Skip to content

SecurityBridge finds Vulnerability in SAP Transport System


SAP closed the security gap in October ‘21 thanks to the initiative of SecurityBridge SAP security experts.

Ingolstadt, January 13, 2022 – Supply chain attacks are a new type of threat that targets software development departments and vendors. SecurityBridge has now identified a methodology that allows internal attackers without privileged rights to intervene undetected in the SAP software distribution process. The vulnerability was reported to SAP in October 2021, and the corresponding patch has already been published, or deployed to the customer’s SAP system.

Using the internal SAP development supply chain, customers can request additional functionality and in-house developments to the SAP standard. Such coding and repository changes are provided via the various staging systems of the respective SAP landscape with SAP transport requests. The transport files are needed to physically deploy changes from development to the next staging level. These requests should not be modified after they have been exported from the central transport directory (which is usually shared by development, test, and integration instances) and released.

By the end of 2021, SecurityBridge had discovered a method using its SAP Security Platform that allowed internal attackers without privileged authorizations to penetrate this SAP software supply chain. Immediately after exporting a transport request (containing the new development) and before importing it into the subsequent staging system, there was a window of opportunity where someone with fraudulent intent and sufficient rights could have changed the status of the transport request from “released” to “modifiable” and thereby have the potential to inject malicious code into the SAP development phase – even into transport requests that had already been imported into the test system. The content of the transport request could be changed without being noticed shortly before being imported into production to enable code execution.

Ivan Mans, CTO of SecurityBridge: “Such attacks are very efficient, especially when the various SAP staging systems share a single transport directory. This makes it very easy to attack the SAP development supply chain.” SAP has issued the patch in security advisory SNOTE 3097887– [CVE-2021-38178] Improper Authorization in SAP NetWeaver AS ABAP and ABAP Platform with a Hot News Priority (CVSS 9.1) as part of SAP Security Patch Day on October 12, 2021. This protects the file system from manipulation. Only the account on which the SAP NetWeaver or S/4HANA application is also running will be granted access (the so-called ADM). “SAP customers should check the transport log for tampering before production import. In it, the described attack method becomes visible. However, those who have implemented the CVSS 9.1 hint are on the safe side now.”

Ivan Mans

CTO at SecurityBridge

Ivan Mans

Posted by

Till Pleyer
Find recent Security Advisories for SAP©
Download the White Paper “Bridging the Gap – How SecurityBridge Supports NIST CSF in SAP Environments”. Learn how choosing the right tool can significantly shorten the journey of NIST CSF adoption and improve the security posture of SAP environments.
Senior SAP Developer Singapore
As a Senior SAP Developer, you will be responsible for designing, developing, and maintaining SAP solutions while leading and guiding a team of developers. You will play a crucial role in the development of standard products, and your technical expertise and communication skills will be instrumental in ensuring the success of our projects. This role demands strong leadership, technical acumen, and the ability to collaborate effectively in an international development team.
Earlier this year, IBM presented its 18th edition of ‘The Cost of a Data Breach Report’ (you can find it here). This publication provides detailed and valuable insights into various factors related to data breaches. It is based on research carried out at 553 impacted organizations - any IT security professional should check it out. In this article, we will highlight some of this report’s findings and bring them into the context of SAP security.
We're hiring a financial controller/analyst
As a Controller/Financial Analyst at SecurityBridge, you will play a crucial role in managing and optimizing financial processes, ensuring accurate reporting, and providing strategic financial insights. This is an exciting opportunity for a detail-oriented professional to contribute to the financial success of the fastest-growing cybersecurity provider for SAP systems.