Penetration testing

Perfect SAP Penetration Testing: Threat Modeling

Alexander Polyakov
September 15, 2016 by
Alexander Polyakov

A penetration test is the practice of attacking an IT infrastructure to evaluate its security and determine whether malicious actions are possible. Although it's a typical task, the nature and methodology of a penetration test is largely dependent on the scope, aims, specifics of a client company, and many other factors.

Once, ERPScan team was conducting a penetration test in a large manufacturing organization. The task was not so ordinary and easy because the number of systems in the scope was huge and little time was allotted. That's why it was necessary to perform Threat Modelling before diving into the process of hacking. Here we decided to describe this case study in detail. This series of articles is intended to explain what SAP Penetration testing is.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

The first step of every successful penetration testing is Threat Modelling. At this stage, a cybersecurity professional gets an understanding of business processes of a typical manufacturing company, identifies the most critical assets and associated risks. The gathered information helps a penetration tester to decide what to focus on. Before reading this article, I also recommend learning what SAP Security is.

Analyzing Risks for manufacturing industry

Manufacturing companies are an attractive target for different kind of cyber attackers (state-sponsored hackers, hacktivists, terrorists, malicious insiders). Such companies are responsible for a great part of some countries' economy. Any interference in their work can stop processes and, as a result, deprive company and country of revenue. Just to give you an insight, in 2015, the United States exported approximately 2.6 million vehicles valued at $65 billion.

The manufacturing industry is on the radar of cyber criminals indeed. For example, the cyberattack against a steel mill in Germany [1] hit the headlines in 2015, as it has caused confirmed physical damage.

In case of cyberattack, a manufacturing company may face the following consequences:

  • Plant Sabotage/Shutdown
  • Equipment damage
  • Production Disruption (Stop or pause production)
  • Product Quality (Quality degradation)
  • Compliance violation (Such as pollution)
  • Safety violation (Death or injury)

When we know what are the most important risks for manufacturing industry, the next step is to get to know whether it is possible to cause these risks by accessing SAP systems and that exactly an attacker should exploit to cause them.

SAP systems are widely used in the Manufacturing industry, and there are even specific SAP modules for Manufacturing. Cyberattacks on SAP systems (regardless of the industry) can be critical itself, as they can lead to espionage, sabotage or fraud. However, they are even more lethal for the Manufacturing because of trust connections in SAP systems that are responsible for asset management and technology networks (e.g. plant floor).

Identifying the most important assets in SAP landscape

A typical manufacturing company's infrastructure consists of multiple business applications and industry-specific modules. Primarily, it's ERP, but there are also others. Here is an incomplete list of the applications which are most frequently can be found in typical manufacturing company:

  • Enterprise Resource Planning (ERP)
  • Manufacturing Execution system (MES)
  • Asset Lifecycle Management (ALM)
  • Manufacturing Integration (xMII)
  • Other standard systems: HR, CRM, PLM, SRM, BI/BW, SCM

Some of those systems such as xMII or ALM can be connected with Industrial Control Systems or plant floor, so a single vulnerability there may pose the risk for the entire company.

Uncovering SAP Platforms for the most critical assets

SAP systems can be based on different platforms. Basically, it's ABAP, JAVA, and HANA.

The main SAP platform is SAP NetWeaver, the enabling foundation for SAP and non-SAP applications. The first version of SAP NetWeaver saw the release in 2004. After that, SAP has introduced several new versions of the platform and new modules to extend functionality. As of today, the latest version is SAP NetWeaver 7.5 (the first release in October 2015).

One of the main parts of SAP NetWeaver is SAP NetWeaver Application Server (AS). SAP NetWeaver AS includes the application server ABAP and JAVA. As its name implies, the main programming language for SAP NetWeaver AS ABAP platform is ABAP and for SAP NetWeaver AS JAVA is JAVA programming language.

Returning to our case, the most critical application which is linked to the production network is SAP xMII (SAP xApp Manufacturing Integration and Intelligence). It is based on the JAVA platform.

SAP xMII is often used in industrial enterprises to manage and automate the processes. This module extends the functionality of SAP NetWeaver AS JAVA to use it in production. SAP xMII provides a direct connection between shop-floor systems and business operations. It ensures that all data related to manufacturing is visible in real time. SAP customers can also link their enterprise processes and master data to manufacturing processes to run their business based on a single version.

