SAP AG is one of the largest software companies in the world with more than 183,000 customers around the globe using its applications and services. Well-known products such as SAP ERP, SAP Business Warehouse and SAP BusinessObjects power some of the biggest global enterprises.
The fact that Polyakov's attack targeted an SAP test service named after the cartoon character Dilbert is a little worrying.
Possessing such a huge user base inevitably makes SAP's software an attractive target for attackers. It's easy to see why: valuable data, stored in one place, processed by software used by thousands and accessible from the Internet. Cybercriminals are willing to allocate extensive time and resources to develop malware that targets SAP deployments because the potential payoff will be worth it.
At Black Hat 2012, ERPScan researcher Alexander Polyakov used an attack technique known as server-side request forgery (SSRF) to initiate a chain of vulnerabilities to cause a buffer overflow in the SAP Kernel, the core of the SAP software stack. An SSRF-based attack aims to avoid detection by hiding malicious code within seemingly benign application data packets, enabling it to bypass firewalls and internal SAP security configurations. The demonstrated attack was implemented in a single request, which makes it practically impossible for a signature-based intrusion detection system (IDS) to identify it as malware.
In this tip, I'll provide an overview of SAP security for enterprises that are concerned about the security of their SAP implementations, plus some tips on defending against a server-side request forgery attack.
SAP security overview
Major software vendors, including SAP, have improved their software security efforts significantly over time. Security requirements are an integral part of SAP's development model, called the Product Innovation Lifecycle (PIL). PIL focuses on legal compliance, total cost of ownership reduction and the avoidance of potential vulnerabilities. SAP performs internal security assessments on its products and allows assessments by external and independent parties to ensure that their secure development guidelines are followed. (Though the fact that Polyakov's attack targeted an SAP test service named after the cartoon character Dilbert is a little worrying.)
Of course, no software will ever be completely devoid of bugs and vulnerabilities. A problem similar the one exposed by Polyakov was discovered in the Java Virtual Machine, so business systems like PeopleSoft and Oracle E-Business Suite, which are based on J2EE and use XML to transfer data, are potentially vulnerable to an SSRF-style attack. Such ongoing discoveries underscore the importance of properly configuring enterprise software and hardening the machines that run the software. SAP has fixed the flaw that made Polyakov's attack possible, but, as always, administrators must subscribe to their vendors' alerts to stay informed of new threats and the patches to combat them.
Many organizations don't patch mission-critical systems because of the difficulties in updating such complex and customized deployments. As a response to the zero-day vulnerability TNS Poison, Oracle only issued a security alert, not a patch, citing that a fix would be complex and extremely risky to backport. This problem of complexity in enterprise software means that many systems run with numerous known vulnerabilities and rely purely on firewalls and DMZs for protection. Considering new vulnerabilities are discovered all the time, mission-critical software processes should be located on a properly protected network segment, with firewalls monitoring both incoming and outgoing traffic.
Protecting SAP implementations
If an attack emanates from a trusted source, such as Polyakov's SSRF-based attack, inbound firewall rules are unlikely to stop it. An attacker must still extract the targeted data at some point, so enterprises should monitor outbound network traffic to check that it is destined for a legitimate destination using the expected protocol and ports. All machines need to be hardened and the configuration of databases and software processing data configured following the vendor's guidelines to ensure settings are secure. Because business-critical application servers never process data in isolation, connections to and from these machines should also be encrypted.
From the editors: More on database security management
Learn how to prevent an Oracle TNS Listener poison attack.
Write secure SQL database code with these tips.
Extensive logging is vital to be able to spot and trace an attack. For example, a zero-day attack used to compromise a system may go undetected, but having network sensors logging and analyzing internal network traffic for unusual activity can trigger an alert that may uncover an infection that could otherwise go unnoticed. Another essential security control is penetration testing, which can assess whether firewalls, IDSes and antivirus gateways are performing as intended and effectively safeguarding the network.
A penetration test will help assess the risks related to any uncovered vulnerabilities and how best to mitigate them. They also evaluate the relationships between services, determine if access points to the data can withstand attempts to exploit them, and measure the ability of network defenses to successfully detect and respond to the tests. A penetration test mimics the role of a potential attacker and is the most realistic security test that can be performed. ERPScan has released a new penetration testing tool called ERPScan Security Scanner for SAP specifically aimed at identifying SAP deployments that could be vulnerable.
Defending SAP is not optional
SAP software will remain a vital element in the operation of many of the world's largest enterprises for many years to come, and attacks against SAP will continue as well. Simply put, organizations have no choice but to defend their SAP implementations rigorously. The server-side request forgery attack demonstrated by Polyakov should serve as a reminder of just how real and harrowing SAP attacks can be. Fortunately, sound SAP security is achievable as long as organizations take the right precautions.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance. He is the founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies to secure their networks and websites, and also helps them achieve ISO 27001 certification. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Michael is also a Microsoft Certified Database Administrator and a Microsoft Certified Professional.
This was first published in November 2012