Ensuring SAP File Format Integrity: MIME Type Checks
Nov 23, '17 by Joerg Schneider-Simon
Part of what makes SAP so convenient is the ability for external users, like suppliers or job applicants, to upload files. This feature, however, can be a double-edged sword: While legitimate users can upload purchase orders and resumes, cyberattackers can upload files laden with malware.
One way in which cyberattackers disguise malicious files is by changing the file extension. It’s a simple trick, but a surprisingly effective one, considering that SAP’s built-in file-type filtering relies solely on the extension of the filename.
As our research uncovered, even when SAP’s filter rules are set up to use MIME types instead of filename extensions, the filter doesn’t look at the actual content of the file. It simply maps the file name extension to MIME types. In fact, 60% of the systems we tested allowed uploading of arbitrary files as soon as the extension was changed to one on the list of allowed extensions.
For bowbridge customers who use Anti-Virus for SAP Solutions, there is a way to identify and block any wolves in sheep’s clothing. (And if you don’t currently have Anti-Virus for SAP Solutions, consider this a sneak preview of how it works.)
How to Activate MIME Type Integrity Checks
To activate this feature, log in to your application client on the SAP system and open the Virus Scan Profile you wish to edit. If your profiles reference the “Default” profile, then open that one for editing.
In the Dialogue Structure Pane, open the “Profile Configuration Parameters” folder, activate changes, and create a new entry.
Open the Sub-Menu in the Parameters column and select the “CUST_CHECK_MIME_TYPE” entry from the list.
Set the Value to “1” for the newly created entry.
Before saving the changes, make sure you activate the parameter by checking the “Evaluate Profile Configuration Param.” checkbox.
To test the filter, just change the extension of a file to a different type.
For example, you could copy notepad.exe and rename it to notepad.pdf.
Upon uploading this file into your application (or in transaction VSCANTEST) the file will be blocked.
Customizing the Mappings table
Bowbridge’s MIME integrity checks are based on a customizable list of mappings.
This list is stored in the file “mime_ext_map” in the default bowbridge installation folder.
The file already contains an extensive list of common mappings, but is meant to be edited as customers see fit.
To add or remove a specific entry, keep to this simple syntax:
Extension -> MIME-type, for example “.pdf -> application/pdf”
Mappings don’t have to be unique. You may map multiple extensions to the same MIME type and have one extension mapped to multiple MIME types, as long as you add them one per line.
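The check described above, sketched as an added Python example (not bowbridge's code and not part of the original post): it parses mappings in the "extension -> MIME type" syntax, including one extension mapped to several types, and compares the type implied by a file's leading bytes with the types allowed for its extension. The sample map, the small signature table, the function names, and the choice to block unmapped or unrecognized files are assumptions made for illustration.

```python
import os

# Constructed sample in the "extension -> MIME type" syntax, one mapping per line.
SAMPLE_MAP = """\
.pdf -> application/pdf
.jpg -> image/jpeg
.jpeg -> image/jpeg
.doc -> application/msword
.doc -> application/rtf
"""

# Constructed, minimal signature table (assumption); real scanners know far more formats.
SIGNATURES = [
    (b"%PDF-", "application/pdf"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"MZ", "application/x-dosexec"),  # DOS/Windows executable header
    (b"{\\rtf", "application/rtf"),
]

def parse_map(text):
    """Parse mapping lines into {extension: {mime, ...}}; repeated extensions accumulate."""
    mapping = {}
    for line in text.splitlines():
        if "->" not in line:
            continue  # skip blank or malformed lines
        ext, mime = (part.strip().lower() for part in line.split("->", 1))
        mapping.setdefault(ext, set()).add(mime)
    return mapping

def sniff(data):
    """Return the MIME type implied by the leading bytes, or None if unrecognized."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return None

def check_upload(filename, data, mapping):
    """Return (allowed, reason), judging the content instead of trusting the name."""
    ext = os.path.splitext(filename)[1].lower()
    allowed = mapping.get(ext)
    if not allowed:
        return False, f"extension {ext!r} has no mapping"  # fail closed (assumption)
    detected = sniff(data)
    if detected not in allowed:
        return False, f"content is {detected}, expected one of {sorted(allowed)}"
    return True, f"content matches {detected}"

if __name__ == "__main__":
    print(check_upload("notepad.pdf", b"MZ\x90\x00", parse_map(SAMPLE_MAP)))
```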
If this process is overwhelming, fear not. Our support staff is happy to help.
A MIME type that doesn’t match the extension is a strong indicator that a file is malicious. Once your MIME type filters are set up properly, Anti-Virus for SAP Solutions will conveniently and efficiently do the screening for you, blocking those malicious files before they can do any damage.
For more ways to configure bowbridge Anti-Virus for maximum performance and efficiency, be sure to check out our helpful videos.