Security Advisory in the Context of the

European SAP Harmonization at General

Motors Markus Seibel, Adam Opel AG &
Dr. Markus Schumacher, Virtual Forge GmbH
 Company Overview
SAP CCoE at Adam Opel AG / Vauxhall
SAP-CCoE (certified since 2005)
Responsible for GM / Opel SAP Implementations in Europe
Leading model and part of future global GM SAP CCoE

Program Focus Rel. Users

New ERP Opel / Vauxhall and Chevy Europe ECC 6 (EHP4) 11.500
BI (NW7 EHP1)

OSV * Opel Special Vehicles GmbH R/3 4.7 350

GSF GM Springhill Plant (Tenessee/USA) ECC 5.0 DIMP, 470
SRM 5.0, BI 7.0
HR-BPO HR Business Process Outsourcing R/3 4.7 2.500
(O/V SAP-CCoE has only coordination resp.)

GMSA * GM South Africa R/3 4.6C, BW 3.1, 1.200

(O/V SAP-CCoE has only coordination resp.) APO 3.1, WAS 6.10

Virtual Forge GmbH

Gartner: Cool vendor in the SAP ecosystem 2011
Vendor of CodeProfiler, leading ABAP analysis solution
Page 2
 Project presentation
O/V SAP newERP Harmonization
Opel/Vauxhall SAP newERP Harmonization Program
Data center relocation and unicode conversion of R/3 4.7 MDMP system
(code pages: Western Europe, Eastern Europe, Cyrillic) => new ERP
Feb. 2011
Release Upgrade of BW 3.5 to BI 7 (EHP1) incl. UC conversion
Mar. 2011
Release Upgrade of the new ERP system from R/3 4.7 to ECC 6 (EHP4)
April 2011
Migration of GSF System (Opel & Chevrolet National Sales Companies) into new
ERP and leaving GSF Springhill offspin for DC relocation to US
September 2011
Migration of Formula 1 System (Opel Powertrain) into newERP
February 2012

Migration of OSV System into newERP ongoing

Build of interim 3-client archive system ongoing
Deployment of Chevy Sales Companies on new ERP ongoing
Page 3
 O/V SAP newERP Harmonization
Outcome / Lessons Learned

Programming/Code issues needed to be overcome by workarounds

until they got fixed
Data migration run through more iterations as expected

Execution in time and quality

95 processes for Manufacturing, Powertrain and Sales Companies are
running for approximate 12000 Users in one environment
Enablement for ongoing Vehicle and Powertrain processes optimization
i.e. DataWarehouse, Product Costing or PPO.
Solution can be adopted for Chevy Europe and leveraged within GM
Seite 4
 Agenda
Security & Compliance a question of perception
Security Trends
Evolution of attackers: from script kiddies to professionals

Companies as targets of attacks

Attack surface of SAP-landscapes

Field observation: what goes wrong

Compliance beyond GRC checks: Broken/missing authority checks

Calling arbitrary RFC function modules

Executing Operating System commands

SE38

Towards a holistic view on SAP Security & Compliance

Page 5
 Agenda
Security & Compliance a question of perception
Security Trends
Evolution of attackers: from skriptkiddies to professionals

Companies as targets of attacks

Attack surface of SAP-landscapes

Field observation: what goes wrong

Compliance beyond GRC checks: Broken/missing authority checks

Calling arbitrary RFC function modules

Executing Operating System commands

SE38

Towards a holistic view on SAP Security & Compliance

Page 6
 ABAP Development from a Compliance View
Click
ICS Structure in ERP
to edit textEnvironment

ITGC - IT General Controls

Change Management

ABAP Code
Business Process Risks
Completeness Privileges
Correctness Traceability
Segregation of Duties Data Protection
Page 7
 (Wrong) Focus on Transactions (only)
Its the ABAP commands, not the transactions, that are dangerous.

