Lateral movement through SAP Router

mbensimon · ‎01-05-2022

By: Moshe Ben Simon & Julian Petersohn

Summary

Every SAP customer has a minimum of one SAPRouter Instance running within the infrastructure. In addition, these instances are often directly accessible through the Internet.

Figure 1: Overview of Countries where the SAP Router was found[1]

What is SAPRouter

SAPRouter is a standalone program that protects your SAP network against unauthorized access.
SAPRouter is an application gateway that acts as a network connection proxy between SAP systems or between SAP systems and external networks.
The SAPRouter port serves as a gateway, and you can specify the connections you want to allow in a route permission table.
SAPRouter can control and log incoming connections to the SAP system.
SAPRouter can improve network security by applying a password and a layer of encryption across any network access Connections and SAP data.
Customers need to set up and configure access to SAPRouter for SAP to receive technical Support from SAP Engineers.

As the SAPRouter is a network-level component routing SAP-specific traffic, the network team would be responsible for the SAPRouter. As it is an SAP proprietary solution, the SAP Application team is responsible for this component.

Due to the unclear responsibilities, SAP Customers often do not configure SAP Router properly and leave it exposed to the public in an insecure mode.

The below graphic shows a network connection with SAProuter:

Figure 2: Example Diagram of SAPRouter deployment

The next sections will walk through a scenario where SAP Router was left vulnerable to the Internet and how a threat actor can compromise it.

Vulnerable Scenario

An administrator has deployed a new Cloud VM to install the SAP Router service on it. The Administrator does not recognize that he did not unselect the creation of a Public IP address.

After the deployment, the Administrator updated the security configuration of the VM to allow inbound traffic to Port 3299/TCP, which is the default port of the SAP Router application, and Port 22/TCP for remote administration. In addition, the Administrator configured a Port forwarding on the FortiGate Firewall Instance to allow external access to the Virtual Machine, as intended.

After the installation of the SAP Router application on the Server, the Administrator faced some trouble to establishing a connection between SAP and the internal SAP Systems, so the Administrator decided after spending time on troubleshooting to keep the last working configuration of SAPROUTTAB, which is shown as follow:

Figure 3: Example SAPROUTTAB

The first permit rule allows access to every SAP port/protocol within the 10.0.0.0/16 network range from everywhere.

The second permit rule allows access to the SSH Ports (22/TCP) to every System within the 10.0.0.0/16 network range from everywhere.

The last rule denies every other traffic that the two rules do not allow.

Conclusions of the Configuration

SAP Router Port (3299/TCP) and SSH Port (22/TCP) is exposed to the Internet without any security configuration via the forgotten Public IP
SAP Router configuration allows access to any SAP related Ports (32nn, 33nn, etc.) to any Server within the 10.0.0.0/16 network
SSH access to any Server within the 10.0.0.0/16 network is allowed through SAP Router.

Attack

The Administrator noticed that some Servers had a higher load not long after the deployment than usual. This behavior could have many different reasons, so he did not investigate further.

After some time, the Administrator received a message from the Cloud provider regarding some suspicious server activity. The Administrator started a more detailed analysis of the Server and noticed many login tries via SSH coming from the SAPRouter Server. The last login of the chain was successful, and based on the history of the executed commands, the Administrator found an executed bash script that acted as a stage for further payloads. On the SAPRouter Server itself, the Administrator could not find any indicator of a compromise of the Server, allowing the Attacker to start an SSH Brute Force attack against the internal Server.

But how could the hacker gain access to the Servers? Through mass Port scanning for port 3299 (TCP), the hacker found the forgotten Public IP of the SAP Router.

The SAPRouter, depending on the configuration, is not only able to handle SAP NI traffic (SAP own Network protocol stack). SAPRouter can also handle classic TCP/IP protocols like SSH or Telnet.

As the Administrator has prepared the SAPRouter for possible further Support Sessions with SAP, he allows SSH communication to his internal Server in the SAPRouter ACL file.

Based on the combination of the access to the exposed Public IP interface of the SAPRouter and the insecure ACL file, the Attacker set up SSH communication to the internal servers.

The Attacker did a simple SSH Brute force through the SAP Router to find a weak password configured System. After they found a system with a weak password, the hacker executed the bash script, with which they installed a crypto concurrency miner on the System.

How to Secure

In the last chapter, we talked about a scenario where an administrator configured an SAP Router System and left it vulnerable open to the Internet. This chapter will give you some possible ways to set up a secure SAP Router installation.

1. Strong Passwords

First of all, it is very important to set up a strong authentication for SSH access to all servers, e.g., use strong and secure passwords or set up multi-factor SSH authentication. This is an important step whether the Server is only accessible from the internal network or exposed to the public.

2. Publish Services only through FortiGate Firewall
The Server should never be accessed directly from any public network. Setup a FortiGate Firewall in the perimeter to control inbound and outbound communication of the Server. Set a Segmentation between your Servers, e.g., SAPRouter and SAP Systems, to control the FortiGate Firewall level, to which Server SAPRouter can communicate with which protocol.

3. Implement Firewall Security Mechanism before and after SAP Router
In addition to the previous recommendation, controlling ports and communication paths between the servers, set up FortiGate Application Control to allow only, e.g., the SAPRouter protocol for inbound communication to the SAPRouter Server.

On the outgoing side of SAP Router allow only used protocols like SAP DIAG or SAP SNC to communicate to other Systems from SAP Router.

In addition to FortiGate Application Control, enable the FortiGate Intrusion Prevention System to prevent explosive or Brute force attacks against systems reachable through SAP Router. An Example Signature to prevent SSH Brute force attacks can be found here[2]

Figure 4: FortiGate AppControl detection example of SSH and SAP Router traffic

Figure 5: FortiGate IPS Log example dropping SSH Brute force

4. Use Deception technology for detection and response

Using deception technology like FortiDeceptor helps to detect this type of attack. You can deploy a Decoy that acts like a normal Linux Server and provides an SSH service or act like an SAP System. If the Attacker does a port scan, he will find the Decoys and start the attack against them. The attack will get detected by the FortiDeceptor and trigger a mitigation response action using the Fortinet Security Fabric like blocking the IP Address on the FortiGate, sending Threat Indicators to FortiSIEM, etc.

5. Only use secure SAPROUTTAB

We highly recommend NEVER using wildcards (*) within SAPROUTTAB. SAP implemented fallback security features that prevent allowing ports like SSH and telnet with a wildcard in the Service section. Only SAP-specific ports like 33nn, 32nn are allowed with a service wildcard. Ports like SSH and telnet need to be specified explicitly but sometimes required by SAP Support.

Also, it is important to specify a target IP and not a network range to avoid possible access to other systems like the intended.

To establish only secure connections through SAP Router, configure SNC between SAP Router and the SAP Systems and only allow encrypted communication through SAP Router.

6. Further Links and Guidelines

SAP provides some guidelines and helps to secure the SAPRouter Application itself. This section will find some SAP Notes, which provide the necessary information.