Skip to the content.

DIVD-2022-00006 - SAProuter

Our reference DIVD-2022-00006
Case lead Joris van de Vis
Researcher(s)
CVE(s)
  • n/a
Products
  • SAProuter
Versions
  • All versions
Recommendation Restrict access to the SAProuter via a Firewall and restricted Access Control Lists.
Patch status n/a
Status Open
Last modified 20 Jun 2022 07:35

Summary

SAProuters are software defined routers that route traffic from and to SAP systems. A typical usecase is for SAP support to access your internal SAP systems from SAP HQ for remote support. The SAProuter routes traffic e.g. from the internet to internal resources. When not properly secured anyone from the internet can get access to internal resources.

What you can do

A best practice is to have a Firewall in front of the SAProuter that only allows traffic from trusted sources. Additionally the SAProuter ACL file (called saprouttab) must be restricted and only route traffic from trusted sources to a limited number of internal resources.

What we are doing

We used a so called information-request to try and retreive data from the SAProuter involved. This is a non-intrusive call to the SAProuter that only retreives information about connected devices.

Timeline

Date Description
07 Feb 2022 8000+ SAProuters found on Shodan.
08 Feb 2022 Script developed to send SAProuter information-requests.
08 Feb 2022 First scan done on subset of ip-addresses and next full scan.
09 Feb 2022 Enrichment done on vulnerable ip-addresses and first version of this case file.
10 Feb 2022 Published first version of this case file.
11 Feb 2022 DIVD sent out a first batch of notifications.
gantt title DIVD-2022-00006 - SAProuter dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2022-00006 - SAProuter (still open) :2022-02-07, 2022-07-01 section Events 8000+ SAProuters found on Shodan. : milestone, 2022-02-07, 0d Script developed to send SAProuter information-requests. : milestone, 2022-02-08, 0d First scan done on subset of ip-addresses and next full scan. : milestone, 2022-02-08, 0d Enrichment done on vulnerable ip-addresses and first version of this case file. : milestone, 2022-02-09, 0d Published first version of this case file. : milestone, 2022-02-10, 0d DIVD sent out a first batch of notifications. : milestone, 2022-02-11, 0d

More information