When talking to customers and partners, I often hear that organizations are beginning to place more urgency on ensuring SAP application security. Given the growing trend of cyberattacks targeting enterprise resource planning (ERP) systems and the first ever Department of Homeland Security (DHS) U.S. Computer Emergency Readiness Team (US-CERT) alert for SAP business applications, companies need visibility into these implementations and appropriate security measures in place.

Many organizations are looking to move these complex ERP systems to cloud environments to increase efficiency, redefine business processes and promote flexibility. Although the SAP HANA security evolution started in 2011, refinement and maturity came with SAP HANA SPS08, which was released in 2014. Initially positioned as the in-memory database for SAP's own products, HANA has more recently been pushed as a standalone platform.

SAP HANA Attacks on the Rise

While organizations can realize great efficiencies with SAP HANA, these systems are becoming attractive targets for cybercriminals because they store business-sensitive information and processes. In today’s world, most Fortune 1,000 companies rely on SAP for ERP. This single ERP system has become a critical lifeline to companies across all industries.

An intruder who breaches an SAP HANA platform can perform a variety of different attacks, including:

  • Espionage, in which attackers obtain customer, vendor and HR data, financial planning information, balances, profits, sales information, manufacturing recipes and more;
  • Sabotage, in which malicious actors paralyze the operation of the organization by shutting down the SAP system, disrupting interfaces with other systems and deleting critical information; and
  • Fraud, in which attackers modify financial information, tamper with sales and purchase orders, create new vendors, alter vendor bank account numbers and more.

It is no wonder that critical security vulnerabilities in SAP HANA have been on the rise. To prepare customers for this threat, SAP released several versions of SAP HANA over the years, each with its own set of security features.

Timeline of the SAP HANA Security Evolution

Most critical vulnerabilities reside in earlier versions of SPS08 and SPS09. With that in mind, let’s review the SAP HANA security evolution.

  • May 2014: SAP HANA SPS08
    • Critical notes: The top three critical advisories for SPS08 relate to cross-site scripting (XSS).
  • November 2014: SAP HANA SPS09
    • HANA introduced new capabilities including user/role management, encryption, antivirus software support and support for multitenant database containers.
    • Critical notes: Potential information disclosure relating to server information (2148854); SAP HANA secure configuration of internal communication (2165583); and potential remote code execution in HANA (2197428).
  • June 2015: SAP HANA SPS10
    • With this iteration of HANA, security professionals could control access channels for users. It also featured simplified certificate management for secure sockets layer (SSL), transport layer security (TLS) and single sign-on (SSO); automatic generation of public key infrastructure (PKI) and certificates for internal communication channels; and additional hardening options for multitenant database container isolation.
    • Critical notes: Potential termination of running processes triggered by IMPORT statement (2233136); log injection and missing size restriction in SAP HANA Extended Application Services Classic (XS) (2241978); potential information leakage using default SSFS master key in HANA (2183624); and communication encryption for HANA multitenant database containers does not work as expected (2233550).
  • November 2015: SAP HANA SPS11
    • SPS11 enabled analysts to view key change information and switch data encryption on. This version automatically changed initial SSFS master keys and extended SQL injection prevention support.
    • Critical notes: Missing communication security for SAP HANA daemon service (2293958).
  • May 2016: SAP HANA SPS12
    • Enhancements included the ability to disable individual authentication mechanisms and enhanced database trace information for authorization issues.
    • Critical notes: Information disclosure in the CCMS agent of SAP HANA (2347944); information disclosure in SAP HANA cockpit for offline administration (2351486); and information disclosure in SAP HANA XS classic user self-service (2394445).
  • November 2016: SAP HANA 2
    • SAP released SAP HANA 2.0 SPS00; see the release note (2380257), FAQ (2159014) and cockpit release note (2380291).

A Patch Day Keeps Vulnerabilities Away

To ensure effective protection, it is crucial to keep SAP HANA systems updated with the latest security notes and to pay particular attention to the most critical ones. By establishing a monthly patch day, you can react quickly and apply mission-critical patches and corrections. SAP Security Patch Day falls on the second Tuesday of every month. The latest SAP HANA advisories are the best way to stay up to date with current threat intelligence.
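As an added example (not from the original article), the following script turns the monthly patch-day recommendation into a simple compliance check: it computes the most recent SAP Security Patch Day (second Tuesday of the month) and flags HANA systems whose last recorded patch date predates it. The inventory, SIDs and dates are constructed sample data, and the grace period is an assumed change-window length.

```python
"""Flag SAP HANA systems that missed the latest SAP Security Patch Day.

Added example, not code from the original article. The inventory below is
constructed sample data (placeholder SIDs and dates, not real systems).
"""
import calendar
from datetime import date, timedelta


def patch_day(year: int, month: int) -> date:
    """Second Tuesday of the given month, i.e. SAP Security Patch Day."""
    first = date(year, month, 1)
    # Days from the 1st to the first Tuesday, then one more week.
    offset = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=offset + 7)


def latest_patch_day(today: date) -> date:
    """Most recent patch day on or before `today` (handles the January wrap)."""
    pd = patch_day(today.year, today.month)
    if pd <= today:
        return pd
    year, month = (today.year, today.month - 1) if today.month > 1 else (today.year - 1, 12)
    return patch_day(year, month)


def overdue_systems(inventory: dict, today: date, grace_days: int = 14) -> list:
    """Return SIDs whose last patch date is older than the latest patch day.

    Systems are only reported once `grace_days` have elapsed since that patch
    day, so a change window is respected (assumed 14-day window).
    """
    cutoff = latest_patch_day(today)
    if (today - cutoff).days < grace_days:
        return []  # still inside the change window for this month's notes
    return sorted(sid for sid, last in inventory.items() if last < cutoff)


# Constructed sample inventory: SID -> date the last security notes were applied.
SAMPLE_INVENTORY = {
    "HDB_PRD": date(2016, 11, 9),   # patched the day after November's patch day
    "HDB_QAS": date(2016, 10, 12),  # last touched after October's patch day only
    "HDB_DEV": date(2016, 9, 1),    # two patch days behind
}

if __name__ == "__main__":
    today = date(2016, 11, 30)
    print("latest patch day:", latest_patch_day(today))
    print("overdue systems:", overdue_systems(SAMPLE_INVENTORY, today))
```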

Special Offer From IBM Security Services

You can also download the “Trends in SAP Cybersecurity” white paper. Ten qualified registrants will receive an opportunity to participate in a free, no obligation, confidential SAP Vulnerability Assessment Scan for up to five SAP systems (SAP SIDs covering ABAP stack, J2EE stack and HANA).

Download the complete White Paper: Trends in SAP Cybersecurity
