Security Advisory in the Context of the European SAP Harmonization at General Motors

Markus Seibel, Adam Opel AG & Dr. Markus Schumacher, Virtual Forge GmbH


Page 2

Company Overview

SAP CCoE at Adam Opel AG / Vauxhall

SAP-CCoE (certified since 2005)

Responsible for GM / Opel SAP Implementations in Europe

Leading model and part of future global GM SAP CCoE

Virtual Forge GmbH

Gartner: „Cool vendor in the SAP ecosystem 2011“

Vendor of CodeProfiler, leading ABAP analysis solution

Program | Focus | Rel. | Users

New ERP | Opel / Vauxhall and Chevy Europe | ECC 6 (EHP4), BI (NW7 EHP1) | 11.500

OSV * | Opel Special Vehicles GmbH | R/3 4.7 | 350

GSF | GM Springhill Plant (Tennessee/USA) | ECC 5.0 DIMP, SRM 5.0, BI 7.0 | 470

HR-BPO | HR Business Process Outsourcing (O/V SAP-CCoE has only coordination resp.) | R/3 4.7 | 2.500

GMSA * | GM South Africa (O/V SAP-CCoE has only coordination resp.) | R/3 4.6C, BW 3.1, APO 3.1, WAS 6.10 | 1.200

Page 3

Project presentation

O/V SAP newERP Harmonization

Opel/Vauxhall SAP „newERP“ Harmonization Program

Feb. 2011: Data center relocation and unicode conversion of R/3 4.7 MDMP system (code pages: Western Europe, Eastern Europe, Cyrillic) => new ERP

Mar. 2011: Release Upgrade of BW 3.5 to BI 7 (EHP1) incl. UC conversion

April 2011: Release Upgrade of the new ERP system from R/3 4.7 to ECC 6 (EHP4)

September 2011: Migration of GSF System (Opel & Chevrolet National Sales Companies) into new ERP and leaving GSF „Springhill offspin“ for DC relocation to US

February 2012: Migration of „Formula 1“ System (Opel Powertrain) into newERP

Migration of „OSV“ System into newERP – ongoing

Build of interim 3-client archive system – ongoing

Deployment of Chevy Sales Companies on new ERP – ongoing

Page 4

O/V SAP newERP Harmonization

Outcome / Lessons Learned

Programming/code issues had to be overcome by workarounds until they got fixed

Data migration ran through more iterations than expected

Execution in time and quality

95 processes for Manufacturing, Powertrain and Sales Companies are running for approximately 12000 users in one environment

Enablement for ongoing Vehicle and Powertrain process optimization, i.e. DataWarehouse, Product Costing or PPO.

Solution can be adopted for Chevy Europe and leveraged within GM

Page 5

Agenda

Security & Compliance – a question of perception

Security Trends

Evolution of attackers: from “script kiddies” to professionals

Companies as targets of attacks

Attack surface of SAP®-landscapes

Field observation: what goes wrong

Compliance beyond GRC checks: Broken/missing authority checks

Calling arbitrary RFC function modules

Executing Operating System commands

SE38

Towards a holistic view on SAP Security & Compliance


Page 7

ABAP Development from a Compliance View

ICS Structure in ERP Environment

ITGC - IT General Controls: Change Management, ABAP Code

Business Process Risks: Completeness, Correctness, Segregation of Duties, Privileges, Traceability, Data Protection

Page 8

(Wrong) Focus on Transactions (only)

It's the ABAP commands, not the transactions, that are dangerous.

Example: Creation of ABAP programs. The diagram shows the statement INSERT REPORT reachable not only via SE 80 and SE 38, but through seven custom objects, each of which is flagged as a risk: Function Module ZFB1, Function Module ZFB2, Transaction ZTRANS1, Transaction ZTRANS2, REPORT ZREP, Business Server Page ZBSP, Web Dynpro Application ZWD.

Page 9

Entering Your SAP System

(Web Application) Firewall

User Interfaces: SAP GUI, BSP, ITS, WebDynpro ABAP

Indirect User Interfaces: Java-Applications, Java EE/Portal, WebDynpro Java

External Systems: Standalone ITS, SAP-System, Non-SAP-System

ABAP-System: Database, Files, RFC, PI, Web-Services

Page 10

Resulting Risks

Unauthorized execution of business logic

Unauthorized access to business and system data

Unauthorized change of business and system data

Loss of system availability

Loss of accountability

Identity theft

Page 11

General project challenges

Goals of the project / implementation team:

Project budget and go-live date

Delivered product must work at point in time of hand-over

Satisfy the „direct customers“ (e.g. new site)

Minimize coordination effort wherever possible

(with the customer as well as team-/supplier internally)

Minimize regression tests

Scope reductions (classic “not part of our job / contract” discussions)

Goals of customer / system owner / CCoE:

Long term maintainability

Harmonized processes and “templates”

Avoiding redundancies

Low operating costs

Secure environment

Page 12


Approaches

• Clone existing ABAP code instead of extending or reusing existing functionality

• Ignore the template, rather clone the legacy system wherever possible

• Quick & dirty, hard-coded

• Cheap resources instead of experienced staff

• Delay progress in order to force the customer to accept unsatisfactory solutions to keep the time line

• …

Have you ever wondered where all the vulnerabilities come from?

An SAP CCoE has to combine two contradicting goals to make a project really successful:

• Support and manage the project

• “Defend” the system against the project team (!)


Page 14

Evolution of Attackers

Script kiddie

Minor knowledge

Works with „copy & paste“ and uses public information, programs, tools, etc. in order to attack / damage computer systems

Random targets

Motivation: usually reputation

Page 15

Evolution of Attackers

Professional Attacker

Highly skilled

Almost unlimited time and money resources

Targeted attacks (e.g. Stuxnet)

Often internal attackers

Motivation: industrial espionage, sabotage, competitive advantage

Page 16

Companies as Target

(Chart not reproduced in the text.) Source: Best Practice, the T-Systems customer magazine, issue 4 | 2011, p. 44.

Page 17

Hackers aiming at SAP – Unreported Cases?

Source: DSAG Technologietage, Bernd Reske, SAP AG, „SAP im Fokus der Hacker!?“ (SAP in the focus of hackers!?)


Page 19

Common Misunderstandings...

SE38 – ABAP Editor

Q: Which authorizations and settings are necessary to edit a repository object, e.g. an ABAP program?

A: Part I, „official“ answer: An „open system“, a developer key, object S_DEVELOP with the respective access, and one valid AWB entry transaction (the transaction code does not matter! – see next slides)

A: Part II, the “creative” approach: Applications like e.g. the query builder or LSMW offer sections to include your own ABAP code if S_DEVELOP is granted accordingly – even without a developer key and in a closed system!

A: Part III, “hacker's favourite”: A code injection vulnerability (no authority and no special system setting required)

Pages 20-22

Common Misunderstandings... (screenshots, not reproduced in the text)

Page 23

Transaction secure, but …

Dynamic code generation still possible

Potentially dangerous ABAP commands … INSERT REPORT, GENERATE SUBROUTINE POOL

Source: BlackHat Briefings 2011, Andreas Wiegenstein, „The ABAP Underverse“

Page 24

Execute OS Commands

Q: Which access is needed to execute an operating system command?

A: Part I – official answer

- Access to transaction SM49

- Object S_RZL_ADM (ACTVT=01 or 03)

- Object S_LOG_COM for the command itself

A: Part II – creative approach

- Access to transactions SM36/SM37

- Object S_BTCH_ADM

- Object S_RZL_ADM (ACTVT=01)

A: Part III – alternatives

- the right ABAP statement

- however, this still requires access to S_DATASET or S_C_FUNCT

Page 25

SM49 – Execute OS Commands

Bypassing SM49 / SM69 restrictions:

CALL 'SYSTEM' ...

OPEN DATASET ... FILTER 'format c:'

Controlled Operating System (OS) Command Execution (diagram): the ABAP OS call names a logical command ('LIST'), SM49 / SM69 maps it to the configured program, and the OS runs the resulting command ('ls').

Command | Program

LIST | ls

PING | ping

X_PYTHON | x_python

Page 26

Authorizations Broken / Missing

Roles & Authorizations (diagram): an AUTHORITY CHECK in front of an ASSET either passes (OK) or fails (Failed).

Missing authority checks

- CALL TRANSACTION

- RFC enabled functions

- Reports

Authority Checks without check of return code

Authority Checks with incomplete checks

Hard-coded user names

IF SY-UNAME = 'SCHUMACHERM'.

Page 27

… or simply the WRONG checks!

Custom material consumption report per cost center: the authority check requirement to restrict display per cost center was implemented using object A_S_KOSTL (asset master maintenance)

Audit comment: Missing authority checks in reports. A new „Z“-Object with one field (BUKRS) was created and put into all custom developed code delivered by the project team – it did not matter at all whether it was write or read access and which module was affected (FI, CO, MM)

„Star values" for unknown or optional auth. objects: The profile generator suggests it, so it seems to make sense. Before wasting time investigating, let's click on the yellow traffic light…

Hard-coded authority checks were copied from the legacy SAP system, pointing to non-existent org. elements


Page 29

Key Takeaways

All authority requirements must be coordinated with the security team

Uncoordinated process changes often appear „camouflaged“ as „authorization issues“

Close dependency between customizing and SAP security

Negative requirements are to be specified in advance

Security requirements must be part of development guidelines

Tool-based enforcement of security requirements

Page 30

Enforced Check

For a couple of years, Opel / GM has been using a custom developed solution for change and transport management (similar functionality and „philosophy“ to ChaRM)

Part of this solution is the check of transports during release (in case of a finding, the release is stopped):

Kernel and operating system calls

Repository and ABAP Command Injection

Native SQL

SY-UNAME/SYSID/MANDT in IF / CASE / CHECK

Cross-client SQL

Missing generic XSS prevention in Business Server Pages

Direct updates to critical tables

Missing evidence of authority checks

Consistency and rules check for security roles
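An added example, not the GM/Opel tool or any Virtual Forge code, of what such a release gate can look like: a small Python checker that applies some of the finding categories listed above, plus the "authority check without check of return code" and hard-coded user name patterns from page 26, to constructed ABAP snippets. The rule table, the statement splitter and the two sample reports are assumptions made for this illustration.

```python
import re
from typing import List, Tuple
# Constructed rule table modelled on the finding categories the slide lists
# (a simplified stand-in, not GM's own transport check); each regex is
# matched against one whitespace-normalised ABAP statement.
RULES = [
    ("kernel/OS call", r"^CALL\s+'SYSTEM'|^OPEN\s+DATASET\b.*\bFILTER\b"),
    ("ABAP command injection", r"^(INSERT\s+REPORT|GENERATE\s+SUBROUTINE\s+POOL)\b"),
    ("native SQL", r"^EXEC\s+SQL\b"),
    ("SY-UNAME/SYSID/MANDT in IF/CASE/CHECK", r"^(IF|ELSEIF|CASE|WHEN|CHECK)\b.*\bSY-(UNAME|SYSID|MANDT)\b"),
    ("cross-client SQL", r"\bCLIENT\s+SPECIFIED\b"),
]
COMPILED = [(name, re.compile(rx, re.I)) for name, rx in RULES]

def statements(source: str) -> List[str]:
    """Drop ABAP comments (* in column 1, " to end of line) and split at a period
    followed by whitespace/end, so a period inside a literal like 'x.txt' is kept."""
    kept = [ln.split('"', 1)[0] for ln in source.splitlines() if not ln.startswith("*")]
    return [" ".join(s.split()) for s in re.split(r"\.(?=\s|$)", " ".join(kept)) if s.strip()]

def check_transport(source: str) -> List[Tuple[str, str]]:
    """Return (finding, statement) pairs; an empty list means release may proceed."""
    findings = []
    stmts = statements(source)
    for i, stmt in enumerate(stmts):
        for name, rx in COMPILED:
            if rx.search(stmt):
                findings.append((name, stmt))
        # "Missing evidence of authority checks": the statement right after an
        # AUTHORITY-CHECK must evaluate SY-SUBRC, otherwise the check is decorative.
        if stmt.upper().startswith("AUTHORITY-CHECK"):
            nxt = stmts[i + 1] if i + 1 < len(stmts) else ""
            if "SY-SUBRC" not in nxt.upper():
                findings.append(("authority check without return code evaluation", stmt))
    return findings

# Constructed sample: a custom report as a project team might deliver it.
VULNERABLE = """\
REPORT zmat_consumption.
* material consumption per cost center
AUTHORITY-CHECK OBJECT 'Z_KOSTL' ID 'KOSTL' FIELD p_kostl.
SELECT * FROM zconsump CLIENT SPECIFIED INTO TABLE lt_cons WHERE kostl = p_kostl.
IF sy-uname = 'SCHUMACHERM'.  " debugging backdoor left in
  CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd.
ENDIF.
"""
# The same report after the findings were addressed.
FIXED = """\
REPORT zmat_consumption.
AUTHORITY-CHECK OBJECT 'Z_KOSTL' ID 'KOSTL' FIELD p_kostl.
IF sy-subrc <> 0.
  MESSAGE e001(zsec) WITH p_kostl.
ENDIF.
SELECT * FROM zconsump INTO TABLE lt_cons WHERE kostl = p_kostl.
"""

if __name__ == "__main__":
    for name, stmt in check_transport(VULNERABLE):
        print(f"RELEASE BLOCKED - {name}: {stmt}")
```

Running the script blocks the first report with four findings and lets the corrected one through; a real gate would also need to handle chained statements (`:`) and the other categories on the slide.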

Page 31

Roadmap (diagram not reproduced in the text)

Page 32

Your Turn: Questions?

Markus Seibel

GM IT Business Services

Adam Opel AG | IPC 15-03 | 65423 Ruesselsheim

[email protected]

Dr. Markus Schumacher

Virtual Forge GmbH | Speyerer Str. 6 | 69115 Heidelberg

[email protected]

Further information

Article „Sicherheitslücken und Hintertüren im ABAP-Code“ (Security holes and backdoors in ABAP code) (Link)

Article „Mit Schwachstellen umgehen und sie unter Kontrolle halten“ (Dealing with vulnerabilities and keeping them under control) (Link)