From On-Premises to Cloud: A Comprehensive Analysis of SAP Security Issues

Duration: 45 min
Start: 2:45 pm
Address: 28 avenue George V 75008 Paris

The SAP landscape is complex and highly customized, with numerous systems such as SAP HANA, SAP Solman, SAP Cloud Connector, and SAP ME. Many companies use cloud solutions provided by SAP, such as Cloud SAP HANA and SAP BTP, which can exchange data with on-premise solutions. A vulnerability or misconfiguration in any of these systems can potentially lead to a compromise of the entire landscape.

In this research, we will discuss the various combinations of security issues and misconfigurations that we discovered last year, which can be exploited by remote attackers or insider users to fully compromise the SAP landscape, both on-premises and in the cloud. We will examine how vulnerabilities and misconfigurations in areas such as password storage and access controls can be exploited to gain unauthorized access to systems and sensitive data. By understanding these vulnerabilities and misconfigurations, companies can take action to improve their security and protect against successful attacks on their SAP landscape.

During this research, we will examine several security issues that can potentially be exploited to compromise the SAP landscape. These issues include:

  • Remote Command Execution on SAP ME (CVE-2022-39802): This vulnerability allows attackers to execute arbitrary commands on SAP ME systems, potentially allowing them to gain unauthorized access to sensitive data and disrupt critical business operations.
  • SAP LPE using SAP HostControl: This issue involves a privilege escalation vulnerability in SAP HostControl that allows an attacker to gain higher privileges on the system (the SYSTEM user on Windows machines), potentially allowing them to access sensitive data or perform unauthorized actions.
  • Decrypting passwords from the SAP Cloud Connector SSFS via an exported function of a shared library: This allows an attacker to decrypt passwords stored in the system without deep knowledge of the encryption algorithms and keys used.
  • SAP LPE using incorrect S_DEVELOP, S_TRANSPRT, etc., roles on production: This issue involves a privilege escalation when an incorrect role is assigned to a user. It allows the user to gain higher privileges on the system, potentially allowing them to access sensitive data or execute commands on the system.

Attack Vector #1

These combinations of vulnerabilities and misconfigurations were discovered during a security assessment at a real company: CVE-2022-39802 is a directory traversal vulnerability that allows an attacker to read any file on the system. By exploiting this vulnerability, it is possible to read the SAP secure storage and decrypt it to obtain the SAP admin username and password. These credentials can then be used to deploy a malicious application containing a web shell, allowing the attacker to execute commands on the system.
Using the SAP HostControl vulnerability (CVE-2023-0012), it is possible to gain SYSTEM user permissions. To access other SAP systems in the landscape, it may be necessary to bypass Microsoft Defender AV. The method for bypassing this antivirus will be demonstrated during the presentation.
Once access has been gained to the SAP CC server via SSH, it is possible to dump the LSASS process and extract credentials. The SAP CC has an SSFS (Secure Storage File System) that contains sensitive information, such as the

  1. SCIM SERVICE USER PASSWORD
  2. LDAP SERVICE USER PASSWORD
  3. JAVA KEYSTORE PASSWORD
  4. KERBEROS KEYTAB

All of them are stored in encrypted form. By analyzing the libraries in depth, it is possible to find a shared library with an exported function that can be called to obtain this sensitive information in decrypted form.
With this information, it is possible to create an admin user in the SAP cloud using the SCIM service user, giving access to the SAP Cloud landscape.

Attack Vector #2

There are numerous roles in SAP ABAP, and best practice recommendations for segregation of duties (SOD) suggest that users on production servers should not have roles such as S_DEVELOP and S_TRANSPRT. But, with a decade of experience in SAP audit, we can confidently state that almost every company has a user with the S_DEVELOP and S_TRANSPRT roles. In some cases, SAP administrators restrict these roles in order to prevent the execution of critical transactions.
However, users with the S_DEVELOP and S_TRANSPRT roles can bypass these limitations and execute critical transactions with the highest-privilege SAP_ALL role. This scenario will be demonstrated during the presentation, highlighting the importance of properly configuring SAP roles and enforcing SOD to prevent unauthorized access to critical transactions.
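As an added illustration (not part of the original abstract), the SOD check an auditor would run for this scenario: flag production users whose combined roles grant change authority (ACTVT 01/02) on both S_DEVELOP and S_TRANSPRT, evaluated on authorization objects rather than on S_TCODE, so that removing SE38/SE80 from a role does not clear the finding. The role and user names, and the export rows, are constructed for the example.

```python
"""SOD audit: flag users holding S_DEVELOP and S_TRANSPRT change authority."""
from collections import defaultdict

# Constructed rows in the shape of a role-authorization export:
# (role, object, field, value). Role names are made up.
ROLE_AUTHS = [
    ("Z_DEV_PROD",  "S_DEVELOP",  "OBJTYPE", "*"),
    ("Z_DEV_PROD",  "S_DEVELOP",  "ACTVT",   "02"),
    ("Z_DEV_PROD",  "S_TRANSPRT", "TTYPE",   "*"),
    ("Z_DEV_PROD",  "S_TRANSPRT", "ACTVT",   "02"),
    ("Z_DEV_PROD",  "S_TCODE",    "TCD",     "SE16"),  # SE38/SE80 deliberately absent
    ("Z_DISPLAY",   "S_DEVELOP",  "OBJTYPE", "PROG"),
    ("Z_DISPLAY",   "S_DEVELOP",  "ACTVT",   "03"),    # display only
    ("Z_DEV_ONLY",  "S_DEVELOP",  "OBJTYPE", "PROG"),
    ("Z_DEV_ONLY",  "S_DEVELOP",  "ACTVT",   "02"),
    ("Z_TRANSPORT", "S_TRANSPRT", "TTYPE",   "TASK"),
    ("Z_TRANSPORT", "S_TRANSPRT", "ACTVT",   "02"),
]
# Constructed user-to-role assignments (shape of an AGR_USERS export).
USER_ROLES = [("DEV1", "Z_DEV_PROD"), ("AUDIT1", "Z_DISPLAY"),
              ("BASIS1", "Z_TRANSPORT"), ("CHAIN1", "Z_DISPLAY"),
              ("CHAIN1", "Z_TRANSPORT"), ("SPLIT1", "Z_DEV_ONLY"),
              ("SPLIT1", "Z_TRANSPORT")]

CHANGE_ACTVT = {"01", "02", "*"}  # create, change, or wildcard = change authority


def effective_values(user, roles_by_user, auths_by_role):
    """Union of (object, field) -> values over all roles assigned to the user."""
    eff = defaultdict(set)
    for role in roles_by_user.get(user, ()):
        for obj, field, value in auths_by_role.get(role, ()):
            eff[(obj, field)].add(value)
    return eff


def find_sod_violations(role_auths, user_roles):
    """Return {user: reason} for users with change authority on both objects.
    Authority is accumulated across roles, so a split between a developer role
    and a transport role is still reported."""
    auths_by_role, roles_by_user = defaultdict(list), defaultdict(list)
    for role, obj, field, value in role_auths:
        auths_by_role[role].append((obj, field, value))
    for user, role in user_roles:
        roles_by_user[user].append(role)
    findings = {}
    for user in roles_by_user:
        eff = effective_values(user, roles_by_user, auths_by_role)
        dev = eff[("S_DEVELOP", "ACTVT")] & CHANGE_ACTVT
        trp = eff[("S_TRANSPRT", "ACTVT")] & CHANGE_ACTVT
        if dev and trp:
            findings[user] = f"S_DEVELOP ACTVT={sorted(dev)}, S_TRANSPRT ACTVT={sorted(trp)}"
    return findings
```

Run against a real export, the same function reads the authorization rows of the roles actually assigned on the production client; CHAIN1 is not reported because its S_DEVELOP authority is display only.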