
On American TV there is a trend away from classic sitcoms and movies into the new world of Reality TV. I am not sure what is real about it, because who wants to eat in Hell’s Kitchen when Gordon Ramsay is touching your food and sending it to your table? Don’t worry if the chef fails to deliver, they can always be on Worst Cooks in America for a chance to win $25,000. Maybe even a Survivor on Temptation Island where they discuss 19 Kids and Counting. It is turning out to be an Amazing Race as America’s Next Top Model becomes an American Idol when they watch Dancing with The Stars and hear So You Think You Can Dance? Well, in my world I believe the Cupcake Wars need to start as every new star at The Black Hat Conference is trying to be the new Howard Stern. We realize that as long as there has been software there have been bugs and potential risks. Most people accept that every week you need to shut down Microsoft Windows and reboot. There are even jokes that if Microsoft built cars, you would have to pull over, shut down, walk around the car and continue your trip. Potentially a funny story as long as it impacts someone else and not you.

 

Driving home from work I hear the national news discussing events at the 2011 Black Hat Conference on August 4, 2011. The presenters take pride in the shock and awe factor as they attack the software giants of the world. Microsoft, Oracle, JD Edwards, IBM, SAP… WHAT? It was not a big deal until they started in my world. When Mariano Nuñez Di Croce started the next Extreme Makeover: Home Edition with a guide to hacking SAP, it rocked my world. I could see that he was either trying to bring down my house, or increase his consulting revenue. What has my SAP software done to deserve the creation of a hacker’s cookbook?

 

The shock and awe factor of hacking into SAP is real. When Howard Stern went out of bounds the FCC attempted to hold him accountable for his actions on the public airwaves. Who is holding the Black Hat Conference accountable? When I was attempting to ensure that my SAP landscapes were protected, I attempted to automate some of this analysis using GRC Access Control. With experience in security controls, business processes and IT audit, I attempted to build rule sets with the proper authorization checks. I even reached out to the SDN community to see if my analysis was complete. Within SDN, participants were quick to point out that this was a public forum and that SAP security risks should not be discussed. Although I was attempting to use the information for good, there were concerns that the lurkers would use it for evil. No one in the SDN community offered any valuable feedback for risks or protection. It seems they either believe that SAP is fully secure, or that the SAP security guide documents all potential risks. I can confirm that the SAP documentation does document some areas of risk, but there is no single documented source of potential SAP risks.

 

After hearing the news report I followed up with my SAP contacts and they were aware of the Black Hat guide to SAP vulnerabilities. I am proud to report that SAP does listen and has a monthly Security Patch Day to address potential security threats. (I have written about this process previously and you can find it here: Security Notes Made Simple Part Deux.) Within days of the conference, SAP had not only released notes 1589525 and 1616058 to address the security risks, but also created a note specific to the 2011 Black Hat Conference. This note includes the two above, along with a consolidated list of related notes that were already available to address similar issues. I would strongly suggest that you review SAP note 1616259, which discusses how to be protected against these published vulnerabilities.

 

Although SAP has provided solutions to these risks, the threat is still real until you apply the notes within your environment. Is your application web enabled? Do your users have unencrypted mobile applications? Are all of your users good stewards of your system and protective of their passwords? I initially thought that this attempt to Bring Down the SAP House was new, but a quick search of the internet will show you similar topics as far back as 2008. The threat is real, but you may be able to stop it with the right protection measures.


6 Comments


  1. Tom Cenens
    Hello Greg

    In my opinion there are just too many security notes released in short amounts of time.

    Reviewing all of them, implementing all of them on all SAP systems (especially when you have very large environments) is very time consuming.

    Do those security threats bring down the house? Not really in my opinion. If you look at those black hat conference “security gaps” a lot of them or almost all of them require administrator access to the backend server.

    The threat is slightly higher for companies who have external facing SAP systems that are accessible through the web. Those customers should follow up and implement the really urgent security notes.

    Even the most highly secure systems and I’m not even talking SAP right now have been hacked in recent history. There is always someone who is better.

    There are many ways information can leak. I think the chances are higher that employees access data they should not access through having too much authorization or abusing authorization compared to your system being hacked from the outside.

    I read you have GRC in place and you take care of user authorization etc which is great but many companies have earlywatch alerts ratings that are either yellow or red on the parts of user authorization. A lot of end-users just have way too many authorization rights.

    When I see them worrying about Black Hat conference security leaks I find that they should first get their basic authorization right instead of worrying about the next level of security.

    Personally, I will not blog about a security leak that I found in SAP which is not known. Instead I create a customer message to give SAP the opportunity to pick up the issue and do something with it.

    On the other hand I will mention known tips and tricks which might bypass certain actions or use the SAP system in ways that were not really foreseen but there is a significant difference there in my opinion.

    Discussing security issues should not be a problem on the forum or in blogs.

    Kind regards

    Tom

    (0) 
    1. Greg Capps Post author
      Tom – I would have to agree with you that there are a lot of security notes.  Security has become more visible and SAP has taken steps to keep you more informed.  As in most companies the biggest risks are usually inside your own firewalls.  However, web enabled applications are under the microscope in many companies.  Each company needs to perform a review or risk analysis to determine if they want to reduce risk.  If you choose to delay, the list only gets longer, but the application of support packs resolves some of these issues.  As a new process SAP has worked hard to identify and classify these notes.  Where I see room for improvement is linking the note to actual transactions or processes that may be impacted.  Most companies are concerned that applying a note to resolve a security risk may also impact their existing processes.  Each company needs to determine their risk tolerance and work to maintain it.  As with any application, there is more than one layer of security and SAP is only one piece of the whole.
      (0) 
  2. Mariano Nunez
    Dear Greg,

    I’m very pleased to meet you, at least virtually for the time being.
    I was referred by a colleague to your post and found it very interesting.

