What can happen (typical attack vectors)

To illustrate typical attacks and architecture issues, we will use the SAP ERP solution as an example, since it is the most widespread one, installed in 85% of Fortune 2000 companies.

The risks of insecure configuration of ERP systems and other business applications are as follows.

1. Attacks via vulnerable services

Most ERP systems have dozens or even hundreds of services installed by default. They include conventional as well as web-based services, and some of them are responsible for administrative functions. For example, SAP Management Console (SAPControl) allows remote control over SAP systems. Its main functions are remote start and stop, and performing them requires a username and password.

Nonetheless, there are some functions which can be used remotely without authentication. Most of them allow reading various logs and traces, and sometimes system parameters.

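Which SAPControl (sapstartsrv) web methods require a logon is governed by the profile parameter `service/protectedwebmethods`. The check below, an added example that is not part of the original article, parses a constructed instance profile fragment and reports which log- and parameter-reading methods are left callable without authentication; the `+Method`/`-Method` adjustment syntax and the method names are assumptions to verify against your kernel's documentation.

```python
import re

# Constructed fragment of an SAP instance profile (example data, not a real system).
SAMPLE_PROFILE = """\
# instance profile for PRD/D00 (constructed example)
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
service/protectedwebmethods = SDEFAULT -ReadLogFile -ListLogFiles
"""

# sapcontrol methods that expose logs, traces or parameters if left unauthenticated
# (assumed names; confirm against the kernel you run).
SENSITIVE_METHODS = {"ReadLogFile", "ListLogFiles", "ReadDeveloperTrace",
                     "ParameterValue", "GetEnvironment", "GetStartProfile"}
KNOWN_BASES = {"NONE", "DEFAULT", "SDEFAULT", "ALL"}

def parse_profile(text):
    """Parse 'key = value' lines; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def assess_protectedwebmethods(params):
    """Return a list of findings about sensitive methods that need no logon."""
    value = params.get("service/protectedwebmethods")
    if value is None:
        return ["service/protectedwebmethods is not set: the kernel default "
                "applies, pin it explicitly (SDEFAULT) and re-check"]
    tokens = value.split()
    base = tokens[0].upper()
    findings = []
    exposed = set(SENSITIVE_METHODS) if base == "NONE" else set()
    if base not in KNOWN_BASES:
        findings.append(f"unrecognised base value {base!r}, verify the profile")
    # Assumed adjustment syntax: '-Method' unprotects, '+Method' protects one method.
    for tok in tokens[1:]:
        if tok.startswith("-"):
            exposed.add(tok[1:])
        elif tok.startswith("+"):
            exposed.discard(tok[1:])
    for method in sorted(exposed & SENSITIVE_METHODS):
        findings.append(f"{method} is callable without authentication")
    return findings
```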
2. Privilege escalation by insiders

When users connect to the server via a client application such as SAP GUI, they can execute different functions. If they want to execute some functionality, say, create a payment order or a new user, or fill in a form, they need to enter the particular transaction name in the SAP menu. The system then opens a dialog window where the user can specify the parameters. For instance, if users execute transaction SU01 to create new users in the system, they see a screen where they fill in all the details of the new user and then click the “Create” button. If the data is correct, the new user is created in the system.

However, connecting via SAP GUI and running transactions is not the only way to execute SAP functionality. SAP systems are complex, and one action can be performed in multiple ways. For example, other ways to execute functionality in an SAP system include:

  • running a background job using RFC (similar to RPC in Windows);
  • calling the same function via a SOAP interface, a web-based interface to run RFC programs remotely;
  • executing a Web Dynpro application. Web Dynpro is a web-based frontend for SAP systems that can be used when workers do not have a client application and only have a web browser.

As you can see, each of these methods requires a different approach to protection.

3. Malicious developers

Programs written in the ABAP language (SAP's proprietary language for extending the functionality of SAP systems) may have vulnerabilities and, more importantly, this language can also be used to write backdoors that provide malicious functionality, such as sending the details of every transaction to a third party via email or even publishing them on Twitter.

Unfortunately, development inside the company is almost uncontrolled. You can monitor the appearance of new programs in the system and potentially find the developer, but you cannot tell what each new program actually does unless you read every line of its source code. Thus, without additional tooling, nobody knows what exactly developers do in the system. There are no control measures at all: they can write insecure code, omit access control checks in a program, or send money to their own bank accounts, and nobody will find out unless someone reads their source code. This lack of control over developers makes them a kind of god of SAP, and their actions should be analyzed.

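Reading every line of custom code by hand does not scale, but the two patterns the text describes, an outbound channel (mail, HTTP, file, RFC) and a sensitive read with no AUTHORITY-CHECK, can be flagged automatically for review. The scanner below is an added example and not code from the article or from ERPScan; the ABAP sources are constructed, `zpayment` and `Z_PAY` are hypothetical names, and the pattern list is a starting point to extend per system.

```python
import re

# Constructed ABAP sources (example data, not from any real system). The first
# mails rows of a payment table out with no authorization check; the second
# checks an authorization object before reading the same table.
SAMPLES = {
    "ZPAY_EXPORT": """
REPORT zpay_export.
DATA lt_pay TYPE TABLE OF zpayment.
SELECT * FROM zpayment INTO TABLE lt_pay.
CALL FUNCTION 'SO_NEW_DOCUMENT_SEND_API1'
  EXPORTING document_data = ls_doc.
""",
    "ZPAY_REPORT": """
REPORT zpay_report.
AUTHORITY-CHECK OBJECT 'Z_PAY' ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE 'Not authorized' TYPE 'E'.
ENDIF.
SELECT * FROM zpayment INTO TABLE lt_pay.
WRITE: / 'done'.
""",
}

# Outbound channels a backdoor would use to leak data (mail, HTTP, file, RFC).
EXFIL_PATTERNS = {
    "mail": re.compile(r"CALL FUNCTION\s+'SO_NEW_DOCUMENT_SEND_API1'", re.I),
    "http": re.compile(r"cl_http_client=>create_by_url", re.I),
    "file": re.compile(r"\bOPEN DATASET\b", re.I),
    "rfc":  re.compile(r"CALL FUNCTION\s+'\w+'\s+DESTINATION\b", re.I),
}
AUTH_CHECK = re.compile(r"\bAUTHORITY-CHECK\s+OBJECT\b", re.I)
SELECT_FROM = re.compile(r"\bSELECT\b[^.]*?\bFROM\s+(\w+)", re.I | re.S)
SENSITIVE_TABLES = {"zpayment"}  # constructed: list the tables that matter to you

def review(source):
    """Classify one program: returns (severity, detail)."""
    channels = [n for n, rx in EXFIL_PATTERNS.items() if rx.search(source)]
    tables = {t.lower() for t in SELECT_FROM.findall(source)} & SENSITIVE_TABLES
    has_auth = bool(AUTH_CHECK.search(source))
    if channels and tables and not has_auth:
        return "HIGH", f"reads {sorted(tables)}, sends via {channels}, no AUTHORITY-CHECK"
    if channels:
        return "REVIEW", f"outbound channel {channels}; confirm the destination is legitimate"
    if tables and not has_auth:
        return "MEDIUM", f"reads {sorted(tables)} with no AUTHORITY-CHECK"
    return "OK", "no sensitive read or outbound channel found"

def review_all(programs):
    """Severity per program name, the summary a reviewer would triage first."""
    return {name: review(src)[0] for name, src in programs.items()}
```

Run it over the sources exported from a transport request or a nightly diff of custom objects; anything rated HIGH or REVIEW is what a human should read first.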
4. Insecure connections

You have to connect different applications to automate business processes. For example, if you want to generate an invoice in an SAP system automatically and send money to a particular bank account via the banking system, you need to connect the ERP and the banking system. Business application systems are connected to each other like a spider web. In reality, there are dozens of such connections, and all of them can be critical in terms of security. For example, these connections may store usernames and passwords. Moreover, the systems are intertwined not only inside the corporate network but also with partner networks via the Internet, or with other providers such as banks or insurance companies. Some of the systems are connected directly to the ICS/SCADA network via particular SAP systems such as SAP xMII (Manufacturing Integration and Intelligence) or SAP PCo (SAP Plant Connectivity).

Technically, this process is managed by RFC (Remote Function Call) and other connections between SAP systems, which usually store credentials to access a satellite system. RFC connections were developed by SAP to transfer data between two SAP systems. ERPScan's research has revealed that the average number of connections in a typical SAP system is about 50, and 30% of them usually store credentials. Once attackers break into the weakest SAP module, they can easily get access to the connected systems, and from them to others. Therefore, reviewing all kinds of connections between SAP systems is very important. For example, it is possible to get access to the OT infrastructure of an oil and gas company and steal oil using a chain of vulnerabilities and connections between systems, with an SAP vulnerability as the starting point.

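The chain the text describes (weakest system, then every system whose connection stores credentials, then the next hop) is a reachability question over the RFC destination inventory. The script below is an added example, not part of the original article: it takes a constructed SM59-style export of destinations and computes the share that store credentials (the metric ERPScan cites), the blast radius of each system as a starting point, and whether a start reaches the OT-facing systems; all system names and destinations are constructed.

```python
from collections import deque, namedtuple

Conn = namedtuple("Conn", "src dest target stores_credentials")

# Constructed export of RFC destinations (SM59-style data, not a real landscape).
CONNECTIONS = [
    Conn("DEV", "QAS_CLNT100", "QAS", True),
    Conn("QAS", "PRD_CLNT100", "PRD", True),
    Conn("PRD", "BANK_GW", "BANK", True),
    Conn("PRD", "MII_PROD", "MII", True),
    Conn("MII", "PCO_LINE1", "PCO", True),
    Conn("PRD", "HR_SYS", "HR", False),     # prompts for logon, no stored password
    Conn("PRD", "DEV_BACK", "DEV", False),
]
OT_SYSTEMS = {"MII", "PCO"}  # SAP xMII / PCo hosts that bridge into ICS/SCADA

def credentialed_share(conns):
    """Fraction of destinations that store a password (the 30% figure in the text)."""
    return sum(c.stores_credentials for c in conns) / len(conns)

def blast_radius(conns, start):
    """Systems reachable from `start` by hopping only over destinations with stored credentials."""
    adj = {}
    for c in conns:
        if c.stores_credentials:
            adj.setdefault(c.src, []).append(c.target)
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in adj.get(cur, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen

def reaches_ot(conns, start):
    """True if a foothold on `start` can pivot into an OT-facing system."""
    return bool(blast_radius(conns, start) & OT_SYSTEMS)

def rank_starting_points(conns):
    """Largest blast radius first: where credential removal or hardening pays off most."""
    systems = {c.src for c in conns} | {c.target for c in conns}
    return sorted(((len(blast_radius(conns, s)), s) for s in systems), reverse=True)
```

A development system with the largest radius is the finding to act on: removing the stored password on its outbound destination (or making the hop require an interactive logon) cuts the chain at its cheapest point.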
In the next article we will focus on the protection of ERP systems.

Translated from: https://habr.com/en/company/dsec/blog/468487/
