Layer Seven Security

U.S Treasury Sanctions ERPScan

Earlier this week, the United States Treasury issued an Executive Order to prohibit U.S organizations from engaging with ERPScan, a subsidiary of Digital Security and a provider of security software and services for SAP systems. According to a press release issued by the Treasury, Digital Security “provided material and technological support to Russia’s Federal Security Service (FSB)” and contributed to efforts to “increase Russia’s offensive cyber capabilities for the Russian Intelligence Services”. Treasury Secretary Steve Mnuchin stated that the Executive Order is driven by the need to “counter the constantly evolving threats emanating from Russia”.

ERPScan has denied any link with the FSB in an official statement. Further, it stated that “it is unfortunate that American companies will not have a competitive market in the ERP Security field, turning our main US competitor into a monopolist without any incentive to innovate.”

There are several competitors in the ERP security market within the United States. Therefore, the withdrawal of ERPScan is unlikely to lead to a monopoly in the market. Furthermore, the solution providers in the market have demonstrated a universal commitment to innovation including advances such as Data Loss Prevention using SAP Solution Manager recently announced by Layer Seven Security. There is no reason to believe that the Executive Order will diminish the level of innovation in the market.

However, the Executive Order has highlighted the risk to SAP customers arising from the dependence on third party security tools for SAP security monitoring. Layer Seven Security is the only solution provider in the market that eliminates this risk by leveraging SAP Solution Manager to protect SAP systems from cyber threats. Solution Manager is supported and maintained directly by SAP. Contact Layer Seven Security to discuss these and other benefits of SAP cybersecurity monitoring with Solution Manager.

Top Five Tips for System Recommendations

System Recommendations in SAP Solution Manager connects directly to SAP Support for real-time patch updates. It also connects to each system within SAP landscapes to monitor patch levels. SysRec downloads corrections for security vulnerabilities from SAP Support to each system and integrates with other areas in Solution Manager for change impact analysis, change management, and test management. SAP customers can therefore discover unapplied patches, bundle patches into change requests, and plan and execute test plans for patch cycles from a single integrated platform.

This article provides suggestions for optimizing System Recommendations to improve the performance of the application and the user experience. The tips will enable you to minimize false positives, identify and troubleshoot errors, and personalize the user interface.

System Recommendations reads the Landscape Management Database (LMDB) to determine the version and support pack levels for installed software components in each system. Therefore, the LMDB should be configured correctly, regularly updated and synchronized with the System Landscape Directory (SLD). This will reduce the likelihood of false positives such as the display of notes for irrelevant components, databases and operating systems. Kernel registration in the SLD will also help to minimize false positives. Alternatively, irrelevant components can be set to inactive in the customizing table AGSSR_OSDB to exclude them from the results returned by SysRec.

The background job SM:SYSTEM RECOMMENDATIONS periodically updates System Recommendations by connecting to SAP support and to managed systems to calculate unapplied notes. Processing errors for the object ASG_SR should be monitored using the Application Log (transaction SLG1). Alerts for job errors including automatic email notifications should be configured using Business Process Monitoring (BPMon) in Solution Manager.

System Recommendations excludes notes that are irrelevant, postponed or discontinued.  Therefore, it displays results for notes that have the implementation status New or New version available. Since the available status options don’t include options for notes with manual corrections that have been implemented, a custom status option for such notes should be configured by maintaining table AGSSR_STATUS. This can be performed using transaction SM30. Customers can also create custom status options to group notes by patch cycle, project or other criteria. In the example below, we’ve assigned a group of notes to the custom status group Q3 2018 and filtered the results to list the notes assigned to the group.

Status changes performed by users for notes are logged by System Recommendations. The changes are tracked in the details section for each note.  This section also tracks comments entered by users for notes. Comments are useful for tracking discussions between users that could impact implementation decisions including the approach, rationale, and timeline for applying security patches. Changes and comments entered by users can be viewed in table AGSSR_SYSNOTEC.

Finally, Fiori tiles can be configured in SysRec to create shortcuts for notes for specific systems, groups, and other variables. The tiles are accessed from the Fiori Launchpad and can be assigned to custom or standard groups. Once saved to the Launchpad, the results for each tile are automatically updated by System Recommendations.

SAP Security Notes, May 2018

SAP released an update for Hot News Note 2357141 which addresses a critical OS command injection vulnerability in the terminology export report program of  SAPterm (transaction STERM). STERM is used to search SAP-delivered terminology and create and maintain customer-specific terminology. TERM_EXCEL_EXPORT is a standard executable program that enables users to export terminology repositories to Excel. The program calls function modules that accept unfiltered user commands in expressions that are used to call systems. This could be abused by attackers perform arbitrary operating system commands using the elevated privileges of the <sid>adm user.  The impact of such an exploit could include compromise of the entire SAP file system in the effected host. This explains the high CVSS base score of 9.1 / 10 for Note 23557141. The Note rates high in terms of the impact to information confidentiality, integrity and availability. Systems with SAP_BASIS versions 7.31 – 7.66 should be patched to the relevant Support Package level listed in the Note.

There was also an important update for Note 2622660 which includes critical security updates for web browser controls delivered with SAP Business Client. The Client provides a unified environment for SAP applications including Fiori, SAP GUI, and Web Dynpro.  It supports browser controls from Internet Explorer (IE) and Chrome for displaying HTML content. Security corrections for the WebBrowser control of the .NET framework in IE are delivered directly by Microsoft.

Unlike IE, the browser control for Chrome is embedded in SAP Business Client using the open source Chromium Embedded Framework (CEF). Security fixes are provided by the Chromium project and delivered by SAP through periodic Security Notes.  Note 2622660 includes corrections addressed by Chromium releases 64 and 65. The critical rating of the note is due to the fact that the highest CVSS rating of the security corrections bundled in the fixes is 9.8/10.

Finally, Note 2537150 was re-released with updated support pack information. The Note includes corrections to automatically terminate active sessions for users whose  passwords have been changed in BusinessObjects.