
Manipulation of the SAP Job Management
This is part three of our blog series on the Dangers in SAP Transport Management. In part one, we gave an introduction to SAP Transports. In part two, we went over the starting point of this attack, the transaction SU24. In this third installment, we focus on the manipulation of job management and the risks it poses to SAP Transports.
Job Management in SAP poses a big attack surface for external manipulation. The possibilities range from abusing the vulnerabilities of certain SAP standard jobs allowing critical job attributes to be changed, to completely defining and scheduling jobs via transport request.
Every SAP Basis administrator knows the job SAP_COLLECTOR_FOR_PERFMONITOR. It collects statistical data from files and inserts it into tables, which can then be read and processed by transactions such as ST03 and ST03N. For this, the job uses several reports, which it reads from the table TCOLL. When this table is maintained manually, added reports are checked against the fixed values of the domain COLL_RNAME, which impedes abuse; via transport, however, arbitrary reports can be added. In that case, the reports to be executed from the table TCOLL are not checked against the fixed values of the domain when they are started by SAP_COLLECTOR_FOR_PERFMONITOR. Furthermore, the job SAP_COLLECTOR_FOR_PERFMONITOR runs in the context of the user DDIC or an equivalent user, meaning that attackers will rarely encounter authorization issues. Though the job runs in client 000, this is no real limitation for an attack.
Starting with S/4HANA, SAP has introduced a new job repository for standard system jobs. The new transaction SJOBREPO has been introduced that allows authorized users to display and customize existing job definitions to a certain degree. It is also possible to completely deactivate the execution of individual jobs.
More interesting is the fact that SAP has also introduced the new transport object R3TR JOBD together with the new job repository. You can now create job definitions via transaction SE80 on the development system and transport them in a “legal” way to production! This means maximum attention is required when approving such a transport request for production. In early S/4HANA versions the jobs run in the context of the fixed standard user SAP_SYSTEM with profile SAP_ALL. In newer versions, it is possible to define a default user per client (the restriction to client 000 no longer exists) that does not necessarily need SAP_ALL. Nevertheless, SAP recommends assigning at least a generic authorization for all SAP Basis and all SAP HR authorization objects (See SAP Note #2731999). Being aware of the special attention that might be paid to the object R3TR JOBD, attackers might camouflage an attack via the job repository by transporting the individual tables that define a JOBD object instead.
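The two transport-borne vectors described above (unchecked rows added to TCOLL, and complete job definitions shipped as R3TR JOBD) can both be caught at transport-approval time by reviewing the request's object list. The following Python script is an added example, not code from the original post or from SAP: it parses a tab-separated export of transport object entries (E071-style: request, program ID, object type, object name, optional table key) and flags the risky entries. The allowlist standing in for the fixed values of domain COLL_RNAME and the sample object list are constructed for this example; in practice the allowlist would be taken from the domain in SE11 and the object list from the request under review.

```python
"""Transport-approval helper: flag job-manipulation vectors in an object list.

Added example, not part of the original post or of SAP. Assumptions:
  * COLL_RNAME_FIXED_VALUES is a constructed stand-in for the real fixed
    values of domain COLL_RNAME (look them up in SE11 before use);
  * the object list is a tab-separated export with the columns
    TRKORR, PGMID, OBJECT, OBJ_NAME and, for table entries, TABKEY.
"""
from dataclasses import dataclass

# Constructed allowlist; replace with the actual fixed values of COLL_RNAME.
COLL_RNAME_FIXED_VALUES = frozenset({"RSCOLL00", "RSSTAT60", "RSHOSTDB"})


@dataclass(frozen=True)
class TransportObject:
    trkorr: str        # transport request number
    pgmid: str         # program ID, e.g. R3TR
    obj_type: str      # object type, e.g. JOBD, TABU, PROG
    obj_name: str      # object name or table name
    key: str = ""      # table key for TABU entries (report name for TCOLL rows)


def parse_object_list(text):
    """Parse the tab-separated export; '#' lines are comments."""
    objects = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 4:
            raise ValueError(f"malformed object-list line: {line!r}")
        key = parts[4] if len(parts) > 4 else ""
        objects.append(TransportObject(parts[0], parts[1], parts[2], parts[3], key))
    return objects


def review_transport(objects):
    """Return (request, severity, message) findings for job-related entries."""
    findings = []
    for o in objects:
        if o.pgmid == "R3TR" and o.obj_type == "JOBD":
            # A complete job definition for the S/4HANA job repository:
            # steps, executing user and schedule arrive with the transport.
            findings.append((o.trkorr, "HIGH",
                             f"R3TR JOBD {o.obj_name}: full job definition; "
                             "review steps, executing user and schedule"))
        elif o.obj_type == "TABU" and o.obj_name.upper() == "TCOLL":
            report = o.key.strip().upper()
            if not report:
                # No key means the whole table is transported: every row
                # of TCOLL in the target system may be replaced.
                findings.append((o.trkorr, "HIGH",
                                 "TCOLL transported without key (full table); "
                                 "review every row"))
            elif report not in COLL_RNAME_FIXED_VALUES:
                # Exactly the case the post describes: the manual-maintenance
                # check against COLL_RNAME does not apply to transported rows.
                findings.append((o.trkorr, "HIGH",
                                 f"TCOLL row {report}: report not among the "
                                 "COLL_RNAME fixed values; would be run by "
                                 "SAP_COLLECTOR_FOR_PERFMONITOR unchecked"))
            else:
                findings.append((o.trkorr, "INFO",
                                 f"TCOLL row {report}: known collector report"))
    return findings


# Constructed sample object list (request numbers and names are made up).
SAMPLE_OBJECT_LIST = """\
# TRKORR\tPGMID\tOBJECT\tOBJ_NAME\tTABKEY
DEVK900123\tR3TR\tPROG\tZ_REPORT_1
DEVK900123\tR3TR\tTABU\tTCOLL\tRSCOLL00
DEVK900123\tR3TR\tTABU\tTCOLL\tZ_UNKNOWN_REPORT
DEVK900124\tR3TR\tJOBD\tZ_NIGHTLY_CLEANUP
DEVK900125\tR3TR\tTABU\tTCOLL
"""


def high_findings(findings):
    """Only the findings that should block approval until reviewed."""
    return [f for f in findings if f[1] == "HIGH"]


if __name__ == "__main__":
    for trkorr, severity, message in review_transport(parse_object_list(SAMPLE_OBJECT_LIST)):
        print(f"{trkorr} {severity:4} {message}")
```

Run against the constructed sample, the script reports three HIGH findings (the unknown TCOLL report, the full-table TCOLL entry and the R3TR JOBD object) and one INFO line for the known collector report. The same check is deliberately applied to TABU entries for TCOLL and not only to JOBD objects, because, as noted above, an attacker who expects R3TR JOBD to draw attention may ship the underlying table rows instead.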
But an attacker is not limited by standard system jobs and can also misuse the common background processing architecture for an attack.
In general, as long as an attacker knows the internal job number, any existing job can be used as a Trojan horse for attacks. Examples are:
- Adding/editing/deleting job steps
- Changing the executing user of a job step
- Changing the status of a job