Example: Creation of ABAP programs

SE 80 SE 38
Risk Risk
Transaction ZTRANS1 Function Module ZFB1

INSERT REPORT
Risk Risk
Transaction ZTRANS2 Function Module ZFB2

Risk Risk
REPORT ZREP Business Server Page ZBSP
Risk
Web Dynpro Applications ZWD
Page 8
 Entering Your SAP System
User Interfaces External Systems

SAP GUI Standalone ITS

BSP SAP-System
ITS Non-SAP-System
WebDynpro ABAP

Indirect ABAP-System
User Interfaces
Database
Java-Applications Files
Java EE/Portal (Web Application) Firewall RFC
WebDynpro Java PI
Web-Services
Page 9
 Resulting Risks
Unauthorized execution of business logic

Unauthorized access to business and system data

Unauthorized change of business and system data

Loss of system availability

Loss of accountability

Identity theft
Page 10
 General project challenges
Goals of the project / implementation team:
Project budget and go-live date
Delivered product must work at point in time of hand-over
Satisfy the direct customers (e.g. new site)
Minimize coordination effort where ever possible
(with the customer as well as team-/supplier internally)
Minimize regression tests
Scope reductions (classic not part of our job / contract discussions)

Goals of customer / system owner / CCoE:

Long term maintainability
Harmonized processes and templates
Avoiding redundancies
Low operating costs
Secure environment
Page 11
 General project challenges
Goals of the project / implementation team:
Project budget and go-liveApproaches
date
Clone
Delivered product must work existing
at point ABAP
in time code instead of extending or
of hand-over
reusing existing functionality
Satisfy the direct customers (e.g. new site)
Ignore template, rather clone legacy system where
Minimize coordination effort ever
where ever possible
possible
(with the customer as well as team-/supplier
Quick internally)
& dirty, hard-coded
Minimize regression tests Cheap resources instead of experienced staff
Scope reductions (classic not partprogress
Delay of our jobin/order
contract discussions)
to force customer to accept
unsatisfactory solutions to keep time line

Goals of customer / system Have you owner / CCoE: where all the vulnerabilities
ever wondered,
Long term maintainabilityare coming from?
Harmonized processes and templates
Avoiding redundancies An SAP CCoE has to combine two contradicting
Low operating costs goals to make a project really successful:
Secure environment Support and manage the project
Defend the system against the project team (!)
Page 12
 Agenda
Security & Compliance a question of perception
Security Trends
Evolution of attackers: from skriptkiddies to professionals
Companies as targets of attacks
Attack surface of SAP-landscapes
Field observation: what goes wrong
Compliance beyond GRC checks: Broken/missing authority checks

Calling arbitrary RFC function modules

Executing Operating System commands

SE38

Towards a holistic view on SAP Security & Compliance

Page 13
 Evolution of Attackers
Script kiddie

Minor knowledge

Works with copy & paste and uses public information, programs, tools, etc. in
order to attack / damage computer systems

Random targets

Motivation: usually reputation

Page 14
 Evolution of Attackers
Professional Attacker

Highly skilled

Almost unlimited time and money resources

Targeted attacks (e.g. Stuxnet)

Often internal attackers

Motivation: industrial espionage, sabotage, competitive advantage

Page 15
 Companies as Target

Source: Best Practice, Das

Kundenmagazin von T-Systems,
Ausgabe 4 | 2011, S. 44.
Page 16
 Hackers aiming at SAP Unreported Cases?
Page 17

Source: DSAG Technologietage,

Bernd Reske, SAP AG, SAP im Fokus der Hacker!?
 Agenda
Security & Compliance a question of perception
Security Trends
Evolution of attackers: from skriptkiddies to professionals
Companies as targets of attacks
Attack surface of SAP-landscapes
Field observation: what goes wrong
Compliance beyond GRC checks: Broken/missing authority checks
Calling arbitrary RFC function modules
Executing Operating System commands
SE38
Towards a holistic view on SAP Security & Compliance
Page 18
Common Misunderstandings...
SE38 ABAP Editor
Q: Which authorizations and settings are necessary to edit a repository
object like e.g. an ABAP program?
A: Part I, official answer:
An open system, a developer key, object S_DEVELOP with
respective access, one valid AWB entry transaction
(The transaction code does not matter! see next slides)
A: Part II, the creative approach:
Applications like e.g. query builder or LSMW offer sections to include
own ABAP code, if S_DEVELOP is granted respectively even
without developer key and in a closed system!
A: Part III, hackers favourite:
A code injection vulnerability (no authority and no special system
setting required)
Common Misunderstandings...
Common Misunderstandings...
Common Misunderstandings...
 Transaction secure, but
Dynamic code generation still possible
Potentially dangerous ABAP commands

