13 real ways to destroy business by breaking company’s SAP applications

Invest in security to secure investments

13 Real ways to destroy business by breaking company’s SAP Applica<ons and a guide to avoid them Alexander Polyakov CTO ERPScan, President EAS-‐SEC

13 Real ways to destroy business by breaking company’s SAP Applica<ons and a guide to avoid them

About ERPScan

•  The only 360-‐degree SAP Security solu<on -‐ ERPScan Security Monitoring Suite for SAP

•  Leader by the number of acknowledgements from SAP ( 150+ ) •  60+ presenta<ons key security conferences worldwide •  25 Awards and nomina<ons •  Research team -‐ 20 experts with experience in different areas

of security •  Headquarters in Palo Alto (US) and Amsterdam (EU)

2

SAP

•  Most of my work has focused on SAP Security •  Things that will be discussed can be applied to every system •  Since I enjoy a closer familiarity with SAP, most examples will be

SAP relevant. •  Then again all ideas, aTacks, risks can be applied to every

system •  This talk is not really a faulUinding exercise with SAP, as can be

easily misperceived. •  This talk is about the ‘need to know’ things, ones you can’t

afford to ignore aXer implementa<on of any business applica<on processing cri<cal data

•  So, let’s go!

3

Big companies

•  Oil and Gas •  Manufacturing •  Logis<cs •  Finance •  Nuclear Power •  Retail •  Telecommunica<on •  etc.

4

Business Applica<ons

•  Business applica<ons can make your life easier •  The need to harness them to op<mize business-‐processes •  Scope for enormous reduc<ons in resource overheads and

other direct monetary benefits. •  Poten<al problems that one can’t disregard •  The need to consider security, can it be overstated! •  Why is it REAL and Existent Risk?

5

•  Espionage –  TheX of Financial Informa<on –  Corporate Secret and informa<on theX –  Supplier and Customer list theX –  HR data theX

•  Sabotage –  Denial of service –  Tampering with financial records –  Access to technology network (SCADA) by trust rela<ons

•  Fraud –  False transac<ons – Modifica<on of master data

6

What can happen

•  Risk: credit card data theN •  Affects: Companies storing and processing PCI data: Banks,

Processing, Merchants, Payment Gateways, Retail. •  Type: Espionage •  Module: SD ( Sales and Distribu<on) – part of ERP •  ATacker can get access to tables that store credit card data.

There are mul<ple tables in SAP where this data is stored. Tables such as VCKUN, VCNUM ,CCARDEC and also about 50 other tables. Credit card data theX is a direct monetary and reputa<on loss.

7

Risk 1: Stealing credit card data

•  There are mul<ple ways how an aTacker can access the CC Data •  Even if it’s encrypted you can:

–  use FM to decrypt it -‐ CCARD_DENVELOPE –  Use Report to get decrypted –  Or use another report to find some info RV20A003

•  DEMO •  Solu<on: Configura<on checks, Patch Management, Access

Control, Code scanning •  Defense

–  Decryp<on of credit card data in SD -‐ notes 766703 –  Decryp<on of credit card data for the whole ERP -‐ note 1032588 –  Credit Card data in report RV20A003 -‐ note 836079

8


9


•  Risk: Compromising compe<tor’s bidding informa<on •  Affects: Companies using SRM for bidding •  Type: Espionage •  Module: SRM •  Compe1tors intelligence (Espionage) •  Access to the SAP SRM systems is available through the Internet

and could give unfair compe<tors an opportunity to access privileged pricing informa<on and allow them to propose compe<<ve pricing, thus helping in wining a tender by unfair means.

10

Risk 2: Compe<<ve intelligence

•  SAP Cfolders applica<on for document exchange is a part of SRM and has some vulnerabili<es and unsecure configura<on problems, which could help in availing access to official pricing informa<on.

•  This means that the compe<tor’s documents could be completely removed from the systems, or the informa<on might be manipulated to win a tender.

