BIZEC APP/11 and BIZEC TEC/11

Welcome 

BIZEC Roundtable @ IT Defense, Berlin 

SAP Security 

BIZEC APP/11 Version 2.0 

BIZEC TEC/11 Version 2.0 

February 1, 2013 

Andreas Wiegenstein 

CTO, Virtual Forge

2 

SAP Security 

SAP security is a complex discipline. It must be addressed holistically: 

• SoD controls (user roles and profiles) are necessary, but they are not enough. 

• As covered by BIZEC APP/11, code-level security is a clear example of this. Reviewing the 

security of ABAP custom developments is critical. 

• Another weak link: The SAP technical layer (NetWeaver/BASIS). 

• Base framework in charge of critical tasks such as authentication, authorization, 

encryption, interfacing, auditing, logging, etc. 

• Can be susceptible of security vulnerabilities that, if exploited, can lead to 

espionage, sabotage and fraud attacks to the business information.

3 

BIZEC APP/11 

BIZEC APP/11 Version 2.0 

(Content and research contributed by Virtual Forge, Germany)

4 

What is BIZEC APP/11 ? 

The BIZEC APP/11 standard comprises the most critical and the most common 

security defects in SAP ABAP applications. 

Its purpose is to give companies that plan to conduct ABAP code audits 

guidance which types of security defects should be covered at minimum by an 

audit.

5 

Why (yet) another standard? 

Existing standards 

• Cover risks that don‘t exist in ABAP 

• Buffer overflows 

• Authentication issues 

• … 

• Don‘t cover risks that are specific to ABAP 

• Authorization-related risks 

• Client concept 

• … 

• Have a different scope 

• Web-specific (WASC, OWASP) 

• Generic (SANS CWE) 

Facit: Other application security standards are not applicable to ERP systems.

6 

Why we revised the APP/11 list 

• New threat profile 

• Research yielded new risks like Native SQL Injection 

• New SAP technologies mitigate certain risks 

• Substantial increase of analyzed code base 

• More than 100 Mio lines of code 

• More than 50 companies contributed code 

• More contributors 

• SAP security researchers 

• SAP experts from the industry

7 

Results of code analysis 

• Priority based on „Critical Findings“, not „Total Findings“ 

• New items: SQL Injection (Native), Direct Database Modifications, Hidden ABAP Code 

• Dropped items: File Upload (Malware), Cross-Site Request Forgery, Unmanaged SQL

8 

BIZEC Protection goals for ERP Systems (#1) 

PG-1 Confidentiality of Business Data 

• The confidentiality of business data must be protected. This is a key requirement in 

data protection laws and compliance standards, like e.g. PCI/DSS. Any read access to 

(sensitive) business data must be properly authorized. 

PG-2 Integrity of Business Data 

• The integrity of all business data must be guaranteed. This is a key requirement for 

compliance and financial audits. Any (authorized) change of business data must also 

be accountable. 

PG-3 Privileges to execute Business Logic 

• Execution of Business Logic must be protected by proper authorization controls. 

ABAP coding must duly enforce the required authorizations and must not bypass the 

authorization concept of the Business Runtime. 

Cascading effect: PG-1 and PG-2 will also be violated. 

PG-4 Accountability of the Business Logic 

• All (authorized) actions performed by the Business Logic must be accountable. ABAP 

coding must not bypass the accountability features provided by the Business 

Runtime.

9 

BIZEC Protection goals for ERP Systems (#2) 

PG-5 Integrity of the Business Logic 

• The Integrity of the business logic must be protected in order to prevent 

manipulation. ABAP coding must neither accidentally nor intentionally 

bypass/undermine security features of the Business Runtime. 

Cascading effect: PG-1, PG-2, PG-3 and PG-4 will also be violated. 

PG-6 Availability of the Business Runtime 

• The Business Runtime is the base platform for the execution of the Business Logic 

and Business Data layers. Therefore, the availability of the Business Runtime is a 

critical requirement for the overall operational health of the system. Successful DOS 

attacks to the components in this layer will result in unexpected downtimes, 

preventing the Organization's users or systems from using the entire SAP system. 

PG-7 Integrity of the Business Runtime 

• The integrity of the components in this layer must be enforced and controlled, as any 

unauthorized modification in them imply high-level risks to the confidentiality, 

integrity and availability of the information used by the Business Data and Business 

layers. 

Cascading effect: All other protection goals will also be violated.

10 

BIZEC APP/11 2012 in detail (#1) 

APP-01 ABAP Command Injection Critical 

Coding that dynamically creates and executes ABAP programs based on user input on a 

productive system, bypassing SE80 and the concept of a three-tier-system landscape. 

Violates: PG-1, PG-2, PG-3, PG-4, PG-5, PG-6, PG-7 

Exemplary SAP Note: 1589919 

APP-02 OS Command Injection Critical 

Coding that executes arbitrary (input-based) commands on the operating system, bypassing 

the allowed commands specified in SM49/SM69 and S_LOG_COM authorizations. 