INSERT REPORT GENERATE SUBROUTINE POOL

Source: BlackHat Briefings 2011, Andreas Wiegenstein,

The ABAP Underverse
Page 23
 Execute OS Commands
Q: Which access is needed to execute an operating system command?
A: Part I official answer
- Access to transaction SM49
- Object S_RZL_ADM (ACTVT=01 or 03)
- Object S_LOG_COM for the command itself

A: Part II creative approach

- Access to transactions SM36/SM37
- Object S_BTCH_ADM
- Object S_RZL_ADM (ACTVT=01)

A: Part III alternatives

- the right ABAP statement
- requires however still access to S_DATASET or S_C_FUNCT
Page 24
 SM49 Execute OS Commands

Controlled Operating System (OS) Command Execution

SM49 / SM69
ABAP OS Call OS Command
Command Program
LIST ls
'LIST' 'ls'
PING ping
X_PYTHON x_python
OS
2010 Virtual Forge GmbH. All rights reserved.

Bypassing SM49 / SM69 restrictions

CALL 'SYSTEM' ...

OPEN DATASET ... FILTER 'format c:'
Page 25
 Authorizations Broken / Missing
Missing authority checks Roles & Authorizations
CALL TRANSACTION
AUTHORITY
RFC enabled functions CHECK

Reports

OK
Authority Checks without check of return code
ASSET
Failed
2010 Virtual Forge GmbH. All rights reserved.

Authority Checks with incomplete checks

Hard-coded user names

IF SY-UNAME = SCHUMACHERM'.
Page 26
 or simply the WRONG checks!
Custom material consumption report per cost center
Authority check requirement to restrict display per cost center was
implemented using object A_S_KOSTL (asset master maintenance)

Audit comment : Missing authority checks in reports

A new Z-Object with one field (BUKRS) was created and put into all
custom developed code delivered by the project team it did not at all
matter whether it was write or read access and which module was
affected (FI, CO, MM)

Star values" for unknown or optional auth. objects

The profile generator suggests it, so it seems to make sense. Before
wasting time and investigate, lets click on the yellow traffic light

Hard-coded authority checks were copied from legacy SAP system

pointing to non-existent org. elements
Page 27
 Agenda
Security & Compliance a question of perception
Security Trends
Evolution of attackers: from skriptkiddies to professionals
Companies as targets of attacks
Attack surface of SAP-landscapes
Field observation: what goes wrong
Compliance beyond GRC checks: Broken/missing authority checks
Calling arbitrary RFC function modules
Executing Operating System commands
SE38
Towards a holistic view on SAP Security & Compliance
Page 28
 Key Take Aways
All authority requirements must be coordinated with security team
Uncoordinated process changes appear often camouflaged as
authorization issues
Close dependency between customizing and SAP security
Negative requirements to be specified in advance
Security requirements must be part of development guidelines
Tool based enforcement of security requirements
Page 29
 Enforced Check
Since a couple of years, Opel / GM is using a custom developed solution
for change and transport management (similar functionality and
philosophy like ChaRM)

Part of this solution is the check of transports during release (in case of a
finding, release is stopped)
Kernel and operating system calls
Repository and ABAP Commend Injection
Native SQL
SY-UNAME/SYSID/MANDT in IF / CASE / CHECK
Cross-client SQL
Missing generic XSS prevention in Business Server Pages
Direct updates to critical tables
Missing evidence of authority checks
Consistency and rules check for security roles
Page 30
Seite 31

Roadmap
 Your Turn: Questions?
Markus Seibel
GM IT Business Services
Adam Opel AG | IPC 15-03 | 65423 Ruesselsheim
markus.seibel@de.opel.com

Dr. Markus Schumacher

Virtual Forge GmbH | Speyerer Str. 6 | 69115 Heidelberg
markus.schumacher@virtualforge.com

Weiterfhrende Informationen

Artikel Sicherheitslcken und Hintertren im ABAP-Code (Link)

Artikel Mit Schwachstellen umgehen und sie unter Kontrolle halten (Link)
Page 32
 Current SUGEN Members
Last Page