•  This aTack was successfully simulated during penetra<on tests. •  Some program vulnerabili<es allow aTacker to do that:

–  hTp://erpscan.com/advisories/dsecrg-‐09-‐014-‐sap-‐cfolders-‐mul<ple-‐stored-‐xss-‐vulnerabilies/ –  hTp://erpscan.com/advisories/dsecrg-‐09-‐021-‐sap-‐cfolders-‐mul<ple-‐linked-‐xss-‐vulnerabili<es/

•  Defense: SAP Notes 1284360 ,1292875

11

Risk 2: Compe<<ve intelligence

•  Risk: Crea<ng defects in products inten<onally (Sabotage) •  Affects: Manufacturing sector such as Avia<on, Aerospace

Automo<ve, Transporta<on, Consumer Products, Electronics, Semiconductor, Industrial Machinery and Equipment

•  Type: Sabotage •  Module: SAP PLM •  Access to SAP PLM systems could cause unauthorized changes

in product crea<on schema<cs, because usually SAP PLM is integrated into CAD. This means that only one small change could result in produc<on of a defec<ve batch of products, causing serious financial and reputa<onal losses and some<mes even casual<es.

12

Risk 3: Crea<ng defects in products inten<onally

•  FDA recalled the whole produc<on batch of 1200 tracheostomical devices because of three deaths which were caused by technical problems

•  IKEA had to recall the en<re batch of 10000 beds with steel rods, claiming it to be a designer’s mistake [8], that had caused physical trauma to kids.

•  Toyota was obligated to recall 3 large batches of passenger cars totaling up to 500000 each <me because of wide ranging construc<on problems, with airbags, throTle and other parts of the car not working properly.[9]

•  USA sta<s<cs from FDA [10] tells us about such recalls occurring frequently. The same situa<on can also be observed with consumer products

The financial losses, caused by different traumas is about one trillion dollars per year. * those examples are not caused by misusing SAP!

13

Risk 3: Crea<ng defects in products inten<onally

•  Risk: Salary data: unauthorized modifica<ons •  Affects: Every company •  Type: Fraud •  Module: HCM •  Access to the SAP HR system also allows insiders to manipulate

the wage amounts. Since the direct change can be easily detected, the risk lies in the manipula<on poten<al of number of addi<onal working hours to be processed, which affects the amount payable as wages. In such a case, the fraud is extremely difficult to detect.

14

Risk 4: Salary data unauthorized modifica<ons

•  User can find out a colleague’s salary details (PA30 transac<on)-‐> Demo<va<on

•  Also, aTacker may do this by direct table PA0008, PA0014, PA0015 access

•  DEMO (PA30)

15


•  User can modify own salary –  Transac<on PA30 Is responsible for salary access –  ATacker can change number of hours by using this transac<on

•  DEMO

16


•  Risk: Delayed Salary payout (Sabotage) •  Affects: Every company •  Type: Sabotage •  Module: HCM •  Denial of service on the HR system, for e.g. on a payday could

lead to holding up of salary payouts resul<ng in employee disgruntlement, thereby nega<vely impac<ng produc<vity. The implementa<on of this aTack with a certain periodicity in case of a difficult economic situa<on for the company or the geopoli<cal situa<on could even poten<ally lead to work strikes

17

Risk 5: Delayed Salary payout (Sabotage)

•  2% (~60) of vulnerabili<es in SAP can be exploited for DOS aTacks –  Most of services are vulnerable:

•  SAP Gateway •  SAP Message Server •  SAP Router •  SAP Dispatcher •  SAP MMC •  SAP Portal

•  Some<mes you do not need a vulnerability •  You can execute some heavy func<onality

18

Risk 5: Delayed Salary payout (Sabotage)

•  Risk: Falsifica<on of business-‐cri<cal data to allocate more than needed or simply unneeded expenditure.

•  Affects: Every company with asset management •  Type: Sabotage/Fraud •  Module: EAS •  If an aTacker can get access to these systems he can modify

data about some equipment condi<ons in different ways. For example, he may change data passing from CMB (Condi<on Based Maintenance ) in such way that there is a need to replace different elements of facili<es. Such an act will thus force the company to spend money and <me on new equipment when it is not needed.

