Layer Seven Security

Introducing the SAP Cybersecurity Framework 4.0

Cyber attacks are at epidemic levels. According to research performed by 360 Security, there were over 85 billion attacks in 2015, equivalent to 2000 attacks per second. The cost of data breaches continues to grow, year after year, and reached record levels in 2016. Juniper Research estimate that average costs will exceed $150M within three years.

Introduced in 2014, the SAP Cybersecurity Framework provides the most comprehensive benchmark for securing SAP systems against advanced persistent threats. It presents a roadmap for hardening, patching and monitoring SAP solutions using standard SAP-delivered tools.  The newly released fourth edition of the Framework includes important updates in the areas of transport layer security, network segmentation in virtualized environments, and security settings applied through application level gateways.

The Framework no longer recommends the use of the EarlyWatch Alert (EWA) for security monitoring. This is due to concerns related to the updated rating scale used to grade security risks in the EWA. However, the Framework includes an expanded section for security monitoring using SAP Solution Manager including an overview of security-related tools bundled within Solution Manager such as Configuration Validation, System Recommendations, Monitoring and Alerting Infrastructure (MAI), Service Level Reports, Interface Monitoring, and Dashboards.

The SAP Cybersecurity Framework is available in the white paper Protecting SAP Systems from Cyber Attack.

RFC Hacking: How to Hack an SAP System in 3 Minutes

RFC exploits are hardly new. In fact, some of the well-known exploits demonstrated below are addressed by SAP Notes dating back several years. However, the disturbing fact is that the measures required to harden SAP systems against such exploits are not universally applied. As a result, many installations continue to be vulnerable to relatively simple exploits that could lead to devastating consequences in SAP systems. The impact of the exploits in the demonstration below include the theft of usernames and password hashes, remote logons from trusted systems, and the creation of dialog users with SAP_ALL privileges.

The first exploit demonstrates how attackers can perform operating system commands to extract sensitive information from an SAP database. This is performed through external programs such as sapxpg that are called through the RFC gateway without any authentication. The information extracted in the demo includes user credentials. However, the exploit can be used to read or modify any data from SAP databases.

The second exploit demonstrates how attackers abuse the RFC protocol to change system users to dialog users and then logon from remote systems using the privileges of RFC users.

The final exploit demonstrates the dangers of RFC callback attacks. In the example below, an RFC callback from a compromised system to a vulnerable system creates an unauthorized user in the calling system with the dangerous SAP_ALL profile. Attackers can also use this exploit to change salary information, modify programs, and many other scenarios.

Systems vulnerable to RFC exploits can be discovered using SAP Solution Manager. Solution Manager regularly scans and alerts for vulnerabilities in RFC communications such as weaknesses in access control lists for RFC gateways, RFC users with administrative profiles, RFC destinations with stored logon credentials, and missing whitelists for RFC callbacks. The Monitoring and Alerting Infrastructure (MAI) of Solution Manager generates alerts for changes to RFC destinations, successful or unsuccessful attempts to call external programs through the gateway server, and RFC callbacks. Contact Layer Seven Security to discuss how to leverage Solution Manager to discover and remove RFC vulnerabilities in your SAP systems.

SAP RFC Hacking from Layer Seven Security on Vimeo.