Use MIME-Type Checks to Ensure SAP File Format Integrity
Apr 14, '20 by Joerg Schneider-Simon
Editor's Note: We recently updated this previously published post with new insights. Enjoy!
Want to protect your SAP applications against file-based attacks? Use MIME-Type checks.
One way that cyber attackers attempt to compromise SAP systems is by uploading files laden with malware or malicious active content. But the hackers don’t upload these malicious files in plain sight. They disguise them first by changing the file extension.
It’s a simple trick, but a surprisingly effective one, because SAP’s built-in file-type filtering relies solely on the extension of the filename.
Part of what makes many SAP applications so convenient is the ability for external users (think suppliers and job applicants) to attach files to transactions. But this convenient feature has a fatal flaw. While legitimate users can upload purchase orders and resumes, cyber attackers can also upload files with malicious active content and malware.
As our research shows, even when SAP’s built-in filter rules are set up to use MIME types instead of filename extensions, the filter doesn’t look at the content of the file. It simply maps the file name extension to MIME types.
In fact, 60% of the systems we tested allowed uploading of arbitrary files as soon as the extension was changed to one on the list of allowed extensions. In our tests of 120 SAP E-Recruiting installations, 52% of systems did not prevent us from uploading a test malware file.
For bowbridge customers who use Anti-Virus for SAP Solutions, there is a way to identify and block any wolves in sheep’s clothing. And if you don’t currently have Anti-Virus for SAP Solutions, consider this a sneak preview of how it works.
How to Activate MIME-Type Integrity Checks
To activate this feature, log in to your application client on the SAP system and open the Virus Scan Profile you wish to edit. If your profiles reference the “Default” profile, then open that one for editing.
In the Dialogue Structure Pane, open the “Profile Configuration Parameters” folder, activate changes, and create a new entry.
Open the Sub-Menu in the Parameters column and select the “CUST_CHECK_MIME_TYPE” entry from the list.
Set the Value to “1” for the newly created entry.
Before saving the changes, make sure you activate the parameter by checking the “Evaluate Profile Configuration Param” checkbox.
To test the filter, just change the extension of a file to a different type.
For example, copy notepad.exe and rename it to notepad.pdf.
Upload this file into your application (or test it in transaction VSCANTEST). The file will be blocked.
Customizing the Mappings Table
Bowbridge’s MIME integrity checks are based on a customizable list of mappings.
This list is stored in the file “mime_ext_map” in the default bowbridge installation folder.
The file already contains an extensive list of common mappings, but is meant to be edited as customers see fit.
To add or remove a specific entry, follow this syntax:
Extension -> MIME-type, for example “.pdf -> application/pdf”
Mappings don’t have to be unique. You may map multiple extensions to the same MIME-Type and have one extension mapped to multiple MIME-types, as long as you add them one per line.
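As an added illustration (not bowbridge's code and not the product's detection logic), the Python example below parses mappings written in the syntax above and compares an upload's extension against a MIME type derived from its leading bytes. The sample mappings, the four-entry signature table, the MIME name used for executables and all function names are assumptions made for the example.

```python
import os

# Constructed sample in the page's "extension -> MIME-type" syntax, one mapping per line.
SAMPLE_MAP = """\
.pdf -> application/pdf
.png -> image/png
.docx -> application/zip
.docx -> application/vnd.openxmlformats-officedocument.wordprocessingml.document
.zip -> application/zip
.exe -> application/x-dosexec
"""

# Assumed minimal signature table (leading magic bytes -> MIME type); a real
# scanner recognises far more formats and inspects containers more deeply.
SIGNATURES = [
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/x-dosexec"),
]

def parse_map(text):
    """Return {extension: set of allowed MIME types}, all lower-cased."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "->" not in line:
            continue  # skip blank or malformed lines
        ext, mime = (part.strip().lower() for part in line.split("->", 1))
        if ext and mime:
            mapping.setdefault(ext, set()).add(mime)
    return mapping

def sniff(data):
    """Derive a MIME type from the content only, ignoring the file name."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"

def check_upload(filename, data, mapping):
    """Return (allowed, detected MIME). Unmapped extensions and mismatches fail closed."""
    ext = os.path.splitext(filename)[1].lower()
    detected = sniff(data)
    return detected in mapping.get(ext, set()), detected

if __name__ == "__main__":
    m = parse_map(SAMPLE_MAP)
    print(check_upload("notepad.pdf", b"MZ\x90\x00\x03", m))  # renamed executable
    print(check_upload("resume.pdf", b"%PDF-1.7\n", m))       # genuine PDF header
```

The `.docx` lines show why one extension may need several MIME types: a check that reads only the leading bytes sees the ZIP container rather than the Office document inside it.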
If this process is overwhelming, fear not. Our support staff are happy to help.
A MIME-Type that doesn’t match the extension is a strong indicator that a file is malicious. With your MIME-Type filters properly set up, Anti-Virus for SAP Solutions will conveniently and efficiently do the screening for you, blocking these malicious files before they do any damage.
For more ways to configure bowbridge Anti-Virus for maximum performance and efficiency, be sure to check out our helpful videos.