There Is No Place To Run : Assessing SAP Focused Run Security

SAP Focused Run is the brand new product in the SAP world. Introduced in 2020 it is the replacement of the current well known SAP Solution Manager. It is a dedicated type of SAP System to manage all others in the company landscape. In other words, this new product will be the technical backbone of many business applications for companies in years to come.

The first part of this talk will describe our research process used to understand how this new product works, and how we discovered several vulnerabilities. Attendees will learn how weaknesses in connected systems can be leveraged to compromise SAP Focused Run and then, compromise the rest of the landscape.

In the second part of the talk, five different vulnerabilities found by our Research Lab on different SAP products will be shared and presented, along with a complete attack scenario affecting SAP Focused Run. We will speak about vulnerabilities like Insecure Deserialization, XSLT Injection, Code injection and Missing Authentication.

Finally, we will provide all recommendations and mitigation strategies related to issues covered in this talk.

Opening part

After a quick “whoami” and introduction, we will speak about how the SAP landscape is heterogeneous, what is the “SAP Focused Run” product and what was our motivation for selecting it.

State of the art

We will describe what previous research exists on SAP Solution Manager as well as on SAP Focused Run. What was the difference between them, and the current state of security related to the SAP Focused Run.

SAP Focused Run assessment

Step by step, we will show the way we use it to understand how it works, how it communicates with other systems, and also how we found a missing authentication vulnerability that enables any users to decrypt all encrypted configuration where high privileges credentials are stored. Then we will explain why this issue makes the Focused Run security very dependent on each other’s system security themself.

Only one is enough

In this part we will explain and detail 5 critical vulnerabilities our team discovered over the last 2 years. We will share about:

  • XSLT injection into SAP Portal, CVE-2021-37531
  • Code injection into SAP XMII, CVE-2021-21480
  • Code injection into SAP P2P, CVE-2020-26829
  • Insecure deserialization into Wily introscope, CVE-2020-6364
  • Missing authentication into SAP Netweaver JAVA, CVE-2020-6287

Related cvss scores are 9.9 or 10 for each. Only one is enough to trigger the vulnerabilities discovered in the previous part.

How to secure SAP Focused Run

We will provide all related SAP OSS Notes numbers and CVE as well as several manual quick mitigation related to issues we covered in this talk.

Closing part

Finally we will conclude with our feelings about these researches, thanking, questions and reminder for the charity 10k “Focused” run.

About the Speaker