. The registration process takes place via port 3900.
One of the security features of SAP Message Servers is that they also support an access control list (ACL) that decides who can access the registration port.
But this is where the entire problem is. SAP intentionally ships this ACL disabled by default. The reason is that each company is different, and shipping it enabled might make it extremely difficult to set up a client's initial business apps.
The issue has been well known since 2005, when SAP issued a security alert warning companies not to leave that particular setting in its default state and to set up an ACL as soon as possible, limiting access to port 3900 to addresses they trust.
SAP issued two more alerts, one in 2009, and a third in 2010, warning of the same thing, and providing further instructions. Some researchers even presented at security conferences [1, 2] about issues that arose from not enabling the ACL.
But despite all of this, Onapsis, a business-focused cybersecurity company, says that 90% of the companies where it performed SAP audits had the ACL left in its default state: disabled.
The company's experts warn that any malicious actor or any rogue employee can develop a malicious app, register it inside the company's SAP infrastructure, and then pilfer or alter internal data.
The general advice is that companies go over the above-linked SAP security notices and their own SAP infrastructure, and review their deployment's settings to make sure they limit access to the SAP Message Server's registration port via an access control list.
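As an added illustration of that review (example code, not from the article, SAP or Onapsis), the following audit script checks an instance profile for the Message Server ACL. It assumes the real SAP profile parameters ms/acl_info (which names the ACL file) and rdisp/msserv_internal (the registration port, 3900 by default), neither of which the article names, plus a simplified ACL line format of HOST=<host-or-pattern>; all sample profiles and ACL files are constructed.

```python
"""Audit an SAP instance profile for the Message Server registration ACL.

Added example, not from the article or SAP. Assumes the profile parameter
ms/acl_info names the ACL file for the internal message server port
(rdisp/msserv_internal, 3900 by default) and that ACL entries look like
HOST=<host-or-pattern>. All sample inputs below are constructed.
"""
import re

# Constructed instance profiles: "parameter = value", one per line.
PROFILE_WITH_ACL = """\
SAPSYSTEMNAME = PRD
rdisp/msserv_internal = 3900
ms/acl_info = /usr/sap/PRD/SYS/global/ms_acl_info
"""
PROFILE_DEFAULT = """\
SAPSYSTEMNAME = PRD
rdisp/msserv_internal = 3900
"""

# Constructed ACL files: one that restricts, one that lets everyone register.
ACL_RESTRICTED = "HOST=sapapp01\nHOST=10.10.5.*\n"
ACL_WILDCARD = "# quick fix during go-live\nHOST=*\n"

def parse_profile(text):
    """Parse 'key = value' lines, ignoring comments, into a dict."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def acl_hosts(text):
    """Return the HOST= patterns listed in an ACL file (comments skipped)."""
    hosts = []
    for line in text.splitlines():
        match = re.match(r"HOST\s*=\s*(\S+)", line.strip(), re.IGNORECASE)
        if match:
            hosts.append(match.group(1))
    return hosts

def audit(profile_text, acl_text=None):
    """Return a list of findings; an empty list means the ACL looks restrictive."""
    params = parse_profile(profile_text)
    port = params.get("rdisp/msserv_internal", "3900")
    if "ms/acl_info" not in params:   # default state: no ACL at all
        return [f"ms/acl_info not set: port {port} accepts registrations from any host"]
    hosts = acl_hosts(acl_text or "")
    if not hosts:
        return ["ACL file has no HOST entries"]
    if "*" in hosts:                  # ACL present but effectively disabled
        return ["ACL contains HOST=* which allows every host"]
    return []
```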