Supply chain vulnerability identified in SAP transport system
SecurityBridge has identified a methodology that allows internal attackers without privileged rights to intervene undetected in the SAP software distribution process.
Supply chain attacks are a new threat that targets software development departments and vendors. The vulnerability discovered by SecurityBridge was reported to SAP in October 2021, and the corresponding patch has already been published or deployed to the customer's SAP system.
Customers can request additional functionality and in-house developments to the SAP standard by using the internal SAP development supply chain. These coding and repository changes are made possible through the various staging systems of the respective SAP landscape with SAP transport requests.
The transport files are needed to physically deploy changes from development to the next staging level. SecurityBridge says these requests should not be modified after they have been exported from the central transport directory (which is usually shared by development, test, and integration instances) and released.
Toward the end of 2021, SecurityBridge discovered a method using its SAP Security Platform allowing internal attackers without privileged authorisations to penetrate the SAP software supply chain. Immediately after exporting a transport request (containing the new development) and before importing it into the subsequent staging system, there was a window of opportunity where someone with fraudulent intent and sufficient rights could have changed the status of the transport request from "released" to "modifiable".
They would then be able to inject malicious code into the SAP development phase, even into transport requests that had already been imported into the test system. The content of the transport request could be changed unnoticed shortly before being imported into production to enable code execution.
"Such attacks are very efficient, especially when the various SAP staging systems share a single transport directory," says SecurityBridge CTO, Ivan Mans. "This makes it very easy to attack the SAP development supply chain."
SAP has issued the patch in security advisory SNOTE 3097887– [CVE-2021-38178]. This protects the file system from manipulation. Only the account on which the SAP NetWeaver or S/4HANA application is also running will be granted access.
SecurityBridge says SAP customers should check the transport log for tampering before production import. In it, the described attack method becomes visible. It says those who have implemented the CVSS 9.1 hint are on the safe side now.