2018 - Layer Seven Security

Layer Seven Security Recognized as an SAP Cybersecurity Leader

Layer Seven on December 17, 2018

Layer Seven Security has been named as the leading SAP cybersecurity provider in the 2018 Top 10 SAP Solution Providers. According to the source of the study, Layer Seven Security provide a “unique and innovative approach to securing business-critical SAP systems against cyber threats”. The study recognizes Layer Seven as an “innovative force in the SAP cybersecurity industry” for delivering “leading-edge vulnerability management, patch management, threat detection and incident response without requiring customers to license and install complex and expensive new platforms.”

The report also acknowledges the SAP partner’s “extraordinary levels of year-on-year growth”. Layer Seven Security more than doubled it’s customer base and experienced a 350% surge in revenue in 2018. The company recently announced an ambitious 3-year roadmap that includes recent innovations such as interactive security reporting based on SAP Web Intelligence, monitoring for Java users with administrative privileges, and security monitoring for SAP databases including Sybase ASE. Planned innovations include integration between SAP Solution Manager and the NetWeaver add-on for Code Vulnerability Analysis, the development of Fiori applications for embedded security reporting in SAP Solution Manager, and support for OS, cloud and network platforms for end-to-end security monitoring of the SAP technology stack.

Webinar Recording: Security Analytics with SAP Web Intelligence

Layer Seven on December 17, 2018

Watch the webinar replay to learn how to visualize security risks in your SAP systems using interactive reports in SAP Web Intelligence. Powered by the BusinessObjects platform, Web Intelligence connects directly to data sources in SAP Solution Manager to convey system vulnerabilities, missing security notes and open alerts using dynamic charts and graphs and detailed tables.

Join the global leaders in security monitoring with SAP Solution Manager to learn how to:

– Discover security vulnerabilities
– Manage missing patches
– Detect alerts for security incidents
– Collaborate and track remediation efforts using comments
– Filter and sort report data
– Export and share results
– Access reports remotely

We will also demonstrate how you can trial Web Intelligence using Layer Seven’s cloud platform.

Watch Now

SAP Security Notes, November 2018

Zarah on December 7, 2018

Hot News Note 2622660 includes critical security updates for web browser controls delivered with SAP Business Client. The Client provides a unified environment for SAP applications including Fiori, SAP GUI, and Web Dynpro. It supports browser controls from Internet Explorer (IE) and Chrome for displaying HTML content. Security corrections for the WebBrowser control of the .NET framework in IE are delivered directly by Microsoft. Unlike IE, the browser control for Chrome is embedded in SAP Business Client using the open source Chromium Embedded Framework (CEF). Security fixes are provided by the Chromium project and delivered by SAP through periodic Security Notes. Note 2622660 was updated for multiple high-risk vulnerabilities addressed by Chromium release 70.0.3538.

Note 2681280 patches a critical remote code execution vulnerability in SAP HANA Streaming Analytics (HSA). The vulnerability impacts the open source Java-based Spring Framework library used by HSA. The note carries a CVSS score of 9.9/10.

Note 2701410 deals with a high-risk directory traversal vulnerability that could be exploited by attackers to access, modify or corrupt files on hosts supporting SAP Disclosure Management.

Note 2693083 removes transaction ZPTTNO_TIME from the standard role SAP_PS_RM_PRO_RECMANAGER. The transaction could be abused to escalate privileges in CRM Records and Case Management.

Webinar: Security Analytics with SAP Web Intelligence

Layer Seven on November 27, 2018

Thu, Dec 13, 2018 11:00 AM – 12:00 PM EST

Learn how to visualize security risks in your SAP systems using interactive reports in SAP Web Intelligence. Powered by the BusinessObjects platform, Web Intelligence connects directly to data sources in SAP Solution Manager to convey system vulnerabilities, missing security notes and open alerts using dynamic charts and graphs and detailed tables.

Join the global leaders in security monitoring with SAP Solution Manager to learn how to:

We will also demonstrate how you can trial Web Intelligence using Layer Seven’s cloud platform.

Secure, Patch & Respond: Security Analytics with SAP Web Intelligence

Layer Seven on November 20, 2018

SAP Web Intelligence enables users to visualize and manage security risks in SAP systems using interactive reports delivered through an intuitive web interface. Powered by the BusinessObjects platform, Web Intelligence connects directly to data sources in SAP Solution Manager to convey system vulnerabilities, missing security notes and open alerts using dynamic charts and graphs and detailed tables.

