BIZEC TEC11
From Bizec.org - The Business Security Community
BIZEC TEC/11
The BIZEC TEC/11 lists the most common and most critical security defects and threats affecting the Business Runtime layer of SAP platforms. This list has been created based on the testing experience of the security companies involved in BIZEC.
The list is sorted, listing issues in descending order from highly critical to critical. Each element has a criticality (Very High(V) or High (H)) and indicates whether it is a Rare (R) or Common (C) problem. This way, companies can prioritize security measures.
| TEC-01 | Missing SAP Security Notes | V | C |
|---|---|---|---|
| The SAP platform is running based on technological components whose versions are affected by reported security vulnerabilities and the respective SAP Security Notes have not been applied. | |||
| Violates | PG-6, PG-7 | ||
| TEC-02 | Standard Users with Default Passwords | V | C |
| Users created automatically during the SAP system installation, or other administrative procedures, are configured with default, publicly known passwords. | |||
| Violates | PG-6, PG-7 | ||
| TEC-03 | Dangerous SAP Web Applications | V | C |
| The SAP Application Server is providing Web applications with reported security vulnerabilities or sensitive functionality (XSS, SQL Injection, Invoker Servlet detour, Verb Tampering, XXE Tunneling, etc.) | |||
| Violates | PG-6, PG-7 | ||
| TEC-04 | Unsecured SAP Gateway | V | C |
| The SAP Application Server’s Gateway is not restricting the starting, registration and/or cancellation of external RFC servers. | |||
| Violates | PG-6, PG-7 | ||
| TEC-05 | Unsecured SAP/Oracle authentication | V | C |
| The SAP ABAP Application Server authenticates to the Oracle database through the external OS authentication scheme, and the Oracle’s listener has not been secured. | |||
| Violates | PG-6, PG-7 | ||
| TEC-06 | Insecure SAP RFC interfaces | V | C |
| The SAP environment is using insecure RFC connections from systems of lower security-classification level to systems with higher security- classification levels (i.e. from Development to Production). | |||
| Violates | PG-6, PG-7 | ||
| TEC-07 | Unsecured SAP Message Server | V | C |
| The SAP System’s Message Server is not restricting the registration of SAP Application Servers, therefore allowing access to unauthorized systems. | |||
| Violates | PG-6, PG-7 | ||
| TEC-08 | Insecure SAP Administration and Monitoring Services | V | C |
| The SAP platform is not protected against unauthorized access to sensitive administration or monitoring services, such as the SAP Management Console, the P4 interface, SDM, Solution Manager, Transport Management System, etc. | |||
| Violates | PG-6, PG-7 | ||
| TEC-09 | Insecure SAP Network Filtering | H | C |
| The SAP platform network is not properly isolated from untrusted networks, both external and internal, and intrusion detection/prevention systems have not been implemented. | |||
| Violates | PG-6, PG-7 | ||
| TEC-10 | Insecure SAProuter Implementation | H | C |
| The SAProuter Route Permission Table is not properly configured to allow connections only from/to authorized systems, restricting the use of native protocols and/or logging features are not properly configured. | |||
| Violates | PG-6, PG-7 | ||
| TEC-11 | Unencrypted SAP Communications | H | C |
| The confidentiality and integrity of communications in the SAP landscape is not enforced. These communications comprise SAP-to-SAP connections as well as interactions between SAP servers and external systems, such as user workstations and third-party systems. | |||
| Violates | PG-6, PG-7 | ||
Retrieved from "www.bizec.org/index.php?title=BIZEC_TEC11&oldid=282"
