DIVD-2022-00006 - SAProuter
|Case lead||Joris van de Vis|
|Recommendation||Restrict access to the SAProuter via a firewall and restrictive Access Control Lists.|
|Last modified||21 Feb 2022 15:35|
SAProuters are software-defined routers that route traffic to and from SAP systems. A typical use case is SAP support accessing your internal SAP systems from SAP HQ for remote support. The SAProuter routes traffic, e.g. from the internet to internal resources. When it is not properly secured, anyone on the internet can gain access to internal resources.
What you can do
A best practice is to place a firewall in front of the SAProuter that only allows traffic from trusted sources. Additionally, the SAProuter ACL file (called saprouttab) must be restrictive and only route traffic from trusted sources to a limited number of internal resources.
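One way to check a saprouttab against this advice, as an added example (not DIVD's or SAP's code): the script flags every wildcard in a permit entry. It assumes the usual entry layout (type, source host, destination host, optional service, with a quoted SNC name first on K-type entries); the function name and the sample addresses are constructed.

```python
import shlex

PERMIT = {"P", "S", "KP", "KS"}   # entry types that allow a route
SNC_TYPES = {"KP", "KS", "KD"}    # these carry an SNC name before the source host
FIELDS = ("source", "destination", "service")

# Constructed sample; addresses and ports are placeholders, not from the case file.
SAMPLE = """\
# saprouttab (constructed sample)
P * * *
P 198.51.100.10 10.0.0.5 3299
S 198.51.100.* 10.0.0.5 *
D * * *
"""

def audit_saprouttab(text):
    """Return (line_no, field, value) for every wildcard in a permit entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                   # blank line or comment line
        parts = shlex.split(line)      # SNC names are quoted and may contain spaces
        kind, rest = parts[0].upper(), parts[1:]
        if kind not in PERMIT:
            continue                   # D/KD deny entries and KT entries are not reviewed
        if kind in SNC_TYPES:
            rest = rest[1:]            # drop the SNC name
        for field, value in zip(FIELDS, rest):
            if "*" in value:
                findings.append((line_no, field, value))
    return findings

if __name__ == "__main__":
    for line_no, field, value in audit_saprouttab(SAMPLE):
        print(f"line {line_no}: permit entry with wildcard {field} {value!r}")
```

Each finding is a route to review: replace the wildcard with the specific trusted source, internal host or port that the route is meant to serve.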
What we are doing
We used a so-called information-request to try to retrieve data from the SAProuter involved. This is a non-intrusive call to the SAProuter that only retrieves information about connected devices.
|07 Feb 2022||8000+ SAProuters found on Shodan.|
|08 Feb 2022||Script developed to send SAProuter information-requests.|
|08 Feb 2022||First scan done on a subset of IP addresses, followed by a full scan.|
|09 Feb 2022||Enrichment done on vulnerable IP addresses and first version of this case file.|
|10 Feb 2022||Published first version of this case file.|
|11 Feb 2022||DIVD sent out a first batch of notifications.|