Violates: PG-6, PG-7 


APP-03 Native SQL Injection Critical 

Coding that executes arbitrary (input-based) native SQL commands on the SAP database, 

bypassing any Open SQL restriction. 

Violates: PG-1, PG-2, PG-4, PG-6, PG-7 

Exemplary SAP Note: 1456569

11 


APP-04 Improper Authorization (Missing, Broken, Proprietary, Generic) Common 

Coding that does not (properly) perform authorization checks based on the SAP standard for 

critical operations. Improper Authorization includes semantically incorrect authority checks, 

generic authority checks, missing as well as proprietary authorization checks. 

Violates: PG-3 (implicitly PG-1, PG-2) 


APP-05 Directory Traversal Common 

Coding that performs server-side file/directory read/write access, where a file name or path 

is (partially) based on unvalidated user input. Such coding gives attackers read/write access 

to restricted files, e.g. OS configuration, SAP configuration and temporarily stored business 

data. 

Violates: PG-1, PG-6, PG-7 


12 


APP-06 Direct Database Modifications Common 

Coding that directly modifies (restricted SAP standard) database tables without proper 

authorizations, bypassing S_TABU_DIS, S_TABU_NAM and S_TABU_CLI authorizations. 

Violates: PG-2 

Exemplary SAP Note: not known. Problem specific to custom code. 

APP-07 Cross-Client Database Access Common 

Coding that accesses business data on a different client, bypassing the SAP client separation 

mechanism. 

Violates: PG-5 (implicitly PG-1, PG-2, PG-3, PG-4) 

Exemplary SAP Note: not known

13 


APP-08 Open SQL Injection Common 

Coding that makes use of dynamic Open SQL, where part of such a query is based on input. 

This defect enables malicious users to alter the SQL query in order to access restricted data 

without authorization. 

Violates: PG-5 (implicitly PG-1, PG-2, PG-3, PG-4) 


APP-09 Generic Module Execution Common 

Coding that allows uncontrolled execution of SAP standard business modules. The SAP 

standard provides a large number of business modules in the basis as well as the business 

suite. Execution of these business modules is restricted by SAP standard security features, 

e.g. SE37, SE38/SA38 and SE80. 

Violates: PG-3 (implicitly PG-1, PG-2) 


14 


APP-10 Cross-Site Scripting Common 

(BSP) Coding that does not properly encode data before rendering it as HTML. Cross-Site 

Scripting (XSS) attacks are targeted at users that run business applications in Web browsers. 

An XSS vulnerability compromises the security of the attacked user's client system, affecting 

any active SAP sessions. 

Violates: PG-1, PG-2, PG-3, PG-4, PG-5, PG-6, PG-7 


APP-11 Obscure ABAP Code Common 

Any coding that uses stealth techniques in order to obscure its true purpose. 

Violates: PG-4 

Exemplary SAP Note: not known. Problem specific to custom code.

15 

BIZEC TEC/11 

BIZEC TEC/11 Version 2.0 

(Content and research contributed by Onapsis, USA)

16 

BIZEC TEC/11 (2012) 

The BIZEC TEC/11 project lists the most common and critical security defects and 

threats affecting the technical layer of SAP platforms. 

• Several of the presented threats can be exploited by attackers who do not even 

have a valid SAP user in the system! 

• Because of the technical layer being the foundation of the business logic, a 

successful exploitation of several of these vulnerabilities would usually result in a 

complete compromise of the business information and processes (SAP_ALL 

privileges or equivalent). 

• Several affect both SAP ABAP and Java-based solutions. 

• The first list was presented on May 2010, and it has been updated, after two 

additional years of real-world SAP security assessments and knowledge exchange 

with other experts.

17 


The BIZEC TEC/11 

• BIZEC TEC-01: Missing SAP Security Notes 

• BIZEC TEC-02: Standard SAP Users with Default Passwords 

• BIZEC TEC-03: Dangerous SAP Web Applications 

• BIZEC TEC-04: Unsecured SAP Gateway 

• BIZEC TEC-05: Unsecured SAP/Oracle authentication 

• BIZEC TEC-06: Insecure SAP RFC interfaces 

• BIZEC TEC-07: Unsecured SAP Message Server 

• BIZEC TEC-08: Insecure SAP Administration and Monitoring Services 

• BIZEC TEC-09: Insecure SAP Network Filtering 

• BIZEC TEC-10: Insecure SAProuter Implementation 

• BIZEC TEC-11: Unencrypted SAP Communications

18 


BIZEC TEC-01: Missing SAP Security Patches 

Risk 

The SAP platform is running based on technological components whose 

versions are affected by reported security vulnerabilities and the 

respective SAP Security Notes have not been applied. 

Business Impact 

Attackers would be able to exploit reported security vulnerabilities and 

perform unauthorized activities over the business information processed 

by the affected SAP system.

19 


BIZEC TEC-01: Missing SAP Security Patches

20 


BIZEC TEC-02: Standard Users with Default Passwords 

Risk 

Users created automatically during the SAP system installation, or other 

administrative procedures, are configured with default, publicly known 

passwords. 