    Of course, the first thing that caught my attention was to see my name followed by “he was either trying to bring down my house, or increase his
    consulting revenue”, which of course I regard as something very far from reality.

    So I guess I was “responsible” for throwing the first stone, having done the first presentation on cyber-threats to SAP systems back in 2007 at the
    BlackHat Europe conference. So if I wasn’t trying to bring down your house or earn more money, why have I done so? Let me try to elaborate on that.

    I started to work in the infosec industry professionally when I was barely 18, mainly performing network Penetration Tests and doing Vulnerability
    Research. One day, back in 2006, I came across a customer which was running an application on top of an SAP platform. Back then, SAP was a completely
    black box to me, so I first tried to focus on reviewing the application itself. By doing so, I suddenly started finding issues which appeared to be in
    the base platform (which I later learned was called NetWeaver :P), so I reported them to SAP.

    That could have been it, except for one reason. I realized that there were very few reported SAP security vulnerabilities, not to even think of a
    guide on how to properly assess an SAP system from “my” point of view. So could a gigantic software like SAP, with millions of lines of code, have so
    few reported bugs, I wondered? Microsoft and Oracle had already big scores back then. Is it perfect or are we missing something? Software is made by
    humans, and humans make mistakes. Each and every software program has security bugs. So there was only one option.

    And so I realized that there was a *big* problem in our community: a false sense of security, which is one of the most dangerous feelings a person can
    enjoy.
    Companies were investing hundreds or even *millions* of dollars yearly to secure their SAP systems. What did that mean? Basically applying Segregation
    of Duties controls by configuring SAP user roles & profiles. So that was it. People and companies “felt” that they were secure.
    Feeling secure when an attacker can get SAP_ALL in your SAP system remotely, without needing to provide a user and password, was a status quo which
    didn’t seem very reasonable to me.

    I strongly believe that SoD controls are a fundamental part of the security of an SAP system. The only problem is that they are not enough per se,
    they are just one of the layers that need to be protected.
    If you see my presentations, most of the things I have shown are issues or threats that can be mitigated if customers followed industry’s and SAP’s
    security best-practices. Few of them actually show “SAP bugs”, but mostly things that customers must properly implement to avoid being exposed.

    In the end, it’s all about risk management. I’m far from being an infosec fundamentalist that is going to argue with managers, telling them that they
    have to fix every security bug detailed in a report. I understand companies exist (mainly) to make money, not to apply security fixes. Therefore, all
    my presentations and engagements have the goal of showing which *are* the actual risks that the platform is facing, which is their probability and the
    possible impact for the business.

    How can a manager do proper risk management if he is not aware of the threats he is facing? With proper knowledge, if he decides that it makes sense
    for the business to accept these risks, I’m perfectly fine with it. But ignorance definitely helps the bad guys. I’m (very) far from being a genius,
    so you can definitely tell that if I was able to think of these attack vectors, I was probably not the only one.

    Of course, the next big discussion is how you handle this information. And that, I think, is a key point of your argument.
    I have been reporting security vulnerabilities to SAP since 2006, and held more than 30 presentations on SAP security in different conferences. In no
    single case, I have disclosed a vulnerability for which there was no fix or countermeasure available. Furthermore, in all my presentations, I have
    always detailed how to protect against the threats being presented.

    My goal is then not to bring anyone’s house down, to earn more money or to be an infosec rockstar. I’m sure I won’t be helping anyone (even less my
    customers) by throwing zero-days at a security conference or mailing list. Of course, I only speak for myself and my company, Onapsis.

    I am more than happy to see the direction that SAP’s security is taking and I am personally proud of having, at least in a very small proportion,
    contributed to that. I totally agree that the new initiatives, like the SAP Security Recommendations guidelines, the Security Patch Day and the
    increased openness into discussing SAP security topics were the right decisions from The House. Of course, every change has some shake in the
    beginning, but I humbly believe that this is the right road.

    (0) 
    1. Greg Capps Post author
      Thanks Mariano for your reply.  I would have to agree that many people do not realize what risks they have.  They also believe that both internally and externally that their application will only be used as they designed it.  Many companies never apply security notes except during the application of support packs.  Sometimes it takes a presentation such as yours to raise awareness and to make people think about how this new information applies to them.  I wrote this blog to make people aware of the risks you mentioned, but also to promote an ongoing review of risk analysis and not just a review when a highly visible issue is made public.  It takes a village to identify application risks and as long as we all provide feedback to SAP the blissful existence of our environment can continue.  I am pleased that SAP is addressing risks timely but your environment cannot be protected if you do not have a process to apply security notes in a timely manner.
      (0) 
      1. Julius von dem Bussche
        Completely agree with you Greg.

        SAP has however improved the default installation values and improved security checks on coding before the source leaves the factory.

        I still have problems however with some Z-code delivered by SAP and critical security features delivered as BADIs or optional exits even.

        This means that you first need to find (or experience…) the problem before you can fix it.

        This type of approach is not scalable and does not work IMO.

        Good comment.

        Cheers,
        Julius

        (0) 
  3. Julius von dem Bussche
    Hi Greg,

    Can you please post a link as reference to the SDN content you are referring to as not providing any information?

    I can remember providing several pieces of information to you which went unnoticed, but some community members complained about a thread in which you were expecting them to do your work for you. If you are referring to that then your comments here are slightly distorted.

    Cheers,
    Julius

    (0) 
