It is well known that SAP systems present an attractive target for hackers and manipulators. After all, SAP systems gather all the sensitive company data in one place, making it all the more important to protect them against unauthorized access. In addition to conventional measures for improving SAP security and compliance, this includes extensive anti-virus protection adapted specifically to the requirements of SAP systems.

In widely-used portal applications like SAP eRecruiting, SAP Supplier Relationship Management (SRM), and SAP Knowledge Management and Collaboration (KMC), users upload files to their portal application that are then saved in the database by the SAP NetWeaver platform. These uploads cannot be protected through standard virus scanners, however. This raises the risk that malware-infected content could be saved in the SAP system and distributed to internal and external users, who may suffer damage as a result.

Enhanced virus protection with the SAP Virus Scan Interface (VSI)

To counter the risk that compromised content could enter SAP systems through file uploads, the SAP Virus Scan Interface (VSI) has been developed with specification 2.0. It makes it possible to use external anti-virus (AV) solutions to check various attachments between SAP system components (between application servers and front-end clients, for example).

SAP uses VSI not only for classic anti-virus protection, but also to analyze and filter content. It allows differentiation by the following:

• Classic anti-virus check based on signature files
• Blocking active content in documents, such as JavaScript
• Identification and filtering of documents based on the document type
• File scan, to scan only locally saved files
• Memory scan, to scan binary objects located in memory.
• SAR scan: SAR (SAP Archive Repository) is SAP’s proprietary archive format for providing software content

As this shows, there is not only a potential risk from conventional virus-infected documents, which would normally be discovered by anti-virus solutions installed on the client system. Documents that contain malicious active content and enable cross-site scripting (XSS) attacks, for example, can also be dangerous. According to a current analysis by the OpenWebApplicationSecurityProject (OWASP) XSS attacks remain on the list of top 10 risk sources and therefore pose a significant danger to system security.

SAP security through virus protection: First identify your protection requirements.

Whether or not additional protection against viruses and other malware is needed for the SAP system landscape involved can be determined by analyzing the use cases and potential upload channels. Potential risks will also be discovered in this process. In addition to typical HTTP file uploads, for example, in HCM eRecruiting through browser-based front-ends, uploads can also be made from SAP Fiori apps. Uploaded documents are displayed in SAP Fiori apps and elsewhere without additional security-relevant checks. If a document has malicious content, downloading or even displaying that document could trigger unintended processes on the front-end. Ultimately, this could result in cross-site scripting vulnerabilities. A number of SAP Fiori apps currently feature the possibility of uploading and displaying saved documents.

Virus protection for SAP systems: More up to date than ever before

There is still a strong need to employ additional defensive mechanisms through the SAP VSI interface. To arrive at an exact assessment as to which systems are relevant and require protection, you should analyze your use cases and take the probability of occurrence and protection requirements categorization of each system into account.

The check of whether the SAP Virus Scan Interface is activated and used is an integral part of the technical check of SAP systems conducted by the SAST SUITE. We would be happy to assist you in the assessment and selection of suitable anti-virus and risk mitigation measures using the SAP VSI interface, as well as the solutions available in this context. Contact us or find out more at our SAST SOLUTIONS website.

Axel Giese (SAP Security Consulting, SAST SOLUTIONS)

 

These reports may also be of interest to you:

RFC Interfaces in SAP Landscapes: an overview

One step at a time: How to secure and harden your SAP Gateway