Invest in security to secure investments

13 Real ways to destroy business by breaking company’s SAP Applications and a guide to avoid them

Alexander Polyakov
CTO ERPScan, President EAS-SEC
  
About ERPScan

•  The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
•  Leader by the number of acknowledgements from SAP (150+)
•  60+ presentations at key security conferences worldwide
•  25 Awards and nominations
•  Research team - 20 experts with experience in different areas of security
•  Headquarters in Palo Alto (US) and Amsterdam (EU)

2
  
SAP

•  Most of my work has focused on SAP Security
•  Things that will be discussed can be applied to every system
•  Since I enjoy a closer familiarity with SAP, most examples will be SAP relevant.
•  Then again, all ideas, attacks and risks can be applied to every system
•  This talk is not really a fault-finding exercise with SAP, as can be easily misperceived.
•  This talk is about the ‘need to know’ things, ones you can’t afford to ignore after implementation of any business application processing critical data
•  So, let’s go!

3
  
Big companies

•  Oil and Gas
•  Manufacturing
•  Logistics
•  Finance
•  Nuclear Power
•  Retail
•  Telecommunication
•  etc.

4
  
Business Applications

•  Business applications can make your life easier
•  The need to harness them to optimize business processes
•  Scope for enormous reductions in resource overheads and other direct monetary benefits.
•  Potential problems that one can’t disregard
•  The need to consider security: can it be overstated!
•  Why is it a REAL and existent risk?

5
  
What can happen

•  Espionage
   –  Theft of financial information
   –  Corporate secret and information theft
   –  Supplier and customer list theft
   –  HR data theft
•  Sabotage
   –  Denial of service
   –  Tampering with financial records
   –  Access to technology network (SCADA) by trust relations
•  Fraud
   –  False transactions
   –  Modification of master data

6
  
Risk 1: Stealing credit card data

•  Risk: credit card data theft
•  Affects: Companies storing and processing PCI data: Banks, Processing, Merchants, Payment Gateways, Retail.
•  Type: Espionage
•  Module: SD (Sales and Distribution) – part of ERP
•  Attacker can get access to tables that store credit card data. There are multiple tables in SAP where this data is stored: tables such as VCKUN, VCNUM, CCARDEC and also about 50 other tables. Credit card data theft is a direct monetary and reputation loss.

7
  
Risk 1: Stealing credit card data

•  There are multiple ways an attacker can access the CC data
•  Even if it’s encrypted you can:
   –  use an FM to decrypt it - CCARD_DENVELOPE
   –  use a report to get it decrypted
   –  or use another report to find some info - RV20A003
•  DEMO
•  Solution: Configuration checks, Patch Management, Access Control, Code scanning
•  Defense
   –  Decryption of credit card data in SD - note 766703
   –  Decryption of credit card data for the whole ERP - note 1032588
   –  Credit card data in report RV20A003 - note 836079

8
  
Risk 1: Stealing credit card data

9
  
Risk 2: Competitive intelligence

•  Risk: Compromising competitor’s bidding information
•  Affects: Companies using SRM for bidding
•  Type: Espionage
•  Module: SRM
•  Competitor intelligence (Espionage)
•  Access to the SAP SRM systems is available through the Internet and could give unfair competitors an opportunity to access privileged pricing information and allow them to propose competitive pricing, thus helping in winning a tender by unfair means.

10
  
Risk 2: Competitive intelligence

•  SAP cFolders application for document exchange is a part of SRM and has some vulnerabilities and insecure configuration problems, which could help in gaining access to official pricing information.
•  This means that the competitor’s documents could be completely removed from the systems, or the information might be manipulated to win a tender.
•  This attack was successfully simulated during penetration tests.
•  Some program vulnerabilities allow an attacker to do that:
   –  http://erpscan.com/advisories/dsecrg-09-014-sap-cfolders-multiple-stored-xss-vulnerabilies/
   –  http://erpscan.com/advisories/dsecrg-09-021-sap-cfolders-multiple-linked-xss-vulnerabilities/
•  Defense: SAP Notes 1284360, 1292875

11
  
Risk 3: Creating defects in products intentionally

•  Risk: Creating defects in products intentionally (Sabotage)
•  Affects: Manufacturing sector such as Aviation, Aerospace, Automotive, Transportation, Consumer Products, Electronics, Semiconductor, Industrial Machinery and Equipment
•  Type: Sabotage
•  Module: SAP PLM
•  Access to SAP PLM systems could cause unauthorized changes in product creation schematics, because usually SAP PLM is integrated with CAD. This means that only one small change could result in production of a defective batch of products, causing serious financial and reputational losses and sometimes even casualties.

12
  	
  
Risk 3: Creating defects in products intentionally

•  FDA recalled the whole production batch of 1200 tracheostomy devices because of three deaths which were caused by technical problems
•  IKEA had to recall the entire batch of 10000 beds with steel rods, claiming it to be a designer’s mistake [8], that had caused physical trauma to kids.
•  Toyota was obligated to recall 3 large batches of passenger cars totaling up to 500000 each time because of wide-ranging construction problems, with airbags, throttle and other parts of the car not working properly. [9]
•  USA statistics from the FDA [10] tell us about such recalls occurring frequently. The same situation can also be observed with consumer products.

The financial losses caused by different traumas are about one trillion dollars per year.

* Those examples are not caused by misusing SAP!

13
  	
  
Risk 4: Salary data unauthorized modifications

•  Risk: Salary data: unauthorized modifications
•  Affects: Every company
•  Type: Fraud
•  Module: HCM
•  Access to the SAP HR system also allows insiders to manipulate the wage amounts. Since a direct change can be easily detected, the risk lies in the potential for manipulating the number of additional working hours to be processed, which affects the amount payable as wages. In such a case, the fraud is extremely difficult to detect.

14
  	
  
Risk 4: Salary data unauthorized modifications

•  User can find out a colleague’s salary details (PA30 transaction) -> Demotivation
•  Also, an attacker may do this by direct access to tables PA0008, PA0014, PA0015
•  DEMO (PA30)

15
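Watching who touches the objects named on the credit card slides (tables VCKUN, VCNUM, CCARDEC, function module CCARD_DENVELOPE, report RV20A003) and on this slide (PA30 and direct access to PA0008, PA0014, PA0015) is one concrete form of the "Access Control" and "Monitoring of security events" controls the deck calls for. The following is an added example, not code from the presentation or from ERPScan; the event layout is a constructed, simplified one rather than the real SAP Security Audit Log format, and the sample events and user names are made up.

```python
from dataclasses import dataclass

# Sensitive objects named in the slides, grouped by event kind and mapped to
# the risk they belong to (R1 = credit card data, R4 = salary data).
WATCHLIST = {
    "table": {
        "VCKUN": "R1: credit card table",
        "VCNUM": "R1: credit card table",
        "CCARDEC": "R1: credit card table",
        "PA0008": "R4: basic pay infotype table",
        "PA0014": "R4: recurring payments infotype table",
        "PA0015": "R4: additional payments infotype table",
    },
    "fm": {"CCARD_DENVELOPE": "R1: credit card decryption function module"},
    "report": {"RV20A003": "R1: report exposing credit card data"},
    "transaction": {"PA30": "R4: HR master data maintenance"},
}

# Activities that change data or unwrap secrets rank higher than plain reads.
HIGH_ACTIVITIES = {"change", "call", "execute"}

# Constructed sample events in a simplified "timestamp|user|kind|object|activity"
# layout (assumption: NOT the real SAP Security Audit Log format).
SAMPLE_EVENTS = """\
2014-05-12T09:01:10|JSMITH|transaction|VA01|execute
2014-05-12T09:03:44|JSMITH|table|VCNUM|read
2014-05-12T09:03:59|JSMITH|fm|CCARD_DENVELOPE|call
2014-05-12T09:10:02|HRADMIN|transaction|PA30|execute
2014-05-12T09:12:30|BASIS01|table|PA0008|change
2014-05-12T09:12:31|BASIS01|table|PA0014|change
2014-05-12T09:15:00|JSMITH|report|RV20A003|execute
2014-05-12T10:00:00|AUDITOR|table|T000|read
"""


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    kind: str
    obj: str
    activity: str


@dataclass(frozen=True)
class Hit:
    event: Event
    reason: str
    severity: str


def parse_events(text):
    """Parse the constructed pipe-separated event layout into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 5:
            raise ValueError(f"malformed event: {line!r}")
        events.append(Event(*parts))
    return events


def find_hits(events, watchlist=WATCHLIST):
    """Return every event that touches a watched object, with a severity."""
    hits = []
    for ev in events:
        reason = watchlist.get(ev.kind, {}).get(ev.obj)
        if reason is None:
            continue
        severity = "high" if ev.activity in HIGH_ACTIVITIES else "medium"
        hits.append(Hit(ev, reason, severity))
    return hits


def hits_by_user(hits):
    """Group flagged objects per user so a reviewer sees who touched what."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h.event.user, []).append(h.event.obj)
    return grouped


def direct_table_changes(hits):
    """Users who changed a watched table directly, bypassing the application
    transaction; this is the "direct table access" path the slides describe."""
    return sorted({h.event.user for h in hits
                   if h.event.kind == "table" and h.event.activity == "change"})


if __name__ == "__main__":
    for h in find_hits(parse_events(SAMPLE_EVENTS)):
        print(f"{h.severity:6} {h.event.ts} {h.event.user:8} "
              f"{h.event.kind}:{h.event.obj} -> {h.reason}")
```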
  	
  
Risk 4: Salary data unauthorized modifications

•  User can modify own salary
   –  Transaction PA30 is responsible for salary access
   –  Attacker can change the number of hours by using this transaction

•  DEMO

16
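The Risk 4 slides above note that small manipulations of additional working hours are hard to spot by looking at the pay amount alone. As an added example (not from the presentation), the script below compares each employee's latest additional-hours entry against that employee's own history using a MAD-based robust z-score, with a scale floor so that a flat history (MAD of zero) still yields a usable score, and also checks a hard policy cap; the employee ids, hours and cap are constructed values.

```python
from statistics import median

# Flag when the latest period deviates from the employee's own history by more
# than this many robust standard deviations (MAD-based z-score).
Z_THRESHOLD = 3.5
# Floor for the scale so that a flat history (MAD = 0) still yields a score.
MIN_SCALE_HOURS = 1.0
# Hard policy cap on additional hours per pay period (constructed value).
POLICY_CAP_HOURS = 30

# Constructed sample: employee id -> additional hours per pay period, oldest first.
SAMPLE_HOURS = {
    "E1001": [4, 6, 5, 4, 7, 5, 6, 5, 38],          # sudden jump in latest period
    "E1002": [0, 0, 2, 0, 1, 0, 0, 0, 1],           # occasional small overtime
    "E1003": [12, 10, 11, 13, 12, 11, 10, 12, 13],  # consistently high, stable
    "E1004": [0, 0, 0, 0, 0, 0, 0, 0, 0, 9],        # never had overtime before
}


def robust_z(history, value):
    """Distance of value from the median of history, in MAD units.

    The factor 1.4826 rescales the median absolute deviation so it is
    comparable to a standard deviation for normally distributed data.
    """
    if len(history) < 3:
        raise ValueError("need at least three historical periods")
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = max(1.4826 * mad, MIN_SCALE_HOURS)
    return (value - med) / scale


def evaluate(employee_hours, z_threshold=Z_THRESHOLD, cap=POLICY_CAP_HOURS):
    """Return {employee: {"z", "latest", "reasons"}} for every flagged employee."""
    flagged = {}
    for emp, series in employee_hours.items():
        history, latest = series[:-1], series[-1]
        z = robust_z(history, latest)
        reasons = []
        if z > z_threshold:
            reasons.append("jump vs own history")
        if latest > cap:
            reasons.append("exceeds policy cap")
        if reasons:
            flagged[emp] = {"z": round(z, 2), "latest": latest, "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for emp, info in evaluate(SAMPLE_HOURS).items():
        print(f"{emp}: {info['latest']} h (z={info['z']}) -> {', '.join(info['reasons'])}")
```

Flagged entries are leads for a payroll reviewer, not proof of fraud; the value of the check is that it works per employee, so a consistently high but legitimate overtime pattern such as E1003 is not flagged.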
  	
  
Risk 5: Delayed Salary payout (Sabotage)

•  Risk: Delayed Salary payout (Sabotage)
•  Affects: Every company
•  Type: Sabotage
•  Module: HCM
•  Denial of service on the HR system, e.g. on a payday, could lead to holding up salary payouts, resulting in employee disgruntlement and thereby negatively impacting productivity. Carrying out this attack with a certain periodicity, in case of a difficult economic situation for the company or a difficult geopolitical situation, could even potentially lead to work strikes.

17
  
Risk 5: Delayed Salary payout (Sabotage)

•  2% (~60) of vulnerabilities in SAP can be exploited for DoS attacks
   –  Most of the services are vulnerable:
      •  SAP Gateway
      •  SAP Message Server
      •  SAP Router
      •  SAP Dispatcher
      •  SAP MMC
      •  SAP Portal
•  Sometimes you do not need a vulnerability
•  You can execute some heavy functionality

18
  
Risk 6: Falsification of business-critical data

•  Risk: Falsification of business-critical data to allocate more than needed or simply unneeded expenditure.
•  Affects: Every company with asset management
•  Type: Sabotage/Fraud
•  Module: EAS
•  If an attacker can get access to these systems he can modify data about some equipment conditions in different ways. For example, he may change data passing from CBM (Condition Based Maintenance) in such a way that there is a need to replace different elements of facilities. Such an act will thus force the company to spend money and time on new equipment when it is not needed.

19
Risk 6: Falsification of business-critical data

•  For better optimization of business processes, EAM systems are sometimes integrated with CBM, where the state of the equipment is observed and monitored continually on a real-time basis.
•  Deviations from a standard range or tolerance will cause some form of alarm and identification of the need for a maintenance intervention.
•  So, if an attacker can get access to those systems he can modify data about some equipment health in different ways.
•  Attack on EAM, attack on CBM, attack between systems.

20
  
Risk 7: Industrial Sabotage

•  Risk: Industrial sabotage and disaster
•  Affects: Every company with an ICS/technology network: Oil and Gas, Utilities, Manufacturing
•  Type: Sabotage/Fraud
•  Module: SAP EAM / SAP xMII
•  SAP EAM system can have technical connections to facility management systems; thus, by breaking into the EAM system it may be possible to hack facility management/SCADA/Smart Home/Smart Grid systems as well. So, if a hacker can get access to SAP EAM he can more easily get access to facility management and industrial systems, and he can actually change some critical parameters like heat or pressure, which can lead to disaster and potential loss of life.

21
  
Risk 7: Industrial Sabotage

•  Usually technology systems are not secure and are based on obsolete operating systems, and the only security for them is a firewall, which totally isolates them from the corporate network
•  except for those systems with which there should be a connection for data transfer, such as SAP EAM.
•  How they attack:
   –  RFC connections
   –  Shared database or other resource
   –  Same passwords for OS/DB/Application
   –  Same domain
   –  Simply exploit ICS vulnerabilities

22
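The trust mechanisms listed above (RFC destinations with stored credentials, a shared database, the same domain or passwords) are what chain an Internet-facing portal to the technology network. This added example (not from the presentation) walks a constructed trust inventory with a breadth-first search to show which systems a compromised entry point reaches, where the path crosses a network zone boundary, and which single links would break the path if hardened; the system names, zones and links are made-up assumptions, not a real landscape.

```python
from collections import deque

# Constructed inventory: system -> network zone (assumption, not a real landscape).
ZONES = {
    "PORTAL": "dmz",                       # Internet-facing SAP Enterprise Portal
    "ERP": "corp", "HCM": "corp", "SOLMAN": "corp",
    "EAM": "corp", "XMII": "corp",
    "SCADA": "ics",                        # technology network behind the firewall
}

# Constructed trust links (source, target, mechanism). Only mechanisms that let a
# compromised source reach the target without further credentials are traversable.
LINKS = [
    ("PORTAL", "ERP", "sso"),
    ("PORTAL", "HCM", "sso"),
    ("HCM", "EAM", "same-domain"),
    ("ERP", "EAM", "rfc-stored-credentials"),
    ("ERP", "SOLMAN", "rfc-logon-screen"),   # credentials prompted, not stored
    ("SOLMAN", "ERP", "rfc-stored-credentials"),
    ("EAM", "XMII", "rfc-stored-credentials"),
    ("XMII", "SCADA", "shared-database"),
]
TRAVERSABLE = {"sso", "same-domain", "same-password",
               "rfc-stored-credentials", "shared-database"}


def build_graph(links, excluded=()):
    """Adjacency list of traversable links, optionally skipping some (src, dst) pairs."""
    graph = {}
    for src, dst, mech in links:
        if mech in TRAVERSABLE and (src, dst) not in excluded:
            graph.setdefault(src, []).append(dst)
    return graph


def paths_from(entry, links, excluded=()):
    """BFS from entry: shortest trust path to every system reachable through trust."""
    graph = build_graph(links, excluded)
    paths = {entry: [entry]}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def zone_crossings(path, zones=ZONES):
    """Hops on the path that leave one zone for another, i.e. where a
    firewall is supposed to separate the networks."""
    return [(a, b) for a, b in zip(path, path[1:]) if zones[a] != zones[b]]


def cut_candidates(entry, target, links):
    """Traversable links whose removal alone cuts target off from entry.
    These are the links to harden first (e.g. remove stored credentials)."""
    cuts = []
    for src, dst, mech in links:
        if mech not in TRAVERSABLE:
            continue
        if target not in paths_from(entry, links, excluded={(src, dst)}):
            cuts.append((src, dst, mech))
    return cuts


if __name__ == "__main__":
    reach = paths_from("PORTAL", LINKS)
    for system, path in reach.items():
        print(f"{system:7} via {' -> '.join(path)}  crossings={zone_crossings(path)}")
    print("single links that would cut PORTAL off from SCADA:",
          cut_candidates("PORTAL", "SCADA", LINKS))
```

Run against a real RFC destination and connection inventory, the cut list is the shortest route to closing the Portal-to-SCADA path, and the zone-crossing hops are where the "firewall isolates them" assumption should be verified.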
  
Risk 8: Modification of reports

•  Risk: Unauthorized tampering with financial reports
•  Affects: Every company with Business Objects BI
•  Type: Sabotage
•  Module: SAP BI
   –  Financial reports: unauthorized data modification - diverts the attention of management, causing problems with the auditors and leading to drying up of investment return on projects.
   –  Tangible and intangible resources: unauthorized data modification - improper estimates from the incorrect data on the spending of resources and workload of employees. This could lead to the misuse of funds and cause direct and indirect losses.
   –  Sales reports: unauthorized data modification - wrong conclusions about pricing strategy and policies

23
  
Risk 8: Modification of reports

•  SAP BI system is based on the SAP Business Objects platform
•  Around 80 vulnerabilities were found in this platform
•  The number of vulnerabilities is growing

24
  
Risk 9: Remote Illegal updates upload

•  Risk: Illegal update upload
•  Affects: Every company
•  Type: Sabotage/Fraud
•  Module: Solution Manager
•  SAP Solution Manager is a platform which allows the SAP Basis team to remotely control, monitor, and update other SAP solutions. Thus, by obtaining access to Solution Manager it is possible to upload any backdoor code onto each SAP system, disguised as a legal update.

25
  
Risk 9: Remote Illegal updates upload

•  What’s more dangerous is that the attack can be exploited
   –  Remotely (via SAP Router)
   –  Almost without any trace
•  SAP Router is used to obtain updates from SAP before sending them to SAP Solution Manager
•  Attacker can exploit SAP Router’s heap overflow issue
   –  http://erpscan.com/advisories/dsecrg-13-013-saprouter-heap-overflow/
•  After that, he can change updates on the fly
•  There is no way to identify this attack
•  Defense: SAP Security note 1820666

26
  
Risk 10: Portal Denial of service

•  Risk: Customer Portal denial of service
•  Affects: Every company with a public portal on SAP
•  Type: Sabotage
•  Module: SAP Enterprise Portal
•  Denial of service vulnerabilities in SAP EP, which can be exposed to the Internet, can lead to downtime of portal operations. If it is a customer portal, the company may have huge monetary and reputation losses. Such an attack was performed against the Nvidia company.

27
  	
  
Risk 10: Portal Denial of service

•  SAP Portal has about 600 vulnerabilities (in platform and applications)
•  Some of them can be exploited without any authentication
•  Most critical issues such as Verb Tampering can also be used to obtain full control over a system
   –  Create users
   –  Assign roles
   –  Execute OS commands

28
  	
  
Risk 11: Attack from Internet

•  Risk: Access to company’s internal resources
•  Affects: Every company with a public portal on SAP
•  Type: Espionage
•  Module: SAP Enterprise Portal
•  Different vulnerabilities in SAP EP, which can be exposed to the Internet, can lead to unauthorized access not only to the SAP Portal itself but also to internal resources of the company.

29
  
 
Risk 11: Attack from Internet

•  SAP Portal usually can be accessed via the Internet
•  More than 1000 SAP Portals exist on the Internet
•  Using vulnerabilities in the portal, an attacker can
   –  Use Single Sign-On and log in to any internal system
   –  Attack internal systems using an SSRF vulnerability
   –  Search for passwords stored in Portal KM

30
  
Risk 12: Misappropriation of material resources

•  Risk: Misappropriation of material resources
•  Affects: Every company with a warehouse or natural resources mining
•  Type: Insider Fraud
•  Module: MM (Materials Management) – part of ECC
•  Attacker can manipulate data about the quantity of material resources in stock or delivery, and pilfer from warehouses, at times in collusion with the very employees entrusted with stock-taking responsibilities.

31
  
Risk 12: Misappropriation of material resources

•  Exploit by direct table access
•  Not so hard if you can google for it

32
  
Risk 13: Changing bank account data

•  Risk: Changing bank account data
•  Affects: Every company
•  Type: Insider Fraud
•  Module: ERP
•  Attacker can manipulate data about the bank account number of any company in the database and transfer money to a chosen account number.

33
  	
  
•  3000+ vulnerabilities in all SAP products
•  2368 vulnerabilities were found in SAP NetWeaver ABAP based systems
•  1050 vulnerabilities were found in basic components which are the same for every system
•  About 350 vulnerabilities were found in ECC modules.

34
  
SAP Vulnerabilities

[Chart: SAP vulnerabilities per year, 2001 to 2014]

35

Public examples

36
  
SAP Attacks

•  Price of vulnerability is low
•  Patching is a nightmare
•  Creation of exploit is easy
•  Interconnection is high
•  Availability via internet

37
  
[Chart: NetWeaver ABAP versions by popularity - 7.0 EHP 0 (Nov 2005), 7.0 EHP 2 (Apr 2010), 7.0 EHP 1 (Oct 2008), 7.3 (Jun 2011), 6.2 (Dec 2003), 6.4 (Mar 2004)]

[Chart: Exposed services 2011 vs 2013 - SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server, SAP Router]

Ease of development
  
Defense

•  EAS-SEC: Resource which combines
   –  Guidelines for assessing enterprise application security
   –  Guidelines for assessing custom code
   –  Surveys about enterprise application security

38
  
EAS-SEC Guidelines

1.  Lack of patch management
2.  Default passwords
3.  Unnecessary enabled functionality
4.  Remotely enabled administrative services
5.  Insecure configuration
6.  Unencrypted communications
7.  Internal access control and SoD
8.  Insecure trust relations
9.  Monitoring of security events

http://erpscan.com/publications/the-sap-netweaver-abap-platform-vulnerability-assessment-guide/

39
  
Conclusion

•  Critical networks are complex
•  System is as secure as its most insecure component
•  Holistic approach
•  Check eas-sec.org

40
  

Santiago Couret Ref Bv 123Santiago Couret Ref Bv 123
Santiago Couret Ref Bv 123guest18f280
 
Trabajo angulos.angulo de luz.congelacion, barrido y zooming. veronica sanche...
Trabajo angulos.angulo de luz.congelacion, barrido y zooming. veronica sanche...Trabajo angulos.angulo de luz.congelacion, barrido y zooming. veronica sanche...
Trabajo angulos.angulo de luz.congelacion, barrido y zooming. veronica sanche...Onempresas
 
Cristina Duran Gallardo
Cristina Duran GallardoCristina Duran Gallardo
Cristina Duran Gallardorosaycris
 
AGENDA OCTUBRE CENTRO DE DESARROLLO CULTURAL DE MORAVIA
AGENDA OCTUBRE CENTRO DE DESARROLLO CULTURAL DE MORAVIAAGENDA OCTUBRE CENTRO DE DESARROLLO CULTURAL DE MORAVIA
AGENDA OCTUBRE CENTRO DE DESARROLLO CULTURAL DE MORAVIACentro De Moravia
 
Erfolg Ausgabe 07/08 2009 vom 5.9.2009
Erfolg Ausgabe 07/08 2009 vom 5.9.2009 Erfolg Ausgabe 07/08 2009 vom 5.9.2009
Erfolg Ausgabe 07/08 2009 vom 5.9.2009 Netzwerk-Verlag
 
Corpora in cognitive linguistics
Corpora in cognitive linguisticsCorpora in cognitive linguistics
Corpora in cognitive linguistics白兰 钦
 
Facebook 3rd Party Api
Facebook 3rd Party ApiFacebook 3rd Party Api
Facebook 3rd Party ApiYoss Cohen
 
A standards driven workflow for Sitecore localization
A standards driven workflow for Sitecore localizationA standards driven workflow for Sitecore localization
A standards driven workflow for Sitecore localizationYamagata Europe
 
Material Design. La humanización del diseño de interacción.
Material Design. La humanización del diseño de interacción.Material Design. La humanización del diseño de interacción.
Material Design. La humanización del diseño de interacción.Worköholics
 
Sorento Trust camino al lujo
Sorento Trust camino al lujoSorento Trust camino al lujo
Sorento Trust camino al lujoKIA ARMOTOR S.A
 

En vedette (20)

Yadis Hotels Press
Yadis Hotels Press Yadis Hotels Press
Yadis Hotels Press
 
Merchandising for Channel Sales
Merchandising for Channel Sales Merchandising for Channel Sales
Merchandising for Channel Sales
 
Reputacia 2012
Reputacia 2012Reputacia 2012
Reputacia 2012
 
¿Qué es Internet y como transporta los datos?
¿Qué es Internet y como transporta los datos?¿Qué es Internet y como transporta los datos?
¿Qué es Internet y como transporta los datos?
 
Archivo 3 redes_inalambricas_en_peru
Archivo 3 redes_inalambricas_en_peruArchivo 3 redes_inalambricas_en_peru
Archivo 3 redes_inalambricas_en_peru
 
Articulo 1
Articulo 1Articulo 1
Articulo 1
 
Paso 8 Evaluación y requisitos para obtención http://b2pymes.blogspot.com/
Paso 8   Evaluación y requisitos para obtención http://b2pymes.blogspot.com/Paso 8   Evaluación y requisitos para obtención http://b2pymes.blogspot.com/
Paso 8 Evaluación y requisitos para obtención http://b2pymes.blogspot.com/
 
Santiago Couret Ref Bv 123
Santiago Couret Ref Bv 123Santiago Couret Ref Bv 123
Santiago Couret Ref Bv 123
 
Trabajo angulos.angulo de luz.congelacion, barrido y zooming. veronica sanche...
Trabajo angulos.angulo de luz.congelacion, barrido y zooming. veronica sanche...Trabajo angulos.angulo de luz.congelacion, barrido y zooming. veronica sanche...
Trabajo angulos.angulo de luz.congelacion, barrido y zooming. veronica sanche...
 
Presentacion Xgames
Presentacion XgamesPresentacion Xgames
Presentacion Xgames
 
Cristina Duran Gallardo
Cristina Duran GallardoCristina Duran Gallardo
Cristina Duran Gallardo
 
AGENDA OCTUBRE CENTRO DE DESARROLLO CULTURAL DE MORAVIA
AGENDA OCTUBRE CENTRO DE DESARROLLO CULTURAL DE MORAVIAAGENDA OCTUBRE CENTRO DE DESARROLLO CULTURAL DE MORAVIA
AGENDA OCTUBRE CENTRO DE DESARROLLO CULTURAL DE MORAVIA
 
Erfolg Ausgabe 07/08 2009 vom 5.9.2009
Erfolg Ausgabe 07/08 2009 vom 5.9.2009 Erfolg Ausgabe 07/08 2009 vom 5.9.2009
Erfolg Ausgabe 07/08 2009 vom 5.9.2009
 
Corpora in cognitive linguistics
Corpora in cognitive linguisticsCorpora in cognitive linguistics
Corpora in cognitive linguistics
 
Orientación laboral
Orientación laboralOrientación laboral
Orientación laboral
 
Facebook 3rd Party Api
Facebook 3rd Party ApiFacebook 3rd Party Api
Facebook 3rd Party Api
 
Presentacion Corporama Spain
Presentacion Corporama SpainPresentacion Corporama Spain
Presentacion Corporama Spain
 
A standards driven workflow for Sitecore localization
A standards driven workflow for Sitecore localizationA standards driven workflow for Sitecore localization
A standards driven workflow for Sitecore localization
 
Material Design. La humanización del diseño de interacción.
Material Design. La humanización del diseño de interacción.Material Design. La humanización del diseño de interacción.
Material Design. La humanización del diseño de interacción.
 
Sorento Trust camino al lujo
Sorento Trust camino al lujoSorento Trust camino al lujo
Sorento Trust camino al lujo
 

Similaire à Secure Investments by Avoiding SAP Application Attacks

If I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionIf I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionERPScan
 
If I want a perfect cyberweapon, I'll target ERP
If I want a perfect cyberweapon, I'll target ERPIf I want a perfect cyberweapon, I'll target ERP
If I want a perfect cyberweapon, I'll target ERPERPScan
 
EAS-SEC Project
EAS-SEC ProjectEAS-SEC Project
EAS-SEC ProjectERPScan
 
Skylads - Big Data for Telcos
Skylads - Big Data for TelcosSkylads - Big Data for Telcos
Skylads - Big Data for TelcosXavier Litt
 
INFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics securityINFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics securityJoel Cardella
 
Corona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat ManagementCorona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat ManagementRedZone Technologies
 
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceCybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceEnergySec
 
Pixels.camp - Machine Learning: Building Successful Products at Scale
Pixels.camp - Machine Learning: Building Successful Products at ScalePixels.camp - Machine Learning: Building Successful Products at Scale
Pixels.camp - Machine Learning: Building Successful Products at ScaleAntónio Alegria
 
Assess and monitor SAP security
Assess and monitor SAP securityAssess and monitor SAP security
Assess and monitor SAP securityERPScan
 
Fraud Management Industry Update Webinar
Fraud Management Industry Update WebinarFraud Management Industry Update Webinar
Fraud Management Industry Update WebinarcVidya Networks
 
Ecommerce(2)
Ecommerce(2)Ecommerce(2)
Ecommerce(2)ecommerce
 
Security what it means to your business - circa 1999
Security   what it means to your business - circa 1999Security   what it means to your business - circa 1999
Security what it means to your business - circa 1999Chaim Yudkowsky
 
ITAM Tools Day, November 2015 - Concorde
ITAM Tools Day, November 2015 - ConcordeITAM Tools Day, November 2015 - Concorde
ITAM Tools Day, November 2015 - ConcordeMartin Thompson
 
Cybersecurity in Oil Gas Industry
Cybersecurity in Oil Gas IndustryCybersecurity in Oil Gas Industry
Cybersecurity in Oil Gas IndustryTunde Ogunkoya
 
Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)ERPScan
 
Practical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsPractical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsERPScan
 

Similaire à Secure Investments by Avoiding SAP Application Attacks (20)

If I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionIf I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second edition
 
If I want a perfect cyberweapon, I'll target ERP
If I want a perfect cyberweapon, I'll target ERPIf I want a perfect cyberweapon, I'll target ERP
If I want a perfect cyberweapon, I'll target ERP
 
Secure Iowa Oct 2016
Secure Iowa Oct 2016Secure Iowa Oct 2016
Secure Iowa Oct 2016
 
EAS-SEC Project
EAS-SEC ProjectEAS-SEC Project
EAS-SEC Project
 
Skylads - Big Data for Telcos
Skylads - Big Data for TelcosSkylads - Big Data for Telcos
Skylads - Big Data for Telcos
 
INFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics securityINFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics security
 
Corona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat ManagementCorona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat Management
 
BREACHED: Data Centric Security for SAP
BREACHED: Data Centric Security for SAPBREACHED: Data Centric Security for SAP
BREACHED: Data Centric Security for SAP
 
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceCybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond Compliance
 
Pixels.camp - Machine Learning: Building Successful Products at Scale
Pixels.camp - Machine Learning: Building Successful Products at ScalePixels.camp - Machine Learning: Building Successful Products at Scale
Pixels.camp - Machine Learning: Building Successful Products at Scale
 
Assess and monitor SAP security
Assess and monitor SAP securityAssess and monitor SAP security
Assess and monitor SAP security
 
Fraud Management Industry Update Webinar
Fraud Management Industry Update WebinarFraud Management Industry Update Webinar
Fraud Management Industry Update Webinar
 
Ecommerce(2)
Ecommerce(2)Ecommerce(2)
Ecommerce(2)
 
Security what it means to your business - circa 1999
Security   what it means to your business - circa 1999Security   what it means to your business - circa 1999
Security what it means to your business - circa 1999
 
ITAM Tools Day, November 2015 - Concorde
ITAM Tools Day, November 2015 - ConcordeITAM Tools Day, November 2015 - Concorde
ITAM Tools Day, November 2015 - Concorde
 
Cybersecurity in Oil Gas Industry
Cybersecurity in Oil Gas IndustryCybersecurity in Oil Gas Industry
Cybersecurity in Oil Gas Industry
 
Web Application Security: Beyond PEN Testing
Web Application Security: Beyond PEN TestingWeb Application Security: Beyond PEN Testing
Web Application Security: Beyond PEN Testing
 
Trends in AML Compliance and Technology
Trends in AML Compliance and TechnologyTrends in AML Compliance and Technology
Trends in AML Compliance and Technology
 
Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)
 
Practical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsPractical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applications
 

Plus de ERPScan

Attacking SAP Mobile
Attacking SAP MobileAttacking SAP Mobile
Attacking SAP MobileERPScan
 
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...ERPScan
 
Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)ERPScan
 
Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)ERPScan
 
Business breakdown vulnerabilities in ERP via ICS and ICS via ERP
Business breakdown vulnerabilities in ERP via ICS and ICS via ERPBusiness breakdown vulnerabilities in ERP via ICS and ICS via ERP
Business breakdown vulnerabilities in ERP via ICS and ICS via ERPERPScan
 
All your SAP passwords belong to us
All your SAP passwords belong to usAll your SAP passwords belong to us
All your SAP passwords belong to usERPScan
 
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...ERPScan
 
EAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applicationsEAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applicationsERPScan
 
SAP SDM Hacking
SAP SDM HackingSAP SDM Hacking
SAP SDM HackingERPScan
 
Securing SAP in 5 steps
Securing SAP in 5 stepsSecuring SAP in 5 steps
Securing SAP in 5 stepsERPScan
 
With big data comes big responsibility
With big data comes big responsibilityWith big data comes big responsibility
With big data comes big responsibilityERPScan
 
SAP portal: breaking and forensicating
SAP portal: breaking and forensicating SAP portal: breaking and forensicating
SAP portal: breaking and forensicating ERPScan
 
Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)ERPScan
 
Breaking SAP portal (HashDays)
Breaking SAP portal (HashDays)Breaking SAP portal (HashDays)
Breaking SAP portal (HashDays)ERPScan
 
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
Breaking, forensicating and anti-forensicating SAP Portal and J2EE EngineBreaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
Breaking, forensicating and anti-forensicating SAP Portal and J2EE EngineERPScan
 
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...ERPScan
 

Plus de ERPScan (16)

Attacking SAP Mobile
Attacking SAP MobileAttacking SAP Mobile
Attacking SAP Mobile
 
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
Chinese attack on USIS exploiting SAP vulnerability. Detailed review and comm...
 
Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)
 
Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)
 
Business breakdown vulnerabilities in ERP via ICS and ICS via ERP
Business breakdown vulnerabilities in ERP via ICS and ICS via ERPBusiness breakdown vulnerabilities in ERP via ICS and ICS via ERP
Business breakdown vulnerabilities in ERP via ICS and ICS via ERP
 
All your SAP passwords belong to us
All your SAP passwords belong to usAll your SAP passwords belong to us
All your SAP passwords belong to us
 
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
 
EAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applicationsEAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applications
 
SAP SDM Hacking
SAP SDM HackingSAP SDM Hacking
SAP SDM Hacking
 
Securing SAP in 5 steps
Securing SAP in 5 stepsSecuring SAP in 5 steps
Securing SAP in 5 steps
 
With big data comes big responsibility
With big data comes big responsibilityWith big data comes big responsibility
With big data comes big responsibility
 
SAP portal: breaking and forensicating
SAP portal: breaking and forensicating SAP portal: breaking and forensicating
SAP portal: breaking and forensicating
 
Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)
 
Breaking SAP portal (HashDays)
Breaking SAP portal (HashDays)Breaking SAP portal (HashDays)
Breaking SAP portal (HashDays)
 
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
Breaking, forensicating and anti-forensicating SAP Portal and J2EE EngineBreaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
 
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back...
 

Dernier

SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
Software Coding for software engineering
Software Coding for software engineeringSoftware Coding for software engineering
Software Coding for software engineeringssuserb3a23b
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Developmentvyaparkranti
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 

Dernier (20)

SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
Software Coding for software engineering
Software Coding for software engineeringSoftware Coding for software engineering
Software Coding for software engineering
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Development
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Odoo Development Company in India | Devintelle Consulting Service
Odoo Development Company in India | Devintelle Consulting ServiceOdoo Development Company in India | Devintelle Consulting Service
Odoo Development Company in India | Devintelle Consulting Service
 

Secure Investments by Avoiding SAP Application Attacks

• 1. Invest in security to secure investments
13 Real ways to destroy business by breaking company's SAP Applications and a guide to avoid them
Alexander Polyakov
CTO ERPScan, President EAS-SEC
• 2. About ERPScan
•  The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
•  Leader by the number of acknowledgements from SAP (150+)
•  60+ presentations at key security conferences worldwide
•  25 awards and nominations
•  Research team - 20 experts with experience in different areas of security
•  Headquarters in Palo Alto (US) and Amsterdam (EU)
• 3. SAP
•  Most of my work has focused on SAP Security
•  Things that will be discussed can be applied to every system
•  Since I enjoy a closer familiarity with SAP, most examples will be SAP relevant.
•  Then again all ideas, attacks, risks can be applied to every system
•  This talk is not really a faultfinding exercise with SAP, as can be easily misperceived.
•  This talk is about the 'need to know' things, ones you can't afford to ignore after implementation of any business application processing critical data
•  So, let's go!
• 4. Big companies
•  Oil and Gas
•  Manufacturing
•  Logistics
•  Finance
•  Nuclear Power
•  Retail
•  Telecommunication
•  etc.
• 5. Business Applications
•  Business applications can make your life easier
•  The need to harness them to optimize business processes
•  Scope for enormous reductions in resource overheads and other direct monetary benefits.
•  Potential problems that one can't disregard
•  The need to consider security, can it be overstated!
•  Why is it a REAL and existent risk?
• 6. What can happen
•  Espionage
  –  Theft of financial information
  –  Corporate secret and information theft
  –  Supplier and customer list theft
  –  HR data theft
•  Sabotage
  –  Denial of service
  –  Tampering with financial records
  –  Access to technology network (SCADA) by trust relations
•  Fraud
  –  False transactions
  –  Modification of master data
• 7. Risk 1: Stealing credit card data
•  Risk: credit card data theft
•  Affects: Companies storing and processing PCI data: Banks, Processing, Merchants, Payment Gateways, Retail.
•  Type: Espionage
•  Module: SD (Sales and Distribution) – part of ERP
•  Attacker can get access to tables that store credit card data. There are multiple tables in SAP where this data is stored. Tables such as VCKUN, VCNUM, CCARDEC and also about 50 other tables. Credit card data theft is a direct monetary and reputation loss.
• 8. Risk 1: Stealing credit card data
•  There are multiple ways an attacker can access the CC data
•  Even if it's encrypted you can:
  –  use FM to decrypt it - CCARD_DENVELOPE
  –  use a report to get it decrypted
  –  or use another report to find some info - RV20A003
•  DEMO
•  Solution: Configuration checks, Patch Management, Access Control, Code scanning
•  Defense
  –  Decryption of credit card data in SD - note 766703
  –  Decryption of credit card data for the whole ERP - note 1032588
  –  Credit card data in report RV20A003 - note 836079
• 9. Risk 1: Stealing credit card data
• 10. Risk 2: Competitive intelligence
  • Risk: Compromising a competitor's bidding information
  • Affects: Companies using SRM for bidding
  • Type: Espionage
  • Module: SRM
  • Competitors' intelligence (Espionage)
  • Access to SAP SRM systems is available through the Internet and could give unfair competitors an opportunity to access privileged pricing information and allow them to propose competitive pricing, thus helping in winning a tender by unfair means.
• 11. Risk 2: Competitive intelligence
  • The SAP cFolders application for document exchange is a part of SRM and has some vulnerabilities and insecure configuration problems, which could help in gaining access to official pricing information.
  • This means that the competitor's documents could be completely removed from the systems, or the information might be manipulated to win a tender.
  • This attack was successfully simulated during penetration tests.
  • Some program vulnerabilities allow an attacker to do that:
    – http://erpscan.com/advisories/dsecrg-09-014-sap-cfolders-multiple-stored-xss-vulnerabilies/
    – http://erpscan.com/advisories/dsecrg-09-021-sap-cfolders-multiple-linked-xss-vulnerabilities/
  • Defense: SAP Notes 1284360, 1292875
• 12. Risk 3: Creating defects in products intentionally
  • Risk: Creating defects in products intentionally (Sabotage)
  • Affects: Manufacturing sectors such as Aviation, Aerospace, Automotive, Transportation, Consumer Products, Electronics, Semiconductor, Industrial Machinery and Equipment
  • Type: Sabotage
  • Module: SAP PLM
  • Access to SAP PLM systems could cause unauthorized changes in product creation schematics, because usually SAP PLM is integrated with CAD. This means that only one small change could result in the production of a defective batch of products, causing serious financial and reputational losses and sometimes even casualties.
• 13. Risk 3: Creating defects in products intentionally
  • FDA recalled the whole production batch of 1200 tracheostomy devices because of three deaths which were caused by technical problems
  • IKEA had to recall the entire batch of 10000 beds with steel rods, claiming it to be a designer's mistake [8], that had caused physical trauma to kids.
  • Toyota was obligated to recall 3 large batches of passenger cars totaling up to 500000 each time because of wide-ranging construction problems, with airbags, throttle and other parts of the car not working properly. [9]
  • USA statistics from FDA [10] tell us about such recalls occurring frequently. The same situation can also be observed with consumer products.
  The financial losses caused by different traumas are about one trillion dollars per year.
  * These examples are not caused by misusing SAP!
• 14. Risk 4: Salary data unauthorized modifications
  • Risk: Salary data: unauthorized modifications
  • Affects: Every company
  • Type: Fraud
  • Module: HCM
  • Access to the SAP HR system also allows insiders to manipulate wage amounts. Since a direct change can be easily detected, the risk lies in the potential to manipulate the number of additional working hours to be processed, which affects the amount payable as wages. In such a case, the fraud is extremely difficult to detect.
• 15. Risk 4: Salary data unauthorized modifications
  • A user can find out a colleague's salary details (PA30 transaction) -> Demotivation
  • Also, an attacker may do this by direct access to tables PA0008, PA0014, PA0015
  • DEMO (PA30)
• 16. Risk 4: Salary data unauthorized modifications
  • A user can modify his own salary
    – Transaction PA30 is responsible for salary access
    – An attacker can change the number of hours by using this transaction
  • DEMO
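A detection angle on the two patterns above (a user editing his own pay record through PA30, and additional hours quietly inflated), as an added example that is not part of the deck: a Python rule set run over change records. The record layout, the user-to-personnel-number mapping and the hours history are constructed assumptions for illustration, not SAP's own change-log format.

```python
from dataclasses import dataclass
from statistics import median

# Infotype numbers follow the tables named on the slides (PA0008/PA0014/PA0015).
HOURS_INFOTYPES = ("0014", "0015")   # recurring / additional payments


@dataclass(frozen=True)
class PayChange:
    """One infotype change record (constructed layout, not SAP's own log)."""
    user: str        # SAP user who saved the change, e.g. through PA30
    pernr: str       # personnel number whose record was changed
    infotype: str    # "0008" basic pay, "0014"/"0015" recurring/additional payments
    old_hours: float
    new_hours: float


# Constructed mapping: which personnel number belongs to each SAP user.
USER_PERNR = {"JSMITH": "10001", "MDOE": "10002", "HRADMIN": "90001"}

# Constructed history of hours previously paid per employee (the baseline).
HOURS_HISTORY = {"10001": [8, 10, 9, 12], "10002": [40, 38, 42]}

# Constructed change records for the demo run.
CHANGES = [
    PayChange("HRADMIN", "10001", "0015", 10, 11),   # routine correction
    PayChange("JSMITH", "10001", "0015", 10, 15),    # employee edits own hours
    PayChange("HRADMIN", "10002", "0015", 40, 160),  # 4x the usual hours
    PayChange("HRADMIN", "10002", "0008", 0, 0),     # basic-pay record, not hours
]


def find_suspicious(changes, user_pernr=USER_PERNR, history=HOURS_HISTORY, ratio=2.0):
    """Return (record, reason) pairs for two patterns from the deck:
    self-modification (the changer's own PERNR) and additional hours raised
    above `ratio` times the employee's median historical hours."""
    findings = []
    for c in changes:
        if user_pernr.get(c.user) == c.pernr:
            findings.append((c, "self-modification"))
        if c.infotype in HOURS_INFOTYPES:
            past = history.get(c.pernr, [])
            typical = median(past) if past else None
            if typical and c.new_hours > ratio * typical:
                findings.append((c, f"hours {c.new_hours} > {ratio}x typical {typical}"))
    return findings


if __name__ == "__main__":
    for rec, why in find_suspicious(CHANGES):
        print(f"{rec.user} -> PERNR {rec.pernr} IT{rec.infotype}: {why}")
```

The baseline rule is what catches the "hard to detect" case: the amount per record looks legitimate, only the history shows it is out of line.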
• 17. Risk 5: Delayed salary payout (Sabotage)
  • Risk: Delayed salary payout (Sabotage)
  • Affects: Every company
  • Type: Sabotage
  • Module: HCM
  • Denial of service on the HR system, e.g. on a payday, could lead to holding up salary payouts, resulting in employee disgruntlement and thereby negatively impacting productivity. Repeating this attack with a certain periodicity during a difficult economic situation for the company, or a difficult geopolitical situation, could even potentially lead to work strikes.
• 18. Risk 5: Delayed salary payout (Sabotage)
  • 2% (~60) of vulnerabilities in SAP can be exploited for DoS attacks
    – Most services are vulnerable:
      • SAP Gateway
      • SAP Message Server
      • SAP Router
      • SAP Dispatcher
      • SAP MMC
      • SAP Portal
  • Sometimes you do not need a vulnerability
  • You can execute some heavy functionality
• 19. Risk 6: Falsification of business-critical data
  • Risk: Falsification of business-critical data to allocate more than needed or simply unneeded expenditure.
  • Affects: Every company with asset management
  • Type: Sabotage/Fraud
  • Module: EAM
  • If an attacker can get access to these systems he can modify data about equipment conditions in different ways. For example, he may change the data passing from CBM (Condition Based Maintenance) in such a way that there appears to be a need to replace different elements of facilities. Such an act will thus force the company to spend money and time on new equipment when it is not needed.
• 20. Risk 6: Falsification of business-critical data
  • For better optimization of business processes, EAM systems are sometimes integrated with CBM, where the state of the equipment is observed and monitored continually on a real-time basis.
  • Deviations from a standard range or tolerance will cause some form of alarm and identification of the need for a maintenance intervention.
  • So, if an attacker can get access to those systems he can modify data about equipment health in different ways.
  • Attack on EAM, attack on CBM, attack between systems.
• 21. Risk 7: Industrial sabotage
  • Risk: Industrial sabotage and disaster
  • Affects: Every company with an ICS/technology network: Oil and Gas, Utilities, Manufacturing
  • Type: Sabotage/Fraud
  • Module: SAP EAM / SAP xMII
  • SAP EAM systems can have technical connections to facility management systems; thus, by breaking into an EAM system it may be possible to hack facility management/SCADA/Smart Home/Smart Grid systems as well. So, if a hacker can get access to SAP EAM he can more easily get access to facility management and industrial systems, and he can actually change some critical parameters like heat or pressure, which can lead to disaster and potential loss of life.
• 22. Risk 7: Industrial sabotage
  • Usually technology systems are not secure and are based on obsolete operating systems, and the only security for them is a firewall which totally isolates them from the corporate network, except for those systems with which there has to be a connection for data transfer, such as SAP EAM.
  • How they attack:
    – RFC connections
    – Shared database or other resource
    – Same passwords for OS/DB/Application
    – Same domain
    – Simply exploit ICS vulnerabilities
• 23. Risk 8: Modification of reports
  • Risk: Unauthorized tampering with financial reports
  • Affects: Every company with Business Objects BI
  • Type: Sabotage
  • Module: SAP BI
    – Financial reports: unauthorized data modification – diverts the attention of management, causing problems with the auditors and leading to a drying up of investment return on projects.
    – Tangible and intangible resources: unauthorized data modification – improper estimates from incorrect data on the spending of resources and the workload of employees. This could lead to the misuse of funds and cause direct and indirect losses.
    – Sales reports: unauthorized data modification – wrong conclusions about pricing strategy and policies
• 24. Risk 8: Modification of reports
  • The SAP BI system is based on the SAP Business Objects platform
  • Around 80 vulnerabilities were found in this platform
  • The number of vulnerabilities is growing
• 25. Risk 9: Remote illegal updates upload
  • Risk: Illegal updates upload
  • Affects: Every company
  • Type: Sabotage/Fraud
  • Module: Solution Manager
  • SAP Solution Manager is a platform which allows the SAP Basis team to remotely control, monitor, and update other SAP solutions. Thus, by obtaining access to Solution Manager it is possible to upload backdoor code to each SAP system disguised as a legitimate update.
• 26. Risk 9: Remote illegal updates upload
  • What's more dangerous is that the attack can be exploited
    – Remotely (via SAP Router)
    – Almost without any trace
  • SAP Router is used to obtain updates from SAP before sending them to SAP Solution Manager
  • An attacker can exploit SAP Router's heap overflow issue
    – http://erpscan.com/advisories/dsecrg-13-013-saprouter-heap-overflow/
  • After that, he can change updates on the fly
  • There is no way to identify this attack
  • Defense: SAP Security note 1820666
• 27. Risk 10: Portal denial of service
  • Risk: Customer portal denial of service
  • Affects: Every company with a public portal on SAP
  • Type: Sabotage
  • Module: SAP Enterprise Portal
  • Denial of service vulnerabilities in SAP EP, which can be exposed to the Internet, can lead to downtime of portal operations. If it is a customer portal, the company may suffer huge monetary and reputation losses. Such an attack was performed against the Nvidia company.
• 28. Risk 10: Portal denial of service
  • SAP Portal has about 600 vulnerabilities (in platform and applications)
  • Some of them can be exploited without any authentication
  • The most critical issues, such as Verb Tampering, can also be used to obtain full control of a system:
    – Create users
    – Assign roles
    – Execute OS commands
• 29. Risk 11: Attack from the Internet
  • Risk: Access to the company's internal resources
  • Affects: Every company with a public portal on SAP
  • Type: Espionage
  • Module: SAP Enterprise Portal
  • Different vulnerabilities in SAP EP, which can be exposed to the Internet, can lead to unauthorized access not only to the SAP Portal itself but also to internal resources of the company.
• 30. Risk 11: Attack from the Internet
  • SAP Portal usually can be accessed via the Internet
  • More than 1000 SAP Portals exist on the Internet
  • Using vulnerabilities in the portal an attacker can
    – Use Single Sign-On and log in to any internal system
    – Attack internal systems using an SSRF vulnerability
    – Search for passwords stored in Portal KM
• 31. Risk 12: Misappropriation of material resources
  • Risk: Misappropriation of material resources
  • Affects: Every company with a warehouse, or natural resources mining
  • Type: Insider Fraud
  • Module: MM (Material Management) – part of ECC
  • An attacker can manipulate data about the quantity of material resources in stock or delivery and pilfer from warehouses, at times in collusion with the very employees entrusted with the stock-taking responsibilities.
• 32. Risk 12: Misappropriation of material resources
  • Exploit by direct table access
  • Not so hard if you can google for it
• 33. Risk 13: Changing bank account data
  • Risk: Changing bank account data
  • Affects: Every company
  • Type: Insider Fraud
  • Module: ERP
  • An attacker can manipulate the bank account number of any company in the database and transfer money to a chosen account number.
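For the bank-account fraud above, an added example (not from the deck) of the correlation a defender can run over vendor master changes and outgoing payments: it flags a payment to a freshly changed account when the same user made both entries, or when the payment went out before a review window elapsed. Record layouts, user names and IBAN strings are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class BankChange:
    """Vendor master bank-data change (constructed layout)."""
    when: date
    user: str       # user who changed the vendor's bank account
    vendor: str
    old_iban: str
    new_iban: str


@dataclass(frozen=True)
class Payment:
    """Outgoing payment (constructed layout)."""
    when: date
    user: str       # user who released the payment
    vendor: str
    iban: str
    amount: float


# Constructed sample data; IBANs are placeholders, not real accounts.
BANK_CHANGES = [
    BankChange(date(2014, 3, 3), "APCLERK", "V100", "XX00OLD1", "XX00NEW1"),
    BankChange(date(2014, 3, 10), "MASTERDATA", "V200", "XX00OLD2", "XX00NEW2"),
]
PAYMENTS = [
    Payment(date(2014, 3, 4), "APCLERK", "V100", "XX00NEW1", 250000.0),
    Payment(date(2014, 4, 20), "TREASURY", "V200", "XX00NEW2", 1200.0),
]


def correlate(changes, payments, review_days=7):
    """Return (change, payment, reason) triples for payments to a new account
    that either bypassed a review window or were released by the same user
    who changed the account (the SoD violation this fraud relies on)."""
    findings = []
    for ch in changes:
        for p in payments:
            if p.vendor != ch.vendor or p.iban != ch.new_iban:
                continue
            gap = (p.when - ch.when).days
            if 0 <= gap <= review_days:
                findings.append((ch, p, f"paid {gap} day(s) after account change"))
            if p.user == ch.user:
                findings.append((ch, p, "same user changed account and released payment"))
    return findings


if __name__ == "__main__":
    for ch, p, why in correlate(BANK_CHANGES, PAYMENTS):
        print(f"{p.vendor}: {p.amount:.2f} to {p.iban} by {p.user}: {why}")
```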
• 34. SAP Vulnerabilities
  • 3000+ vulnerabilities in all SAP products
  • 2368 vulnerabilities were found in SAP NetWeaver ABAP-based systems
  • 1050 vulnerabilities were found in basic components which are the same for every system
  • About 350 vulnerabilities were found in ECC modules.
  [Chart: SAP vulnerabilities per year, 2001–2014]
• 37. Ease of development
  • Price of a vulnerability is low
  • Patching is a nightmare
  • Creation of an exploit is easy
  • Interconnection is high
  • Availability via the Internet
  [Pie chart: NetWeaver ABAP versions by popularity – 36%, 23%, 19%, 11%, 6%, 5%; legend in the same order: 7.0 EHP 0 (Nov 2005), 7.0 EHP 2 (Apr 2010), 7.0 EHP 1 (Oct 2008), 7.3 (Jun 2011), 6.2 (Dec 2003), 6.4 (Mar 2004)]
  [Bar chart: Exposed services 2011 vs. 2013 – SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server, SAP Router]
• 38. Defense
  • EAS-SEC: a resource which combines
    – Guidelines for assessing enterprise application security
    – Guidelines for assessing custom code
    – Surveys about enterprise application security
• 39. EAS-SEC Guidelines
  1. Lack of patch management
  2. Default passwords
  3. Unnecessary enabled functionality
  4. Remotely enabled administrative services
  5. Insecure configuration
  6. Unencrypted communications
  7. Internal access control and SoD
  8. Insecure trust relations
  9. Monitoring of security events
  http://erpscan.com/publications/the-sap-netweaver-abap-platform-vulnerability-assessment-guide/
• 40. Conclusion
  • Critical networks are complex
  • A system is as secure as its most insecure component
  • Holistic approach
  • Check eas-sec.org