Layer Seven Security

SAP Security Notes, March 2018

Note 2331141 addresses a high-risk SQL injection vulnerability in the FI Localization tables of S/4HANA. The corrections included in the support packages listed in the note will enable screening of user input for dangerous SQL statements. The formula expressions delivered in Note 2261750 are a prerequisite for user input validation checks delivered via the note.

Note 2604541 includes corrections in support packages for a dangerous denial of service (DoS/DDoS) vulnerability in the Java OData Gateway. The vulnerability affects the open-source Apache servlets that manage incoming OData requests. Refer to CVE-2017-12624 and CVE-2017-3156 for further details.

Notes 2596535 and 2587369 deal with information disclosure vulnerabilities in SAP Business Process Automation (BPA) by Redwood and in SAP HANA 1.0 and 2.0. Both notes carry a CVSS score of 7.5 or higher and could be exploited to leak sensitive system and user-related data. In the case of SAP HANA, user credentials may be stored in clear text in indexserver trace files, and attackers may be able to access systems using credentials garnered from those files. Reading the trace files requires TRACE_ADMIN or CATALOG READ privileges. Access to these and other critical privileges in HANA systems should be monitored using SAP Solution Manager.

Note 2595262 includes corrections for a cross-site scripting vulnerability in the SAP CRM WebClient UI. The note has multiple prerequisite notes including collective note 2577883.

Finally, Note 2538829 includes updated libraries for open-source components in the SAP Internet Graphics Server (IGS) that are vulnerable to remote code execution attacks that could lead to memory corruption and provoke a denial of service.

Monitor Dangerous Function Module Calls with SAP Solution Manager

SAP systems operate in highly interconnected landscapes that rely on numerous interface technologies. The most common interface technology is the RFC protocol. The RFC protocol enables remote-enabled function modules (RFMs) to be called in remote systems. Some RFMs can be exploited to perform dangerous, administrative commands in target systems. For example, the function module BAPI_USER_CREATE can be used to create or maintain users. RFC_ABAP_INSTALL_AND_RUN can be used to register and execute arbitrary code. External commands including operating system commands can be executed using SXPG_CALL_SYSTEM and SXPG_COMMAND_EXECUTE. Therefore, monitoring for the execution of dangerous RFMs is critical for detecting potential attacks against SAP systems.

This article discusses how SAP Solution Manager detects and triggers alerts for dangerous RFM calls using Interface and Connection Monitoring (ICMon) and the Monitoring and Alerting Infrastructure (MAI). The article also discusses how the Guided Procedure Framework in Solution Manager can be used to create automated workflows for alert handling and forensic investigations.

ICMon provides a centralized platform for monitoring communications between systems within and across SAP landscapes. The application is accessed from the System and Application Monitoring group in the Fiori Launchpad.

Monitoring scenarios must be configured before using ICMon. The scenarios define the target systems and interface channels to monitor, as well as the direction of the communications traffic. ICMon supports monitoring for both internal and external systems, and covers several communication protocols: synchronous, transactional, queued and background RFC, as well as Web Services, Gateway (OData) connections, HTTP, IDoc, CRM, PI and Cloud services.

Once configured, Solution Manager starts to collect usage data for each scenario at regular intervals through background jobs. It also generates dynamic topologies for each scenario to visualize connections. Channels are color coded based on performance, availability, and configuration issues or exceptions detected by Solution Manager.

Monitoring for specific function modules can be performed by maintaining blacklisted RFMs for RFC interface channels in each scenario. The Number of RFC Executions metric should then be enabled to automatically trigger alerts for the execution of any of the RFMs.

The channel will be colored red in the topology if a dangerous RFC function module call is performed.

The Alert Ticker displays open alerts in the Overview screen.

Alerts can be managed from the Alert Inbox of the MAI.

The Alert Details specify the function module and the RFC destination used to call the RFM, as well as details of the calling system, called system, and the timestamp of the event.

The details are also included in attachments appended to email notifications sent by Solution Manager.
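The detection described above, reduced to its logic, as an added example that is not part of the original article and not Solution Manager's own code: a blacklist of the RFMs named in the article, a parser for constructed RFC call records (the record layout, system names and destination names are assumptions for this example, not ICMon's collector format), and an alert builder that emulates the Number of RFC Executions metric per interface channel and carries the same fields the article lists for Alert Details.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Function modules the article names as dangerous when called over RFC.
# Held in upper case because ABAP function module names are case-insensitive.
BLACKLISTED_RFMS = {
    "BAPI_USER_CREATE",
    "RFC_ABAP_INSTALL_AND_RUN",
    "SXPG_CALL_SYSTEM",
    "SXPG_COMMAND_EXECUTE",
}


@dataclass(frozen=True)
class RfcCall:
    timestamp: datetime
    caller: str       # calling system
    callee: str       # called system
    destination: str  # RFC destination used for the call
    rfm: str          # remote-enabled function module


# Constructed sample records: "timestamp caller|callee|destination|function module".
# The layout is an assumption for this example, not ICMon's collector format.
SAMPLE_LOG = """\
2018-03-05T08:14:02 ERP|SM1|SM_ERPCLNT100_READ|RFC_READ_TABLE
2018-03-05T08:14:09 ERP|SM1|SM_ERPCLNT100_READ|BAPI_USER_GETDETAIL
2018-03-05T08:15:31 PRD|ERP|ERPCLNT100_TRUST|RFC_ABAP_INSTALL_AND_RUN
2018-03-05T08:15:40 PRD|ERP|ERPCLNT100_TRUST|SXPG_COMMAND_EXECUTE
2018-03-05T08:16:02 PRD|ERP|ERPCLNT100_TRUST|sxpg_call_system
2018-03-05T08:16:20 PRD|ERP|ERPCLNT100_TRUST|SXPG_COMMAND_EXECUTE
2018-03-05T08:17:15 BWP|ERP|ERPCLNT100_BW|RFC_PING
"""

LINE_RE = re.compile(r"^(\S+) (\w+)\|(\w+)\|([^|\s]+)\|(\S+)$")


def parse_log(text):
    """Parse the sample format into RfcCall records, skipping malformed lines."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, caller, callee, dest, rfm = m.groups()
        # Normalise the RFM name so a lower-case call cannot slip past the blacklist.
        calls.append(RfcCall(datetime.fromisoformat(ts), caller, callee, dest, rfm.upper()))
    return calls


def channel_of(call):
    """An RFC interface channel in the ICMon sense: caller, callee and destination."""
    return (call.caller, call.callee, call.destination)


def build_alerts(calls, blacklist=BLACKLISTED_RFMS, threshold=1):
    """Emulate the Number of RFC Executions metric restricted to blacklisted RFMs.

    Returns one alert per (channel, RFM) whose execution count reaches the
    threshold, with the fields an Alert Detail needs: function module, RFC
    destination, calling and called system, first/last timestamp and count.
    """
    hits = [c for c in calls if c.rfm in blacklist]
    groups = {}
    for c in hits:
        groups.setdefault(channel_of(c) + (c.rfm,), []).append(c)
    alerts = []
    for key in sorted(groups):
        group = groups[key]
        if len(group) < threshold:
            continue
        caller, callee, dest, rfm = key
        alerts.append({
            "function_module": rfm,
            "rfc_destination": dest,
            "calling_system": caller,
            "called_system": callee,
            "executions": len(group),
            "first_seen": min(c.timestamp for c in group).isoformat(),
            "last_seen": max(c.timestamp for c in group).isoformat(),
        })
    return alerts


def red_channels(alerts):
    """Channels that would be coloured red in the topology: any channel with an alert."""
    return sorted({(a["calling_system"], a["called_system"], a["rfc_destination"]) for a in alerts})


if __name__ == "__main__":
    for alert in build_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

Grouping by channel plus function module mirrors how ICMon attaches the metric to an RFC interface channel; the threshold argument is what keeps a single noisy destination from flooding the inbox with one alert per call.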

The Guided Procedure Framework (GPF) in Solution Manager can be used to create standard operating procedures for investigating dangerous RFM executions. The procedures can be started by selecting the option to Start Guided Procedure in each alert. Once initiated, the guided procedure will provide investigators with detailed instructions for performing forensic investigations and log the progress of each step in the procedure.

SAP Security Notes, February 2018

Note 2589129 addresses multiple high-risk vulnerabilities in HANA Extended Services Advanced (XSA) Server. XSA provides a development and runtime platform for HANA applications. XSA delivers improved reliability and scalability over HANA XS by providing separate runtime environments for applications. Applications operate in trust zones known as spaces. Applications deployed to the same space can share common resources such as data storage, user authorizations, and passwords. Permissions to manage spaces including domains and resources are granted through controller roles.

Note 2589129 recommends using HANA XSA patch level 1.0.70 in order to remove several authentication and authorization bypass vulnerabilities listed in the Note. This includes flaws in specific controller roles that could enable users to retrieve sensitive information. It also includes vulnerabilities that could enable unauthenticated or unauthorized users to read the system configuration using SQL statements and retrieve passwords from log files.

Note 2525222 includes automated corrections and manual instructions for high priority vulnerabilities in the SAP Internet Graphics Server (IGS). The vulnerabilities are caused by unrestricted file uploads that could be exploited to provoke a denial of service, perform cross-site scripting or log injection attacks, and leak sensitive data.

Lastly, Note 2565622 includes corrections to remove a broken authentication vulnerability that could enable attackers to access privileged functions or read and modify sensitive data in the SAP NetWeaver System Landscape Directory (SLD). The SLD supports landscape management and stores destination information used for system interfaces and the NetWeaver Development Infrastructure (NWDI).

Webinar: Threat Detection with SAP Solution Manager 7.2

How does Solution Manager perform threat detection for SAP systems? What type of events are detected? Which logs are monitored? Is this real-time or near-time monitoring? Do you receive email and SMS notifications for alerts? How do you prevent alert flooding? How do you use guided procedures for alert handling and forensic investigations? Is it possible to customize workflows in guided procedures? How do you integrate SolMan alerts with SIEM platforms for event correlation? What are the differences between threat detection with SAP Solution Manager and SAP Enterprise Threat Detection?

Discover the answers to these and many more questions by joining Layer Seven’s webinar on March 30. Gain valuable insights that will empower you to unlock the potential of your SAP platforms from the global leaders in cybersecurity monitoring using SAP Solution Manager.

SAP Security Notes, January 2018

Note 2580634 provides instructions for removing a malicious file insertion vulnerability in the Process Control and Risk Management applications of SAP Governance, Risk and Compliance (GRC). The vulnerability could be exploited to upload malicious scripts or other forms of malware to SAP servers. The note includes manual instructions for implementing package GRFN_DOCUMENT_WT_CHECK of the BAdI GRFN_DOCUMENT. This will activate a positive whitelist in table GRFNDOCUMENTWT to control permitted file extensions and mime types.
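The positive whitelist described above, as an added example that is not part of the original article and not SAP's GRC code: an allowlist of extensions and the MIME types permitted for each (the table contents here are constructed, standing in for GRFNDOCUMENTWT), and a check that rejects anything not explicitly listed. It also handles the cases a positive list has to get right: the last extension decides (so a double extension cannot borrow a permitted one), names are compared case-insensitively, NUL bytes and extension-less or dot-only names are refused, and MIME parameters are stripped before comparison.

```python
import os

# Constructed allowlist standing in for the whitelist table. Extension -> MIME
# types accepted for it. The exact mapping is an assumption for this example.
ALLOWED_TYPES = {
    "pdf":  {"application/pdf"},
    "docx": {"application/vnd.openxmlformats-officedocument.wordprocessingml.document"},
    "xlsx": {"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"},
    "png":  {"image/png"},
    "jpg":  {"image/jpeg"},
    "jpeg": {"image/jpeg"},
}


def check_upload(filename, mime_type, allowed=ALLOWED_TYPES):
    """Return (accepted, reason). Anything not explicitly listed is rejected."""
    # Judge only the final path component; client-supplied directories are ignored.
    name = os.path.basename(filename)
    if "\x00" in name or name in ("", ".", ".."):
        return False, "invalid file name"
    # Use the LAST extension so 'report.pdf.exe' is judged on 'exe', not 'pdf'.
    # A leading-dot name such as '.htaccess' has an empty root and is refused.
    root, dot, ext = name.rpartition(".")
    if not dot or not root or not ext:
        return False, "missing file extension"
    ext = ext.lower()
    if ext not in allowed:
        return False, f"extension '{ext}' not in whitelist"
    # Compare the declared type without parameters ('; charset=...'), case-insensitively.
    declared = mime_type.split(";", 1)[0].strip().lower()
    if declared not in allowed[ext]:
        return False, f"MIME type '{declared}' not permitted for '.{ext}'"
    return True, "accepted"


if __name__ == "__main__":
    for fn, mt in [("policy.pdf", "application/pdf"),
                   ("report.pdf.exe", "application/pdf"),
                   ("photo.png", "text/html")]:
        print(fn, mt, check_upload(fn, mt))
```

The declared MIME type comes from the client and proves nothing on its own; the extension allowlist carries the decision, and the MIME comparison only adds a consistency check. Inspecting the file content server-side would be the next layer, which this example does not attempt.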

Note 2408073 provides updated instructions for the handling of digitally signed notes in the Note Assistant. Note 2518518 should be implemented before Note 2408073 to install new objects required to support Notes with digital signatures. The Notes will update the Note Assistant tool to verify digital signatures using the SAPCAR utility. SAPCAR must be version 7.20, patch level 2 or higher. The Note Assistant tool will process ZIP files containing Notes downloaded from the SAP Support Portal and log the results of digital signature checks. Notes that fail the digital signature check will be logged in the Application Log (transaction SLG1), which the Note Assistant reads using the authorization object S_APPL_LOG. For further information, refer to Note 2537133 – FAQ – Digitally Signed SAP Notes and the Digital Signature User Guide referenced in Note 2408073.

Note 2507934 provides instructions for adjusting role SAP_BPO_CONFIG in SAP Solution Manager 7.2. The instructions restrict authorizations for table maintenance in the role to BPO-relevant tables belonging to the authorization groups SS, LMDB, PIMA, SA, IWAD, and SC.

SAP Security Notes, December 2017

SAP issued an important update for Hot News Note 2371726, originally released in November 2016. The note addresses a code injection vulnerability in Text Conversion, which enables SAP standard text to be replaced by industry-specific text. Function module BRAN_DIR_CREATE in Text Conversion enables an authenticated development user to inject operating system commands and execute them from the SAP system via that function. Developer rights through the S_DEVELOP authorization object are required for successful exploitation. Nonetheless, the note carries a CVSS score of 9.10/10 and rates high in terms of impact to data confidentiality, integrity and availability. The note includes corrections for SAP Basis versions 700 – 751 which restrict the range of supported special characters and the directory created by function module BRAN_DIR_CREATE.

Note 2486657 patches a high-risk directory traversal vulnerability in the API Engine of AS Java which arises from insufficient path validation performed by the Servlet API for resource requests. This could enable attackers to read the content of arbitrary files on servers and expose sensitive data to corruption or deletion. The Note includes instructions for updating versions 7.10 – 7.50 of AS Java to the latest patch level, including the vulnerable components ENGINEAPI, J2EE ENGINE, J2EE ENGINE CORE and JEECOR.
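Both of the corrections above come down to the same two controls: restrict the characters a caller may supply for a directory name (Note 2371726) and validate that a resolved path stays inside its intended root (Note 2486657). As an added example that is not part of the original article and not SAP's code for either fix, the block below shows both controls in general form: an allowlisted single-component directory name that carries no separators or shell metacharacters, and a containment check that resolves the path before comparing it to the base, decoding percent-encoding first for resource requests. The base directories and file names are constructed for the example.

```python
import os
import re
from urllib.parse import unquote

# Constructed base directories for the example; real deployments use their own.
TEXTCONV_BASE = "/srv/sap/textconv"   # where validated directories would be created
WEB_ROOT = "/srv/sap/webapp"          # root that resource requests are confined to

# One path component: leading alphanumeric, then a short allowlisted set.
# No separators, dots, whitespace or shell metacharacters can pass.
DIRNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


def validate_dirname(name):
    """Accept only names that cannot carry separators or shell metacharacters."""
    return bool(DIRNAME_RE.fullmatch(name))


def resolve_under_base(base, requested):
    """Resolve `requested` against `base`; return the absolute path, or None if it escapes.

    realpath collapses '..' and symlinks before the comparison. An absolute
    `requested` replaces base inside os.path.join, which the containment check
    then rejects rather than silently trusting the prefix.
    """
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, requested))
    if target == base_real or target.startswith(base_real + os.sep):
        return target
    return None


def safe_new_directory(name, base=TEXTCONV_BASE):
    """Path for a new directory under base, or None if the name is refused.

    Creation is left to the caller via os.makedirs on the returned path; the
    name is never interpolated into a shell command, so no quoting is needed.
    """
    if not validate_dirname(name):
        return None
    return resolve_under_base(base, name)


def safe_resource_path(requested, root=WEB_ROOT):
    """Map a resource request to a file under root, or None if it escapes.

    Decode percent-encoding first so '%2e%2e/' is judged as '../', and refuse
    NUL bytes and backslashes, which some path APIs treat as separators.
    """
    decoded = unquote(requested)
    if "\x00" in decoded or "\\" in decoded:
        return None
    return resolve_under_base(root, decoded.lstrip("/"))


if __name__ == "__main__":
    print(safe_new_directory("branch_42"))              # allowed
    print(safe_new_directory("x; rm -rf /"))            # None
    print(safe_resource_path("/css/site.css"))          # allowed
    print(safe_resource_path("/%2e%2e/%2e%2e/etc/passwd"))  # None
```

Decoding once is deliberate: a doubly encoded request such as `%252e` becomes the literal text `%2e`, which realpath treats as an ordinary directory name inside the root, so it is contained rather than misread as a traversal.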

Note 2476937 delivers a patch for a critical denial of service vulnerability in the SAP Standalone Enqueue Server which is used to support direct TCP connections between clients and servers that bypass dispatchers and message servers. Attackers can trigger resource exhaustion in the Server using specific requests. The Note includes kernel patches for SAP Kernel versions 7.21 – 7.53.

Note 2408073 includes updated instructions for manual activities required to prepare SAP systems to process digitally signed Notes. The note also includes sample files to test the security features once they are enabled.

SAP Solution Manager is ITIL-Certified for Information Security Management

The SAP Integration and Certification Center (ICC) has been validating and certifying solutions from partners and software vendors for over twenty years. The certifications provided by the ICC are based on rigorous testing and enable customers to invest with confidence in technologies that integrate with SAP solutions. This includes technologies that support security scenarios such as automated vulnerability management, code scanning and threat detection.

The ICC cannot certify SAP’s own product offerings since self-certification does not provide the same level of assurance as independent certification. However, SAP platforms are often certified by recognized certification authorities. SAP Solution Manager, for example, is certified by organizations such as SERVIEW. In fact, Solution Manager is one of the most awarded service management platforms in the market and certified for all 18 certifiable processes of the ITIL framework, including Information Security Management.

ITIL is the Information Technology Infrastructure Library and provides best practices to support the design, management and monitoring of IT infrastructure and optimization of service levels for end users. The framework consists of five distinct lifecycle phases for service strategy, design, transition, operations, and continuous improvement. It includes key performance indicators to identify problems, measure performance, and track progress.

IT Security Management is a process within the Service Design lifecycle of the most recent version of the ITIL framework. It includes four sub-processes for the design of security controls, the performance of regular security reviews, and the management of security incidents. The sub-processes are targeted at preventing, detecting and containing security intrusions and breaches. The chart below maps each sub-process to relevant applications available in SAP Solution Manager.

ITIL v3 – IT Security Management

Applications such as Configuration Validation, Service Level Reporting and the Dashboard Builder enable customers to enforce security baselines for SAP landscapes and monitor compliance against security KPIs. System Recommendations automatically detects missing security patches through a direct connection to SAP support. Interface Monitoring detects potential breaches of cross-system connections. Finally, the Monitoring and Alerting Infrastructure and Guided Procedures provide an advanced framework for detecting and responding to security incidents and suspected breaches. Overall, Solution Manager provides a powerful ITIL-compliant platform for defining, implementing and sustaining secure SAP system landscapes.