Once, ERPScan team was conducting a penetration test in a large manufacturing organization. The task was not so ordinary and easy because the number of systems in the scope was huge and little time was allotted. That’s why it was necessary to perform Threat Modelling before diving into the process of hacking. Here we decided to describe this case study in detail. This series of articles is intended to explain what SAP Penetration testing is. The first step of every successful penetration testing is Threat Modelling. At this stage, a cybersecurity professional gets an understanding of business processes of a typical manufacturing company, identifies the most critical assets and associated risks. The gathered information helps a penetration tester to decide what to focus on. Before reading this article, I also recommend learning what SAP Security is. Manufacturing companies are an attractive target for different kind of cyber attackers (state-sponsored hackers, hacktivists, terrorists, malicious insiders). Such companies are responsible for a great part of some countries’ economy. Any interference in their work can stop processes and, as a result, deprive company and country of revenue. Just to give you an insight, in 2015, the United States exported approximately 2.6 million vehicles valued at $65 billion. The manufacturing industry is on the radar of cyber criminals indeed. For example, the cyberattack against a steel mill in Germany [1] hit the headlines in 2015, as it has caused confirmed physical damage. In case of cyberattack, a manufacturing company may face the following consequences:
Plant Sabotage/Shutdown Equipment damage Production Disruption (Stop or pause production) Product Quality (Quality degradation) Compliance violation (Such as pollution) Safety violation (Death or injury)
When we know what are the most important risks for manufacturing industry, the next step is to get to know whether it is possible to cause these risks by accessing SAP systems and that exactly an attacker should exploit to cause them. SAP systems are widely used in the Manufacturing industry, and there are even specific SAP modules for Manufacturing. Cyberattacks on SAP systems (regardless of the industry) can be critical itself, as they can lead to espionage, sabotage or fraud. However, they are even more lethal for the Manufacturing because of trust connections in SAP systems that are responsible for asset management and technology networks (e.g. plant floor). A typical manufacturing company’s infrastructure consists of multiple business applications and industry-specific modules. Primarily, it’s ERP, but there are also others. Here is an incomplete list of the applications which are most frequently can be found in typical manufacturing company:
Enterprise Resource Planning (ERP) Manufacturing Execution system (MES) Asset Lifecycle Management (ALM) Manufacturing Integration (xMII) Other standard systems: HR, CRM, PLM, SRM, BI/BW, SCM
Some of those systems such as xMII or ALM can be connected with Industrial Control Systems or plant floor, so a single vulnerability there may pose the risk for the entire company. SAP systems can be based on different platforms. Basically, it’s ABAP, JAVA, and HANA. The main SAP platform is SAP NetWeaver, the enabling foundation for SAP and non-SAP applications. The first version of SAP NetWeaver saw the release in 2004. After that, SAP has introduced several new versions of the platform and new modules to extend functionality. As of today, the latest version is SAP NetWeaver 7.5 (the first release in October 2015). One of the main parts of SAP NetWeaver is SAP NetWeaver Application Server (AS). SAP NetWeaver AS includes the application server ABAP and JAVA. As its name implies, the main programming language for SAP NetWeaver AS ABAP platform is ABAP and for SAP NetWeaver AS JAVA is JAVA programming language. Returning to our case, the most critical application which is linked to the production network is SAP xMII (SAP xApp Manufacturing Integration and Intelligence). It is based on the JAVA platform. SAP xMII is often used in industrial enterprises to manage and automate the processes. This module extends the functionality of SAP NetWeaver AS JAVA to use it in production. SAP xMII provides a direct connection between shop-floor systems and business operations. It ensures that all data related to manufacturing is visible in real time. SAP customers can also link their enterprise processes and master data to manufacturing processes to run their business based on a single version. Vulnerabilities in SAP xMII are particularly hazardous because this solution is a kind of a bridge between ERP (Enterprise Resource Planning), other enterprise applications and plant floor as well as OT (Operational Technology) devices. Any vulnerability affecting SAP xMII can be used as a starting point of a multi-stage attack aiming to get control over plant devices and manufacturing systems. A brief look at public sources indicates that there are a couple of notable vulnerabilities in the SAP xMII component (e.g. Reflected XSS vulnerability [2] and directory traversal vulnerability [3]. Sounds great, now we know what the risks are, which systems are the most important and what platform we need to analyze regarding security first of all. The final preparation step is to find out the most important vulnerabilities in this platform, how common are them, and what versions are the most widespread. All these factors influence on chances of successfully performing a penetration test. Such analysis will show us if we need to add additional resources to the team such as researchers who will look for 0-day vulnerabilities in the platforms in case if information about those SAP systems is not available (this situation is rather common when we deal with SAP Pentesting). According to information from our latest SAP Cybersecurity in figures report, 3662 vulnerabilities in different SAP products were fixed in total (as for mid-2016). 548 of them affect JAVA stack and 2585 ABAP. We have scanned the entire range of IP addresses on the Internet and revealed that an overwhelming number of SAP servers available on the Internet have version 7.3 (7.3 – 626, 7.3 EHP 1 – 851) and 7.4. So, it means that we will likely meet these versions while conducting penetration testing. These versions are more secure; there are not any old security issues of the 7.2 version. Thus, we will need to find 0-day vulnerabilities. Well, the task isn’t simple anymore.
Since we are almost sure that we will need to find some new vulnerabilities, let’s look at the most common types of issues patched in SAP Netweaver JAVA platform. This information, as well as other interesting details, are available in our latest SAP Cybersecurity Threat Report
From the graph above you can see that the most common vulnerability type is XSS, but we rarely exploit them during pentests as it is lame. Most probably, we will need to find information disclosure or configuration issue to break into the system. Theoretically, such large number of the vulnerabilities in JAVA platform allows considering that conducting a penetration test is not a difficult task. In most cases, it is so; usually, it doesn’t take a lot of time to break an SAP system as companies don’t even implement patches for 3-years old vulnerabilities. But not this time, otherwise there would be no use to write this article. During our pentest, we faced some difficulties and uncommon tasks. So, if you want to learn more about SAP Penetration testing and its features, we strongly recommend that you read this series. To see all new articles of the series, subscribe to our news or follow us on Twitter, Facebook, and LinkedIn.
https://www.wired.com/2015/01/german-steel-mill-hack-destruction/ https://erpscan.com/advisories/erpscan-16-021-sap-mii-reflected-xss-vulnerability/ https://erpscan.com/advisories/erpscan-16-009-sap-xmii-directory-traversal-vulnerability/