19

Risk 6: Falsifica<on of business-‐cri<cal data

•  For beTer op<miza<on of Business Processes EAM systems some<mes are integrated with CBM where the state of the equipment is observed and monitored con<nually on a real-‐<me basis.

•  Devia<ons from a standard range or tolerance will cause some form of alarm and iden<fica<on of the need for a maintenance interven<on.

•  So, if an aTacker can get access to those systems he can modify data about some equipment health in different ways.

•  ATack on EAM, ATack on CBM, ATack between systems.

20

Risk 6: Falsifica<on of business-‐cri<cal data

•  Risk: Industrial sabotage and Disaster •  Affects: Every company with ICS/Technology network. Oil and

Gas, U<li<es, Manufacturing •  Type: Sabotage/Fraud •  Module: SAP EAM / SAP XMII •  SAP EAM system can have technical connec<ons to facility

managements systems thus, by breaking into EAM system it may be possible to hack facility management/SCADA/Smart Home/Smart Grid systems as well. So, if hacker can get access to SAP EAM he can more easily get access to facility management and industrial systems and he can actually change some cri<cal parameters like heat or pressure which can lead to disaster and poten<al loss of life.

21

Risk 7: Industrial Sabotage

•  Usually technology systems are not secure and based on obsolete opera<on systems and the only security for them is firewall, which totally isolates them from corporate network

•  except for those systems with which there should be connec<on for data transfer such as SAP EAM.

•  How they aTack: –  RFC Connec<ons –  Shared Database or other resource –  Same passwords for OS/DB/Applica<on –  Same domain –  Simply exploit ICS vulnerabili<es

22

Risk 7: Industrial Sabotage

•  Risk: Unauthorized tampering with Financial Reports •  Affects: Every company with Business Objects BI •  Type: Sabotage •  Module: SAP BI

–  Financial reports: unauthorized data modifica1on -‐ divert the aTen<on of management causing problems with the auditors and leading to drying up of investment return on projects.

–  Tangible and intangible resources unauthorized data modifica1on -‐improper es<mates from the incorrect data on the spending of resources and workload of employees. This could lead to the misuse of funds and cause direct and indirect losses.

–  Sales reports unauthorized data modifica1on -‐ wrong conclusions about pricing strategy and policies

23

Risk 8: Modifica<on of reports

•  SAP BI system is based on SAP Business Objects plaaorm •  Around 80 vulnerabili<es were found in this plaaorm •  The number of vulnerabili<es is growing

24

Risk 8: Modifica<on of reports

•  Risk: Illegal updated upload •  Affects: Every company •  Type: Sabotage/Fraud •  Module: Solu<on Manager •  SAP Solu<on Manager is a plaUorm which allows SAP Basis team

to remotely control, monitor, and update other SAP Solu<ons. Thus, by obtaining access to Solu<on Manager it is possible to upload any backdoor code on each SAP System in disguised as a legal update.

25

Risk 9: Remote Illegal updates upload

•  What's more dangerous is that aTack can be exploited –  Remotely (Via SAP Router) –  Almost without any trace

•  SAP Router is used to obtain updates from SAP before sending them to SAP Solu<on Manager

•  ATacker can exploit SAP Router’s Heap overflow issue –  hTp://erpscan.com/advisories/dsecrg-‐13-‐013-‐saprouter-‐heap-‐overflow/

•  AXer that, he can change updates on a fly •  There is no way to iden<fy this aTack •  Defense: SAP Security note 1820666

26

Risk 9: Remote Illegal updates upload

•  Risk: Customer Portal denial of service •  Affects: Every company with public portal on SAP •  Type: Sabotage •  Module: SAP Enterprise portal •  Denial of service vulnerabili<es in SAP EP which can be exposed

to internet can lead to down<me with portal opera<ons. If it is a customer portal, company may have huge monetary and reputa<on losses. Such aTack was performed against Nvidia company.

