What can happen (Typical attack vectors)
To illustrate typical attack, and architecture issues, we will provide examples of SAP ERP solution, as it’s the most widespread one installed in 85% of Fortune 2000 companies.
The risks of insecure configuration of ERP systems and other business applications are as follows.
1. Attacks via vulnerable services
Most of the ERP systems have dozens and even hundreds of services installed by default. They include typical as well as web-based services. Some of them are responsible for different administrative functions. For example, SAP Management Console, or SAPControl, allows a remote control over SAP systems. Its main functions are remote start and stop, to perform which one requires to know username and password.
Nonetheless, there are some functions, which can be used remotely without authentication. Most of them allow reading different logs and traces and sometimes system parameters.
2. Privilege escalation by insiders
When users connect to the server via a client application such as SAP GUI, they can execute different functions. If they want to execute some functionality, say, create payment order or a new user or fill up any form, they need to enter the particular transaction name in SAP menu. The system will open a dialog window where a user can specify different parameters. For instance, if users execute the transaction SU01 to create new users in the system, they will see a screen where they need to fill in all details about the newly-made user and then click on the “Create” button. If data is correct, the new user will be created in the system.
However, connecting via SAP GUI and running transactions are not the only way to perform SAP functionality. SAP systems are complex and one action can be performed by multiple ways. For example, the other ways to execute functionality in SAP system include:
- running background job using RFC (like RPC in Windows);
- calling the same function via a SOAP interface – a web-based interface to run RFC programs remotely;
- executing Web Dynpro application. Web Dynpro is a web-based frontend for SAP System that can be used if workers do not have a client application and only have a web browser.
As you can see, all of these methods require a different approach for protection.
3. Malicious developers
Programs written in ABAP language (SAP proprietary language intended to extend functionality of SAP Systems) may have vulnerabilities and, what is more important, this language can also be used for writing backdoors that can provide malicious functionality such as sending details of every transaction to a 3rd party via email or even publishing them on Twitter.
Unfortunately, development inside the company is almost uncontrolled. You can monitor the occurrence of new programs in the system and potentially find a developer but can not detect what exactly every new program is doing unless you read every single string of the source code. Thus, without using additional solutions, nobody knows what exactly developers perform in the system. There are no control measures at all, they can develop insecure code, miss adding access control checks in the program, send money to their bank accounts, and nobody will be able to find it out unless one looks at their source code. Thus, lack of control over developers makes them a kind of the god of SAP, and their actions should be analyzed.
4. Insecure connections
You have to connect different applications to automate business processes. For example, if you want to generate an invoice in SAP System automatically and send money to a particular banking account via the banking system, you need to connect ERP and Banking system. Business Application Systems are connected to each other like a spider web. In reality, there are dozens of similar connections and all of them can be critical in terms of security. For example, these connections may store usernames and passwords. Moreover, the systems are intertwined not only inside the corporate network but also with partner networks via the Internet or with other providers such as banks or insurance companies. Some of the systems are connected directly to ICS/SCADA network via particular SAP Systems such as SAP xMII (Manufacturing Integration and Intelligence) or SAP PCo (SAP Plant Connectivity).
Technically, this process is managed by RFC (Remote Function Call) and other connections between SAP Systems, which usually store credentials to access a satellite system. RFC connections are developed by SAP to transfer data between two SAP systems. ERPScan’s research has revealed that the average number of connections in a typical SAP system is about 50, and 30% of them usually store credentials. Once attackers break into the weakest SAP module, they can easily get access to connected systems, from them to others. Therefore, reviewing all kinds of connections between SAP systems is very important. For example it is possible to get access to OT infrastructure of an Oil and Gas company and steal oil using a chain of vulnerabilities and connections between systems exploiting an SAP vulnerability as a starting point.
In next article we will focus on the protection of ERP systems.