May 2018 - Layer Seven Security

Monitoring the SAProuter with SAP Solution Manager

Layer Seven Security on May 18, 2018

The SAProuter performs a pivotal role in SAP landscapes by filtering SAP traffic using a more granular approach than is possible with conventional network-level firewalls. As a stand-alone program, it is commonly installed in DMZ servers that support network services rather than SAP applications.

The SAProuter is often targeted by attackers given it’s function as the gateway to SAP systems. There are several attack vectors targeting known vulnerabilities in earlier versions of the program. Therefore, it’s important to regularly update the SAProuter to the latest release and patch level. You can refer to note 1897597 for release information and note 1921693 for instructions for updating the program. Other recommendations include changing the well-known default port and blocking remote access to the SAProuter. This could be abused to control the SAProuter from external clients or hosts. It can also be exploited to modify the route permission table.

The route permission table is maintained in the saprouttab file stored in the working directory of the SAProuter and controls route strings between hosts. It applies an access control list to permit or reject connections between source and target systems through the SAProuter. Standard entries in the route permission table have the syntax P (Permit) /S (Secure) /D (Deny) <source-host> <destination-host> <destination-port or service> <password>. The password option for permitted connections is optional.

The access control list should be as restrictive as possible and only permit the necessary connections. Wildcards (*) should not be used in the destination host and port fields. The rule D * * * * should be included as the last entry in the list to explicitly deny all connections that are not defined in the route permission table.

Lastly, the access list should be configured to support only authenticated and encrypted connections using the K prefix for positive entries. This requires the configuration of Secure Network Communications (SNC) for the SAProuter. For detailed instructions, refer to the SAP guide for SAProuter SNC Configuration.

The SAProuter can be monitored with SAP Solution Manager. The Solution Manager Diagnostics (SMD) agent should be installed on the server hosting the SAProuter. The Remote OS Script Collector (ROSCC) is also required to run OS commands through the Monitoring and Alerting Infrastructure (MAI) of Solution Manager. The next steps are the registration of the SAProuter in Solution Manager and the execution of the steps for managed system setup. Once completed, the SAProuter is available for monitoring.

The route permission table can be monitored by Solution Manager to automatically detect insecure entries including unauthenticated and unencrypted connections and entries with wildcards in the destination and port fields. An example is provided below.

The release and patch level of the SAProuter can be checked using the ROSCC. The port used by the SAProuter and whether the program accepts commands from remote hosts can also be monitored with the ROSCC.

The SAProuter log can be read to detect connections rejected by the SAProuter based on the route permission table. An example of an alert is provided below. Click on the image to enlarge.

Email notifications are automatically triggered by Solution Manager for alerts. See below.

Analysts can execute guided procedures in Solution Manager to investigate alerts and document findings. An example is provided below for Securing the Route Permission Table.

The guided procedure provides a framework for discovering insecure entries in the saprouttab file, identifying required entries, maintaining the route permission table and finally, monitoring the SAProuter log for rejected connections.

Detailed reference documentation is included for each step in the procedure.

SAP Security Notes, April 2018

Zarah Basilio on May 8, 2018

Hot News Note 2622660 includes critical security updates for web browser controls delivered with SAP Business Client. The Client provides a unified environment for SAP applications including Fiori, SAP GUI, and Web Dynpro. It supports browser controls from Internet Explorer (IE) and Chrome for displaying HTML content. Security corrections for the WebBrowser control of the .NET framework in IE are delivered directly by Microsoft. Unlike IE, the browser control for Chrome is embedded in SAP Business Client using the open source Chromium Embedded Framework (CEF). Security fixes are provided by the Chromium project and delivered by SAP through periodic Security Notes. Note 2622660 includes corrections addressed by Chromium releases 64 and 65. The critical rating of the note is due to the fact that the highest CVSS rating of the security corrections bundled in the fixes is 9.8/10.

Note 2552318 provides an important update for Note 2376081 released in August 2017. The note deals with a high priority code injection vulnerability impacting iviews created in Visual Composer. Iviews are interactive, web-based applications in Java platforms. The corrections included in Notes 2552318 and 2376081 will support code injection checks for the entire input stream received from Visual Composer in the export to Excel mechanism. Note 2376081 should be implemented before 2552318.

Note 2537150 includes corrections to automatically terminate active sessions for user whose passwords have been changed in BusinessObjects.

Note 2587985 provides instructions for removing a Denial of Service (DOS) vulnerability in the Apache Http Server embedded in SAP Business One.

Finally, Note 2190621 provides a solution to log peer IP addresses instead of terminal IP addresses in the Security Audit Log, Peer or routed IP addresses are less vulnerable to manipulation than terminal IP addresses.