![\"Fullsize\"](\"https:\/\/e3mag.com\/wp-content\/uploads\/2026\/03\/banner_26_04_08_1200x150.jpg\")
<\/a><\/div>\nFor a fraud extends a Attacker<\/span> his Right<\/span> in SAP systems, creates itself as a fake supplier, writes itself an invoice and initiates the transfer to its own account.<\/p>\n This is done by extending the privileges of a user-Accounts<\/span> - by leveraging the SAP-specific security approach of Segregation of Duties (SoD): While a separation of duties or competencies can be effective for Security<\/span> provide by Right<\/span> of employees in development, production, planning and accounting are neatly separated.<\/p>\n In a case warned about in May 2016 by the government-affiliated US-CERT, a patch that has actually been closing since 2010 is being Security gap<\/span> still exploited in SAP systems with Invoker Servlet enabled.<\/p>\n Through the gap can Attacker<\/span> remotely access new SAPUser<\/span> with administrative privileges via the web browser.<\/p>\n The gap could be identified at 36 companies - 13 of which generated annual sales of more than ten billion euros.<\/p>\n The attack targeted non-updated or misconfigured SAP Java platforms. Sabotage by shutting down SAP applications or even an entire system is also dramatic.<\/p>\n The damage when an application must be taken offline was estimated by respondents to a Ponemon Institute study in spring 2016 at $4.5 million - including all costs to repair the damage and lost business opportunities.<\/p>\n The target areas for attacks on access rights and user profiles are the transaction layers - such as Hana or NetWeaver - which manage business information and processes as well as access to them, regulate communication between the instances, and are responsible for their Security<\/span> for instance by Encryption<\/span> provide.<\/p>\n Also Accounts<\/span> and their permissions are managed in the transaction layer with parameters and can be configured like in a Database<\/span> Change. Attacker<\/span> try to use these accesses to remotely control data traffic, read, copy, move or overwrite directories of any content.<\/p>\n All parameters of SAP infrastructures can be configured quickly by entering numerical values.<\/p>\n The most diverse possibilities of Account<\/span>-Management<\/span> quickly create complexity and increase the error rate.<\/p>\n Risks arise from the customizing of the SAP software, from the settings made by the user Management<\/span> Engine (UME) in Java systems, which is responsible for searching or creating new users, and by the Access Control List (ACL), which regulates the logon to servers and the admission of programs or connections (reginfo, secinfo, Webdispatcher, Management Console, Message Server, ICM).<\/p>\n Further dangers exist in the configuration of user roles and user parameters in general (for example, through the universally authorized Sap_All user and user profiles that can accept RFC connections) or in the case of insecure configurations of authentication procedures.<\/p>\n Extensive privileges make users dangerous. However, if credentials have been leaked or authentication procedures have been circumvented, the use of secure user types can still provide a second wall of protection.<\/p>\n A basic rule in rights management is therefore to create a User<\/span> only with the minimum Right<\/span> which he needs for his task. The so-called restricted user, who has no special privileges in the default setting, on Databases<\/span> only accesses via client applications and does not have full SQL access should be security standard.<\/p>\n Standard users who can create their own objects by default, read data in the system view and have a public role should be avoided if possible. Their log-in, data query and data transfer activities must be monitored in particular.<\/p>\n Of course, this also applies to particularly critical Hana<\/span>-User: The adm user (where stands for the respective Hana<\/span>-system SID), which is created during the installation process at the operating system level, unprotected represents a Risk<\/span> represents. It has privileges for all Hana<\/span>-System Resources.<\/p>\n Many system providers place the Password<\/span> for this User<\/span> during the installation of the systems at customers' sites. It should be changed at the latest after handover of the SAP infrastructure.<\/p>\n Also other User<\/span> on operating system environment, such as the root user, the sapadm user or individually created user profiles, must be configured securely and monitored all the more closely with extensive privileges.