27

Risk 10: Portal Denial of service

•  SAP Portal has about 600 Vulnerabili<es (In PlaUorm and Applica<ons)

•  Some of them can be exploited without any authen<ca<on •  Most cri<cal issues such as Verb Tampering can also be used to

obtain full control on a system –  Create users –  Assign roles –  Execute OS commands

28

Risk 10: Portal Denial of service

•  Risk: Access to company’s internal resources •  Affec<ng: Every company with public portal on SAP •  Type: Espionage •  Module: SAP Enterprise portal •  Different vulnerabili<es in SAP EP which can be exposed to

internet can lead to unauthorized access not only to SAP Portal itself but also to internal resources of company.

29

Risk 11: Aback from Internet

•  SAP Portal usually can be accessed via Internet •  More than 1000 SAP Portals exist in Internet •  Using vulnerabili<es in portal aTacker can

–  Use Single-‐Sign-‐On and login into any internal system –  ATack internal systems using SSRF vulnerability –  Search for passwords stored in Portal KM

30

Risk 11: Aback from Internet

•  Risk: misappropria<on of material resources •  Affects: Every company with Warehouse, Or natural resources

mining •  Type: Insider Fraud •  Module: MM(Material Management) – part of ECC •  ATacker can manipulate data about quan<ty of material

resources in stock or delivery, pilfer from warehouses at <mes in collusion with the very employees entrusted with the stock taking responsibili<es.

31

Risk 12: misappropria<on of material resources

•  Exploit by direct table access •  Not so hard if you can google for it

32

Risk 12: misappropria<on of material resources

•  Risk: Changing bank account data •  Affects: Every company •  Type: Insider Fraud •  Module: ERP •  ATacker can manipulate data about bank Account number of

any company in database and transfer money to a chosen account number.

33

Risk 13: Changing bank account data

•  3000+ Vulnerabili<es in all SAP Products •  2368 Vulnerabili<es were found in SAP NetWeaver ABAP based

systems •  1050 Vulnerabili<es were found in basic components which are

the same for every system •  About 350 Vulnerabili<es were found in ECC modules.

34

1 1 13 10 10 27 14 77

130

833 731

641

364

161

322

0

200

400

600

800

1000

2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014

SAP Vulnerabili<es

35

Public examples

36

SAP Abacks

•  Price of vulnerability is low •  Patching is nightmare •  Crea<on of exploit is easy •  Interconnec<on is high •  Availability via internet

37

36%

23%

19%

11%

6% 5%

NetWeaver ABAP versions by popularity

7.0 EHP 0 (Nov 2005)

7.0 EHP 2 (Apr 2010)

7.0 EHP 1 (Oct 2008)

7.3 (Jun 2011)

6.2 (Dec 2003)

6.4 (Mar 2004)

0

5

10

15

20

25

30

35

SAP HostControl SAP Dispatcher SAP MMC SAP Message Server hTpd

SAP Message Server

SAP Router

Exposed services 2011 Exposed services 2013

Ease of development

Defense

•  EAS-‐SEC: Recourse which combines –  Guidelines for assessing enterprise applica<on security –  Guidelines for assessing custom code –  Surveys about enterprise applica<on security

38

1.  Lack of patch management 2.  Default passwords 3.  Unnecessary enabled func<onality 4.  Remotely enabled administra<ve services 5.  Insecure configura<on 6.  Unencrypted communica<ons 7.  Internal access control and SoD 8.  Insecure trust rela<ons 9.  Monitoring of security events hTp://erpscan.com/publica<ons/the-‐sap-‐netweaver-‐abap-‐plaUorm-‐vulnerability-‐assessment-‐guide/

39

EAS-‐SEC Guidelines

•  Cri<cal networks are complex •  System is as secure as its most insecure component •  Holis<c approach •  Check eas-‐sec.org

40

Conclusion

Software

13 real ways to destroy business by breaking company’s SAP applications