Recent news reports have brought vulnerabilities in SAProuter, as well as how nefarious individuals could leverage these vulnerabilities, into the spotlight. The news focused on malware designed to learn about SAP systems networked to PCs that were infected by said malware. The long and the short of it is that cyber criminals are becoming interested in SAP systems.
What is SAProuter? As the name suggests, this application is produced by SAP. It facilitates, filters, and logs communications and network connections between SAP systems, and between SAP systems and other resources or networks. It is not a gateway or firewall technology: a client's communications are filtered only if the client has been configured to send them to the router as opposed to sending them directly to the endpoint.
As a result, this technology should only be used along with a firewall. If not, a user who has been denied access via the configuration of the SAProuter could simply circumvent that restriction by manually reconfiguring their SAP client so that it connects to the SAP system and interacts with it directly.
This allows the user to bypass the ACLs and other controls in the SAProuter. The only way to block direct connections, thereby granting access to SAP systems only to authorized users via SAProuter, is to use a firewall. This way, SAProuter rules can be enforced and connections can be logged. (Great post by Frank Buchholz about this topic).
The purpose of a SAProuter is to enforce ACLs. They ensure that only users or machines with the proper authentication are able to communicate with sensitive SAP systems. By default, your SAProuter needs to be able to communicate with all critical SAP systems. Because of the unprecedented access that your SAProuter has, securing it must be a priority.
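SAProuter keeps these ACLs in its route permission table (saprouttab). The following Python check is an added example, not code from the original article or from SAP: it flags overly permissive entries in such a table. The sample table, host names and the `audit_saprouttab` helper are constructed for illustration, and the check assumes the `P/S/D source dest port [password]` entry layout with first-match-wins evaluation.

```python
import re
import shlex

PERMIT = {"P", "S", "KP", "KS"}        # entry types that allow a route
KNOWN = PERMIT | {"D", "KD", "KT"}     # D/KD deny, KT sets up SNC to a target

# Constructed sample table; hosts and ports are made up for illustration.
SAMPLE = """\
# route permission table (constructed sample)
S 10.1.5.20 sapprd01 3200
P 10.1.5.* sapprd01 *
P * * *
D * * *
"""

def audit_saprouttab(text):
    """Return (line_no, finding) tuples for risky route permission entries."""
    findings, catch_all = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                               # blank line or comment
        try:
            fields = shlex.split(raw)              # SNC names may be quoted
        except ValueError:
            fields = []
        m = re.match(r"[A-Za-z]+", fields[0]) if fields else None
        kind = m.group().upper() if m else ""      # "P0,*" -> "P"
        if kind not in KNOWN or len(fields) < 4:
            findings.append((no, "unparseable entry"))
            continue
        wide_open = fields[1:4] == ["*", "*", "*"]
        # The first matching entry wins, so plain entries placed after an
        # unconditional P/D catch-all are never evaluated.
        if catch_all and kind in {"P", "S", "D"}:
            findings.append((no, f"shadowed by catch-all on line {catch_all}"))
            continue
        if wide_open and kind in PERMIT:
            findings.append((no, "permits any source to any host and port"))
        elif kind in PERMIT and fields[3] == "*":
            findings.append((no, "permits every port on the destination"))
        if wide_open and kind in {"P", "D"} and len(fields) == 4:
            catch_all = no
    return findings

if __name__ == "__main__":
    for no, finding in audit_saprouttab(SAMPLE):
        print(f"line {no}: {finding}")
```

A table that lists specific source, destination and port entries and ends with `D * * *` produces no findings.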
There are a number of articles circulating online about how you can use free or open source tools like Bizploit to assess your SAProuter security. This will allow you to take the steps needed to assess the risk of your router and minimize it.
Your SAProuter carries an inherent risk: attackers can look for vulnerabilities in it and then leverage those vulnerabilities to gain the access that the SAProuter has. The solution to this problem is simple: update the SAProuter instance. If you are using Onapsis X1, you have already taken steps to minimize the risk of threats generated by your SAProuter. With Onapsis X1, you can examine any instance of your SAProuter whenever you want and immediately know if it’s out of date or if and when you need to schedule remediation efforts.
Some Additional Resources/References
- SAP Router Entry page
- Creating a Route Permission Table
- Option -S to change the default port
- Option -n to update the saprouttab without restarting the SAP Router
Documentation on SMP:
- Step by Step Procedure for SAP Router SNC Configuration
- SAProuter – SNC or VPN?
- Getting Started with SAProuter – Tutorials
SAP Router Vulnerabilities
- Time Attack Password Disclosure
- MetaSploit Vulnerability
- Rates of SME Vulnerabilities
- CVE-2014-0984 – Exploit Report
- Rapid 7 Port Scanner Guide