An easy way into your multi-million dollar SAP systems: An unknown default SAP account

March 16, 2016 (at 1:30 p.m.) in SAP Security

Fortunately, after many SAP security presentations at conferences and other ways of raising awareness, more and more SAP customers are starting to secure their business-critical SAP infrastructure. Securing SAP systems is never an easy task, given the complexity and wide variety of possible deployment scenarios for SAP systems.

However, you can secure the low-hanging fruit and prevent the easiest compromises by focusing on just a couple of vulnerabilities. One of the most obvious and simple precautions is to get rid of DEFAULT accounts. This was a simple task for a long time, as the list of default users and passwords was limited to only 5 accounts, but that has changed. Welcome to SAP default account number 6: the SMDAGENT user...

A total compromise of a SAP system will be demonstrated in this presentation. Combined with two other vulnerabilities found in our research, this default account is all it takes to gain easy access to your multi-million dollar SAP systems.

Joris van de Vis

Joris has extensive experience as a SAP Technical consultant and has a wide interest in everything "under the hood" of SAP systems. In addition to developing and working as a SAP Technical consultant, his main interest lies in the SAP Security domain. Next to helping businesses secure their SAP systems, Joris is also a SAP researcher and has reported over 40 vulnerabilities in SAP applications. He has 15 years of experience working for large Fortune 500 companies and has helped government departments implement and secure SAP landscapes. Joris is co-founder of ERP-SEC, a SAP security focused company based in the Netherlands.

Joris has presented at local SAP user group events, at many customers' sites and also at security conferences like Troopers#16, Hack.LU, cybersecurityalliance and at SAP headquarters.