Report DIVD-2022-00006 - SAProuterWritten on 15 Feb 2022 by Joris van de Vis
Joris van de Vis
CSIRT: Victor Pasman
Researchers: Victor Pasman , Joris van de Vis
Case file: DIVD-2022-00006
SAProuters are software-defined routers that route traffic from and to SAP systems. A typical use-case is for SAP support to access your internal SAP systems from SAP HQ for remote support. The SAProuter routes traffic e.g., from the internet to internal resources (SAP systems). When not correctly secured, anyone from the internet can access internal resources. This, in turn, might lead to the exploitation of internal SAP resources that would otherwise not be possible in a direct manner.
Typical vulnerabilities in the SAProuter are a misconfigured Access Control List (called saprouttab) or the absence of Firewall restrictions blocking access to the SAProuter.
By sending so-called information requests to the SAProuter we can test for misconfigurations and the absence of access restrictions. This is a non-intrusive call to the SAProuter that only retrieves information about connected devices.
By scanning 8000+ SAProuters worldwide (as retrieved from Shodan), we found 300+ SAProuters that responded to our information requests. Less than 10 of these SAProuters used IP addresses from the Netherlands. Vulnerable IP addresses are reported to the email addresses as retrieved via WHOIS.
|07-02-2022||8000+ SAProuters found on Shodan|
|08-02-2022||Script developed to send SAProuter information requests|
|08-02-2022||First scan done on a subset of IP addresses and next full scan|
|09-02-2022||Enrichment done on vulnerable IP addresses and first version of this case file|
|10-02-2022||Published first version of this case file|
|11-02-2022||DIVD CSIRT sent out the first batch of notifications|