The previous articles of SAP Security for CISO series covered examples of potential attacks on these systems, so now it is high time to learn how these attacks can be conducted via vulnerabilities discovered in SAP systems.
At the outset, let’s consider the patching process in SAP. When the vendor fixes vulnerabilities in its components, it releases an SAP Security Note. A note may carry a code correction, or only instructions for actions you have to take yourself, such as changing security parameters in your system without applying any patch; sometimes it requires both a patch and a configuration change. A note usually addresses one particular vulnerability, but in recent updates single notes correcting multiple vulnerabilities have appeared, so the real number of security issues is even higher than the number of notes.
Take a look at the figures: 3662 patches were released for all SAP Products. More than 2500 of them are intended for the SAP NetWeaver ABAP platform.
As you can see in the picture, most of the issues were found in the ABAP engine, followed by J2EE, and then the rest.
SAP NetWeaver ABAP Platform Security
SAP NetWeaver ABAP is the main SAP platform – a kind of framework on top of which SAP builds its business applications. Almost all business applications developed to automate an organization’s business processes (e.g. Enterprise Resource Planning or Supply Chain Management) run on the SAP NetWeaver ABAP platform. By exploiting vulnerabilities in the platform itself, an attacker gains access to every business application on top of it, which makes it possible to halt mission-critical business processes and commit industrial espionage or fraud.
As illustrated below, 2585 issues have been patched in this platform. The picture, taken from our annual research “SAP Security in Figures,” gives statistics on the different types of vulnerabilities.
Missing or improper authorization checks are the most common type of flaw in the ABAP platform, and they were identified even in SAP’s own code. Given the system’s complexity, imagine how many of them can be found in custom code. As a result, many functions can be called by users who do not need them to accomplish their work.
The graph above gives the number of vulnerabilities in the SAP NetWeaver ABAP platform by year, and Figure 1 shows the share of ABAP platform vulnerabilities compared with the number found on the other platforms. Together the two trends show that research interest is shifting from this old platform to the newer ones; nevertheless, it still leads in the number of fixed vulnerabilities.
SAP NetWeaver ABAP Platform Overview
Before we go deeper into SAP NetWeaver ABAP platform security, let’s look at its architecture and the standard way the system works. In brief, a user works in the old fat-client SAP GUI application, which connects to the SAP NetWeaver ABAP application server, specifically to the Dispatcher service. The Dispatcher hands requests to the main processes, the ABAP Work Processes, which obtain the necessary data from the database. In fact, there are numerous additional services for different functions, and every one of them is a potential target. For example, the Gateway service is an alternative way to execute SAP functionality: it is a remote API for running functions without any user interaction. Function modules that are released for remote calls (RFC-enabled function modules) can be invoked through it to execute actions in the SAP system.
Here is the list of other services and ports that are usually open for remote connections. Port numbers depend on the application server instance number NN, which ranges from 00 to 99: for example, the Dispatcher listens on 32NN and the Gateway on 33NN.

The role of the Message Server (36NN) is load balancing. Imagine you need to serve thousands of users, so you install several application servers, each with its own Dispatcher process. To let users transparently reach one or another application server, the SAP Message Server directs a user’s requests to an application server. Needless to say, with access to the Message Server a perpetrator can control the data flow from users to the application servers. Message Server HTTP (81NN) is just a web interface with statistics, but if it is not configured properly, an attacker can obtain all the application server’s configuration parameters.

The ICM service (HTTP on 80NN, HTTPS on 443NN) gives access to SAP functionality from a web browser. IGS, the Internet Graphics Server, is an old service that generates graphics such as charts for other SAP components; if misconfigured, it can be used by malicious actors to exfiltrate critical data. The enqueue server administers locks on objects during SAP transactions. The locks are requested by applications to ensure the consistency of the SAP system; failure of the server without high-availability protection means the total loss of the stored locks, with consequences such as the automatic rollback of transactions.

The MMC service (SAP Start Service, sapstartsrv, on 5NN13/5NN14) and the Host Control service (SAP Host Agent, on 1128/1129) exist for administrative purposes. They are SOAP interfaces that can execute a range of administrative commands, some of which do not require authentication if misconfigured.
So there are services installed by default, with vulnerabilities and misconfigurations, that are usually left unattended by administrators who rarely take care of their security.
SAP NetWeaver ABAP Platform Vulnerabilities
The SAP NetWeaver ABAP application server is the oldest and most vulnerable SAP platform. Researchers have presented dozens of reports on the security of each of the services described above. I will highlight the most important of them so far.
In 2007, a researcher from the Argentinian company Cybsec published information about a vulnerability in the SAP Gateway service that allowed one to bypass security restrictions and execute any OS command on the SAP server. This issue still affects many systems.
In 2011, a research project called “Scrubbing SAP clean with SOAP” revealed multiple ways to obtain critical information from SAP through the MMC service. Later on, we presented more attacks, such as reading configuration files from the server through the MMC service.
In 2012, there was a talk worth mentioning that described SAP Solution Manager security as a topic to watch. Solution Manager is a kind of management console for all SAP systems. By gaining unauthorized access to it, an attacker reaches all systems in the landscape, because the RFC and other connections between SAP systems usually store credentials for accessing the satellite systems. You will find more on that in my subsequent articles. “Top 10 most interesting SAP vulnerabilities and attacks” is an informative presentation in which I collected compelling and curious attacks on SAP systems to prove that SAP security is much more than just segregation of duties.
Finally, if you want to get an overview of real attacks and learn more technical details about them, I recommend looking at the presentation from the 2013 RSA conference, titled, “If I Want A Perfect Cyberweapon, I’ll Target ERP.” For you to know how to perform a SAP Security assessment manually, there is the “Practical SAP Pentesting” workshop available.
Remote Attacks on SAP NetWeaver ABAP
There is still a myth that SAP systems are only reachable internally. In fact, a wide range of services is not only open to connections from the corporate network but also accessible from the Internet.
What about the most significant vulnerabilities that can be exploited remotely? Almost every SAP customer uses the SAP Router application to download updates from the vendor and to give SAP support teams remote access to the systems in case of emergency. This means the SAP Router service is reachable from the Internet, and every vulnerability in it can be used to break into every company that has SAP Router installed and does not apply updates in time. Our researchers identified critical remote command execution vulnerabilities in the SAP Router service, and at the time of our research 85% of SAP Routers were not updated! Such a vulnerability can be used to plant a stealth agent, a “backdoor” that stays undetected and modifies any updates uploaded into SAP systems. That makes it one of the most dangerous issues identified in SAP, but bear in mind it is only one of 3600+ issues.
Every year the situation changes, and researchers look at areas that had earlier seemed secure. The year 2014 was known for multiple denial-of-service vulnerabilities in different SAP services. Previously, system availability and sabotage attacks had been underestimated. While a single denial-of-service vulnerability in an ordinary application is not a big deal, it can cause serious trouble for systems such as ERP or core banking, which is why researchers turned their attention to DoS issues in SAP applications and found many of them.
Another area we focus on is the reverse engineering of SAP’s proprietary protocols and the identification of remote command execution issues in them. Vulnerabilities in the protocols of services such as SAP Dispatcher, SAP Message Server, and SAP Router were presented in 2014 – 2015. In general, 2014 – 2015 also brought a wave of vulnerabilities in widely shared infrastructure, from TLS attacks such as BEAST and FREAK to the VENOM hypervisor escape; most of them affect SAP systems as well, because these run on the same protocol stacks and platforms.
Securing SAP NetWeaver ABAP Platform
Now let’s shortly discuss defensive measures (a detailed Defense article will come later). There are two main areas: Infrastructure security (network, OS, and DB) and Application security.
As for Infrastructure, it does not matter how properly you secure your application if you have a default password for the OS. I hope everybody realizes it and there is no need to discuss all the details of Infrastructure Protection, which you can get from industry guidelines such as NIST and SANS.
Speaking of the latter, there are three areas in SAP application security. First, you should take care of vulnerability management (deal with SAP Security Notes) and secure configuration (default passwords, unnecessary services, etc.); then check your custom code for vulnerabilities and backdoors; and finally review access control and SoD issues so that no user is able to execute more than required for the job. The SAP NetWeaver ABAP Platform Vulnerability Assessment Guide developed by the EAS-SEC organization with the help of the ERPScan team is a great source of information to start the secure configuration of the SAP NetWeaver ABAP application server.
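The secure-configuration step above, and the earlier point that default services are left with unattended settings, come down to a handful of profile parameters. The following is an added example, not code from the original article or from ERPScan: it parses an ABAP instance profile in the plain “parameter = value” format that sapstart reads and flags weak values. The parameter names are real SAP profile parameters; the “secure” predicates, the sample profile, and the threshold of 8 for the minimum password length are this example’s own assumptions and should be aligned with the EAS-SEC guide and the Security Notes relevant to the kernel in use.

```python
"""Audit an SAP NetWeaver ABAP instance profile for weak security settings."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample profile (not from a real system). It mixes a few hardened
# settings with several weak ones, and sets login/min_password_lng twice to show
# that the last assignment wins, as it does when sapstart reads a profile.
SAMPLE_PROFILE = """\
# Constructed example: instance profile of an ABAP application server
SAPSYSTEMNAME = DEV
INSTANCE_NAME = DVEBMGS00
SAPSYSTEM = 00
DIR_INSTANCE = /usr/sap/DEV/DVEBMGS00
gw/sec_info = $(DIR_INSTANCE)/secinfo
gw/acl_mode = 0
auth/rfc_authority_check = 0
login/no_automatic_user_sapstar = 0
login/min_password_lng = 6
ms/monitor = 1
login/min_password_lng = 10
"""

# Real SAP profile parameters; the "secure" predicates are this example's own
# hardening assumptions, to be aligned with the EAS-SEC guide and the relevant
# SAP Security Notes for the kernel release in use.
CHECKS: Dict[str, Tuple[Callable[[str], bool], str]] = {
    "gw/acl_mode": (lambda v: v == "1",
        "Gateway must fall back to a restrictive ACL when secinfo/reginfo are absent"),
    "auth/rfc_authority_check": (lambda v: v != "0",
        "S_RFC authorization checks must not be switched off for remote function calls"),
    "login/no_automatic_user_sapstar": (lambda v: v == "1",
        "the hard-coded SAP* emergency logon must be disabled"),
    "login/min_password_lng": (lambda v: v.isdigit() and int(v) >= 8,
        "minimum password length below 8 (assumed policy) invites guessing"),
    "ms/monitor": (lambda v: v == "0",
        "external Message Server monitoring leaks server lists and parameters"),
    "login/password_downwards_compatibility": (lambda v: v == "0",
        "legacy password hashes must not be generated; they are cheap to crack"),
}

_LINE = re.compile(r"^([A-Za-z0-9_/.-]+)\s*=\s*(.*?)\s*$")
_SUBST = re.compile(r"\$\(([A-Za-z0-9_]+)\)")


def parse_profile(text: str) -> Dict[str, str]:
    """Return {parameter: value}; later duplicates override earlier ones."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # tolerate junk rather than abort the whole audit
        name, value = m.group(1), m.group(2)
        # Resolve $(VAR) against parameters already seen; leave unknown ones as-is.
        value = _SUBST.sub(lambda s: params.get(s.group(1), s.group(0)), value)
        params[name] = value
    return params


@dataclass
class Finding:
    parameter: str
    value: Optional[str]
    severity: str  # "FAIL": weak value set; "REVIEW": not set, kernel default applies
    message: str


def audit(params: Dict[str, str]) -> List[Finding]:
    """Compare the effective parameters against CHECKS."""
    findings: List[Finding] = []
    for name, (is_secure, why) in CHECKS.items():
        if name not in params:
            findings.append(Finding(name, None, "REVIEW",
                                    "not set explicitly; verify the kernel default (RZ11). " + why))
        elif not is_secure(params[name]):
            findings.append(Finding(name, params[name], "FAIL", why))
    return findings


if __name__ == "__main__":
    for f in audit(parse_profile(SAMPLE_PROFILE)):
        print(f"{f.severity:6} {f.parameter} = {f.value!r}: {f.message}")
```

Run against the constructed profile, the audit reports four FAIL findings (Gateway ACL mode, RFC authority check, automatic SAP* user, Message Server monitoring) and one REVIEW finding for the unset password-compatibility parameter; the duplicated minimum password length resolves to the later value 10 and passes. Parameters that are absent are deliberately not assumed secure, because the kernel default differs between releases and can only be confirmed on the system itself.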