Infosec bloke pokes hornet's nest with stick; patch ASAP
By John Leyden, 29 Mar 2016 at 11:42
Security researchers were able to access default SAP accounts on enterprise systems worldwide by using default passwords.
The security snafu meant that SAP systems worldwide were potentially vulnerable to data theft, business process disruption and fraud, specialist security outfit ERP-SEC warned.
Joris van de Vis, researcher at ERP-SEC, demonstrated full compromises of the SAP Solution Manager and connected systems via three of these default accounts during a presentation at the recent Troopers Security Conference.
The issue only affects users of older versions of SAP’s enterprise software. Van de Vis's research identifies some "very high risk" default accounts in affected installations, including one noted as a "hardcoded kernel user".
“The precise percentage of affected customers is unclear, but a quick check under some of our customers shows at least 50 per cent of them have one or more of these default users with a default password in their systems,” van de Vis explained. “This only affects long-time SAP customers as new installations are not affected.”
full article here: