SecurityBridge identified Supply Chain Vulnerability in SAP Transport System

transport-modifiable

SAP closed the security gap in October ‘21 thanks to the initiative of SecurityBridge SAP security experts.

Ingolstadt, January 13, 2022 – Supply chain attacks are a new type of threat that targets software development departments and vendors. SecurityBridge has now identified a methodology that allows internal attackers without privileged rights to intervene undetected in the SAP software distribution process. The vulnerability was reported to SAP in October 2021, and the corresponding patch has already been published, or deployed to the customer’s SAP system.

Using the internal SAP development supply chain, customers can request additional functionality and in-house developments to the SAP standard. Such coding and repository changes are provided via the various staging systems of the respective SAP landscape with SAP transport requests. The transport files are needed to physically deploy changes from development to the next staging level. These requests should not be modified after they have been exported from the central transport directory (which is usually shared by development, test, and integration instances) and released.

By the end of 2021, SecurityBridge had discovered a method using its SAP Security Platform that allowed internal attackers without privileged authorizations to penetrate this SAP software supply chain. Immediately after exporting a transport request (containing the new development) and before importing it into the subsequent staging system, there was a window of opportunity where someone with fraudulent intent and sufficient rights could have changed the status of the transport request from “released” to “modifiable” and thereby have the potential to inject malicious code into the SAP development phase – even into transport requests that had already been imported into the test system. The content of the transport request could be changed without being noticed shortly before being imported into production to enable code execution.

Ivan Mans, CTO of SecurityBridge: “Such attacks are very efficient, especially when the various SAP staging systems share a single transport directory. This makes it very easy to attack the SAP development supply chain.” SAP has issued the patch in security advisory SNOTE 3097887– [CVE-2021-38178] Improper Authorization in SAP NetWeaver AS ABAP and ABAP Platform with a Hot News Priority (CVSS 9.1) as part of SAP Security Patch Day on October 12, 2021. This protects the file system from manipulation. Only the account on which the SAP NetWeaver or S/4HANA application is also running will be granted access (the so-called ADM). “SAP customers should check the transport log for tampering before production import. In it, the described attack method becomes visible. However, those who have implemented the CVSS 9.1 hint are on the safe side now.”

Ivan Mans

CTO at SecurityBridge

Ivan Mans

Posted by

Till Pleyer
Share on linkedin
Share on twitter
Share on email
Find recent Security Advisories for SAP©
Download the White Paper “YOUR ROAD TO SAP SECURITY” to learn about the major milestones towards increasing the cybersecurity posture of your SAP systems.
SAP Patchday
On January 11, 2022, we celebrate the first SAP Security Patch Day of the year. We wish all those responsible for securing SAP a good and secure start in 2022. Unfortunately, the new year begins as the old year ended, with even more SAP vulnerabilities.
What is a Supply chain attack vulnerability using the SAP Transport Management System? SAP transport content can be adjusted after being exported and passing through test deployment and QA processes. Learn why it is crucial to protect your SAP digital backbone.
log4j-news
Security News
Stay tuned and read regular updates on the Log4j zero day vulnerability - how it can affect your SAP systems, and what you can do to protect your IT infrastructure