
SAP Supply Chain Attack

What is a Supply chain attack vulnerability using the SAP Transport Management System?

Key Takeaways

  • SAP transport content can be adjusted after being exported and passing through test deployment and QA processes
  • Learn why it is crucial to protect your SAP digital backbone
  • There are tools that help you prevent a cyberattack scenario like the recent Kaseya ransomware attack

What is a supply chain attack?

Supply chain attacks are an emerging kind of threat that targets software developers and suppliers. The attacker's intent is to reach source code, build processes, or update mechanisms and to infect legitimate applications so that they distribute malware. This affects not only software bought from outside: internal software deployment processes can be vulnerable to the same kind of attack. Changes for SAP production systems are implemented in the development stage, then deployed to and tested in the test instance before they go live.

SecurityBridge has identified a method that allows internal attackers without privileged authorizations to infiltrate the SAP change management or software deployment process. Here is what we found out about the attack scenario.

What is the SAP deployment supply chain?

Functional enhancements requested by the business that do not exist within the SAP standard product scope can be added as custom developments. This is not done directly on the production system, since any error may disrupt business-critical processes that need to run with high accuracy and availability.

A typical SAP production system sits at the end of a line of SAP instances used for development, testing, and sometimes integration. In many cases all of these instances share a central transport directory (by default /usr/sap/trans). The transport directory is where the SAP system writes and reads the transport files that are needed to physically deploy changes from development to the next staging level.

How to modify a released SAP transport request?

We all use SAP transport requests to deploy code and repository changes through the staging levels of the SAP system line. The change management process assumes that a transport request can no longer be changed once it has been exported.

Here's an example: I typically export my transport requests only after I am done with my change and my unit tests have passed. The export, or release, of the transport request starts the deployment process. Behind the scenes, the transport content, contained in a DATA file (R<number>.<SID> in the data subdirectory of the transport directory), is frozen, and the COFILE (K<number>.<SID> in the cofiles subdirectory) is updated with the release details. Think of the DATA file as the data container and the COFILE as the action log of the transport request.

Once released, my transport request is no longer modifiable. It may happen that you realize a dictionary object or a customizing entry was missing from the object list and you need to create a follow-up transport.

I cannot re-open the existing transport to add the missing pieces, right? Well, not exactly. Read on to learn how you can rewind your action and make the request editable again, at any time, even after the import into the quality stage has passed.

There is a hidden feature in the SAP standard: program RDDIT076, accessible via the Hotline Tools (program RSWBOSOS), allows changing the header attributes of an SAP transport request:

[Screenshot: SAP Hotline Tools]

Now, this is exactly where the problem starts!

How does this resonate with the risk of a supply chain attack?

SAP change management tools and their quality assurance processes are built on key design assumptions, one being that the content of a transport request is frozen once it has been exported from the SAP development system.

After the export, and before the import into the production system, a threat actor has a time window in which to add malicious objects. A rogue employee with adequate authorizations can change the release status from "Released" back to "Modifiable"!

[Screenshot: transport request status changed to "Modifiable"]

The transport request can then be changed, even though it already passed every quality gate established in the change management process. In our example we add an extra payload to the transport: a program that is executed automatically after the import into a target system (a post-import program, known in SAP as an XPRA), and that target system could be production. This is how the SAP development supply chain can be attacked!

A similar pattern, a trusted deployment channel used to push malicious content to its targets, was seen in the recent Kaseya VSA ransomware attack.

Attackers may introduce malicious code into the SAP development stage unseen, even into requests that have already been imported into the test stage. They can alter the transport request content just before promotion into production and thereby gain code execution there. Such attacks are very efficient, and every SAP environment in which the staging levels share a single transport directory is exposed.

SAP SE has provided a patch for the described scenario in SAP Note 3097887:

  • Improper Authorization in SAP NetWeaver AS ABAP and ABAP Platform, released on SAP Security Patch Day October 2021 with Hot News priority (CVSS 9.1).


SAP technicians will confirm that there are genuine reasons for allowing the header attributes of a transport request to be changed. There must, however, be security controls that automatically raise an alert when something deviates from the baseline, such as a change of the release status of a transport request, or the inclusion of vulnerable or rogue code and other critical objects. Real-time monitoring can be implemented to trigger a verification process for every such anomaly.

As an SAP security solution provider, we hold ourselves to the highest level of security.

How can you protect yourself?

The transport directory on the file system (by default /usr/sap/trans, and often shared by all systems of the line) must be protected against manipulation: only the OS account that runs the SAP NetWeaver or S/4HANA application server, the so-called <sid>adm user, needs write access to it. Developers and other interactive users must not be able to write to the data and cofiles subdirectories. Apply the patch from SAP Note 3097887 so that the authorization gap in the transport tools is closed as well.

Review the transport logs for manipulation before the production import. The described attack method leaves traces there and in the COFILE, which acts as the request's action log: a request that was released and later became modifiable again, or whose DATA file changed after the release, should never be imported into production without an explicit review.
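The following POSIX shell script is an added example and not SecurityBridge's or SAP's own tooling. It turns the two recommendations above into checks that can be run from the release step and again as the last gate before the production import: it fingerprints a released request's DATA and COFILE so that any change in the window between release and production import is detected, and it audits ownership and world-writability of the transport directory. It assumes (this is not stated in the article) the standard layout <trans>/data/R<number>.<SID> and <trans>/cofiles/K<number>.<SID>, request IDs of the form DEVK900123, and GNU coreutils and findutils; the file contents used in the demo are constructed, not real transport data.

```shell
#!/bin/sh
# Added example (not SecurityBridge's or SAP's tooling): fingerprint a released
# transport request's DATA and COFILE at release time and re-check them right
# before the production import; audit the transport directory's permissions.
# Assumptions (not from the article): <trans>/data/R<num>.<SID> and
# <trans>/cofiles/K<num>.<SID> layout, request IDs like DEVK900123, GNU tools.

# Record the SHA-256 of the DATA and COFILE of request $2 under transport
# directory $1 into the baseline file $3 (sha256sum's own check format).
# Store the baseline on a host the developers cannot write to.
snapshot_transport() {
    trans="$1"; req="$2"; baseline="$3"
    sid=$(printf '%s' "$req" | cut -c1-3)     # DEVK900123 -> DEV
    num=$(printf '%s' "$req" | cut -c5-)      # DEVK900123 -> 900123
    {
        sha256sum "$trans/data/R$num.$sid"
        sha256sum "$trans/cofiles/K$num.$sid"
    } > "$baseline"
}

# Exit 0 if both files still match the baseline, non-zero if either changed.
# Run this as the last gate before the import into production.
verify_transport() {
    sha256sum --check --status "$1"
}

# Exit 0 if every entry below the transport directory $1 is owned by the
# expected OS user $2 (normally <sid>adm) and nothing is world-writable.
# In a shared transport directory the group is usually sapsys, so group
# rights are deliberately not flagged here; tighten /002 to /022 if unshared.
check_trans_perms() {
    bad=$(find "$1" \( ! -user "$2" -o -perm /002 \) -print)
    [ -z "$bad" ]
}

# Stand-alone demo on constructed files (not real transport content).
demo=$(mktemp -d)
mkdir -p "$demo/data" "$demo/cofiles"
printf 'R3TR PROG ZMY_REPORT\n' > "$demo/data/R900123.DEV"
printf 'released 2021-10-12 by DEVUSER\n' > "$demo/cofiles/K900123.DEV"

snapshot_transport "$demo" DEVK900123 "$demo/DEVK900123.sha"
verify_transport "$demo/DEVK900123.sha" && echo "DEVK900123: matches release baseline"

# Simulate the insider adding a post-import program after the release.
printf 'R3TR XPRA ZAFTER_IMPORT\n' >> "$demo/data/R900123.DEV"
verify_transport "$demo/DEVK900123.sha" || echo "DEVK900123: changed since release, block the import"

check_trans_perms "$demo" "$(id -un)" && echo "transport directory permissions OK"
rm -rf "$demo"
```

The fingerprint check is a detective control only: it tells you that the files changed, not who changed them or why, so it complements, rather than replaces, the patch from SAP Note 3097887 and the review of the transport logs. Call snapshot_transport from whatever automates the release, and make verify_transport a hard precondition of the production import job.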

Summary

Software products from SAP are at the very core of the most successful global brands. Many SAP customers operate critical infrastructure, manufacture food, or supply energy and medical supplies, and as such cannot risk an interruption of production.

Although we see increasingly sophisticated attacks on SAP, the example above illustrates how an insider could infiltrate a production environment.

Together with our team of experts, we support companies by providing the most advanced cybersecurity platform for SAP customers, to ensure that the very essence of their operation is not endangered by persistent cyber threats.

Posted by

Ivan Mans