Attackers would be able to login to the affected SAP system using a 

standard SAP user account. As these accounts are usually highly 

privileged, the business information would be exposed to espionage, 

sabotage and fraud attacks.

21 


BIZEC TEC-03: Dangerous SAP Web Applications 

Risk 

The SAP Application Server is providing Web applications with reported 

security vulnerabilities or sensitive functionality (XSS, SQL Injection, 

Invoker Servlet detour, Verb Tampering, XXE Tunneling, etc.) 


Attackers would be able to exploit vulnerabilities in SAP Web applications, 

enabling them to perform unauthorized activities over the business 

information processed by the affected SAP system. 

Should these SAP Web Applications be accessible from untrusted 

networks, such as the Internet, the probability of attacks is highly 

increased.

23 


BIZEC TEC-04: Unsecured SAP Gateway 

Risk 

The SAP Application Server’s Gateway is not restricting the starting, 

registration and/or cancellation of external RFC servers. 


Attackers would be able to obtain full control of the SAP system. 

Furthermore, they would be able to intercept and manipulate RFC 

interfaces used for transmitting sensitive business information.

24 


BIZEC TEC-05: Unsecured SAP/Oracle authentication 

Risk 

The SAP ABAP Application Server authenticates to the Oracle database 

through the external OS authentication scheme, and the Oracle’s listener 

has not been secured. 


Attackers would be able to obtain full control of the affected SAP system’s 

database, enabling them to create, visualize, modify and/or delete any 

business information processed by the system.

25 


BIZEC TEC-06: Insecure SAP RFC interfaces 

Risk 

The SAP environment is using insecure RFC connections from systems of 

lower security-classification level to systems with higher securityclassification 

levels (i.e. from Development to Production). 


Attackers would be able to perform RFC pivoting attacks, by first 

compromising an SAP system with low security-classification and, 

subsequently, abusing existing insecure RFC interfaces to compromise 

SAP systems with higher security-classification levels.

26 


BIZEC TEC-06: Insecure SAP RFC interfaces

27 


BIZEC TEC-07: Unsecured SAP Message Server 

Risk 

The SAP System’s Message Server is not restricting the registration of 

SAP Application Servers, therefore allowing access to unauthorized 

systems. 


Attackers would be able to register malicious SAP Application Servers and 

perform man-in-the-middle attacks, being able to obtain valid user access 

credentials and sensitive business information. Attacks against the SAP 

system's user workstations would also be possible.

28 


BIZEC TEC-08: Insecure SAP Administration and Monitoring Services 

Risk 

The SAP platform is not protected against unauthorized access to 

sensitive administration or monitoring services, such as the SAP 

Management Console, the P4 interface, SDM, Solution Manager, Transport 

Management System, etc. 


Attackers would be able to access sensitive functionality of the SAP 

system, which could lead to unauthorized activities over the business 

information processed by the affected SAP system.

29 


BIZEC TEC-09: Insecure SAP Network Filtering 

Risk 

The SAP platform network is not properly isolated from untrusted 

networks, both external and internal, and intrusion detection/prevention 

systems have not been implemented. 


Attackers would be able to access administration or monitoring services 

and perform unauthorized activities over the affected SAP components, 

possibly leading to a full compromise of the SAP system. Due to the lack 

of IDS/IPS solutions, these attacks could stay undetected.

30 


BIZEC TEC-10: Insecure SAProuter Implementation 

Risk 

The SAProuter Route Permission Table is not properly configured to allow 

connections only from/to authorized systems, restricting the use of native 

protocols and/or logging features are not properly configured. 


Attackers would be able to access SAP (and possibly non-SAP) systems 

located in the Company's network.

31 


BIZEC TEC-10: Insecure SAProuter Implementation

32 


BIZEC TEC-11: Unencrypted SAP Communications 

Risk 

The confidentiality and integrity of communications in the SAP landscape 

is not enforced. These communications comprise SAP-to-SAP connections 

as well as interactions between SAP servers and external systems, such 

as user workstations and third-party systems. 


Attackers would be able to access sensitive technical and business 

information being transferred to/from the SAP environment.

33 

Thank you for your feedback 

We are looking forward to meeting you at our next event. 

Further information on BIZEC and BIZEC events: 

http://bizec.org.

34 

Disclaimer 

• SAP, ABAP and other named SAP products and services and their respective logos 

are trademarks or registered trademarks of SAP AG in Germany and other countries 

worldwide. All other names of products and services are trademarks of their 

respective companies / owners. 

• Information contained in this publication is not binding and serves information 

purposes only. All information can be changed without notice.

BIZEC APP/11 and BIZEC TEC/11 - Virtual Forge

Transform your PDFs into Flipbooks and boost your revenue!

BIZEC APP/11 and BIZEC TEC/11 - Virtual Forge

Transform your PDFs into Flipbooks and boost your revenue!

Delete template?

Save as template ?