Vulnerabilities in SAP xMII are particularly hazardous because this solution is a kind of a bridge between ERP (Enterprise Resource Planning), other enterprise applications and plant floor as well as OT (Operational Technology) devices. Any vulnerability affecting SAP xMII can be used as a starting point of a multi-stage attack aiming to get control over plant devices and manufacturing systems.

A brief look at public sources indicates that there are a couple of notable vulnerabilities in the SAP xMII component (e.g. Reflected XSS vulnerability [2] and directory traversal vulnerability [3].

Sounds great, now we know what the risks are, which systems are the most important and what platform we need to analyze regarding security first of all.

The final preparation step is to find out the most important vulnerabilities in this platform, how common are them, and what versions are the most widespread. All these factors influence on chances of successfully performing a penetration test. Such analysis will show us if we need to add additional resources to the team such as researchers who will look for 0-day vulnerabilities in the platforms in case if information about those SAP systems is not available (this situation is rather common when we deal with SAP Pentesting).

How vulnerable are these platforms?

According to information from our latest SAP Cybersecurity in figures report, 3662 vulnerabilities in different SAP products were fixed in total (as for mid-2016). 548 of them affect JAVA stack and 2585 ABAP.

We have scanned the entire range of IP addresses on the Internet and revealed that an overwhelming number of SAP servers available on the Internet have version 7.3 (7.3 - 626, 7.3 EHP 1 - 851) and 7.4. So, it means that we will likely meet these versions while conducting penetration testing. These versions are more secure; there are not any old security issues of the 7.2 version. Thus, we will need to find 0-day vulnerabilities. Well, the task isn't simple anymore.

Since we are almost sure that we will need to find some new vulnerabilities, let's look at the most common types of issues patched in SAP Netweaver JAVA platform. This information, as well as other interesting details, are available in our latest SAP Cybersecurity Threat Report

From the graph above you can see that the most common vulnerability type is XSS, but we rarely exploit them during pentests as it is lame. Most probably, we will need to find information disclosure or configuration issue to break into the system.

Theoretically, such large number of the vulnerabilities in JAVA platform allows considering that conducting a penetration test is not a difficult task. In most cases, it is so; usually, it doesn't take a lot of time to break an SAP system as companies don't even implement patches for 3-years old vulnerabilities. But not this time, otherwise there would be no use to write this article. During our pentest, we faced some difficulties and uncommon tasks. So, if you want to learn more about SAP Penetration testing and its features, we strongly recommend that you read this series.

Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.

To see all new articles of the series, subscribe to our news or follow us on Twitter, Facebook, and LinkedIn.

Links

  1. https://www.wired.com/2015/01/german-steel-mill-hack-destruction/
  2. https://erpscan.com/advisories/erpscan-16-021-sap-mii-reflected-xss-vulnerability/
  3. https://erpscan.com/advisories/erpscan-16-009-sap-xmii-directory-traversal-vulnerability/
Alexander Polyakov
Alexander Polyakov

Alexander Polyakov is the founder of ERPScan and President of the EAS-SEC.org project. Recognized as an R&D professional and Entrepreneur of the year, his expertise covers the security of enterprise business-critical software like ERP, CRM, SRM and industry specific solutions for Oil and Gas, Manufacturing, Retail and Banking; as well as other verticals developed by enterprise software companies such as SAP and Oracle. He has received numerous accolades and published over 100 vulnerabilities.

Alexander has also published a book about Oracle Database security, numerous white papers, such the award winning annual "SAP Security in Figures”; plus surveys devoted to information security research in SAP.

Alexander has presented his research on SAP and ERP security at more than 50 conferences and trainings in 20+ countries in all continents. He has also held trainings for the CISOs of Fortune 2000 companies, and for SAP SE itself.

He is the author of numerous whitepapers and surveys devoted to information security research in SAP like "SAP Security in figures." Alexander was invited to speak and train at international conferences such as BlackHat, RSA, HITB and 30 others around globe as well as in internal workshops for SAP and Fortune 500 companies.