Layer Seven Security

Discover, Implement and Test Security Notes using SAP Solution Manager 7.2

The results of the recent Verizon DBIR revealed significant differences between industries in terms of vulnerability patching. Organizations in sectors such as information technology and manufacturing typically remove over 75% of vulnerabilities within 3 weeks of detection. At the other end of the spectrum, 75% or more of vulnerabilities discovered in financial and public sector organizations and educational institutions remain unpatched for longer than 12 weeks after discovery.

The DBIR masks important differences between patching for devices and applications. Servers, for example, are generally more effectively patched than routers and switches.

Patch cycles for SAP infrastructure and applications are typically more drawn-out than most other technologies.  There are several reasons for this. The most important is the lack of visibility into the impact of SAP patches. This leads to a reluctance to apply corrections that may disrupt the performance or availability of systems.

SAP Solution Manager 7.2 overcomes this challenge by enabling customers to pinpoint the impact of security notes before they are applied in systems. Change impact analysis is performed using Usage and Procedure Logging (UPL) and Business Process Change Analyzer (BPCA) integrated with System Recommendations (SysRec).

SysRec provides a real-time analysis of missing security notes and support packs for ABAP and non-ABAP systems including Java and HANA. It connects directly to SAP Support to discover relevant notes and packs for systems configured in the LMDB – SolMan’s landscape information repository. It also connects to each managed system within SAP landscapes to check the implementation status of notes.

System Recommendations is accessed through the Change Management group in the Fiori launchpad for SAP Solution Manager.

The dashboard below is displayed after the SysRec tile is selected and summarizes notes across the landscape. IT Admin Role and System Priority are attributes maintained in the LMDB. Views can be personalized to sort or filter by attributes or notes.

You can apply a wider selection of filters in the detailed section of SysRec to further breakdown the results.

Once the filters are applied, the selection can be saved as a Fiori to tile to avoid reapplying the filters during future sessions. The tile is saved to the launchpad and the counter in the tile automatically updates based on the current status of the system.

The details for each note can be read by clicking on the short text.

The Actions option allows users to change the status of notes and add comments. Status options are customizable.

Corrections can be downloaded directly from SAP Support by selecting Integrated Desktop Actions – Download SAP Notes.

Once selected, you can change the target system before the download. The note will be available in SNOTE within the target system after the download.

Change impact analysis is performed at both a technical and business level. For technical analysis, SysRec reads data collected by Usage and Procedure Logging (UPL) to display information related to the usage level of objects such as programs, methods and function modules impacted by notes. This is performed by selecting the relevant notes and then Actions – Show Object List.

The results below reveal that Note 2373175 is impacting the standard SAP class CL_HTTP_SERVER_NET. This class was used 325311 times in system AS2 during the timeframe defined for UPL.

For business impact analysis, SysRec integrates with Business Process Change Analyzer (BPCA). BPCA reads solution documentation maintained in Solution Manager to discover modules, transactions, reports, and other areas impacted by notes.

SysRec’s ability to perform comprehensive and reliable change impact analysis for security notes enables customers to overcome one of the most significant roadblocks to effectively patching SAP systems. The usage data collected through UPL together with the solution documentation leveraged using BPCA provides SAP customers with the insights to develop test strategies targeted at the actual areas impacted by notes and narrow the window of vulnerability for unpatched systems.

In a forthcoming article, we will discuss how to import SAP templates and create and execute test plans using Test Management in SAP Solution Manager 7.2.

Highlights of the 2017 DBIR Report

The Data Breach Investigations Report (DBIR) has chronicled the growth in security and data breaches for over a decade.  The findings of the most recent report released on April 27 are based on the analysis of more than 42,000 security incidents across a variety of industries and countries.

For the first time, the DBIR examines security breaches for key industries to analyze threats confronted by specific verticals. According to the report, attack patterns and motives, as well as susceptibility to different forms of attack vary considerably between industries. For example, manufacturing companies are more likely to fall victim to phishing attacks than public sector organizations. Manufacturers are also more likely to be targeted by attackers motivated by corporate espionage than financial fraud. The industry insights are useful for aligning defense strategies to the risk profiles of each vertical.

Overall, the DBIR revealed that the majority of breaches (75%) are perpetrated by outsiders. Over half of attacks are performed by organized criminal groups and 18% by state-sponsored attackers. Internal resources are detecting a greater proportion of breaches than prior years, pointing to improving detection and response capabilities within organizations.

Hacking and malware remain the leading causes of security breaches. The report revealed a 50% increase in ransomware attacks. Ransomware is now the fifth most common form of malware, up from 22nd in 2014. There was also a noticeable increase in phishing attacks. Phishing is used in 21% of security incidents and has a success rate of 7.3%.

The DBIR analyzed patching processes across industries and concluded that most sectors follow a quarterly patch cycle. However, the percentage of patches implemented on-time varies from a high of 97.5% in the Information sector to a low of 18% in Education.

The findings of the DBIR are summarized below. The full report is available at Verizon Enterprise.


SAP Security Notes, April 2017

Note 2419592 includes further corrections for a code injection vulnerability in TREX that was originally patched by SAP through Note 2234226 in February 2016. The vulnerability impacts the TREXNet protocol used for internal communications by TREX components and servers. TREXNet communication does not require any authentication. Therefore, the protocol can be abused to execute dangerous commands including OS commands using the administrative privileges of the <SID>ADM user. As a result, SAP recommends running TREX in an isolated subnet. Detailed instructions are documented in the TREX Installation Guide. However, the corrections included in Note 2419592 block access to the TREXNet interface from outside the TREX landscape. Therefore, it protects unsegmented systems against malicious commands targeting the protocol. TREX versions 7.10 and 7.25 must be upgraded to revisions 74 and 37 respectively to apply the corrections.

Note 2235515 includes an important update for SNOTE to log information related to the RFC destination used to download notes. SNOTE can be abused to download malicious packages from attacker controlled servers if the default RFC destination is changed. SNOTE executes program SCWN_NOTE_DOWNLOAD during runtime. The program will use an alternative RFC destination maintained in table CWBRFCUSR if a destination is defined in the table.  For more information refer to Note 2235514.

Notes 2410082, 2372301, 2400292 and 2387249 deal with weaknesses in XML input validation that expose several ABAP and Java applications to XML External Entity (XXE) attacks. The impact of successful XXE exploits include sensitive information disclosure and denial of service.

Finally, Note 2407616 provides an update for saprules.xml to secure against a high-risk vulnerability that could enable attackers to execute remote commands against SAP GUI. saprules.xml is used by the SAP GUI Security Module to protect clients against  potentially malicious commands from back-end SAP servers.