SecurityBridge finds Vulnerability in SAP Transport System

SAP closed the security gap in October ’21 thanks to the initiative of SecurityBridge SAP security experts.

Ingolstadt, January 13, 2022 – Supply chain attacks are a new type of threat that targets software development departments and vendors. SecurityBridge has now identified a methodology that allows internal attackers without privileged rights to intervene undetected in the SAP software distribution process. The vulnerability was reported to SAP in October 2021, and the corresponding patch has already been published or deployed to customers’ SAP systems.

Using the internal SAP development supply chain, customers can request additional functionality and in-house developments to the SAP standard. Such coding and repository changes are provided via the various staging systems of the respective SAP landscape with SAP transport requests. The transport files are needed to physically deploy changes from development to the next staging level. These requests should not be modified after they have been exported from the central transport directory (which is usually shared by development, test, and integration instances) and released.

By the end of 2021, SecurityBridge had discovered, using its SAP Security Platform, a method that allowed internal attackers without privileged authorizations to penetrate this SAP software supply chain. Immediately after a transport request (containing the new development) was exported and before it was imported into the subsequent staging system, there was a window of opportunity in which someone with fraudulent intent and sufficient rights could have changed the status of the transport request from “released” to “modifiable”. That gave them the potential to inject malicious code into the SAP development phase, even into transport requests that had already been imported into the test system. The content of the transport request could then be changed unnoticed shortly before import into production, enabling code execution.

Ivan Mans, CTO of SecurityBridge: “Such attacks are very efficient, especially when the various SAP staging systems share a single transport directory. This makes it very easy to attack the SAP development supply chain.”

SAP issued the patch in security advisory SNOTE 3097887 – [CVE-2021-38178] Improper Authorization in SAP NetWeaver AS ABAP and ABAP Platform, with Hot News priority (CVSS 9.1), as part of SAP Security Patch Day on October 12, 2021. The patch protects the file system from manipulation: only the account under which the SAP NetWeaver or S/4HANA application itself runs (the so-called ADM) is granted access.

“SAP customers should check the transport log for tampering before production import. In it, the described attack method becomes visible. However, those who have implemented the CVSS 9.1 hint are on the safe side now.”

Posted by Till Pleyer