This document discusses security risks related to SAP applications. It describes 5 ways that business applications can be broken into, including espionage, sabotage, and fraud. Specific risks discussed include theft of credit card data from SAP's SD module, and compromise of competitive bidding information from the SRM module. The document advocates for security measures like configuration checks, access controls and code scanning to help defend against attacks.

1. Invest
in
security
to
secure
investments
5
real
ways
to
destroy
business
by
breaking
SAP
applica8ons
Alexander
Polyakov.
CTO,
ERPScan

2. About
ERPScan
• The
only
360-­‐degree
SAP
security
soluBon:
ERPScan
Security
Monitoring
Suite
for
SAP
• Leader
by
the
number
of
acknowledgments
from
SAP
(
150+
)
• 60+
presenta8ons
at
key
security
conferences
worldwide
• 25
awards
and
nomina8ons
• Research
team
–
20
experts
with
experience
in
different
areas
of
security
• Headquarters
in
Palo
Alto
(US)
and
Amsterdam
(EU)
2

3. Large
enterprise
sectors
• Oil
&
Gas
• Manufacturing
• LogisBcs
• Finance
• Nuclear
Power
• Retail
• TelecommunicaBon
• etc.
3

4. • The
role
of
business
applicaBons
in
a
typical
work
environment
• The
need
to
control
them
to
opBmize
business
processes
• Scope
for
enormous
reducBon
in
resource
overheads
and
other
direct
monetary
impact
• PotenBal
problems
that
one
can’t
overlook
• The
need
to
reflect
on
security
aspects
–
is
it
overstated?
• Why
is
it
a
REAL
and
existent
risk?
4
Business
applica8ons

5. • Espionage
– The]
of
financial
informaBon
– Corporate
secret
and
informaBon
the]
– Supplier
and
customer
list
the]
– HR
data
the]
• Sabotage
– Denial
of
service
– Tampering
of
financial
records
and
accounBng
data
– Access
to
technology
network
(SCADA)
by
trust
relaBons
• Fraud
– False
transacBons
– ModificaBon
of
master
data
5
What
can
the
implica8ons
be?

6. SAP
Вставьте
рисунок
на
слайд,
скруглите
верхний
левый
и
нижний
правый
угол
(Формат
–
Формат
рисунка),
добавьте
контур
(оранжевый,
толщина
–
3)
6
• The
most
popular
business
applicaBon
• More
than
263000
customers
worldwide
• 83%
Forbes
500
companies
run
SAP
• Main
system
–
ERP
• Main
pla|orms
‒ SAP
NetWeaver
ABAP
‒ SAP
NetWeaver
J2EE
‒ SAP
BusinessObjects
‒ SAP
HANA
‒ SAP
Mobile
Pla|orm
(SUP)

7. SAP
Security
• Complexity
Complexity
kills
security.
Many
different
vulnerabiliBes
in
all
levels,
from
network
to
applicaBon
• Customiza8on
Cannot
be
installed
out
of
the
box.
A
lot
of
(up
to
50
%)
custom
code
and
business
logic
• Risky
Rarely
updated
because
administrators
are
scared
of
crashes
and
downBme
• Unknown
Mostly
available
inside
the
company
(closed
world)
h‚p://erpscan.com/wp-­‐content/uploads/pres/Forgo‚en%20World%20-­‐%20Corporate%20Business%20ApplicaBon%20Systems%20Whitepaper.pdf
7

8. Risk
1:
Credit
card
data
theQ
• Risk:
credit
card
data
theQ
• Affects:
Companies
storing
and
processing
PCI
data:
Banks,
Processing,
Merchants,
Payment
Gateways,
Retail
• Type:
Espionage
• Module:
SD
(Sales
and
DistribuBon)
–
part
of
ERP
• A‚acker
can
get
access
to
mulBple
tables
that
store
credit
card
data:
VCKUN,
VCNUM,
CCARDEC,
about
50
other
tables.
Credit
card
data
the]
means
direct
monetary
and
reputaBon
loss
8

