Some old SAP systems have default kernel user accounts. Guess what happened next? Security researchers were able to access default SAP accounts on enterprise systems worldwide by using default passwords. The security snafu meant that SAP systems worldwide were potentially vulnerable to data theft, business process disruption and fraud, specialist security outfit ERP-SEC warned. Joris van de Vis, researcher …
Oh good. Now can someone please explain why SAP thought hardcoded kernel users was a good idea in the first place ?
Because that is something I'd really like to know. Hey guys, we're making this really complex and hard-to-configure enterprise software application that will be available over LAN, WAN and wireless. Why don't we include a hardcoded kernel user to make sure we can always debug a client installation ? After all, what could possibly go wrong ?
Well, I'll give you that it's not good practice and I'd add that it's been a while since I've seen anyone do this (except for system accounts hmmmm).
I'm also not sure how long ago SAP stopped doing this.
On the other hand is there a requirement to leave ssh access open to the world on the machine with the hard coded login? I would expect any administrator worth their salt to at the very least make external accesses go via another machine first..... which makes this attack vector a lot less useful.
Perhaps there's something in this part of SAP which means you have to allow access to the machine for world+dog...... I don't know.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
