Report DIVD-2022-00006 - SAProuter

Report DIVD-2022-00006 - SAProuter

15 February, 2022 by Joris van de Vis

Case lead: Joris van de Vis
CSIRT: Victor Pasman
Researchers: Victor Pasman , Joris van de Vis

SAProuters are software-defined routers that route traffic from and to SAP systems. A typical use-case is for SAP support to access your internal SAP systems from SAP HQ for remote support. The SAProuter routes traffic e.g., from the internet to internal resources (SAP systems). When not correctly secured, anyone from the internet can access internal resources. This, in turn, might lead to the exploitation of internal SAP resources that would otherwise not be possible in a direct manner.

Typical vulnerabilities in the SAProuter are a misconfigured Access Control List (called saprouttab) or the absence of Firewall restrictions blocking access to the SAProuter.

By sending so-called information requests to the SAProuter we can test for misconfigurations and the absence of access restrictions. This is a non-intrusive call to the SAProuter that only retrieves information about connected devices.

By scanning 8000+ SAProuters worldwide (as retrieved from Shodan), we found 300+ SAProuters that responded to our information requests. Less than 10 of these SAProuters used IP addresses from the Netherlands. Vulnerable IP addresses are reported to the email addresses as retrieved via WHOIS.

Timeline

Date Description
07-02-2022 8000+ SAProuters found on Shodan
08-02-2022 Script developed to send SAProuter information requests
08-02-2022 First scan done on a subset of IP addresses and next full scan
09-02-2022 Enrichment done on vulnerable IP addresses and first version of this case file
10-02-2022 Published first version of this case file
11-02-2022 DIVD CSIRT sent out the first batch of notifications