9. Risk
1:
Credit
card
data
theQ
• There
are
mulBple
ways
for
an
a‚acker
to
access
CC
data
• Even
if
it’s
encrypted,
one
can:
– Use
FM
to
decrypt
it
–
CCARD_DENVELOPE
– Use
report
to
get
decrypted
– Or
use
another
report
to
find
some
info:
RV20A003
• SoluBon:
ConfiguraBon
Checks,
Patch
Management,
Access
Control,
Code
Scanning
• Defense
– DecrypBon
of
credit
card
data
in
SD
–
SAP
Note
766703
– DecrypBon
of
credit
card
data
for
the
whole
ERP
–
SAP
Note
1032588
– Credit
card
data
in
report
RV20A003
–
SAP
Note
836079
9

10. Risk
1:
Credit
card
data
theQ
(DEMO)
10

11. Risk
2:
Compe88ve
intelligence
• Risk:
Compromise
of
bidding
informa8on
• Affects:
Companies
using
SRM
for
bidding
• Type:
Espionage
• Module:
SRM
• Compe1tors’
intelligence
(Espionage)
• SAP
SRM
systems
are
accessible
through
the
Internet.
So
unfair
compeBtors
have
a
sufficient
loophole
to
spy
privileged
pricing
informaBon
and
propose
compeBBve
pricing
to
win
a
tender
11

12. Risk
2:
Compe88ve
intelligence
• SAP
Cfolders
applicaBon
for
document
exchange
is
a
part
of
SRM.
It
has
some
vulnerabiliBes
and
insecure
configuraBon
problems,
resulBng
in
access
to
official
pricing
informaBon
• This
means
that
the
compeBtor’s
documents
could
be
completely
removed
from
the
systems,
or
the
informaBon
might
be
manipulated
to
win
a
tender
• A‚ack
successfully
simulated
during
penetraBon
tests
• Program
vulnerabiliBes
that
can
aid
an
a‚acker:
– h‚p://erpscan.com/advisories/dsecrg-­‐09-­‐014-­‐sap-­‐cfolders-­‐mulBple-­‐stored-­‐xss-­‐vulnerabilies/
– h‚p://erpscan.com/advisories/dsecrg-­‐09-­‐021-­‐sap-­‐cfolders-­‐mulBple-­‐linked-­‐xss-­‐vulnerabiliBes/
• Defense:
SAP
Notes
1284360,
1292875
12

13. Risk
3:
Inten8onally
causing
manufacturing
defects
• Risk:
Inten8onally
causing
manufacturing
defects
(Sabotage)
• Affects:
Manufacturing
sector
such
as
AviaBon,
Aerospace
AutomoBve,
TransportaBon,
Consumer
Products,
Electronics,
Semiconductor,
Industrial
Machinery
and
Equipment
• Type:
Sabotage
• Module:
SAP
PLM
• Access
to
SAP
PLM
systems
could
allow
unauthorized
changes
in
product
creaBon
schemaBcs,
as
SAP
PLM
is
usually
integrated
into
CAD.
One
small
change
could
result
in
a
defecBve
batch
of
products,
causing
serious
financial
and
reputaBonal
losses
and,
someBmes,
harm
to
life
and
limb
13

14. • FDA
recalled
the
whole
batch
of
1200
tracheostomical
devices
because
of
3
deaths
caused
by
technical
problems
• IKEA
had
to
recall
the
enBre
batch
of
10000
beds
with
steel
rods
that
had
caused
physical
trauma
to
kids,
claiming
it
to
be
a
designer’s
mistake
• Toyota
was
forced
to
recall
3
large
batches
of
passenger
cars
of
up
to
500000
each
because
of
wide
ranging
construcBon
problems
with
airbags,
thro‚le,
and
other
parts
of
the
car
• US
staBsBcs
from
FDA
reveal
such
recalls
occurring
frequently.
A
similar
situaBon
can
also
be
observed
with
consumer
products
Financial
losses
caused
by
traumas
reach
one
trillion
dollars
a
year
*
Those
examples
are
not
caused
by
misusing
SAP!
14
Risk
3:
Crea8ng
defects
in
products
inten8onally

15. • Risk:
Salary
data:
unauthorized
data
manipula8on
• Affects:
Every
company
• Type:
Fraud
• Module:
HCM
• Access
to
the
SAP
HR
system
allows
insiders
to
manipulate
wage
figures.
The
direct
change
can
be
easily
detected,
but
the
risk
lies
in
the
potenBal
manipulaBon
of
the
number
of
addiBonal
working
hours
to
be
processed,
which,
in
turn,
affect
the
wages.
This
fraud
is
extremely
difficult
to
detect
15
Risk
4:
Salary
data
unauthorized
access

