Fortinet for SAP Knowledge Base
MattCzwi
Staff
Article Id 263373
High-Level Summary

 

Securing SAP systems is becoming more and more relevant in today’s world. The threat landscape is constantly expanding, and it does not stop at SAP systems. It exposes companies of all sizes and industries to the risk of cyberattacks with severe consequences such as data leaks or damage to the company’s reputation.


Some of the vulnerabilities of SAP systems have been given well-known codenames such as RECON or 10KBLAZE. Besides these known vulnerabilities, easy-to-use exploits are found on the internet and used by threat actors without much knowledge of SAP.


Every month, SAP publishes security advisories about current vulnerabilities or bugs that could endanger the entire SAP landscape. These notes should be implemented in the SAP systems at regular intervals to ensure secure operation, and doing so often requires system downtime.


This section discusses how SAP systems are being attacked, the type of data that is exposed, and how modern architecture can prevent attacks on SAP systems.

 

Overview of Published SAP Security Updates

 

Due to the size and complexity of SAP software, SAP carries out numerous tests, validations, and checks for compliance with programming guidelines before a new software component is released.

Nevertheless, vulnerabilities always remain, without anyone knowing where in the SAP code they currently are or which ones they are. The same is true of other large vendors that offer complex software; Microsoft Windows is a similar case, and so is Linux as a representative of the open-source community.


Let’s take a closer look at the SAP Security Updates. The chart below shows the number of vulnerabilities that SAP has closed per month between May 2019 and May 2020.

 

[Figure: SAP Security Notes over a 12-month period (sap_security_notes_over_one_year.png)]

 

 

During this period, a total of 182 vulnerabilities were closed. The vulnerabilities are divided into four different types of SAP Security Notes, based on their Common Vulnerability Scoring System (CVSS) score:

 

[Figure: mapping of SAP Security Note types to CVSS score ranges (sap_security_note_cvss_translation.png)]

 

Analysis of Published SAP Security Updates

 

Related to the period from May 2019 to May 2020, Figure 6 shows that most vulnerabilities are rated medium. They are usually fixed during the regular import of new SAP Support Package Stacks along with those of type Low, High, and Hot News.

 

SAP Security Notes of type Hot News should always be imported immediately since they pose a serious threat to the system. With notes of type High, you must weigh the advantages of applying them as quickly as possible against importing them with the next SAP Support Package Stack, based on the system landscape and vulnerability exposure. Thus, an SAP system directly accessed from the internet must be patched with a higher priority due to its higher exposure to potential attacks.

[Figure 5: attack vectors of SAP Security Notes, March 2021 (attack_vectors_sap_security_note_march_2021.png)]

[Figure: SAP vulnerability ranking, March 2020 to March 2021 (sap_vulnerability_ranking_march_2020_to_march_2021.png)]

 

Figure 5 above shows the attack vectors. One of the main vulnerabilities is the disclosure of information, which could help an attacker find the right tool or attack point. Also, SQL injections allow an attacker to read parts of the database and view data that is not intended for that user. Another possibility is to inject code into the SAP system, which could lead to a remote code execution.

 

A Closer Look Into Two Current SAP Threats

 

In this chapter, we dive into two SAP threats: one codenamed 10KBLAZE, the other an SQL injection. Both attracted a great deal of attention because the vulnerabilities were new, simple, and posed a high threat to SAP data and systems.

 

The first example under codename 10KBLAZE is a threat that contains a chain of multiple vulnerabilities. One of them is an unauthenticated remote code execution in the SAP RFC Gateway. The second example is an SQL injection in the SAP UDDI (Universal Description, Discovery, and Integration) Service application of the SAP NetWeaver Java.

 

By exploiting these vulnerabilities, an internal or external attacker can escalate their privileges and obtain sensitive technical and business-related information stored in the vulnerable SAP system.

 

Example 1: 10KBLAZE - Remote Code Execution via SAP RFC Gateway

 

This vulnerability, also known as 10KBLAZE, is a current threat for SAP systems that has been covered by various computer magazines. It was found that vulnerable SAP applications could be compromised by a remote, unauthenticated attacker who only had network access to the system (without requiring a valid SAP user ID and password), for example through a port visible on the internet. The attacker can gain unrestricted access to SAP systems, enabling them to compromise the platform with all its information, change or extract this information, or shut down the system.

 

A presentation at the April 2019 Operation for Community Development and Empowerment (OPCDE) cybersecurity conference describes SAP systems with insecure configurations exposed to the internet. One of the sessions showed that more than 3,280 SAP Gateways were exposed to the internet on TCP ports 3300 and 3301. In addition, more than 9,209 SAP Routers and 1,981 Message Servers (port 39xx) were exposed, although these are intended for internal use only.

 

[Figure: example SAP communication diagram (example_sap_communication_diagram.png)]

 

 

The SAP Gateway (GW), the SAP Router, and the SAP Message Server (MS) were either not securely configured or deployed in an unsuitable location.

 

The SAP Gateway and the SAP Message Server are part of every SAP system and were insecurely configured in the past by many administrators for purposes of convenience. The SAP Gateway handles communication between SAP and non-SAP applications; SAP Message Server handles communication between SAP application servers and their users.

 

An SAP Router is required to provide SAP Enterprise Support access to SAP customer systems for support purposes, allowing customers to access and implement SAP notes or obtain the latest security information from SAP. In other words, the SAP Router is a program that helps to connect SAP systems with external networks. The SAP Router requires internet access and, therefore, is exposed to potential attackers.

 

In addition, Fortinet provides protection for the SAP Router and the SAP components on the network layer (the Environment Layer of the Secure Operations Map), before an attacker can reach the SAP system.

 

How 10KBLAZE compromises SAP components to gain access and control

 

There are two possibilities to attack SAP systems under this 10KBLAZE threat. Either use an upstream SAP Router or access the SAP Message Server monitor port.

 

In the first case regarding an attack via the SAP Router, a configuration vulnerability is used. This vulnerability allows the SAP Router to be used as a proxy to access the SAP system. It occurs when the SAP Router is either deployed locally on the SAP system or a system belonging to the SAP systems in the internal corporate network. In most configurations of SAP systems, the SAP Router has direct access to the SAP RFC Gateway. Under these conditions, attackers can misuse the SAP Router as a proxy. The attackers’ requests then appear to the gateway as if they were coming directly from the SAP Router and should be allowed to pass through. In this case, attackers bypass any access control lists (ACLs).

 

In the second case, attackers require access to an unprotected monitor port (39xx) of an SAP Message Server. Attackers can add a malicious system to the SAP System’s trust list—without the requirement to log in with a password or other proper authentication. The tampered trust list allows attackers to bypass the gateway ACL from their system and access the gateway directly.

 

Having exploited either one of the above vulnerabilities, further known attacks against the SAP Gateway can be carried out, for example sending operating system (OS) commands to start compromising the entire system.

 

How remote code execution works

 

The SAP RFC Gateway can execute OS commands on the server where its own OS process is running, and this is an intended functionality and not a vulnerability. One reason is the “tp” command that can be called from any other server within the SAP transport landscape. In a typical scenario, the SAP System Administrator would execute predefined remote commands only, via Transaction SM49 or SM69.


An ACL file controls the executions and validates if the program is allowed to be executed by the user from the specific user host in the request. The ACL file is the only “authentication” for the RFC Gateway. Often, the ACL file contains a very vague or a blank configuration so that an attacker can fake an internal system to bypass this ACL and execute any command they want. This scenario will lead to unauthenticated remote code execution.


The first remedy was to configure the security mechanisms that SAP implemented many years ago so that they actually fulfill their function of protecting against unauthorized access. But protection does not have to rely on the SAP systems alone. Another way to prevent future attacks is to place a firewall in front of the internet-facing SAP ports and run the corresponding intrusion detection system (IDS) and intrusion prevention system (IPS) rules, so that an attack is detected and blocked before it is passed on to SAP. An IPS/IDS also provides protection before the software vendor releases a patch for a vulnerability. Moreover, a patch does not resolve all security-related problems: often a misconfigured ACL file is what grants access to a system.
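The two paragraphs above come down to one check an SAP administrator can run themselves: does the gateway ACL contain a blank configuration or a permit rule that lets any host start or register any program? The following auditor is an added example, not code from the original article or from SAP or Fortinet. It assumes the version-2 ACL syntax (one rule per line, "P" for permit or "D" for deny, followed by KEY=VALUE pairs, with "*" as a wildcard and "internal"/"local" as host keywords); the secinfo/reginfo sample files are constructed for the demonstration.

```python
"""Audit SAP RFC Gateway ACL text (secinfo / reginfo style) for permissive rules.

Added example; the rule syntax is assumed as described in the lead-in and the
sample ACL texts below are constructed, not taken from a real system.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    line_no: int
    action: str                      # "P" (permit) or "D" (deny)
    attrs: dict = field(default_factory=dict)

    def get(self, key):
        # Assumption: a key that is absent from a rule matches everything.
        return self.attrs.get(key, "*")


def parse_acl(text):
    """Parse ACL text into Rule objects; comment (#) and blank lines are skipped."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        action = parts[0].upper()
        if action not in ("P", "D"):
            raise ValueError(f"line {n}: unknown action {parts[0]!r}")
        attrs = {}
        for tok in parts[1:]:
            if "=" not in tok:
                raise ValueError(f"line {n}: expected KEY=VALUE, got {tok!r}")
            key, value = tok.split("=", 1)
            attrs[key.upper()] = value
        rules.append(Rule(n, action, attrs))
    return rules


def _has_wildcard_host(value):
    """True if a comma-separated host list contains a bare '*' entry."""
    return any(host.strip() == "*" for host in value.split(","))


def audit_acl(text, kind="secinfo"):
    """Return (line_no, severity, message) findings for permissive permit rules.

    kind="secinfo" checks the caller host (HOST) and the user host (USER-HOST);
    kind="reginfo" checks only the registering host (HOST).
    """
    rules = parse_acl(text)
    if not rules:
        # A blank ACL is the misconfiguration the article warns about; flag it
        # instead of silently reporting a clean file.
        return [(0, "HIGH", "ACL contains no rules at all")]
    host_keys = ("HOST", "USER-HOST") if kind == "secinfo" else ("HOST",)
    findings = []
    for rule in rules:
        if rule.action != "P":
            continue
        wild = [k for k in host_keys if _has_wildcard_host(rule.get(k))]
        if not wild:
            continue
        where = ", ".join(f"{k}=*" for k in wild)
        if rule.get("TP") == "*":
            findings.append((rule.line_no, "HIGH",
                             f"any host may run or register any program ({where}, TP=*)"))
        else:
            findings.append((rule.line_no, "MEDIUM",
                             f"program {rule.get('TP')} allowed from any host ({where})"))
    return findings


# Constructed sample files.
PERMISSIVE_SECINFO = """\
#VERSION=2
P TP=* USER=* USER-HOST=* HOST=*
"""

HARDENED_SECINFO = """\
#VERSION=2
P TP=* USER=* USER-HOST=internal HOST=internal
P TP=tp USER=* USER-HOST=transporthost HOST=local
D TP=* USER=* USER-HOST=* HOST=*
"""

PERMISSIVE_REGINFO = """\
#VERSION=2
P TP=SAPXPG_DIALOG HOST=* ACCESS=*
"""

if __name__ == "__main__":
    for name, text, kind in [("permissive secinfo", PERMISSIVE_SECINFO, "secinfo"),
                             ("hardened secinfo", HARDENED_SECINFO, "secinfo"),
                             ("permissive reginfo", PERMISSIVE_REGINFO, "reginfo")]:
        print(name, "->", audit_acl(text, kind) or "no findings")
```

The auditor only looks at the host side of each permit rule, which is the part 10KBLAZE abuses: once a request appears to come from a permitted host, a wildcard TP lets it start anything. Run it over the files referenced by the gateway's gw/sec_info and gw/reg_info parameters as part of a regular configuration review.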

 

Example 2: SQL Injection Vulnerability

 

An SQL injection vulnerability means that the code builds an SQL statement from strings that an attacker can alter. The manipulated SQL statement can be used to read additional data from the database or to modify data in the database.

 

How SQL injection compromises SAP systems

 

An example is CVE-2016-2386, an SQL injection in SAP NetWeaver AS Java.

 

This vulnerability affects SAP UDDI, which is one of the most used applications in SAP deployments. SAP NetWeaver versions 7.11 to 7.50 are susceptible to this threat. To exploit the vulnerability, an attacker merely sends an HTTP query of the following type:

 

[Figure: HTTP query used in the attack (attack_http_query.png)]

 

 

The vulnerability lies in the permissionId parameter, which can carry any SQL command. When the SAP application receives the code, it executes it:

[Figure: SQL query launched by CVE-2016-2386 (sql_query_launched_by_cve_2016_2386.png)]

For example, an SAP server will execute this SQL command and return a count of rows from the BC_UDV3_EL8EM_KEY table.

 

By exploiting this vulnerability, attackers can obtain the hash of user passwords from the UME_STRINGS table. After that, they will need to get passwords from the hash, which they can achieve by:

 

  • Using a brute-force attack
  • Finding another vulnerability in the password crypto algorithm

How can we protect the SAP system from such attacks to avoid data exploits and a compromised system? Generic protection for threats such as SQL injections or cross-site scripting is a web application firewall (WAF).
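To make the mechanism behind the permissionId flaw and its remedy concrete, here is an added example that is not code from the original article or from SAP's UDDI service. It mimics the pattern described above (a request parameter pasted into a COUNT query) against a constructed SQLite table called permissions; the real table and column names are not assumed. The vulnerable lookup is shown next to a parameterized one, plus the kind of allowlist rule that a WAF or the application itself can enforce before the value reaches the database.

```python
"""Vulnerable vs. hardened handling of a permissionId lookup parameter.

Added example; the schema, rows and the allowlist pattern are constructed for
the demonstration and do not describe SAP's own implementation.
"""
import re
import sqlite3

# Positive validation rule for the parameter (assumed format for this demo):
# the sort of check a WAF applies in front of the application.
PERMISSION_ID_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def make_db():
    """Create an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE permissions (permission_id TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO permissions VALUES (?, ?)",
        [("perm-a", "alice"), ("perm-b", "bob"), ("perm-c", "carol")],
    )
    return conn


def count_vulnerable(conn, permission_id):
    """String concatenation: the parameter becomes part of the SQL grammar."""
    sql = f"SELECT COUNT(*) FROM permissions WHERE permission_id = '{permission_id}'"
    return conn.execute(sql).fetchone()[0]


def count_parameterized(conn, permission_id):
    """Bound parameter: the value is treated as data only, never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM permissions WHERE permission_id = ?"
    return conn.execute(sql, (permission_id,)).fetchone()[0]


def validate_permission_id(permission_id):
    """Reject anything outside the allowlist; return the value unchanged if valid."""
    if not PERMISSION_ID_RE.match(permission_id):
        raise ValueError("permissionId rejected: unexpected characters")
    return permission_id


def count_hardened(conn, permission_id):
    """Defense in depth: allowlist validation first, then a parameterized query."""
    return count_parameterized(conn, validate_permission_id(permission_id))


def hardened_rejects(conn, permission_id):
    """True if the hardened path refuses the value before it reaches the database."""
    try:
        count_hardened(conn, permission_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Classic tautology probe, used only to show the contrast between the paths.
    probe = "' OR '1'='1"
    print("legit value, vulnerable query  :", count_vulnerable(db, "perm-a"))   # 1
    print("probe value, vulnerable query  :", count_vulnerable(db, probe))      # 3: WHERE is always true
    print("probe value, parameterized     :", count_parameterized(db, probe))   # 0: no such id
    print("probe value, hardened rejects  :", hardened_rejects(db, probe))      # True
```

The vulnerable path returns the row count of the whole table because the quote in the input closes the string literal and the rest is parsed as SQL; the parameterized path compares the literal bytes of the input and finds nothing. The allowlist in front of it is the WAF layer the article recommends: it stops the request before any query is built, and it also catches inputs that a developer forgot to parameterize elsewhere.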

 

Expanding the SAP Threat Landscape

 

The SAP world is moving in the cloud direction and toward a new front end for end-users, SAP Fiori. Fiori is a modern, HTML5-based web interface for accessing SAP applications, and it is about to replace the traditional fat client SAP GUI. With SAP Fiori, SAP applications now have usability comparable to consumer apps. In the past, using the SAP GUI, SAP interfaces were overloaded with many functions that most users would never use. Users needed long training periods and had difficulty finding their way around in the GUI. Today, the various SAP applications offer the same range of functions, but the interfaces are clear and tidy. They are tailored to the end-user’s respective role (e.g., accounting) and only show the functions needed by the end-user. SAP Fiori creates a consistent, role-specific, and intuitive user experience across the various enterprise applications—independent of the endpoint devices used.

 

Compromised SAP System in the Cloud

 

In addition to classical on-premises solutions, SAP also offers its customers additional cloud or hybrid solutions. SAP does not limit itself to SAP HANA Enterprise Cloud (HEC) and enables operations of SAP solutions in AWS, Microsoft Azure, and Google Cloud.


As a result, SAP systems are no longer available only internally within company boundaries but can also be externally accessed. Hybrid deployments are deployments where SAP is partly available in the cloud as well as on-premises. As described in 6.5.2 below, even more emphasis must be placed on security-driven networking to avoid attacks like 10KBLAZE or the latest RECON hack.


In the future, HTTPS or similar connections coming from outside of an SAP landscape should be scanned for any known threats by using a WAF in combination with an IDS and an IPS. So far, SAP security is often not yet taken seriously enough by companies, opening doors to attackers and risking the loss of valuable data and irreparable damage to their reputation.

 

Smart Devices Connected To SAP Systems Are Exposed To Attackers

[Figure: smart electricity meter of an energy utility (evb_energy_smart_meter11.png)]

 

Companies such as energy suppliers are supported by SAP and offer more customer-friendly digital services. These include the deployment of smart electricity meters that automatically send consumption data to the utility provider, or corresponding self-service portals where customers enter the meter reading themselves or look at their consumption by the hour. In the future, such self-service portals will be based on SAP Fiori and are therefore also targets for attacks, as they can easily be reached from any internet browser. The transmission of consumption data from smart electricity meters to systems such as SAP Leonardo must also be protected against manipulation of the data.

 

 

Fortinet secures the Intelligent Enterprise running SAP—by protecting all SAP data generated by edge devices, endpoint systems, users, AI, applications, databases, third-party systems in multi-cloud environments, and on-premises.