<\/p>\n Another backdoor to be monitored, which is often not asked for credentials when entering, are SAP's emergency mechanisms. With the profile parameter login\/no_automatic_user_sapstar, an access for uncomplicated problem solving is available, which leads to the dangerous Backdoor<\/span> can be.<\/p>\n If the super user SAP* is then deleted, this access no longer exists for the auditable Databases<\/span>. Therefore, it remains undetected when performing conventional audits, but has a connection to the system with all authorizations. In addition, the standardPassword<\/span> not be changed. The result of misuse is the compromise of either one or more clients, one or more application servers, or even the entire SAP system.<\/p>\n The simple workaround is to never delete the super user, additionally save the user SAP* and set the value login\/no_automatic_user_sapstar with \"1\".<\/p>\n However, insecure configurations of authentication procedures also pose a high Risk<\/span> present. Danger create scripts for automatic saving of Passwords<\/span> in the SAP GUI user interface. If set appropriately, these save the values entered in the log-in field, for example, and thus also Passwords<\/span> - but also user data from customers.<\/p>\n Such attacks are favoured by an excessively weak Encryption<\/span> when saving the data. In addition, the history of entries in user name fields for each User<\/span> saved in a uniformly named file, so that a Hacker<\/span> find them easily. For more Security<\/span> provides the Protection<\/span> of entries in darkened input fields or turning off the saving of past entries.<\/p>\n Another gap are the so-called SAP shortcuts. Here define User<\/span> not only a target address for logging in to an SAP instance, the transaction to be triggered there, and possibly the entry of a default user name.<\/p>\n A shortcut defined or controlled by the wrong hands can become a gateway to systems. In earlier transaction layers, the danger was even greater because the shortcuts also included the automatic input of individual Passwords<\/span> could be installed.<\/p>\n SAP has made these options available for new Passwords<\/span> therefore blocked in the meantime. For already existing Passwords<\/span> this danger may still exist.<\/p>\n Given the complexity and dimension of configuration issues, errors are almost impossible to avoid. But it is important to find and fix them as quickly as possible.<\/p>\n An effective SAP security solution therefore investigates configuration errors and provides near real-time protection against possible attacks.<\/p>\n The inventory of Security gaps<\/span> can only be achieved through automated assessment solutions. It is important to continuously check the security status of the SAP infrastructure in order to immediately detect any new misconfigurations. In the process, not only productive systems, but also Test<\/span>-systems must be taken into account, because it is precisely here that default configured and often forgotten user-Accounts<\/span>, which are exploited by unwanted visitors.<\/p>\n Configurations from Accounts<\/span> or authentication solutions can be configured according to different guidelines (SAP-Security Policy<\/span>, PCI, SOX, NERC, Custom or others).<\/p>\n A threat detection and mitigation solution then first gives step-by-step instructions on how to fix the gaps, which can be implemented quickly.<\/p>\n Against unknown threats, which also arise from configuration-related risks, solutions provide a near-real timeProtection<\/span> by blocking attacks until an SAP Security Note is available for it.<\/p>\n At the top of the list is also a Monitoring<\/span> of abnormal access by internal employees.<\/p>\n The developer who suddenly or at unusual times resorts to instances for accounting should not go undetected and its Accesses<\/span> be blocked if necessary.<\/p>","protected":false},"excerpt":{"rendered":" SAP-controlled business processes and data are an attractive target for attackers. External as well as internal attackers who hijack foreign credentials or extend authorizations can access data and applications via the transaction layers of incorrectly or riskily configured SAP systems.