Animated charts summarize risks by system, location, priority and other dimensions. Results can be filtered and sorted to focus on specific areas. Users can comment on report elements for collaboration, decision-making and tracking remediation efforts. Reports can be exported to Excel, HTML and PDF. Reports can also be accessed remotely using the mobile app for SAP BusinessObjects.

The security reports are comprised of five distinct sections. The first section includes a series of charts that summarize risks across three dimensions: vulnerabilities, security notes, and alerts. The results can be filtered to focus on single or multiple systems.

The second section includes trend charts, bar graphs, geo-maps and bubble charts that break down the results for each dimension.

The remaining sections convey detailed findings and empower users to secure SAP systems against cyber threats by discovering and removing vulnerabilities, applying patches, and responding to alerts for suspected security breaches.

To learn more, contact Layer Seven Security. You can also request a free trial for security reporting with SAP Web Intelligence using Layer Seven’s cloud platform.

SAP Security Notes, October 2018

Zarah on November 7, 2018

Hot News note 2654905 patches a high risk information disclosure vulnerability in the SAP BusinessObjects BI Suite. The execution of specific CMS queries on the Central Management Server could bypass authorization checks and lead to the leakage of sensitive data. The vulnerability scores 9.8/ 10 based on the Common Vulnerability Scoring System v3 (CVSS). Patches for BI 4.1 SP 10-12 and 4.2 SP 4-6 referenced in the Note enable authorization checks for vulnerable CMS queries.

Note 2699726 provides corrections to remove a missing network isolation error in SAP’s Open Source project Gardener. Gardener is an API server that provides Kubernetes clusters for several SAP products. SAP is responsible for security updates for Gardener instances and Gardener managed Kubernetes clusters at SAP. Note 2699726 applies only to Gardener stakeholders in the Open Source Community who operate their own Gardener installations. The Note recommends upgrading to Gardener release 0.12.4 or higher in order to prevent admins in shoot clusters from compromising seed clusters or other shoot clusters.

Note 2696962 provides instructions for dealing with a Denial of Service (DoS) vulnerability in the SQLite database engine of SAPFoundation. SQLite is embedded in the SAP Cloud Platform SDK for iOS 2.0 SP02 and 3.0.

Note 2674215 provides corrections for patching a stack overflow vulnerability that could be exploited by attackers to provoke a denial of service in SAP Plant Connectivity.

Coming Soon: Security Reporting with SAP Web Intelligence

Layer Seven on October 16, 2018

SAP Web Intelligence (WebI) provides a platform for self-service reporting that enables users to analyze and visualize data from SAP systems using an intuitive, interactive and web-based interface. WebI supports BEx queries to connect to security-related data in Business Warehouse within Solution Manager. Users can create dynamic reports with embedded dashboards to monitor and manage risks and track remediation efforts. Reports are published to the BI Launch Pad to support enterprise-wide access through a web browser. They can also be refreshed, scheduled and broadcast from the Launch Pad.

Stay tuned for more details.

How to Comply with the DHS Recommendations for Securing SAP Systems from Cyber Attacks

Layer Seven on October 16, 2018

In response to the dramatic rise of cyber attacks targeting ERP applications, the United States Department of Homeland Security (DHS) issued a warning earlier this year that encouraged organizations to respond to the risks targeted at their business applications by implementing specific measures to secure, patch and monitor SAP systems. The measures included scanning for vulnerabilities and missing security patches, managing SAP interfaces, and monitoring user behaviour, indicators of compromise, and compliance against security baselines for systems.

This article discusses how you can leverage SAP Solution Manager to comply with the DHS recommendations. Solution Manager is installed and available in most SAP landscapes and includes diagnostics and monitoring applications to support cybersecurity. The specific applications are outlined below against each of the DHS recommendations.

1. Scan systems for all known vulnerabilities, such as missing security patches and dangerous system configurations.

Configuration Validation in Solution Manager can perform automatic daily scans of SAP systems against security benchmarks to identify misconfigurations that could expose systems to cyber threats. The scans are performed against snapshots of systems stored in the Configuration and Change Database (CCDB). The results of the scans are stored in an internal Business Warehouse (BW). Service Level Reports and Security Dashboards connect to BW using BEx queries to read the results of the security scans and report the findings.

System Recommendations (SysRec) in Solution Manager connects directly to SAP Support to discover missing security patches. SysRec also connects to each system in an SAP landscape to determine the current patch level. It reads the system information in the Landscape and Management Database (LMDB) to identify installed software components and versions. SysRec also integrates with the ABAP Call Monitor, Usage Procedure Logging, and Solution Documentation to perform change impact analysis for security patches.

