2012 Onapsis, Inc. All Rights Reserved.
SAP Security In-Depth
Securing the Gates to the Kingdom: Auditing the SAProuter
by Nahuel Sanchez
Vol. 06 / Sep 2012
Abstract

The SAProuter is one of the most critical components of any SAP platform. Working as an application-level gateway, it is usually connected to untrusted networks and restricts access to the backend SAP systems.

If not properly secured, remote attacks on an SAProuter implementation could result in malicious parties accessing the SAP platform and other systems in the organization's internal network.

This issue provides an introduction to the SAProuter, followed by an analysis of security threats and obscure attack vectors on such components. Each of the described risks is presented with countermeasures and protection strategies, to effectively mitigate it and increase the protection of the organization's SAP platform against cyber-attacks.
Copyright Onapsis, Inc. 2012 - All rights reserved.

No portion of this document may be reproduced in whole or in part without the prior written permission of Onapsis, Inc. Onapsis offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Onapsis makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards.

This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.

SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.
What is the SAP Security In-Depth Publication?

Until 2007, SAP security was regarded as a synonym for Segregation of Duties (SoD) by the majority of the Information Security community. While this aspect of security is mandatory and of absolute importance, many threats which entail much higher levels of business risk have so far been omitted from Auditing and Information Security practices.

The technological components of these business-critical solutions introduce many specific security concerns that, if not addressed appropriately, can be the source of information security attacks on the confidentiality, integrity and/or availability of the critical business information processed. Therefore, failing to properly protect these components can leave business information at risk of espionage, fraud and sabotage attacks.

SAP Security In-Depth is a publication led by the Onapsis Research Labs with the purpose of providing specialized information about current and future risks in this area, allowing different actors (financial managers, information security managers, SAP administrators, auditors, consultants and others) to better understand the risks involved and the techniques and tools available to assess and mitigate them.
TABLE OF CONTENTS

1. INTRODUCTION ........................................ 6
2. THREATS & COUNTERMEASURES .......................... 13
3. ATTACK VECTORS ..................................... 15
4. CONCLUSIONS ........................................ 20
5. REFERENCES ......................................... 21
SAP Security In-Depth Vol. 6 - Securing the Gates to the Kingdom: Auditing the SAProuter
EXECUTIVE SUMMARY

While the SAP Security In-Depth publication delves into complex technical security aspects of these platforms, we consider it important to provide an executive summary, using non-technical language, to highlight the outstanding concepts and risks presented in this volume.

Key concepts analyzed in this edition:

- SAP provides different technologies to enable remote access to the company's business applications.
- Each of these technologies features a complex and different security architecture, which must be holistically understood in order to be properly evaluated.
- This publication analyzes the current risks affecting these components and the necessary measures that must be taken in order to mitigate them.

Key findings and risks:

- Certain features of the SAProuter are only supposed to be used by SAP AG for remote support. However, if not properly secured, attackers may abuse them to access systems in the organization's internal network (File Servers, Intranets, etc.).
- If an attacker is able to exploit security vulnerabilities in misconfigured SAProuters, there is a high probability that he will be able to access the backend SAP systems.
- Many organizations are currently exposing their backend SAP systems to the Internet through SAProuters. Remote attackers can easily discover these backend SAP systems by scanning the network.

2012 Onapsis, Inc 5
1. INTRODUCTION

1.1. What is a SAProuter?

In a typical network environment, the organization's SAP systems are located behind several perimeter security devices such as proxies or firewalls. The following diagram illustrates a typical network infrastructure, showing the different network-related components and hosts:

Image 0. Typical network environment.

Strictly speaking, the SAProuter is an SAP program that tunnels or routes ingoing and outgoing connections to the organization's SAP systems, from other systems in the Local Area Network, from partners or from SAP AG (typically in situations where the company requires support). In other words, the SAProuter acts as a controlled gate to the organization's SAP systems. [1]
1.2. Why should you use a SAProuter?

SAProuter has the following capabilities, among others:

- Control and log connections to the organization's SAP systems.
- Solve network address conflicts between network systems.
- Improve overall security by allowing connections only from trusted addresses.
- Enforce the use of Secure Network Communications (SNC).

From a security point of view, the SAProuter is useful as it can be used to add an extra layer of security by logging the connections to the SAP platform and enforcing SAP protocol-level controls, such as SNC encryption and the use of connection passwords.

SAP system connections without SAProuter

The next diagram shows a network topology without the use of SAProuter.

Image 1. Connections without SAProuter

In this scenario, access management to the SAP platforms is handled at the network firewall. For each new connection that is required, new exceptions in the firewall policy need to be created.
SAP system connections implementing SAProuter

The following picture shows the network topology when SAProuter is implemented.

Image 2. Connections through SAProuter

In this case only one exception in the firewall is needed: from the client systems to the target SAProuter. The SAProuter restricts access to the backend SAP systems through its Route Permission Table. [2]

IMPORTANT SECURITY NOTE: SAProuter does NOT replace firewalls or other network security devices, but complements them. It is critical to understand this concept: the SAProuter was not designed to stop attacks like firewalls or packet filters do. Additionally, if the SAProuter is exposed without a firewall, all the Operating System services and ports will be accessible from the untrusted network.

1.3. How does it work?

SAProuter's behavior is driven by a configuration file called the Route Permission Table. This file comprises a set of rules allowing or denying access to specific hosts and services. The Route Permission Table contains the host names and port numbers of the predecessor and successor points of the route (from SAProuter's point of view) as well as the passwords required to set up the connection (if configured). [2]
Using this access control list, the SAProuter decides which connections should be allowed and which should not. It is also possible to use SNC connections with SAProuter (for further information refer to the section SAProuter and Secure Network Communications). Clients connecting through a SAProuter must first configure a Route String, which is explained in detail at the end of this section.

Configuring the Route Permission Table

The Route Permission Table file, by default called saprouttab, is a text file containing a set of lines, each having the following format:

P / S / D  <source-host>  <dest-host>  <dest-serv>  [<password>]

The first letter is the command. There are three options for the command:

- [P]ermit: SAProuter grants the connection. A number may follow the P, specifying the maximum number of hops allowed for this route.
- [S]ecure: Only allows connections using the SAP Protocol; connections with other protocols are not allowed. A number may follow the S, specifying the maximum number of hops allowed for this route.
- [D]eny: Prevents the connection from being set up. It is a straightforward denial of the connection.

Following the command, there are three other mandatory options that should be configured for every entry:

- <source-host>: Source host of the connection to the SAProuter. This option can be configured as a host name, an IP address or an IP subnetwork.
- <dest-host>: Destination host that the connection is connecting to. This option can be configured as a host name, an IP address or an IP subnetwork.
- <dest-serv>: (TCP) Service that the connection is pointing to. This is the TCP port and can be configured as a single TCP port (e.g. 3200), as a service name (e.g. sapgw00) or as a port range, separated by a dot (e.g. 3200.3299).

NOTE: The SAProuter follows the First Match, Deny on No-Match criteria. Therefore, if there is an entry in the saprouttab that matches the connection, then the SAProuter acts according to that entry (Permit/Deny). If there is no entry matching the connection, then the connection is automatically denied.
Examples of regular (non-SNC) entries in the Route Permission Table:

D 192.168.1.10 192.168.3.100 3200
P 192.168.1.5 * 5000.5010 s3cr3t
P 192.168.1.6 192.168.3.101 sapdp00
#Comment

SAProuter and Secure Network Communications

SAProuter allows its users to increase the overall level of communication security (network level) using SNC. The SAP Secure Network Communications protocol provides authentication and encryption to data that needs to be transferred over unreliable networks such as the Internet. [4]

The following are the prerequisites to use SNC with SAProuter:

- SAProuter's version must be 30 or higher.
- The source and destination SAProuters need to be started with the -K option (for further information, please refer to [1]).
- There must be a KT entry in the source and in the destination SAProuter's permission tables. These types of entries define the use of SNC.
- There must be a KP entry in the source and in the destination SAProuter's permission tables. These entries allow the SNC connection.

Entries in the Route Permission Table to use SNC

The SNC routes start with K. Entries can be of two types:

1. KT entries: These entries define which connections are to be encrypted using SNC. Connections can be ingoing or outgoing.
2. KD, KP and KS entries: These follow the syntax of the normal entries, with a K added at the beginning of the command.
Examples of SNC entries in the Route Permission Table:

# Connections to and from saprouter02 should be SNC
KT p:CN=saprouter02,OU=Test,O=Company,C=JM 10.20.30.40 *
# Connections to and from saprouter03 should be SNC
KT p:CN=saprouter03,OU=Test,O=Company,C=JM 10.20.30.50 *
# Allow SNC connections from saprouter02 with password
KP p:CN=saprouter02,OU=Test,O=Company,C=JM 172.16.1.1 3200 pwd321

Route String configuration

Route Strings are connection strings which define the path that clients must follow to reach the SAP systems through SAProuters. These connection strings have the following syntax:

(/H/host/S/serv/W/pass)*

Where:

/H/ = next hop host.
/S/ = next hop port/service.
/W/ = next hop connection password (optional).

Example of a valid Route String:

/H/192.168.0.150/S/3299/H/192.168.3.100/S/3200/W/secret

Where:

192.168.0.150 = SAProuter's IP address.
3299 = SAProuter's TCP listening port.
192.168.3.100 = SAP system IP address.
3200 = SAP system TCP listening port.

Note: SAProuters can be chained.
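The route string grammar above, worked as a small parser. This is an added example, not code from the paper or from SAP: it splits a route string into its hops, rejects strings that do not follow the (/H/host/S/serv/W/pass)* form, names the SAProuters traversed and the final SAP system, and produces a password-masked copy, which is the form a reviewer should see in tickets and connection logs rather than the /W/ secret itself. The function names (parse_route_string, redact_route_string, describe, is_valid_route_string) are this example's own, and every sample string other than the paper's own example is constructed.

```python
import re

# Route string grammar from the paper: (/H/host/S/serv/W/pass)*
# /H/ next hop host, /S/ next hop port or service, /W/ optional connection password.
_HOP_RE = re.compile(r"/H/(?P<host>[^/]+)/S/(?P<serv>[^/]+)(?:/W/(?P<pw>[^/]+))?")


def parse_route_string(route):
    """Split a route string into its hops.

    Returns a list of dicts with keys host, serv and password (None when no /W/
    part is present). Raises ValueError when the string does not follow the
    grammar, so a malformed or truncated route string is rejected instead of
    being routed somewhere unexpected.
    """
    if not route.startswith("/H/"):
        raise ValueError("route string must start with /H/")
    hops, pos = [], 0
    while pos < len(route):
        m = _HOP_RE.match(route, pos)
        if not m:
            raise ValueError("malformed route string at offset %d: %r" % (pos, route[pos:]))
        hops.append({"host": m.group("host"), "serv": m.group("serv"), "password": m.group("pw")})
        pos = m.end()
    return hops


def is_valid_route_string(route):
    """True when the string follows the grammar, False otherwise."""
    try:
        parse_route_string(route)
        return True
    except ValueError:
        return False


def format_route_string(hops, mask_passwords=False):
    """Rebuild a route string; with mask_passwords=True every /W/ value becomes ***."""
    parts = []
    for hop in hops:
        parts.append("/H/%s/S/%s" % (hop["host"], hop["serv"]))
        if hop["password"] is not None:
            parts.append("/W/" + ("***" if mask_passwords else hop["password"]))
    return "".join(parts)


def redact_route_string(route):
    """Version of the route string that is safe to write to a log or a ticket."""
    return format_route_string(parse_route_string(route), mask_passwords=True)


def describe(route):
    """Name the SAProuters traversed and the final SAP system, as in the paper's example."""
    hops = parse_route_string(route)
    return {"saprouters": [(h["host"], h["serv"]) for h in hops[:-1]],
            "target": (hops[-1]["host"], hops[-1]["serv"]),
            "target_password_set": hops[-1]["password"] is not None}


# The paper's example: one SAProuter (192.168.0.150:3299) in front of the SAP
# system 192.168.3.100:3200, protected by a connection password.
EXAMPLE = "/H/192.168.0.150/S/3299/H/192.168.3.100/S/3200/W/secret"

if __name__ == "__main__":
    print(describe(EXAMPLE))
    print(redact_route_string(EXAMPLE))
```

Because the hops are parsed left to right, a chained configuration (several /H/.../S/... pairs before the final SAP system) comes out as a list of SAProuters followed by one target, which is the view an auditor needs when checking that each hop is an approved router.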
SAP Network Interface (SAP NI Protocol)

The SAProuter implements the Network Interface protocol (NI protocol). This protocol has been designed to provide a platform-independent interface and is used to communicate between the different components and services of the SAP systems. [3]

The NI protocol can work in three different modes:

1. NI_RAW_IO: This mode is used to communicate between SAP applications. Furthermore, this mode is used for native protocol routing.
2. NI_MESG_IO: Primarily used for communication between SAP applications, this mode is also known as SAP Protocol. This communication mode supports three different types of special messages: NI_PING, NI_PONG and NI_RTERR, used for keepalive, test and error messages respectively.
3. NI_ROUTE_IO: Similar to NI_MESG_IO, but keepalive responses are ignored. This is the most common message type used by the SAProuter.
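As an added illustration of the two message-oriented modes (not code from the paper or from SAP), the following reader splits a byte stream, such as one taken from a capture of SAProuter traffic, into NI frames, classifies the keepalive and route-error messages named above, and applies the one behavioural difference the paper states between NI_MESG_IO and NI_ROUTE_IO: in route mode a received NI_PONG is ignored. The paper does not give the byte layout; the framing used here (a 4-byte big-endian length prefix and NUL-terminated NI_PING / NI_PONG / NI_RTERR tokens) is taken from open-source NI implementations such as pysap and should be read as an assumption of this example. The sample stream is constructed.

```python
import struct

# Wire framing of NI_MESG_IO / NI_ROUTE_IO as implemented by open-source NI parsers
# (e.g. pysap): a 4-byte big-endian length followed by the payload, with the special
# messages the paper names carried as NUL-terminated tokens. The paper itself does not
# specify this layout, so treat the framing as an assumption of this example.
NI_PING = b"NI_PING\x00"
NI_PONG = b"NI_PONG\x00"
NI_RTERR = b"NI_RTERR\x00"


def encode_frame(payload):
    """Prefix a payload with its big-endian 32-bit length."""
    return struct.pack("!I", len(payload)) + payload


def classify(payload):
    """Map a frame payload to one of: ping, pong, route_error, data."""
    if payload == NI_PING:
        return "ping"
    if payload == NI_PONG:
        return "pong"
    if payload.startswith(NI_RTERR):
        return "route_error"
    return "data"


def decode_frames(stream):
    """Split a TCP byte stream into complete frames.

    Returns (frames, remainder): frames is a list of (kind, payload) tuples and
    remainder holds the bytes of a trailing incomplete frame, which the caller
    must keep until more data arrives instead of treating them as a message.
    """
    frames, pos = [], 0
    while pos + 4 <= len(stream):
        (length,) = struct.unpack_from("!I", stream, pos)
        if pos + 4 + length > len(stream):
            break                                   # partial frame: wait for the rest
        payload = stream[pos + 4:pos + 4 + length]
        frames.append((classify(payload), payload))
        pos += 4 + length
    return frames, stream[pos:]


def dispatch(kind, mode):
    """What a receiver does with a frame in the two message-oriented modes."""
    if kind == "ping":
        return "send_pong"                          # keepalive is answered in both modes
    if kind == "pong":
        return "ignore" if mode == "NI_ROUTE_IO" else "keepalive_ok"
    if kind == "route_error":
        return "report_error"
    return "deliver"


# Constructed capture: a keepalive, an application message, a route error and the
# first 7 bytes of a 16-byte frame that has not fully arrived yet.
SAMPLE = (encode_frame(NI_PING) + encode_frame(b"\x00\x01sample-payload")
          + encode_frame(NI_RTERR + b"route permission denied") + b"\x00\x00\x00\x10abc")

if __name__ == "__main__":
    frames, rest = decode_frames(SAMPLE)
    for kind, payload in frames:
        print(kind, dispatch(kind, "NI_ROUTE_IO"), payload)
    print("buffered for next read:", rest)
```

The remainder handling is the part worth keeping in any monitoring code: a length-prefixed protocol read from a TCP socket arrives in arbitrary chunks, and a parser that treats a partial frame as a message will misclassify everything that follows it.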
2. THREATS & COUNTERMEASURES

This section outlines some of the most important threats affecting SAProuter implementations, along with key concepts on how to mitigate them.

2.1. Vulnerable SAProuter version

As any other program, the SAProuter can be prone to software security vulnerabilities, such as memory corruption issues, that would enable an attacker to perform unauthorized activities on the SAProuter system.

Protection / Countermeasures

Ensure that the latest available version of the SAProuter provided by SAP AG is being used. Keep the SAProuter binary updated with the security patches released by SAP.

2.2. Permissive Route Permission Tables

The Route Permission Table is probably the most critical aspect of the SAProuter's security, as it defines which connections are allowed or denied. It is possible to configure wildcards for the entry fields of the Route Permission Table, which match any value for that specific parameter. It is very common to find SAProuters configured with vulnerable tables, having wildcards in many fields. A typical example of misconfiguration found in real-world assessments performed by Onapsis is shown in the following excerpt:

P 192.168.0.* sapserver01 3200
P * sapserver02 3201
P * * *
#PERMIT ALL

The last rule defines a Permit command with a wildcard in every field. Therefore, the SAProuter will allow any incoming connection and attempt to establish it with the target system specified by the client.

Protection / Countermeasures

Only allow the necessary connections through the SAProuter. The Route Permission Table entries should be as restrictive as possible. Specifically:

- Avoid the use of wildcards in the entry fields as much as possible.
- If only SAP-protocol connections are being used, use S instead of P to prevent the routing of native protocols.
- Ensure that there are no rules that allow connections to the SAProuter host and service themselves from unauthorized sources, as they can be abused to perform Information Requests.
- Set D * * * * as the last entry of the file. While probably redundant today, it may be useful to prevent future attacks or changes in the SAProuter evaluation policy.
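To make the evaluation rules from section 1.3 and the checklist above concrete, here is an added example (not code from the paper, from SAP or from Bizploit) that parses a saprouttab, decides a connection the way the paper describes (first match, deny on no match, S entries refusing native protocols) and audits the table against the countermeasures just listed: wildcards in the host fields, P where S would do, entries that reach the SAProuter's own host and service, and a missing trailing deny. Host matching is a static string comparison with * wildcards (no name resolution), SNC (K*) entries are skipped, and the two sample tables, including the router host name saprouter01 used for the self-connection check, are constructed for the example; the permissive one mirrors the excerpt shown above.

```python
from collections import namedtuple
import fnmatch
import re

# Route Permission Table (saprouttab) entry, as described in sections 1.3 and 2.2:
#   <P|S|D>[max-hops] <source-host> <dest-host> <dest-serv> [<password>]
# '#' starts a comment. First matching entry wins; no match means deny.
Entry = namedtuple("Entry", "line_no command max_hops source target service password")


def parse_saprouttab(text):
    """Parse the non-SNC entries of a saprouttab; K* (SNC) lines are skipped here."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("K"):
            continue
        fields = line.split()
        m = re.fullmatch(r"([PSD])(\d*)", fields[0])
        if not m or len(fields) < 4:
            raise ValueError("line %d: malformed entry %r" % (line_no, raw))
        entries.append(Entry(line_no, m.group(1), int(m.group(2)) if m.group(2) else None,
                             fields[1], fields[2], fields[3],
                             fields[4] if len(fields) > 4 else None))
    return entries


def _host_matches(pattern, host):
    # '*' alone or inside an address (192.168.0.*) is a wildcard; anything else is an
    # exact host name / IP comparison. Static check only: no name resolution is done.
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())


def _service_matches(pattern, service):
    if pattern == "*":
        return True
    rng = re.fullmatch(r"(\d+)\.(\d+)", pattern)  # port range such as 3200.3299
    if rng and service.isdigit():
        return int(rng.group(1)) <= int(service) <= int(rng.group(2))
    return pattern == service                     # single port or service name


def evaluate(table, source, target, service, sap_protocol=True):
    """First match, deny on no match; an S entry refuses native (non-SAP) protocols.
    Returns (decision, matching entry or None)."""
    for e in table:
        if (_host_matches(e.source, source) and _host_matches(e.target, target)
                and _service_matches(e.service, service)):
            if e.command == "D" or (e.command == "S" and not sap_protocol):
                return "deny", e
            return "permit", e
    return "deny", None


def audit(table, router_host, router_service="3299"):
    """Flag the weaknesses section 2.2 warns about; an empty list means none were found."""
    findings = []
    for i, e in enumerate(table):
        where = "line %d (%s %s %s %s)" % (e.line_no, e.command, e.source, e.target, e.service)
        if e.command != "D":
            if e.source == "*" or e.target == "*":
                findings.append(where + ": wildcard in source or destination host field")
            if e.command == "P":
                findings.append(where + ": P also routes native protocols; use S if only SAP protocol connections are needed")
            if _host_matches(e.target, router_host) and _service_matches(e.service, router_service):
                findings.append(where + ": permits connections to the SAProuter itself (information requests)")
        if (e.source, e.target, e.service) == ("*", "*", "*") and i < len(table) - 1:
            findings.append(where + ": catch-all entry; the %d entries after it can never match" % (len(table) - i - 1))
    last = table[-1] if table else None
    if last is None or last.command != "D" or (last.source, last.target, last.service) != ("*", "*", "*"):
        findings.append("table does not end with an explicit 'D * * * *' catch-all entry")
    return findings


# Constructed sample tables. PERMISSIVE mirrors the excerpt shown in section 2.2; the router
# host name 'saprouter01' used in the self-connection check is an assumption of this example.
PERMISSIVE = """\
P 192.168.0.* sapserver01 3200
P * sapserver02 3201
P * * *
#PERMIT ALL
"""
HARDENED = """\
S 192.168.0.* sapserver01 3200
S 10.0.0.5 sapserver02 3201.3209
D * * * *
"""


def demo():
    """Decide a few connections against both tables and audit each of them."""
    perm, hard = parse_saprouttab(PERMISSIVE), parse_saprouttab(HARDENED)
    return {
        "internet_to_fileserver": (evaluate(perm, "203.0.113.9", "fileserver", "445")[0],
                                   evaluate(hard, "203.0.113.9", "fileserver", "445")[0]),
        "lan_sap_protocol": evaluate(hard, "192.168.0.7", "sapserver01", "3200")[0],
        "lan_native_protocol": evaluate(hard, "192.168.0.7", "sapserver01", "3200", False)[0],
        "permissive_findings": audit(perm, "saprouter01"),
        "hardened_findings": audit(hard, "saprouter01"),
    }
```

Running demo() shows the permissive table letting an Internet source reach an arbitrary internal file server port while the hardened table denies it, the same LAN client being permitted over the SAP protocol but refused a native protocol by the S entry, and the auditor reporting seven findings for the permissive table and none for the hardened one. The hardened table also shows the port-range form (3201.3209) from section 1.3 in use.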
3. ATTACK VECTORS

This section describes possible attack vectors over vulnerable SAProuters. The presented techniques can be used to perform security assessments over SAProuters in a blackbox approach. These vulnerability assessment and exploitation techniques can be used to detect unsafe configurations and to illustrate the risks that unprotected SAProuters could pose to the SAP infrastructure, as well as to other systems of the organization.

3.1. SAProuter Connection Table Retrieval

If connections from unauthorized hosts to the SAProuter itself are permitted, an attacker would be able to obtain valuable information such as details about connected clients, SAP servers and services being used. To retrieve the information provided by the SAProuter, using the SAProuter executable itself, the following command should be executed:

saprouter -l -H

The results of the execution of the information retrieval command are shown in the following image. Performing this attack, a malicious party would be able to obtain the following information:

- Currently established connections
- Allowed clients
- Internal network IP addresses
- Services in use
- Version of SAProuter
- Version of NI protocol
- SAProuter's Operating System flavor (Windows/Unix)

Image 4. Information retrieved from a remote SAProuter.

Note: Onapsis Bizploit's getSAPRouterInfo module [5], available in version 1.5, can help you perform this type of assessment to evaluate whether your SAProuter is properly protected.

Protection / Countermeasures

Do not allow connections from unauthorized systems to the SAProuter's IP address and service (or any superset that would imply so). Please check the protection measures outlined in section 2.2.

3.2. Internal Network Port-scanning through SAProuter

Another interesting attack vector that takes advantage of misconfigured Route Permission Tables is the possibility of discovering systems in the organization's internal network by proxying port scans through a SAProuter. Using the error messages produced by the SAProuter when a connection cannot be established, an attacker can determine whether a port on a remote host is open or closed. Therefore, by sending simple connection requests (NI_ROUTE_IO packets) to specific IP addresses and ports, it is feasible to discover live (and reachable) systems behind the SAProuter.
For example, take the following diagram:

Image 7. Attacker guessing open ports in Server A

The SAProuter's Route Permission Table is configured as follows:

P * * * *

In this scenario, the attacker can identify all the open ports in Server A or in any other server reachable by the SAProuter.

Note: Onapsis Bizploit's saprouterSpy module [5], available in version 1.00, can help you perform this type of assessment to evaluate whether your SAProuter is properly protected.

Protection / Countermeasures

Only allow the necessary connections through the SAProuter. The Route Permission Table entries should be as restrictive as possible. Please check the protection measures outlined in section 2.2.

3.3. SAProuter Native Protocol Routing

A somewhat obscure feature: the SAProuter has the ability to proxy non-SAP protocols such as SSH, TELNET, FTP and HTTP. SAP refers to them as native protocols. This feature can be spotted in the existence of both the P and S commands to allow connections in the Route Permission Table. If an S command is used, then native protocols cannot be used for that connection.
This feature uses the NI_RAW_IO communication mode, described in the SAP Network Interface section. For more detailed information, refer to the appropriate link in the references section. [3]

The P (Permit) option allows users to establish connections with any protocol (depending on the entries configured for the specified host and system in the Route Permission Table file, as wildcards are only valid for SAP protocols in newer versions). Therefore, if the Route Permission Table is not properly configured, an attacker would be able to connect to ANY internal system and service in the organization's internal network, such as File Servers, Web Intranets, SSH servers, etc. The following image shows a common network topology using SAProuter:

Image 5. Common network topology in Company's LAN

For illustration purposes, analyze the following Route Permission Table:

P * sapserverA 3389
P * * 22

In this scenario, the attacker would be able to access the Remote Desktop service of the system sapserverA, tunneling the connection through a SAProuter.

Image 6. Attacker connected to SSH server through SAProuter.

Furthermore, abusing the presented Route Permission Table, the attacker would also be capable of accessing an internal SSH server hosted on a different, non-SAP system in the internal network.

Note: Onapsis Bizploit's saprouterNative module [5], available in version 1.5, can help you perform this type of assessment to evaluate whether your SAProuter is properly protected.

Protection / Countermeasures

The routing of native protocols is mainly used by SAP AG in order to access non-SAP services during remote support services. Therefore, there should not be many cases where user/partner connections of this type are required. If this type of connection is not necessary, it is recommended to use S instead of P for all the entries defining allowed connections. Additionally, please check the protection measures outlined in section 2.2.
4. CONCLUSIONS

The SAProuter is a critical component of any SAP platform. Since it is usually connected to untrusted networks such as the Internet or external providers, the probability of attacks by malicious parties is increased. As presented in this document, successful attacks on this component could lead to a full compromise of the SAP platform and other systems in the organization's internal network.

Following the recommendations outlined, network administrators and security officers can protect and secure their SAProuter implementations, effectively increasing the security level of the entire platform. Lastly, it is strongly recommended to perform periodic technical security assessments of SAProuters, reducing information security risks and effectively protecting the business.

For further information on this subject or to request specialized assistance, feel free to contact Onapsis at [email protected]
5. REFERENCES

[1] SAP Library: SAProuter
http://help.sap.com/saphelp_nw70/helpdata/en/4f/992d65446d11d189700000e8322d00/frameset.htm
[2] SAProuter (BC-CST-NI)
http://help.sap.com/printdocu/core/print46c/en/data/pdf/BCCSTROUT/BCCSTROUT.pdf
[3] SAP Library: NI Protocol Communication Modes
http://help.sap.com/saphelp_nw70/helpdata/en/f8/bb960899d743378ccb8372215bb767/content.htm
[4] SAP Library: SNC Connections
http://help.sap.com/saphelp_nw70/helpdata/en/4f/992d65446d11d189700000e8322d00/content.htm
[5] Onapsis Bizploit
http://www.onapsis.com/bizploit
About Onapsis X1

Onapsis X1(TM) is the industry's first comprehensive solution for the security assessment of ERP systems, currently supporting SAP NetWeaver(TM) and R/3 business solutions. Perform continuous and automated IT Security & Compliance Audits, Vulnerability Assessments and Penetration Tests over your SAP platform. Using Onapsis X1 you can decrease financial fraud risks, enforce compliance requirements and reduce audit costs significantly.

Being the first-and-only SAP-certified solution of its kind, Onapsis X1 allows you to automatically and continuously detect:

- Insecure ABAP and Java instance configurations
- Missing SAP Security Notes and patches
- Dangerous user authorizations
- Insecure interfaces between your systems

Following the product's detailed mitigation procedures, you can increase the security level of your platform to stay protected against cyber-attacks.

Get more information at www.onapsis.com/x1.
Onapsis X1 Enterprise 2 is
About Onapsis, Inc.

Onapsis provides innovative security software solutions to protect ERP systems from cyber-attacks. Through unmatched ERP security, compliance and continuous monitoring products, Onapsis secures the business-critical infrastructure of its global customers against espionage, sabotage and financial fraud threats.

Onapsis X1, the company's flagship product, is the industry's first comprehensive solution for the automated security assessment of SAP platforms. Being the first and only SAP-certified solution of its kind, Onapsis X1 allows customers to perform automated Vulnerability Assessments, Security & Compliance Audits and Penetration Tests over their entire SAP platform.

Onapsis is backed by the Onapsis Research Labs, a world-renowned team of SAP & ERP security experts who are continuously invited to lecture at the leading IT security conferences, such as RSA and BlackHat, and featured by mainstream media such as CNN, Reuters, IDG and the New York Times.

For further information about our solutions, please contact us at [email protected] and visit our website at www.onapsis.com.
www.onapsis.com
2012 Onapsis, Inc. All Rights Reserved.
Subject to Terms of Use available at
http://www.onapsis.com/legal/terms-of-use.html
The Onapsis and Onapsis Securing Business Essentials names and
logos and all other names, logos, and slogans identifying Onapsis's
products and services are trademarks and service marks or
registered trademarks and service marks of Onapsis, Inc. All other
trademarks and service marks are the property of their respective
owners.