The vulnerability permits malicious interference in the SAP change management and software deployment processes.

SAP issues patch to protect file system from exploitation.

A supply chain vulnerability in the SAP transport system that allows attackers to infiltrate the change management or software deployment process has been identified by a cybersecurity provider based in Germany. A patch has been published by SAP SE to fix the issue, which threatens all SAP environments that share a single transport directory.

SAP transport system vulnerable to malicious interference

SAP software products are used by companies across the globe, many of which provide critical infrastructure, food, energy, and medical supplies. The internal SAP development supply chain is used by customers to request additional functionality and in-house developments to the SAP standard, with changes delivered to the various staging systems of the respective SAP landscape via SAP transport requests. These requests should not be modified after they have been exported from the central transport directory and released.

However, in October 2021, SecurityBridge identified a method that allowed internal attackers without privileged authorizations to infiltrate the SAP change management or software deployment process undetected. “After the export, and before the import into the production system, threat actors have a time window to include malicious objects. A rogue employee with adequate authorizations has the capability to change the release status from ‘released’ to ‘modifiable’,” SecurityBridge wrote in a blog post. This allows transport requests to be altered despite having already passed quality gates in the change management process. “Attackers may introduce malicious code into the SAP development stage, unseen, even into requests that have already been imported into the test stage,” SecurityBridge added.
Attackers can then alter the transport request content just before promotion into production, possibly leading to code execution. “Such attacks are very efficient, and all SAP environments are vulnerable if the various SAP staging levels share a single transport directory.”

Addressing the SAP transport management system vulnerability

Organizations that use SAP software products should apply the patch that fixes the vulnerability (CVE-2021-38178), issued by SAP in security advisory SNOTE 3097887. This protects the file system from manipulation. SAP customers should also check their transport log for tampering before production import, SecurityBridge added. “In it, the described attack method becomes visible.”

“While the SAP transport system vulnerability must be taken seriously, we have not identified any active exploit campaigns and fortunately SAP already has a patch available,” Roy Horev, Vulcan Cyber CTO, tells CSO. It would take a highly unlikely set of circumstances for bad actors to construct an advanced persistent threat that leverages the numerous attack vectors necessary to take advantage of this SAP vulnerability, he adds. “However, APTs happen…just ask SolarWinds. The more attack vectors cyber teams can secure or eliminate, the better we will be at protecting our digital business. The only way the cybersecurity industry will be able to reduce an increasingly concerning accumulation of cyber debt will be through a risk-based approach to vulnerability prioritization and a well-orchestrated approach to risk mitigation.”
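The pre-import check SecurityBridge recommends boils down to two questions per transport request: did its status ever regress from released back to modifiable, and does its object list still match what was released? The following is an added example of that audit logic, not code from SecurityBridge, SAP or CSO. It runs over a constructed, simplified event log (one line per status event: request, ISO timestamp, status, comma-separated object list); the format, request numbers and object names are invented for illustration and are not SAP's actual transport log layout.

```python
"""Audit a transport log for requests reopened or altered after release.

Added example. The log format below is a constructed, simplified
representation of transport-request status events; it is not SAP's actual
transport log format, and the request and object names are invented.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed sample log: DEVK900123 is released, reopened, and released
# again with an extra object; DEVK900124 is clean; DEVK900125 is never released.
SAMPLE_LOG = """
DEVK900123 2021-10-01T09:00 modifiable ZCL_PAYROLL,ZPROG_REPORT
DEVK900123 2021-10-01T10:30 released   ZCL_PAYROLL,ZPROG_REPORT
DEVK900123 2021-10-02T08:00 modifiable ZCL_PAYROLL,ZPROG_REPORT
DEVK900123 2021-10-02T08:15 released   ZCL_PAYROLL,ZPROG_REPORT,ZCL_EXTRA
DEVK900124 2021-10-01T11:00 modifiable ZFM_INVOICE
DEVK900124 2021-10-01T12:00 released   ZFM_INVOICE
DEVK900125 2021-10-03T09:00 modifiable ZPROG_UTIL
"""


@dataclass(frozen=True)
class Event:
    request: str
    timestamp: str
    status: str
    objects: FrozenSet[str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into events sorted by request and time."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        request, timestamp, status, objects = parts
        events.append(Event(request, timestamp, status, frozenset(objects.split(","))))
    # ISO-8601 timestamps sort correctly as plain strings
    events.sort(key=lambda e: (e.request, e.timestamp))
    return events


def object_fingerprint(objects) -> str:
    """Order-independent digest of an object list, recorded at release time."""
    return hashlib.sha256("\n".join(sorted(objects)).encode()).hexdigest()


def audit(events: List[Event]) -> Dict[str, List[str]]:
    """Return, per request, the findings that should block a production import."""
    findings: Dict[str, List[str]] = {}
    released_fp: Dict[str, str] = {}
    for ev in events:
        notes = findings.setdefault(ev.request, [])
        if ev.request not in released_fp:
            if ev.status == "released":
                released_fp[ev.request] = object_fingerprint(ev.objects)
            continue
        # Anything after the first release is suspect: a released request is meant to be immutable.
        if ev.status == "modifiable":
            notes.append(f"status regressed to modifiable at {ev.timestamp}")
        if object_fingerprint(ev.objects) != released_fp[ev.request]:
            notes.append(f"object list differs from released content at {ev.timestamp}")
    for request, notes in findings.items():
        if request not in released_fp:
            notes.append("no release event recorded")
    return findings


def safe_to_import(findings: Dict[str, List[str]], request: str) -> bool:
    """A request may be imported only if it was audited and has no findings."""
    return request in findings and not findings[request]


if __name__ == "__main__":
    report = audit(parse_log(SAMPLE_LOG))
    for request, notes in report.items():
        verdict = "OK" if safe_to_import(report, request) else "BLOCK"
        print(f"{request}: {verdict}")
        for note in notes:
            print(f"  - {note}")
```

The fingerprint is taken at the first release event and compared against every later event, so a request that is reopened and re-released with an identical object list is still flagged for the status regression alone, and a request that never appears as released is blocked rather than silently passed. Wiring this into the import gate (rather than reviewing the log by hand) is what turns the recommendation into a control that does not depend on someone noticing the change.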