Understand SAP’s File Transfer Security Gap
Dec 15, '22 by Joerg Schneider-Simon
Hackers know there is an open door into SAP. They exploit users and the application layer by introducing malicious files. This attack vector is in the application’s critical path, as attaching supporting documents to transactions is a common requirement in business processes backed by SAP applications.
Many SAP customers presume the Endpoint Detection and Response (EDR) software deployed at the OS layer will protect the SAP applications, but this is not the case.
File uploads into SAP applications bypass these OS-layer security tools. They present a significant threat to internal and external users, and they also threaten the security and integrity of the SAP application and the mission-critical data it stores and processes. Any anti-malware or EDR solution installed at the OS layer of the SAP system never sees these uploads.
But malware is just one (albeit smaller) part of this gap. Malware may be stored inside the SAP datastore, and passing it on to internal or external users may wreak havoc on their systems. Other file-based threats, however, have the potential to compromise the SAP application itself. Some examples of such attacks are:
- File-Type Filter Evasion – SAP’s built-in file type filters are limited: they consider only the extension of a file. A potentially malicious executable renamed with a .PDF extension is processed as if it were a PDF. Hackers use this limitation to place executables on the system.
- Chameleon/Polyglot Files – These files ultimately satisfy the identification criteria of two or more file types. For example, they could be identified as benign GIFs and at the same time be a valid Java-archive containing the attacker’s malicious payload.
- Active Content – This content is usually embedded in files and triggers some action whenever the file is displayed. Such active content includes scripts, embedded executables and macros, which have regained popularity as a prevalent way to propagate ransomware (such as Locky, WannaCry, Ryuk). When downloaded from an SAP application, these potentially malicious active components even inherit the same access privileges to the SAP application as the user who downloaded the file.
- SAPCAR-Based Attacks – In the SAP context, the proprietary SAPCAR archive format is inherently trusted by administrators. Virus scanners cannot analyze the content of SAPCAR archives, making them a potent threat vector.
- File-based Cross-Site Scripting – With a cross-site scripting (XSS) attack, hackers insert code, typically JavaScript, into the application markup rendered by the user’s browser.
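Added example (not code from the article or from bowbridge or SecurityBridge): a content-aware upload check that addresses the first two threats above, the extension-versus-content mismatch and a GIF/JAR polyglot. The allow-list, the magic-byte table and the sample files are constructed for this illustration.

```python
import io
import zipfile

# Magic bytes for the document types this constructed allow-list accepts.
SIGNATURES = {
    "pdf": (b"%PDF-",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")  # Windows PE and Linux ELF headers


def detect_type(data: bytes):
    """Identify the type from the file's leading bytes, not from its name."""
    for ext, magics in SIGNATURES.items():
        if data.startswith(magics):
            return ext
    return None


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason) for one upload; the reason is audit-log text."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in SIGNATURES:
        return False, f"extension '{ext}' is not on the allow-list"
    if data.startswith(EXECUTABLE_MAGIC):
        return False, f"executable header behind a .{ext} extension"
    actual = detect_type(data)
    if actual is None:
        return False, "content matches no allowed type"
    if actual != ext:
        return False, f"named .{ext} but content is {actual}"
    # A valid image that also carries a ZIP end-of-central-directory record is a
    # polyglot (e.g. a GIF that is also a JAR); zipfile finds that record at the end.
    if zipfile.is_zipfile(io.BytesIO(data)):
        return False, f"{actual} content also parses as a ZIP/JAR archive (polyglot)"
    return True, f"accepted as {actual}"


def make_gif_zip_polyglot() -> bytes:
    """Constructed sample: a minimal GIF header followed by a harmless ZIP archive."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("README.txt", "constructed sample, no real payload")
    gif_stub = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
    return gif_stub + archive.getvalue()


if __name__ == "__main__":
    print(validate_upload("logo.gif", make_gif_zip_polyglot()))
    print(validate_upload("report.pdf", b"MZ\x90\x00" + b"\x00" * 60))
```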
What makes this gap so dangerous is that none of these threats are identified or blocked by a standard anti-malware solution.
Why not?
Because, by definition, they are not malware. They are perfectly legitimate features—but extremely dangerous in the context of a mission-critical application.
Mind the gap
Because standard anti-virus solutions cannot protect against malware or active content within SAP applications, SAP created NW-VSI, a virus-scanning and content-security interface embedded directly in the application infrastructure. When combined with an SAP-certified anti-malware and content-security solution, it provides protection against malware and SAP-specific file-based threats.
SAP administrators can define granular policies to control what types of files they want to accept into the SAP application. File transfers violating these policies are blocked and detailed logs are created in SAP’s own Security Audit Log.
Find the gap
SAP deployments are inherently complex. With a mix of standard code delivered by SAP and custom code, modifications or add-ons introduced by the customers, it is often difficult to even detect file uploads and alert administrators that they pose a threat.
Long-time SAP partners SecurityBridge and bowbridge Software worked with SAP’s NW-VSI developer team on finding a solution for this. It is now available in the form of the new event class “FU9” in SAP’s Security Audit Log. Whenever a file is uploaded that was not subject to a security scan (for example, by bowbridge’s security solutions for SAP), a warning message is generated. SecurityBridge now also ingests and processes these messages and proactively alerts administrators of this potential security bypass in real-time.
Close the gap
Cybercriminals are breaching business systems with ease. According to Dark Reading, “Businesses suffered 50% more cyberattack attempts per week in 2021.” Front-page vulnerabilities such as RECON and PayDay allow cyber criminals to compromise applications through the SAP application layer.
Cybercriminals are targeting SAP because its applications store a wealth of business intelligence. From financial payment information to employee names and social security numbers, the door is wide open due to a lack of process for monitoring uploaded files.
The solution to the SAP file vulnerability gap is implementing a certified SAP anti-virus solution, complemented by a real-time threat-monitoring solution with anomaly detection. By identifying and highlighting file-upload vulnerabilities, such monitoring points administrators to the systems where SAP-certified anti-malware solutions should be deployed.
With this level of cybersecurity in place, no matter how often hackers change their attack vectors, the anomaly is detected, reported, and triaged.
With real-time alerts and reports, SAP administrators will be able to understand specific vulnerabilities to content-based attacks and prevent users from unknowingly executing viruses that unleash devastation deep into mission-critical business systems.
Learn more about Protecting SAP Applications from Content-Based Attacks.