Third-party solutions can significantly enhance business operations by providing specialized tools, applications, or services that integrate with SAP systems. However, they also introduce several cyber security risks. This blog post describes real life risks related to SAP third-party solutions.
Almost all SAP customers rely on Add-ons from a large pool of SAP Partner solutions. Some Add-ons have been in use at companies for more than a decade; others have fallen into oblivion after they fulfilled their purpose. All of them still require security updates. This is why the analysis of third-party solutions is a mandatory practice in SAP security operations.
Transparency
A prerequisite for third-party solution analysis is a current list of all installed Add-ons. Such a list is required because in SAP, the analysis of code requires knowledge of the so-called namespaces of the programs in scope. For example, solutions from CAIBERP are implemented in the namespace "/CAIBERP". Since both SAP itself and SAP partners use these "slash" namespaces, a precise list is needed to tell third-party code apart from the thousands of SAP applications living in such namespaces.
Unfortunately, not all companies have such a list at hand. But this is vital. Whenever new vulnerabilities in SAP Add-ons become known, SAP administrators should be able to immediately assess whether any of their SAP systems are affected. If they don't know that a given Add-on is installed, they can't patch it.
As a general recommendation, a list of third-party Add-ons should at the very least contain:
- The names of the solutions
- The names of the vendors as well as contact information, especially the vendor's incident response team
- The namespace of the solutions
- A list of the SAP servers where the solutions are installed along with the specific versions
- Planned End of Life, if known
- Clear steps for removing the Add-on when it reaches its End of Life
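As an added illustration, not code from the original post or from CAIBERP, the following Python sketch shows how such an inventory supports the two checks this section describes: flagging slash namespaces on a system that no inventory entry owns, and identifying affected servers when an advisory names a namespace and affected versions. All vendors, contacts, versions, object names and the advisory are constructed placeholders.

```python
# Added example, not from the original post: using an Add-on inventory to
# (1) flag slash namespaces that no inventory entry owns and (2) find the
# systems affected by an advisory. All vendors, versions and object names
# below are constructed placeholders.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class AddOn:
    name: str                     # solution name
    vendor: str                   # vendor and its incident-response contact
    namespace: str                # slash namespace, e.g. "/EXMPLA/"
    installs: Dict[str, str]      # SAP system id -> installed version
    end_of_life: Optional[str] = None   # planned End of Life, if known

# Constructed inventory of the kind the post recommends keeping.
INVENTORY: List[AddOn] = [
    AddOn("Example Tool A", "Vendor A <psirt@vendor-a.invalid>", "/EXMPLA/",
          {"PRD": "3.2", "QAS": "3.3"}),
    AddOn("Example Tool B", "Vendor B <security@vendor-b.invalid>", "/EXMPLB/",
          {"PRD": "1.0"}, end_of_life="2025-12-31"),
]

def namespace_of(obj_name: str) -> Optional[str]:
    """Slash namespace of an ABAP object name ("/EXMPLA/ZREP" -> "/EXMPLA/"), else None."""
    if obj_name.startswith("/"):
        end = obj_name.find("/", 1)
        if end > 1:
            return obj_name[: end + 1]
    return None

def unknown_namespaces(object_names: Iterable[str], inventory=INVENTORY) -> List[str]:
    """Slash namespaces found on a system but absent from the inventory: code nobody will patch."""
    known = {a.namespace for a in inventory}
    found = {ns for ns in map(namespace_of, object_names) if ns}
    return sorted(found - known)

def affected_systems(advisory: dict, inventory=INVENTORY) -> List[Tuple[str, str, str, str]]:
    """(system, add-on, version, vendor contact) for every install running an affected version."""
    hits = []
    for addon in inventory:
        if addon.namespace != advisory["namespace"]:
            continue
        for sid, version in addon.installs.items():
            if version in advisory["affected_versions"]:
                hits.append((sid, addon.name, version, addon.vendor))
    return sorted(hits)
```

The advisory is passed as a plain dict with the keys "namespace" and "affected_versions"; on a real system the object names would come from the repository object list of each server.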
Proactivity
When new third-party solutions are to be acquired, they should be subjected to a cyber risk assessment prior to their productive use. While third-party solutions might be certified by SAP, this certification does not mean they are secure. We have seen too many of them.
As a general recommendation, SAP Add-ons should be analyzed at least for:
- Critical ABAP cyber security vulnerabilities, such as Command Injections
- Common ABAP compliance issues, such as hard-coded passwords
- Backdoors, such as automated remote updates
- Design Risks, such as inbound connections
Due Care
In case security issues are found, coordination with third parties can be complex, potentially delaying response times or complicating recovery efforts. Not all vendors respond positively to vulnerability reports. Some even argue that the reported vulnerabilities are not vulnerabilities at all, or promote them as "features". Others point out that fixing vulnerabilities is not covered by the Service Level Agreement. Ideally, the security company or test team that found such vulnerabilities should engage in the responsible disclosure process with the vendor, as this can involve lengthy technical discussions.
As a general recommendation, contracts with third-party solution providers should at least cover:
- Commitment by the third-party to fix issues in a timely manner
- Clear steps for how potential issues are to be reported
- A time frame within which corresponding patches are to be provided
- A contact for such security incidents
Soundness
Addressing potential Supply Chain Attacks requires further work. After the initial deployment, vendors frequently provide their customers with updates, upgrades or patches, and most companies import the corresponding transports on one of their systems, test them and roll them out. But if the vendor gets hacked and its software is infected with malware, that malware becomes active immediately upon installation and starts its destructive work. Therefore, external ABAP transports should be inspected for malware before they are imported, or installed on a completely isolated sandbox system and thoroughly inspected from an isolated client.
As a general recommendation, all updates, upgrades or patches from third-party solution providers should:
- Be transferred through a secure channel
- Be checked for the presence of ABAP malware before installation, or
- Be tested in a completely isolated sandbox environment
Since our solution Relevan-C also scans third-party code, CAIBERP is in contact with a number of vendors to track the status of their currently open issues.
Statistics
To give the reader a brief overview of our vulnerability database:
43 vulnerable SAP Add-ons are listed, including two solutions from security companies.
The most common types of issues are:
- ABAP Command Injection
- Hard-coded User Accounts or Passwords
- Generic Read Access to Database Tables
- Poor Cryptographic Functions
- Directory Traversal
- OS Command Execution
This is the first article in our SAP Add-on series that provides you with insights into risks related to running third-party solutions as well as defensive strategies.
If you'd like to know more about SAP Add-on risks, please contact us. Understanding these risks helps in making informed decisions about which third-party solutions to adopt and how to manage them securely.