Target SAP

Unauthorized access enables sabotage, espionage and fraud - up to full control over SAP infrastructures.

Due to unauthorized Accesses at Databases spies gain insight into all of a company's critical data: USIS, a provider of background research on personal data, was forced to admit in 2015 to unauthorized external access to at least 25,000 employees' data in U.S. government agencies.

For a fraud extends a Attacker his Right in SAP systems, creates itself as a fake supplier, writes itself an invoice and initiates the transfer to its own account.

This is done by extending the privileges of a user-Accounts - by leveraging the SAP-specific security approach of Segregation of Duties (SoD): While a separation of duties or competencies can be effective for Security provide by Right of employees in development, production, planning and accounting are neatly separated.

However, the separation can also be achieved by strongly privileged Accounts be leveraged.

In a case warned about in May 2016 by the government-affiliated US-CERT, a patch that has actually been closing since 2010 is being Security gap still exploited in SAP systems with Invoker Servlet enabled.

Through the gap can Attacker remotely access new SAPUser with administrative privileges via the web browser.

The gap could be identified at 36 companies - 13 of which generated annual sales of more than ten billion euros.

The attack targeted non-updated or misconfigured SAP Java platforms. Sabotage by shutting down SAP applications or even an entire system is also dramatic.

The damage when an application must be taken offline was estimated by respondents to a Ponemon Institute study in spring 2016 at $4.5 million - including all costs to repair the damage and lost business opportunities.

Attacks on profiles and privileges

The target areas for attacks on access rights and user profiles are the transaction layers - such as Hana or NetWeaver - which manage business information and processes as well as access to them, regulate communication between the instances, and are responsible for their Security for instance by Encryption provide.

Also Accounts and their permissions are managed in the transaction layer with parameters and can be configured like in a Database Change. Attacker try to use these accesses to remotely control data traffic, read, copy, move or overwrite directories of any content.

All parameters of SAP infrastructures can be configured quickly by entering numerical values.

Account-Management and error rate

The most diverse possibilities of Account–Management quickly create complexity and increase the error rate.

Risks arise from the customizing of the SAP software, from the settings made by the user Management Engine (UME) in Java systems, which is responsible for searching or creating new users, and by the Access Control List (ACL), which regulates the logon to servers and the admission of programs or connections (reginfo, secinfo, Webdispatcher, Management Console, Message Server, ICM).

Further dangers exist in the configuration of user roles and user parameters in general (for example, through the universally authorized Sap_All user and user profiles that can accept RFC connections) or in the case of insecure configurations of authentication procedures.

Management from Risk-Applicants

Extensive privileges make users dangerous. However, if credentials have been leaked or authentication procedures have been circumvented, the use of secure user types can still provide a second wall of protection.

A basic rule in rights management is therefore to create a User only with the minimum Right which he needs for his task. The so-called restricted user, who has no special privileges in the default setting, on Databases only accesses via client applications and does not have full SQL access should be security standard.

Standard users who can create their own objects by default, read data in the system view and have a public role should be avoided if possible. Their log-in, data query and data transfer activities must be monitored in particular.

Of course, this also applies to particularly critical Hana-User: The adm user (where stands for the respective Hana-system SID), which is created during the installation process at the operating system level, unprotected represents a Risk represents. It has privileges for all Hana-System Resources.

Many system providers place the Password for this User during the installation of the systems at customers' sites. It should be changed at the latest after handover of the SAP infrastructure.

Also other User on operating system environment, such as the root user, the sapadm user or individually created user profiles, must be configured securely and monitored all the more closely with extensive privileges.

Side entrances

Another backdoor to be monitored, which is often not asked for credentials when entering, are SAP's emergency mechanisms. With the profile parameter login/no_automatic_user_sapstar, an access for uncomplicated problem solving is available, which leads to the dangerous Backdoor can be.

If the super user SAP* is then deleted, this access no longer exists for the auditable Databases. Therefore, it remains undetected when performing conventional audits, but has a connection to the system with all authorizations. In addition, the standardPassword not be changed.

The result of misuse is the compromise of either one or more clients, one or more application servers, or even the entire SAP system.

The simple workaround is to never delete the super user, additionally save the user SAP* and set the value login/no_automatic_user_sapstar with "1".

However, insecure configurations of authentication procedures also pose a high Risk present. Danger create scripts for automatic saving of Passwords in the SAP GUI user interface. If set appropriately, these save the values entered in the log-in field, for example, and thus also Passwords - but also user data from customers.

Such attacks are favoured by an excessively weak Encryption when saving the data. In addition, the history of entries in user name fields for each User saved in a uniformly named file, so that a Hacker find them easily. For more Security provides the Protection of entries in darkened input fields or turning off the saving of past entries.

Another gap are the so-called SAP shortcuts. Here define User not only a target address for logging in to an SAP instance, the transaction to be triggered there, and possibly the entry of a default user name.

A shortcut defined or controlled by the wrong hands can become a gateway to systems. In earlier transaction layers, the danger was even greater because the shortcuts also included the automatic input of individual Passwords could be installed.

SAP has made these options available for new Passwords therefore blocked in the meantime. For already existing Passwords this danger may still exist.

Configuration check and attack defense

Given the complexity and dimension of configuration issues, errors are almost impossible to avoid. But it is important to find and fix them as quickly as possible.

An effective SAP security solution therefore investigates configuration errors and provides near real-time protection against possible attacks.

The inventory of Security gaps can only be achieved through automated assessment solutions. It is important to continuously check the security status of the SAP infrastructure in order to immediately detect any new misconfigurations.

In the process, not only productive systems, but also Test-systems must be taken into account, because it is precisely here that default configured and often forgotten user-Accounts, which are exploited by unwanted visitors.

Configurations from Accounts or authentication solutions can be configured according to different guidelines (SAP-Security Policy, PCI, SOX, NERC, Custom or others).

A threat detection and mitigation solution then first gives step-by-step instructions on how to fix the gaps, which can be implemented quickly.

Against unknown threats, which also arise from configuration-related risks, solutions provide a near-real timeProtection by blocking attacks until an SAP Security Note is available for it.

At the top of the list is also a Monitoring of abnormal access by internal employees.

The developer who suddenly or at unusual times resorts to instances for accounting should not go undetected and its Accesses be blocked if necessary.