Protocol leaves SAP apps vulnerable
SAP graphic user interface (GUI) applications are as vulnerable to attack as traditional Web applications.
This is according to Ian de Villiers, SensePost security analyst, who will speak at the 7th annual ITWeb Security Summit, taking place at the Sandton Convention Centre between 15 and 17 May.
“It has been common knowledge for a number of years that SAP GUI communicates using an unencrypted and compressed protocol by default, and numerous papers have been published by security professionals and researchers dealing with decompressing this traffic.”
According to De Villiers, most of these methods have been time-consuming, convoluted and have focused more on obtaining sensitive information, such as credentials, than a thorough understanding of the protocol used by SAP GUI.
De Villiers will demonstrate a toolset, released in the UK last year, to assist security professionals in understanding this protocol. It will also show them how this protocol makes SAP applications potentially vulnerable to a wide range of attacks that have plagued Web applications for years.
“The largest security challenge is that the protocol is insecure by default and SAP has relied on the obscurity of the compression in order to provide some level of security,” explained De Villiers.
“Encryption for SAP GUI has been available for a number of years in the form of Secure Network Communication (SNC) libraries, but have not been provided by SAP for communication between client and server components until fairly recently.”
SNC is a library that is configured within SAP and SAP client applications in order to provide encryption between SAP components. SNC can be configured to provide differing levels of protection. It can be configured to protect authentication, protect the integrity of information traversing the network or to ensure privacy.
De Villiers adds: “Previously, organisations would have to purchase an SNC library from a SAP partner in order to ensure the safety of their information.”
He advises businesses to ensure that an SNC encryption library is deployed and its use enforced within their organisations, as this will prevent attackers obtaining access to their SAP systems by arbitrarily sniffing data on the network.
“However, since SNC libraries can potentially also be consumed programmatically, this may not prevent attacks against the fundamental protocol by users with valid SAP credentials,” cautions De Villiers.
Story by Alex Kayle