2. Identify and analyze the security settings of SAP interfaces between systems and applications to understand risks posed by these trust relationships.

Interface and Connection Monitoring (ICMon) in Solution Manager automatically maps cross-system interfaces including RFC, HTTP, IDOC and Web Services. This includes internal and external connections. It also monitors real-time traffic patterns to detect and alert for malicious actions including dangerous RFM and URL executions.

3. Analyze systems for malicious or excessive user authorizations.

Solution Manager can detect users with administrative privileges in SAP systems. It flags users with privileged authorizations, profiles, roles, transactions, Java permissions, and HANA system and table privileges. Privileges can include standard and custom objects.

4. Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities.

The Monitoring and Alerting Infrastructure (MAI) in Solution Manager can monitor event logs in SAP systems to detect and alert for indicators of compromise (IOCs). This includes log files and tables such as the Security Audit Log, HTTP Log, System Log, Gateway Server Log, Change Document Log, Read Access Log, Java Security Log, HANA Audit Log, and the SAProuter Log. The MAI triggers alerts and email and text notifications for IOCs. Guided procedures provide a framework for incident response and tracking.

5. Monitor systems for suspicious user behavior, including both privileged and non-privileged users.

MAI monitors user logs to detect and alert for suspicious behavior covering both privileged and non-privileged users. This includes unauthorized access, escalation of privileges and actions that could lead to data leakage.

6. Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.

SAP Partners periodically update content for Solution Manager to address new vulnerabilities and attack vectors.

7. Define comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.

Solution Manager continuously monitors for policy violations against security baselines and compliance frameworks such as GDPR, IT-SOX, NIST and PCI-DSS. Service Level Reports and Dashboards provide directions for implementing and tracking remedial actions taken to patch and secure systems. Guided procedures document incident investigation steps performed by responders. The results are archived in Solution Manager.

To learn more about how Solution Manager can help you comply with the DHS recommendations for securing SAP systems, contact Layer Seven Security.

SAP Security Notes, September 2018

Zarah on October 9, 2018

Note 2681207 patches a high-risk missing XML validation vulnerability in Extended Application Services (XS) in SAP HANA. The OData parser in HANA XS does not sufficiently validate XML input from users. This can lead to the processing of malicious code that could provoke a denial of service in the database server. The vulnerability can be exploited if applications using OData services are enabled on HANA XS. If authentication is not enforced for an enabled application using OData, an anonymous attacker can exploit the vulnerability. The attacker needs network access to the HTTP/HTTPs port of the SAP HANA database XS engine classic model. The vulnerability can be fixed by applying the software packages listed in note 2681207. Alternatively, you can limit network access to the XS classic server running in the tenant databases of a multitenant system. The default port range is 30040 – 30997. It is also recommended to enforce authentication for applications using OData services via HANA XS.

Note 2644279 deals with a similar high-risk missing XML validation vulnerability in a component of the BEx Web Java Runtime in Business Warehouse. The issue is specific to PDF ALV Export.

Note 2392860 removes transaction ZPTTNO_TIME from the standard roles SAP_PS_RM_PRO_ADMIN and SAP_PS_ RM_PRO_REVIEWER in SAP CRM Case Management. The transaction could be abused to escalate privileges.

Other high priority notes include note 2670284 which updates logging functions in Crystal Reports and Business One for HANA to prevent the disclosure of sensitive information, and note 2449974 which introduces authorization check V_VBKA_VKO for specific Sales Support APIs in ECC Sales and Distribution.

SAP Security Notes, August 2018

Zarah on September 7, 2018

There were several high priority Security Notes released in August for vulnerabilities impacting multiple Business Intelligence applications. Note 2569748 patches an XML External Entity vulnerability in Crystal Reports for Enterprise. Note 2614229 deals with a memory corruption vulnerability in the BOBJ platform that can be triggered by a buffer overflow. Note 2644154 provides corrections for a SQL injection vulnerability in the BI Launchpad for Web Intelligence that could be exploited to read sensitive data.

A similar SQL injection vulnerability is addressed in the MaxDB database by note 2660005. The solution includes removing unnecessary privileges for DBM operators responsible for managing databases.

Notes 2655250 and 2155614 patch missing authorization checks in the MDM Catalog of Supplier Relationship Management (SRM) and components of ERP Sales and Distribution.

Note 2201710 includes instructions for responding to Logjam and similar vulnerabilities in SAP products using OpenSSL. Logjam involves downgrading vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. Note 2201710 adds protection for TLS clients by rejecting handshakes with DH parameters shorter than 768 bits.