16. • Users
can
find
out
a
colleague’s
salary
details
(PA30
transacBon)
→
DemoBvaBon
• Also,
an
a‚acker
may
do
this
by
direct
access
to
the
tables
PA0008,
PA0014,
PA0015
• DEMO
(PA30)
16
Risk
4:
Salary
data
unauthorized
access

17. • Users
can
modify
their
own
salary
– TransacBon
PA30
is
responsible
for
salary
access
– A‚acker
can
change
the
number
of
hours
using
this
transacBon
• DEMO
17
Risk
4:
Salary
data
unauthorized
access

18. • Risk:
Industrial
sabotage
and
disaster
• Affects:
Every
company
with
ICS/technology
network.
Oil
and
Gas,
UBliBes,
Manufacturing
• Type:
Sabotage/Fraud
• Module:
SAP
EAM
/
SAP
XMII
• SAP
EAM
system
can
have
technical
connecBons
to
facility
managements
systems.
By
accessing
EAM,
one
can
hack
facility
management/SCADA/Smart
Home/Smart
Grid
systems
as
well
and
actually
change
criBcal
parameters,
like
heat
or
pressure,
which
can
lead
to
disaster
and
potenBal
death
18
Risk
5:
Industrial
sabotage

19. • Technology
systems
are
usually
insecure
and
based
on
obsolete
operaBon
systems.
The
only
security
for
them
is
a
firewall,
which
totally
isolates
them
from
corporate
network
• Except
for
those
systems
which
need
connecBon
for
data
transfer,
such
as
SAP
EAM
• How
they
a‚ack:
– RFC
connecBons
– Shared
database
or
other
resources
– Same
passwords
for
OS/DB/ApplicaBon
– Same
domain
– Simply
exploit
ICS
vulnerabiliBes
19
Risk
5:
Industrial
Sabotage

20. • Risk
6:
Delayed
salary
payout
in
HR
• Risk
7:
Forgery
of
business-­‐criBcal
data
(Asset
management)
• Risk
8:
MisappropriaBon
of
material
resources
in
MM
• Risk
9:
Tampering
with
banking
informaBon
data
• Risk
10:
ModificaBon
of
reports
in
BI
• Risk
11:
Remote
illegal
updates
upload
• Risk
12:
A‚ack
from
the
Internet
• Risk
13:
Remote
Denial
of
Service
via
Portal
20
Bonus

21. • 3000+
vulnerabiliBes
in
all
SAP
products
• 2368
vulnerabiliBes
in
SAP
NetWeaver
ABAP
based
systems
• 1050
vulnerabiliBes
in
basic
components,
which
are
the
same
for
every
system
• About
350
vulnerabiliBes
in
ECC
modules
21
1
1
13
10
10
27
14
77
130
833
731
641
364
161
322
0
200
400
600
800
1000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
How
they
can
do
this?

22. SAP
NetWeaver
ABAP
–
Sta8s8cs
2363
22
2363
vulnerabili8es

23. SAP
NetWeaver
J2EE
–
Sta8s8cs
23
513
vulnerabili8es

24.
24
76
vulnerabili8es
SAP
BusinessObjects
–
Sta8s8cs

25. 25
14
vulnerabili8es
SAP
HANA
–
Sta8s8cs

26. 26
SAP
a`acks

27. • EAS-­‐SEC:
Recourse
which
combines
– Guidelines
for
assessing
enterprise
applicaBon
security
– Guidelines
for
assessing
custom
code
– Surveys
about
enterprise
applicaBon
security
27
Defense

28. • CriBcal
networks
are
complex
• System
is
as
secure
as
its
most
insecure
component
• HolisBc
approach
• Check
out
eas-­‐sec.org
• Check
out
erpscan.com
28
Conclusion

29. We
devote
a=en>on
to
the
requirements
of
our
customers
and
prospects,
and
constantly
improve
our
product.
If
you
presume
that
our
scanner
lacks
a
par>cular
func>on,
you
can
e-­‐mail
us
or
give
us
a
call.
We
will
be
glad
to
consider
your
sugges>ons
for
the
next
releases
or
monthly
updates.
29
About
228
Hamilton
Avenue,
Fl.
3,
Palo
Alto,
CA.
94301
USA
HQ
Luna
ArenA
238
Herikerbergweg,
1101
CM
Amsterdam
EU
HQ
www.erpscan.com
info@erpscan.com