Skip to content

SecurityBridge finds Vulnerability in SAP Transport System

transport-modifiable

SAP closed the security gap in October ‘21 thanks to the initiative of SecurityBridge SAP security experts.

Ingolstadt, January 13, 2022 – Supply chain attacks are a new type of threat that targets software development departments and vendors. SecurityBridge has now identified a methodology that allows internal attackers without privileged rights to intervene undetected in the SAP software distribution process. The vulnerability was reported to SAP in October 2021, and the corresponding patch has already been published, or deployed to the customer’s SAP system.

Using the internal SAP development supply chain, customers can request additional functionality and in-house developments to the SAP standard. Such coding and repository changes are provided via the various staging systems of the respective SAP landscape with SAP transport requests. The transport files are needed to physically deploy changes from development to the next staging level. These requests should not be modified after they have been exported from the central transport directory (which is usually shared by development, test, and integration instances) and released.

By the end of 2021, SecurityBridge had discovered a method using its SAP Security Platform that allowed internal attackers without privileged authorizations to penetrate this SAP software supply chain. Immediately after exporting a transport request (containing the new development) and before importing it into the subsequent staging system, there was a window of opportunity where someone with fraudulent intent and sufficient rights could have changed the status of the transport request from “released” to “modifiable” and thereby have the potential to inject malicious code into the SAP development phase – even into transport requests that had already been imported into the test system. The content of the transport request could be changed without being noticed shortly before being imported into production to enable code execution.

Ivan Mans, CTO of SecurityBridge: “Such attacks are very efficient, especially when the various SAP staging systems share a single transport directory. This makes it very easy to attack the SAP development supply chain.” SAP has issued the patch in security advisory SNOTE 3097887– [CVE-2021-38178] Improper Authorization in SAP NetWeaver AS ABAP and ABAP Platform with a Hot News Priority (CVSS 9.1) as part of SAP Security Patch Day on October 12, 2021. This protects the file system from manipulation. Only the account on which the SAP NetWeaver or S/4HANA application is also running will be granted access (the so-called ADM). “SAP customers should check the transport log for tampering before production import. In it, the described attack method becomes visible. However, those who have implemented the CVSS 9.1 hint are on the safe side now.”

Ivan Mans

CTO at SecurityBridge

Ivan Mans

Posted by

Till Pleyer
Find recent Security Advisories for SAP©
Download the White Paper “Bridging the Gap – How SecurityBridge Supports NIST CSF in SAP Environments”. Learn how choosing the right tool can significantly shorten the journey of NIST CSF adoption and improve the security posture of SAP environments.
SAP security by design
Security-by-design is a principle that emphasizes the need to build security measures into software systems from the start rather than as an afterthought. SAP projects need to embed security conciseness to respect this principle and gain a cyber-resilient application. Thus, they should prioritize security when designing and implementing their SAP systems rather than attempting to bolt on security measures afterward. This can help to prevent security breaches and minimize the damage caused by cyberattacks.
Accenture webinar
With the recent increase in attention to SAP security from auditors, we decided to investigate SAP baselines. We took a closer look into what SAP baselines are, how they can help you, and how to survive an audit.
coding
Remote Code Execution (RCE) vulnerability in SAP is a type of security issue that allows an attacker to execute arbitrary code on a target system remotely. has gained control of a user's click, they can execute a range of actions, such as transferring funds, changing user settings, or stealing sensitive data.
Management Dashboard
SAP security provider SecurityBridge—now operating in the U.S.—today announced the latest addition to the SecurityBridge Platform—the Management Dashboard for SAP security. The SAP Management Dashboard is a no-cost, additional application for the existing SecurityBridge Platform that combines all SAP data aspects and presents the information through a customizable, single pane of glass security dashboard view.