A supply chain vulnerability in the SAP transport system that allows attackers to infiltrate the change management or software deployment process has been identified by a Germany-based cybersecurity vendor. SAP SE has released a hotfix for the issue, which threatens every SAP environment in which the staging systems share a single transport directory.
SAP transport system vulnerable to malicious interference
SAP software products are used by companies around the world, many of which provide critical infrastructure, food, energy and medical supplies. Customers use the SAP development supply chain to add features and custom developments on top of the SAP standard; these changes are promoted through the various staging systems of the respective SAP landscape as SAP transport requests. Once a request has been released and exported to the central transport directory, it should no longer be modified.
However, in October 2021, SecurityBridge identified a method that allowed insider attackers without privileged permissions to infiltrate the SAP change management or software deployment process undetected. “After export and before import into the production system, threat actors have a window of time to include malicious objects. A dishonest employee with the proper permissions has the ability to change the status of the version from ‘published’ to ‘editable’,” SecurityBridge wrote in a blog post.
This makes it possible to modify transport requests despite passing quality barriers in the change management process. “Attackers can introduce malicious code into the SAP development phase, invisibly, even into requests that have already been imported into the test phase,” SecurityBridge added. Attackers can then modify the content of the transport request just before the promotion to production, which can lead to code execution. “These attacks are very effective and all SAP environments are vulnerable if the different SAP staging levels share a single transport directory.”
Fixed SAP transport management system vulnerability
Organizations using SAP software products should apply the patch that addresses the vulnerability (CVE-2021-38178), as published by SAP in the security advisory NOTE 3097887. This protects the file system from manipulation. SAP customers should also check their transport log for tampering before production import, SecurityBridge added. “In this document, the described attack method becomes visible.”
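One defender-side check for the window the article describes, added here as an example and not SecurityBridge's or SAP's code: record digests of a request's transport files at release time, store them outside the shared transport directory, and compare them immediately before the production import. It assumes the usual data/R<number>.<SID> and cofiles/K<number>.<SID> layout under a shared transport directory and a constructed request name DEVK900001; neither comes from the article.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed layout (not from the article): request DEVK900001 exported from
# system DEV is stored as data/R900001.DEV (object data) and
# cofiles/K900001.DEV (control file) under the shared transport directory.
def transport_files(trans_dir: Path, request: str) -> list[Path]:
    sid, num = request[:3], request[4:]          # "DEVK900001" -> "DEV", "900001"
    return [trans_dir / "data" / f"R{num}.{sid}",
            trans_dir / "cofiles" / f"K{num}.{sid}"]

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def record_release_manifest(trans_dir: Path, request: str) -> dict[str, str]:
    """Taken when the request is released: digest of every transport file.
    Keep the result outside the shared transport directory."""
    return {p.relative_to(trans_dir).as_posix(): sha256_of(p)
            for p in transport_files(trans_dir, request)}

def verify_before_import(trans_dir: Path, request: str,
                         manifest: dict[str, str]) -> list[str]:
    """Run just before the production import: returns the files whose content
    no longer matches the release-time digest (a missing file counts too)."""
    changed = []
    for p in transport_files(trans_dir, request):
        rel = p.relative_to(trans_dir).as_posix()
        current = sha256_of(p) if p.exists() else None
        if current != manifest.get(rel):
            changed.append(rel)
    return changed

def demo() -> list[str]:
    """Constructed scenario: release, then a change to the data file in the
    window before import, then the pre-import verification."""
    with tempfile.TemporaryDirectory() as tmp:
        trans = Path(tmp)
        for p in transport_files(trans, "DEVK900001"):
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"original transport content\n")
        manifest = record_release_manifest(trans, "DEVK900001")
        data_file = trans / "data" / "R900001.DEV"
        data_file.write_bytes(b"original transport content\nadded object\n")
        return verify_before_import(trans, "DEVK900001", manifest)

if __name__ == "__main__":
    print(demo())  # ['data/R900001.DEV']
```

A non-empty result should block the import and trigger a review of the transport log for the request; the cofile is unchanged in the demo and is therefore not reported.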
Copyright © 2022 IDG Communications, Inc.