Skip to content

SecurityBridge finds Vulnerability in SAP Transport System

transport-modifiable

SAP closed the security gap in October ‘21 thanks to the initiative of SecurityBridge SAP security experts.

Ingolstadt, January 13, 2022 – Supply chain attacks are a new type of threat that targets software development departments and vendors. SecurityBridge has now identified a methodology that allows internal attackers without privileged rights to intervene undetected in the SAP software distribution process. The vulnerability was reported to SAP in October 2021, and the corresponding patch has already been published, or deployed to the customer’s SAP system.

Using the internal SAP development supply chain, customers can request additional functionality and in-house developments to the SAP standard. Such coding and repository changes are provided via the various staging systems of the respective SAP landscape with SAP transport requests. The transport files are needed to physically deploy changes from development to the next staging level. These requests should not be modified after they have been exported from the central transport directory (which is usually shared by development, test, and integration instances) and released.

By the end of 2021, SecurityBridge had discovered a method using its SAP Security Platform that allowed internal attackers without privileged authorizations to penetrate this SAP software supply chain. Immediately after exporting a transport request (containing the new development) and before importing it into the subsequent staging system, there was a window of opportunity where someone with fraudulent intent and sufficient rights could have changed the status of the transport request from “released” to “modifiable” and thereby have the potential to inject malicious code into the SAP development phase – even into transport requests that had already been imported into the test system. The content of the transport request could be changed without being noticed shortly before being imported into production to enable code execution.

Ivan Mans, CTO of SecurityBridge: “Such attacks are very efficient, especially when the various SAP staging systems share a single transport directory. This makes it very easy to attack the SAP development supply chain.” SAP has issued the patch in security advisory SNOTE 3097887– [CVE-2021-38178] Improper Authorization in SAP NetWeaver AS ABAP and ABAP Platform with a Hot News Priority (CVSS 9.1) as part of SAP Security Patch Day on October 12, 2021. This protects the file system from manipulation. Only the account on which the SAP NetWeaver or S/4HANA application is also running will be granted access (the so-called ADM). “SAP customers should check the transport log for tampering before production import. In it, the described attack method becomes visible. However, those who have implemented the CVSS 9.1 hint are on the safe side now.”

Ivan Mans

CTO at SecurityBridge

Ivan Mans

Posted by

Till Pleyer
Find recent Security Advisories for SAP©
Download the White Paper “Bridging the Gap – How SecurityBridge Supports NIST CSF in SAP Environments”. Learn how choosing the right tool can significantly shorten the journey of NIST CSF adoption and improve the security posture of SAP environments.
CISA - NIST Webinar Q3 2023
Join us for an enlightening webinar where we simplify these regulatory frameworks, map CISA guidelines to SAP instances, and showcase how the SecurityBridge platform can assist you in achieving your SAP compliance needs.
SAP vulnerability
SAP Vulnerability
As we know, SAP (Systems, Applications, and Products in Data Processing) is a widely used enterprise resource planning (ERP) software suite that helps organizations manage various business operations. No digital system is secure by nature or by default - there will always be security challenges, and SAP is no exception. In this article, we discuss the Top 10 vulnerabilities in SAP – how they affect the security of an SAP system, and finally, how to identify and manage them with SecurityBridge.
SAP security Patch day
Today, September 12th, 2023 brings the release of SAP Security Patches for the extensive enterprise application portfolio developed by the Walldorf giant. SAP released 13 new Security Notes and provided 5 updates to previously released Security Notes.
Leadership team
SecurityBridge, a leading provider of cybersecurity solutions for SAP customers, acquired Dutch SAP security specialist Protect4S. Through the acquisition, customers will benefit from an even more comprehensive one-stop-shop software platform that will improve every SAP customer’s security position across all technology stacks.