A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
March 12th, 2013
BIZEC Workshop
Mariano Nunez [email protected]
@marianonunezdc
Juan Perez-Etchegoyen [email protected]
@jp_pereze
2 www.onapsis.com – © 2013 Onapsis, Inc. – All rights reserved
Disclaimer
This publication is copyright 2013 Onapsis Inc. – All rights reserved.
This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP
NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and
services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in
several other countries all over the world.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions,
Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are
trademarks or registered trademarks of Business Objects in the United States and/or other countries.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its content,
and SAP Group shall not be liable for errors or omissions with respect to the materials.
A Cyber-criminal & SAP systems
● If an attacker is after an SAP system, he is probably looking to perform:
ESPIONAGE: Obtain customers/vendors/human resources data, financial planning information, balances, profits, sales information, manufacturing recipes, etc.
SABOTAGE: Paralyze the operation of the organization by shutting down the SAP system, disrupting interfaces with other systems and deleting critical information, etc.
FRAUD: Modify financial information, tamper sales and purchase orders, create new vendors, modify vendor bank account numbers, etc.
What is his goal?
The SAP Production System (figure: business processes running on it – Sales, Production, Financial Planning, Invoicing, Procurement, Treasury, Logistics, Payroll, Billing, Human Resources)
Where an attacker would probably hit…
• SAP systems are built upon several layers.
• Segregation of Duties (SoD) controls apply at the Business Logic
layer.
• The SAP Application Layer (NetWeaver/BASIS) is common to most
modern SAP solutions, serving as the base technological framework.
(figure: layered SAP stack – the SAP Solution consists of the SAP Business Logic on top of the SAP Application Layer; the Base Infrastructure consists of the Database and the Operating System)
On October 30th 2012, Anonymous
claimed intent to exploit SAP systems
They claimed to have broken into the Greek Ministry of Finance
(to be confirmed) and mentioned:
"We have new guns in our arsenal. A sweet 0day
SAP exploit is in our hands and oh boy we're gonna
sploit the hell out of it."
So we know that the SAP Application
Layer is the weak spot and where the
attacker will hit.
But… which system will he attack first?
QAS?
DEV?
Why attack DEV?
● Production systems usually fall under the scope of
internal/external audits, so they are more “secure”.
● Development systems are not considered security-
sensitive.
● Access controls and security settings are relaxed, so there are high chances of
exploiting SAP application-layer vulnerabilities.
● No Security Auditing features are enabled, so there are low chances of being detected.
● They usually have explicit and implicit relationships with
target systems, so they are the perfect “pivot”.
DEV – Explicit Relationships
● Injection of backdoors / rootkits in ABAP programs that get to
PRD.
● Abuse of insecure RFC destinations.
DEV – Implicit Relationships
● Password Cracking & Shared Passwords
● SAP administrators' passwords tend to be the same
across several systems.
● Once inside DEV, he would:
1. Access the USR02 table
2. Obtain the password hashes for users with SAP_ALL
privileges
3. Crack the password hashes with John the Ripper
4. Log in to SAP PRD simply using SAPGUI!
Securing PRD Holistically
● Regular audits focus on:
● The Production System:
● Production Client
● Central Instance
● But... what about the “other” clients?
(figure: the Production Client 400 alongside the Default Clients 000, 001 and 066)
Securing PRD Holistically
● And... what about the “other” instances?
(figure: PRD with its Central Instance CI and three Dialog Instances D)
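As an added example, not part of the slides or of any Onapsis tooling, the scoping argument from the DEV-relationship, client and instance slides can be made mechanical: given a landscape inventory, walk the explicit (transport route, RFC destination with stored logon data) and implicit (shared administrator password) trust relationships backwards from PRD and list every system, default client and dialog instance an audit of PRD must cover. System IDs, client numbers, instance names and trust edges are constructed sample values.

```python
from collections import deque

# Constructed sample landscape, not real customer data. Per system: clients
# present (000/001/066 are SAP default clients), instances ("CI" plus dialog
# instances) and whether the Security Audit Log is switched on.
LANDSCAPE = {
    "DEV": {"clients": ("000", "001", "066", "100"), "instances": ("CI",), "audit_log": False},
    "QAS": {"clients": ("000", "001", "066", "200"), "instances": ("CI", "D01"), "audit_log": False},
    "PRD": {"clients": ("000", "001", "066", "400"), "instances": ("CI", "D01", "D02"), "audit_log": True},
}
# Trust edges (src, dst, kind): explicit ones from the transport route and an
# RFC destination with stored logon data, an implicit one from a shared admin password.
TRUST_EDGES = [
    ("DEV", "QAS", "transport"),
    ("QAS", "PRD", "transport"),
    ("DEV", "PRD", "rfc_stored_logon"),
    ("DEV", "PRD", "shared_admin_password"),
]
DEFAULT_CLIENTS = {"000", "001", "066"}

def pivots_into(target, edges):
    """Walk trust edges backwards from target. Returns {sid: shortest path of
    edge kinds} for every system that could serve as a pivot into it."""
    inbound = {}
    for src, dst, kind in edges:
        inbound.setdefault(dst, []).append((src, kind))
    paths, queue = {}, deque([(target, [])])
    while queue:
        node, path = queue.popleft()
        for src, kind in inbound.get(node, []):
            if src not in paths:  # first visit in BFS order = shortest path
                paths[src] = [kind] + path
                queue.append((src, paths[src]))
    return paths

def audit_scope(landscape, edges, target="PRD"):
    """Systems that belong in a holistic audit of target, with the findings a
    PRD-only, production-client-only, CI-only review would have missed."""
    pivots = pivots_into(target, edges)
    scope, findings = [target] + sorted(pivots), []
    for sid in scope:
        s = landscape[sid]
        if sid != target:
            findings.append(f"{sid} reaches {target} via {' -> '.join(pivots[sid])}")
        if not s["audit_log"]:
            findings.append(f"{sid}: Security Audit Log disabled")
        findings += [f"{sid}: default client {c} in scope" for c in sorted(DEFAULT_CLIENTS & set(s["clients"]))]
        findings += [f"{sid}: dialog instance {i} in scope" for i in s["instances"] if i != "CI"]
    return scope, findings
```

Running `audit_scope(LANDSCAPE, TRUST_EDGES)` on the sample puts DEV and QAS into scope next to PRD and reports the unaudited DEV, the default clients and the dialog instances that a PRD-central-instance-only review would skip.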
Conclusions
● Real-world attackers would likely not target the Production system
directly, but rather go after the weakest link in the chain.
● Even “compliant” and “secure” Production systems can be
compromised if the security of the platform has not been thought
holistically.
● In order to do so, we have to think like a potential attacker and mitigate
the vulnerabilities with the highest risk (easiest to exploit & resulting in
high privileges).
● Holistic security at the SAP Application Layer involves every
landscape, every system and every instance and client.
Questions?
Stay tuned!
@onapsis
@marianonunezdc
@jp_pereze