Layer Seven Security

SAP Security Notes, February 2017

Note 2410061 patches a dangerous Distributed Denial of Service (DDoS) vulnerability in the Data Orchestration Engine (DOE) Administration Portal. The DOE is used to access the SAP NetWeaver Mobile Administrator to manage and monitor mobile system landscapes. This includes connecting mobile clients, deploying agents and packages to mobile devices, managing single sign-on, and other tasks.

The DDoS vulnerability stems from the system messages area of the DOE. This is used to transmit messages to mobile clients. Attackers can provoke a denial of service in the DOE by flooding the system messages service and exhausting available resources.

Note 2407694 addresses a similar denial of service vulnerability in the SAP Web IDE for SAP HANA. Web IDE is a development tool for building and deploying Fiori and other applications. The sinopia registry in the Web IDE crashes during publication if a package name contains special characters. Exploitation of the vulnerability can be prevented by blocking the registry from registering new users. The Note includes instructions for identifying systems that have been successfully attacked using the vulnerability. It also includes details of a workaround to block attempted new user registrations by modifying permissions for the htpasswd file.

Note 2392860 removes the transaction code ZPTTNO_TIME from the standard roles SAP_PS_RM_PRO_ADMIN and SAP_PS_RM_PRO_REVIEWER. The transaction can be used to escalate privileges by creating other custom transactions.

Note 2413716 provides instructions for securing the trusted RFC connection for GRC Access Controls Emergency Access Management (EAM). The trusted connection is required to switch user accounts to Fire Fighter IDs (FFIDs).

The instructions include maintaining the authorization objects S_RFCACL and S_ICF, deactivating passwords for FFIDs, and controlling critical basis authorizations for managing trust relationships and RFC destinations.


Explore Service Level Reporting in SolMan 7.2

Service Level Reporting (SLR) in SAP Solution Manager performs regular checks against key performance indicators using information available from the EarlyWatch Alert (EWA), Business Warehouse (BW) and the Computer Center Management System (CCMS). The checks can be for single systems or systems grouped into solutions. Reports run automatically on a weekly or monthly schedule but can also be triggered manually for on-demand reporting. SLRs can be displayed in HTML or Microsoft Word. SAP Solution Manager automatically distributes SLRs by email to recipients maintained in distribution lists.

Security-related metrics stored in internal or external BW systems can be read by SLR to create dynamic, detailed and user friendly vulnerability reports. This includes areas such as settings for profile parameters, access control lists in gateway security files, trusted RFC connections or destinations with stored logon credentials, unlocked standard users and standard users with default passwords, active ICF services, filter settings in the security audit log, missing security notes, and users with critical authorizations, profiles or transactions. For HANA systems, it includes database parameters, audit policies, the SYSTEM user, and users with critical SQL privileges. For Java systems, it includes properties for the UME and the invoker servlet. Furthermore, since event data from monitored systems is stored in BW and CCMS, SLR can also report on metrics for events in audit logs including the security audit log and syslog. The latter is particularly relevant for HANA systems which can write logs to operating system files.

SLRs are created and customized in the area for SAP Engagement and Service Delivery in the Fiori Launchpad.

Variants need to be maintained for each report including relevant systems, solutions, data sources, metrics, thresholds and schedule (weekly or monthly).

Once activated, the reports are executed by a regular automated job and accessed through the tile for Service Level Reports.

Comments can be included in SLRs before the reports are automatically distributed by email. SLRs include details of each vulnerability check, risk ratings, and links to relevant SAP Notes and documentation at the SAP Help Portal. Reports also include a gap assessment against compliance frameworks such as NIST, PCI-DSS and IT-SOX. SLRs are archived by Solution Manager for trend analysis.

SAP Security Notes, January 2017

Note 2407862 deals with a highly dangerous buffer overflow vulnerability in Sybase Software Asset Management (SySAM) that scores almost 10/10 using the Common Vulnerability Scoring System. SySAM performs license management for products such as ASE, ESP, PowerDesigner and the Replication Server.

The vulnerability arises from the Flexera Flexnet Publisher software bundled in SySAM. The third party software is bundled in products provided not only by Sybase, but vendors such as Intel, Cisco, HP, Adobe, RSA and Siemens.

Flexnet Publisher is vulnerable to a stack buffer overflow vulnerability that could enable attackers to execute arbitrary code remotely and without authentication. Since the code could provoke a crash in the Vendor Daemon which performs license control in software products, it could lead to a denial of service in SySAM and products that rely on SySAM. This explains the extremely high CVSS score of the vulnerability.

According to Flexera, a patch for the vulnerability was made available to vendors in November 2015. It is not clear if this included SAP. The vulnerability was published in the NIST National Vulnerability Database (NVD) shortly thereafter in February 2016. Despite the criticality of the vulnerability, a correction for SySAM was only made available in January 2017. Customers are advised to download and install SySAM 2.4 to apply the correction.

Note 2389042 deals with a similar denial of service vulnerability in SAP Single Sign-On (SSO) which could interrupt the availability of SAP services for users. The SSO Authentication Library should be patched to the latest patch level specified in the Note.

Note 2407696 removes support for the DES encryption algorithm used to secure configuration data in SAP Online Banking 8.3. SAP recommends using stronger algorithms supported by Online Banking including AES and 3DES. Note that AES is more efficient in software implementations than 3DES since 3DES was designed for hardware implementations.

Introducing the SAP Cybersecurity Framework 4.0

Cyber attacks are at epidemic levels. According to research performed by 360 Security, there were over 85 billion attacks in 2015, equivalent to 2000 attacks per second. The cost of data breaches continues to grow, year after year, and reached record levels in 2016. Juniper Research estimates that average costs will exceed $150M within three years.

Introduced in 2014, the SAP Cybersecurity Framework provides the most comprehensive benchmark for securing SAP systems against advanced persistent threats. It presents a roadmap for hardening, patching and monitoring SAP solutions using standard SAP-delivered tools. The newly released fourth edition of the Framework includes important updates in the areas of transport layer security, network segmentation in virtualized environments, and security settings applied through application level gateways.

The Framework no longer recommends the use of the EarlyWatch Alert (EWA) for security monitoring. This is due to concerns related to the updated rating scale used to grade security risks in the EWA. However, the Framework includes an expanded section for security monitoring using SAP Solution Manager including an overview of security-related tools bundled within Solution Manager such as Configuration Validation, System Recommendations, Monitoring and Alerting Infrastructure (MAI), Service Level Reports, Interface Monitoring, and Dashboards.

The SAP Cybersecurity Framework is available in the white paper Protecting SAP Systems from Cyber Attack.

RFC Hacking: How to Hack an SAP System in 3 Minutes

RFC exploits are hardly new. In fact, some of the well-known exploits demonstrated below are addressed by SAP Notes dating back several years. However, the disturbing fact is that the measures required to harden SAP systems against such exploits are not universally applied. As a result, many installations continue to be vulnerable to relatively simple exploits that could lead to devastating consequences in SAP systems. The impact of the exploits in the demonstration below includes the theft of usernames and password hashes, remote logons from trusted systems, and the creation of dialog users with SAP_ALL privileges.

The first exploit demonstrates how attackers can perform operating system commands to extract sensitive information from an SAP database. This is performed through external programs such as sapxpg that are called through the RFC gateway without any authentication. The information extracted in the demo includes user credentials. However, the exploit can be used to read or modify any data from SAP databases.

The second exploit demonstrates how attackers abuse the RFC protocol to change system users to dialog users and then log on from remote systems using the privileges of RFC users.

The final exploit demonstrates the dangers of RFC callback attacks. In the example below, an RFC callback from a compromised system to a vulnerable system creates an unauthorized user in the calling system with the dangerous SAP_ALL profile. Attackers can also use this exploit to change salary information, modify programs, and many other scenarios.

Systems vulnerable to RFC exploits can be discovered using SAP Solution Manager. Solution Manager regularly scans and alerts for vulnerabilities in RFC communications such as weaknesses in access control lists for RFC gateways, RFC users with administrative profiles, RFC destinations with stored logon credentials, and missing whitelists for RFC callbacks. The Monitoring and Alerting Infrastructure (MAI) of Solution Manager generates alerts for changes to RFC destinations, successful or unsuccessful attempts to call external programs through the gateway server, and RFC callbacks. Contact Layer Seven Security to discuss how to leverage Solution Manager to discover and remove RFC vulnerabilities in your SAP systems.
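The checks described above (permissive gateway access control lists, a permissive ACL mode, and callback security that is not enforced) are the kind a defender can run against exported configuration without Solution Manager. The script below is an added example written for this post; it is not code from Layer Seven Security, SAP or the demonstration video. It parses the VERSION=2 secinfo/reginfo file format used by the RFC gateway and a handful of profile parameters, and flags the weaknesses the post lists. The file contents, hostnames, program names and parameter values are constructed samples; the threshold of 3 for rfc/callback_security_method is the checker's assumption about the value that rejects non-whitelisted callbacks, and missing ACL keys are conservatively treated as wildcards.

```python
"""Gateway ACL and RFC hardening checker (added example, not SAP's code).

Reads secinfo/reginfo rules (VERSION=2 syntax) plus a few profile
parameters and reports the RFC weaknesses a vulnerability scan would flag.
"""
import re
from typing import Dict, List

# Constructed sample secinfo: who may start which external program via the gateway.
SAMPLE_SECINFO = """\
#VERSION=2
P TP=sapxpg USER=* HOST=* USER-HOST=*
P TP=/usr/sap/PRD/SYS/exe/run/saphostexec USER=prdadm HOST=appsrv01 USER-HOST=appsrv01
D TP=* USER=* HOST=* USER-HOST=*
"""

# Constructed sample reginfo: which programs may register at the gateway and who may use them.
SAMPLE_REGINFO = """\
#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
P TP=IGS.PRD HOST=igs01 ACCESS=appsrv01,appsrv02 CANCEL=appsrv01
"""

# Constructed sample of the relevant profile parameters (weak values).
SAMPLE_PROFILE = {
    "gw/acl_mode": "0",
    "gw/sec_info": "/usr/sap/PRD/SYS/global/secinfo",
    "gw/reg_info": "/usr/sap/PRD/SYS/global/reginfo",
    "rfc/callback_security_method": "1",
}

# Assumed strict value: callbacks not on the whitelist are rejected.
CALLBACK_ENFORCED = 3

LINE_RE = re.compile(r"^\s*([PD])\s+(.*)$")


def parse_acl(text: str) -> List[Dict[str, str]]:
    """Turn VERSION=2 ACL lines into dicts; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            continue  # unknown line shape: ignored rather than guessed at
        rule = {"action": match.group(1)}  # P = permit, D = deny
        for token in match.group(2).split():
            key, _, value = token.partition("=")
            rule[key.upper()] = value
        rules.append(rule)
    return rules


def _wild(value: str) -> bool:
    """'*' (or an absent key, passed in as '*') means unrestricted."""
    return value == "*"


def check_secinfo(rules: List[Dict[str, str]]) -> List[str]:
    """Permit rules that let any user on any host start a program are weak."""
    findings = []
    for n, rule in enumerate(rules, 1):
        if rule["action"] != "P":
            continue
        if _wild(rule.get("USER", "*")) and _wild(rule.get("HOST", "*")):
            findings.append(f"secinfo rule {n}: program {rule.get('TP', '*')} "
                            "may be started by any user from any host")
    return findings


def check_reginfo(rules: List[Dict[str, str]]) -> List[str]:
    """Permit rules allowing any program to register, or any host to use it, are weak."""
    findings = []
    for n, rule in enumerate(rules, 1):
        if rule["action"] != "P":
            continue
        if _wild(rule.get("TP", "*")) and _wild(rule.get("HOST", "*")):
            findings.append(f"reginfo rule {n}: any program may register from any host")
        elif _wild(rule.get("ACCESS", "*")):
            findings.append(f"reginfo rule {n}: registered program {rule.get('TP')} "
                            "is reachable from any host")
    return findings


def check_profile(profile: Dict[str, str]) -> List[str]:
    """gw/acl_mode 0 falls back to permissive defaults; callback method must enforce."""
    findings = []
    if profile.get("gw/acl_mode", "0") != "1":
        findings.append("gw/acl_mode is not 1: gateway is permissive when ACL files are missing")
    method = int(profile.get("rfc/callback_security_method", "0"))
    if method < CALLBACK_ENFORCED:
        findings.append(f"rfc/callback_security_method={method}: "
                        "RFC callback whitelist is not enforced")
    return findings


def audit(secinfo: str, reginfo: str, profile: Dict[str, str]) -> List[str]:
    """Run all checks and return the combined list of findings."""
    return (check_secinfo(parse_acl(secinfo))
            + check_reginfo(parse_acl(reginfo))
            + check_profile(profile))


if __name__ == "__main__":
    for finding in audit(SAMPLE_SECINFO, SAMPLE_REGINFO, SAMPLE_PROFILE):
        print("FINDING:", finding)
```

Run against the constructed samples, the checker reports four findings: the wildcard sapxpg entry in secinfo, the wildcard registration entry in reginfo, the permissive gw/acl_mode, and the unenforced callback method; the restricted saphostexec and IGS.PRD rules pass. Feeding in real exports of the secinfo and reginfo files and the instance profile gives a quick first pass before the fuller Solution Manager scan.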

SAP RFC Hacking from Layer Seven Security on Vimeo.