<\/p>","protected":false},"author":79,"featured_media":4256,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"pmpro_default_level":"","footnotes":""},"categories":[4,740],"tags":[637,1359,117],"coauthors":[22310],"class_list":["post-4240","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-management","category-mag1612","tag-hacker","tag-onapsis","tag-sicherheit","pmpro-has-access"],"acf":[],"featured_image_urls_v2":{"full":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898.jpg",1000,700,false],"thumbnail":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898-150x150.jpg",150,150,true],"medium":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898.jpg",400,280,false],"medium_large":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898-768x538.jpg",768,538,true],"large":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898.jpg",1000,700,false],"image-100":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898-100x70.jpg",100,70,true],"image-480":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898-480x336.jpg",480,336,true],"image-640":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898-640x448.jpg",640,448,true],"image-720":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898-720x504.jpg",720,504,true],"image-960":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898-960x672.jpg",960,672,true],"image-1168":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898.jpg",1000,700,false],"image-1440":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898.jpg",1000,700,false],"image-1920":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898.jpg",1000,700,false],"1536x1536":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898.jpg",1000,700,false],"2048x2048":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898.jpg",1000,700,false],"trp-custom-language-flag":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898.jpg",18,12,false],"bricks_large_16x9":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898.jpg",964,675,false],"bricks_large":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898.jpg",1000,700,false],"bricks_large_square":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898.jpg",1000,700,false],"bricks_medium":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898.jpg",600,420,false],"bricks_medium_square":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898.jpg",600,420,false],"profile_24":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898-24x24.jpg",24,24,true],"profile_48":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898-48x48.jpg",48,48,true],"profile_96":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898-96x96.jpg",96,96,true],"profile_150":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898-150x150.jpg",150,150,true],"profile_300":["https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/shutterstock_242118898-300x300.jpg",300,300,true]},"post_excerpt_stackable_v2":" SAP-gesteuerte Gesch\u00e4ftsprozesse und Daten sind f\u00fcr Angreifer ein attraktives Ziel. Externe wie interne Angreifer, die fremde Zugangsdaten in Beschlag nehmen oder Berechtigungen ausweiten, k\u00f6nnen auf Daten und Anwendungen \u00fcber die Transaktionslayer von falsch oder riskant konfigurierten SAP-Systemen zugreifen.<\/p>\n","category_list_v2":"Business-Management<\/a>, MAG 16-12<\/a>","author_info_v2":{"name":"Mariano Nunez, Onapsis","url":"https:\/\/e3mag.com\/en\/author\/mariano-nunez\/"},"comments_num_v2":"0 comments","_links":{"self":[{"href":"https:\/\/e3mag.com\/en\/wp-json\/wp\/v2\/posts\/4240","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/e3mag.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/e3mag.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/e3mag.com\/en\/wp-json\/wp\/v2\/users\/79"}],"replies":[{"embeddable":true,"href":"https:\/\/e3mag.com\/en\/wp-json\/wp\/v2\/comments?post=4240"}],"version-history":[{"count":0,"href":"https:\/\/e3mag.com\/en\/wp-json\/wp\/v2\/posts\/4240\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/e3mag.com\/en\/wp-json\/wp\/v2\/media\/4256"}],"wp:attachment":[{"href":"https:\/\/e3mag.com\/en\/wp-json\/wp\/v2\/media?parent=4240"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/e3mag.com\/en\/wp-json\/wp\/v2\/categories?post=4240"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/e3mag.com\/en\/wp-json\/wp\/v2\/tags?post=4240"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/e3mag.com\/en\/wp-json\/wp\/v2\/coauthors?post=4240"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"Mariano](\"https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/Mariano-Nun.jpg\" "\\"Target")
<\/a>However, the separation can also be achieved by strongly privileged Accounts<\/span> be leveraged.<\/p>\nAttacks on profiles and privileges<\/h3>\n
Account<\/span>-Management and error rate<\/h3>\n
Management<\/span> from Risk<\/span>-Applicants<\/h3>\n
Side entrances<\/h3>\n
![\"Hazard](\"https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/Gefa\u0308hrdungstabelle.jpg\" "\\"Target")
<\/a><\/p>\nConfiguration check and attack defense<\/h3>\n
![\"SAP](\"https:\/\/e3mag.com\/wp-content\/uploads\/2016\/12\/SAP-Sicherheit.jpg\" "\\"Target")
<\/a><\/p>\n