Attacking SAP through the Supply Chain

June 17, 2026

Category: Third-Party Solutions

Read time: 3 min

The situation with vulnerable SAP add-ons continues to be alarming. We see this in every customer project. This blog post is a brief preview of the talk we will give at this year’s Area41 conference.

Our statistical analysis of vulnerabilities in third-party solutions clearly shows that ABAP security is not a key competence of solution vendors. While many don’t seem to perform any kind of code analysis or scan prior to new releases, others rely fully on the capabilities of their scanner. However, static code analysis is highly challenging. We already discussed why scanners have inherent blind spots in our blog post “ABAP code scanners: True shields or false confidence?”. Unfortunately, blind spots in scanners cause security risks at two ends: third-party vendors can’t find all security risks in the new release they are about to ship, and their customers can’t catch them either if they rely only on scanners. These blind spots are not only related to accidental coding mistakes like command injections, but especially to backdoors and malware, as already discussed in our article “Third-party solutions: from bugs to backdoors”.

Based on our statistics, we must conclude that with few exceptions practically all companies running SAP would not spot malware or clever backdoors in add-ons installed in their systems. That makes third-party vendors an attractive target for Initial Access Brokers, a type of cybercriminal who specializes in gaining and selling access to computer networks. Finding the right candidates is nowadays pretty easy, as most of them list their customers on their homepage. A simple prompt like “Please list all vendors of SAP add-ons that mention COMPANY as a customer on their website” for the GPT solution of choice provides results within seconds.

The next step would be to compromise one of the listed third-party vendors. Many of them are small to mid-sized companies with very limited, if any, budget for cybersecurity. Vendors that already have several severe vulnerabilities in their solutions are an especially attractive starting point: who would spot yet another vulnerability among the ones that have already been overlooked? The same is true for their customers. If they did not notice the existing vulnerabilities in an add-on, how would they find an additional one arriving with the next update? This is especially concerning given that such an additional vulnerability would likely be designed for stealth to evade detection.

Once such an update is deployed on an SAP system, it can immediately start infecting other systems. We have covered this attack potential in a series of blog posts, starting with “Five SAP design decisions that make ABAP Malware so powerful (Part 1)”.

The way we see it, this kind of attack would catch more than 95% of companies running SAP completely off guard, resulting in devastating damage.

Companies running SAP should therefore implement sound security measures to find and prevent cyber risks in their software supply chain, not just to comply with NIS2, but to protect their reputation, their customer data and their crown jewels. These measures must go far beyond buying a shiny code scanner and running it against imported code. The money not spent on such defense is a wager, and the odds aren’t looking good in this game.

We had a thorough discussion on adequate measures during this year’s SAP Cyber Defense Round Table in Frankfurt. Such awareness workshops can also be offered onsite for interested companies.