SAP Security for Professionals: How to Safely Upload Files into Your SAP System

This post is the second in our two-part series on how to protect your SAP systems against file-based attacks. Read the first post: SAP Security for Beginners: How to Safely Upload Files into Your SAP System.

Malware in file uploads wreaks havoc on your entire SAP systems.

As an SAP security professional, you know you have a problem. Here’s what’s at stake, and what you can do to protect your SAP systems against file-based attacks.

File-based Attacks and Unstructured Content

Malware that arrives at your organization buried inside files is a type of content-based attack. Hackers perform content-based attacks using one of two vectors: unstructured content, and structured content.

Unstructured content is content that an SAP application cannot predict. Emails, memos, spreadsheets and documents fall into this category. Unstructured content is contained in files, such as Outlook emails, Word documents and Excel spreadsheets.

The two primary attack vectors for unstructured content attacks—that is to say, file-based attacks—are the SAP GUI and web-based interfaces.

1. SAP GUI: The SAP GUI is an internal interface that works with SAP applications. The SAP GUI operates as a web-based GUI and as a standard (non-web-based) GUI.
2. Web-based interfaces: Web-based interfaces include Dynpros, BSP, UI5 Fiori applications and OData. These interfaces give access to SAP applications and systems through the internet.

The 5 Types of File-based Attacks

File-based attacks go well beyond simple viruses and malware embedded in email attachments and file uploads. You must protect your enterprise against five types of attacks:

1. Viruses and malware

• Typically delivered via email attachments and file uploads
• Typically don’t affect SAP applications because these applications don’t process the content of the information
• Typically present a considerable threat to networks and SAP systems, the true target of attacks

2. File-type filter evasion

• Targets SAP applications by circumventing existing file-type filters
• Embeds malware in executable files (.exe files) that are then disguised as innocent-looking files, such as .pdf files
• Circumvents SAP’s MIMETYPES-table, which maps every file extension to a MIME type based on file name extension, not on file type

3. Active content

• Usually embedded in files that trigger an action whenever the file is displayed (macros, for example)
• Gaining popularity as a way to deliver Locky, WannaCry, Ryuk and other ransomware
• Requires considerable social engineering to persuade victims to activate macros
• Other types of active content (besides macros) are malicious JavaScript and Java embedded in PDFs, SVG files (vector graphic files), HTML documents and XML spreadsheets.

4. Chameleon/polyglot files

• Satisfy the identification criteria of two or more file types
• GIFAR files, for example, combine a GIF image (benign) with a Java archive (malicious)
• If you call a GIFAR file using “Java -jar” or reference it with an APPLET tag, an EMBED tag or an OBJECT tag, the default Java classes will be executed

5. SAP archive attacks

• Potent threat vector for malware and file-based directory traversal attacks because virus scanners cannot analyze the content of SAPCAR archives
• SAP admins tend to trust SAPCAR files over zip archives and files from external sources, making these files particularly effective for delivering malware

How to Protect Against File-based Attacks

The bad news is that standard anti-virus solutions cannot protect you against malware, cross-site scripting attacks and active content cybersecurity vulnerabilities within SAP applications.

The good news is that SAP supplies some protection, and third-part solutions (like bowbridge software) provide protection.

Here’s how to protect yourself from the five types of file-based attacks on SAP systems:

Viruses and malware

• Install and run a VSI 2.x-compliant virus scanner in your SAP landscape
• Enable all pre-delivered scan profiles
• Scan at download time to catch virus signatures that are updated since upload
• Make your allowlist should be as restrictive as possible. Delete surplus types from the template list. Your allowlist must strike a balance between between security and functionality
• Install and run Anti-Virus for SAP Solutions from bowbridge, the only content-security software built solely for SAP applications. Works seamlessly in the background to secure ABAP and Java-based SAP applications as well as SAP Business Objects and new solutions built on SAP HANA and UI5/FIORI

File-type filter evasion

• Create two customer profiles: ZBASIC (basic scanning profile) and ZEXTENDED (checks for MIME-type detection)
• For ZEXTENDED, use the following settings:
  • CUST_ACTIVE_CONTENT = 1
  • CUST_CHECK_MIME_TYPE = 1
  • CUST_MIME_TYPES_ARE_BLACKLIST = 0. This setting indicates 'allowlisting,' which indicates entities that are OK
  • These settings tell the virus scanner to scan for active content and check MIME types according to the specified allowlist of file types

Active content

• Use SAP WebDispatcher or Internet Communication Manager (ICM) to protect against malicious active content being executed at the front end
• Create two customer profiles: ZBASIC (basic scanning profile) and ZEXTENDED (checks for active content)
• Follow SAP best practices and add these two headers:
  • SetResponseHeader X-Content-Type-Options “nosniff”
    This tells the browser not to try reading the attached file with the assumed MIME type
  • SetResponseHeader X-XSS-Protection "1; mode=block"
    This prevents cross-site scripting
• Block macros and other active content in numerous file formats (and deploy policy-managed detection) with Anti-Virus for SAP Solutions from bowbridge

Chameleon/polyglot files

• Block the upload of files with active content to the server
• Block execution on the client of active content for files downloaded from the server
• Use the virus scan interface to block active content on the SAP NetWeaver Application Server
• Install and run bowbridge Anti-Virus for SAP Solutions, which analyzes beyond the simple file extension to determine the file’s actual content

SAP archive attacks

• Install and run bowbridge Anti-Virus for SAP Solutions, which has full access to SAPCAR archives and ensures no malicious content can be transferred from archives to your SAP system

SAP Security Requires Protection From File-based Attacks

One thing to remember about file-based attacks is that they typically involve humans. Candidates upload their resumes to your HR portal. Suppliers upload invoices to your AP portal. Hackers email you attachments with malware embedded in them.

You must also address the human element through onboarding, recurrent cybersecurity training and penetration testing.

However. Even the best-trained humans slip up—and let’s face it, not every employee is going to be as vigilant about cybersecurity as those of us who are neck-deep in it. That’s why you have technology at your disposal, and it’s why you must implement as many layers of safeguards as possible. We highly recommend you read our guide on Protecting SAP Applications from Content-based Attacks.