When it comes to SAP security, many companies think they just need to assign the right set of roles and authorizations to user accounts and all is well. However, a growing number of companies is beginning to understand that they also need to address SAP cyber security topics such as patch management, system hardening and custom code security in order to protect their SAP installations from attacks. But practically no one realizes that an SAP installation can itself be used as a cyber weapon against the companies and organizations that run it.
In order to understand how and why SAP can be used as a cyber weapon, it's necessary to take a closer look at some features of SAP products. The most important and most widely used SAP application servers are based on ABAP. These are NetWeaver Application Server ABAP, S/4HANA and SAP RISE installations. Practically all SAP business solutions are written in ABAP.
Let's discuss some characteristics of ABAP applications and the ABAP runtime environment.
First of all, ABAP applications are always shipped as source code, no matter whether they come from SAP, from 3rd party solution providers or from internal or external developers who write custom applications. And all of that source code is stored in the SAP database, i.e. in the same database as all business data.
ABAP itself is a very powerful language. Besides the capability to read/write arbitrary data from/to the SAP database, a couple of other commands/capabilities deserve attention:
There are built-in commands to read/write files from/to the SAP server that hosts the ABAP program. File content, file names and directories to read from / write to can be freely specified by the ABAP program.
And ABAP can do more.
SAP's proprietary client SAP GUI has the technical capability to read/write files from/to the client computers that connect to an SAP ABAP server. File content, file names and directories to read from / write to can be freely specified by an ABAP program running on the SAP server.
And ABAP can do more.
There are also built-in commands to execute arbitrary operating system commands on the SAP server hosting the ABAP program. Curiously, there are actually several technically different ways to execute such server-side OS commands.
And ABAP can do more.
SAP's proprietary client SAP GUI has the technical capability to execute arbitrary OS commands on the client computers that connect to an SAP ABAP server. And these OS commands can again be initiated from an ABAP program running on the SAP server. These commands run with the privileges of the local users.
But ABAP can do even more.
There are also commands in ABAP that allow an ABAP program to read, create, change, write, compile and execute ABAP code on the SAP server that hosts the ABAP program. Considering that the entire basis functionality and business logic of an SAP ABAP server is written in ABAP and available as source code, this feature provides (malicious) ABAP programs with the power to modify the entire installation arbitrarily. In other words: if an SAP system is infected by ABAP malware, none of its business or security functions written in ABAP can be trusted any longer.
And one more thing.
There is no way to (reliably) restrict any of the above features/powers of an ABAP program.
What does that mean?
Malware written in ABAP has the potential not only to do massive damage to all business data and to the business software itself, but could also be used to attack the operating systems of all SAP ABAP servers in the landscape as well as all computers running a connected SAP GUI client. In other words, malware written in ABAP can turn the SAP installation into a cyber weapon and attack the company's IT systems with SAP's built-in features.
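Because ABAP is always shipped as source code, a custom code review can inventory where the capabilities listed above are used. The following Python code is an added example, not part of the original article or of any SAP tool: it splits ABAP source into statements, skips comments and tags each statement with the capability class it touches. It assumes the source has been exported to plain text; the rule list is an assumed, non-exhaustive set of standard ABAP statements and function modules, and the sample program is constructed.

```python
import re

# Article's capability classes -> standard ABAP statements / APIs (assumed starter list).
RULES = {
    "server_file_io": r"\b(OPEN|READ|DELETE)\s+DATASET\b|^TRANSFER\b",
    "client_file_io": r"\bGUI_(UP|DOWN)LOAD\b",
    "server_os_command": r"\bCALL\s+'SYSTEM'|\bSXPG_(COMMAND_EXECUTE|CALL_SYSTEM)\b",
    "client_os_command": r"\bCL_GUI_FRONTEND_SERVICES\s*=>\s*EXECUTE\b|\bWS_EXECUTE\b",
    "dynamic_code": r"\bGENERATE\s+(SUBROUTINE\s+POOL|REPORT)\b|\b(INSERT|READ)\s+REPORT\b",
}

def statements(source):
    """Yield (start_line, text) for each ABAP statement with comments removed."""
    buf, start = [], None
    for no, line in enumerate(source.splitlines(), 1):
        quote = None                       # literals cannot span lines
        for ch in ("" if line.startswith("*") else line):  # '*' in column 1: comment line
            if quote:                      # inside a '...' or `...` literal
                buf.append(ch)
                quote = None if ch == quote else quote
            elif ch == '"':                # inline comment: drop the rest of the line
                break
            elif ch == ".":                # period outside a literal ends the statement
                text = " ".join("".join(buf).split())
                if text:
                    yield start, text
                buf, start = [], None
            else:
                quote = ch if ch in "'`" else None
                if start is None and not ch.isspace():
                    start = no
                buf.append(ch)
        buf.append(" ")                    # a line break counts as whitespace

def scan(source):
    """Return (line, capability, statement) for every rule hit, in source order."""
    return [(line, cap, stmt) for line, stmt in statements(source)
            for cap, pattern in RULES.items()
            if re.search(pattern, stmt, re.IGNORECASE)]

# Constructed sample, not taken from any real system.
SAMPLE = """\
* OPEN DATASET lv_old FOR INPUT.   (commented out, must not be reported)
DATA lv_file TYPE string VALUE '/tmp/out.txt'.
OPEN DATASET lv_file
  FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.  "CALL 'SYSTEM' inside a comment
GENERATE SUBROUTINE POOL lt_code NAME lv_prog.
cl_gui_frontend_services=>execute( application = lv_app ).
"""
print(*scan(SAMPLE), sep="\n")
```

The rules also match text inside string literals, so every hit is a candidate for manual review rather than a verdict.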
Since most of SAP's solutions are proprietary and the data transmission between SAP solutions is encrypted (following best practices), there is no way for conventional security software to prevent or even detect such an attack.
This is the first article in our malware series that provides you with insights into ABAP malware research, ABAP malware capabilities and ABAP malware defensive strategies.