Layer Seven Security

Webinar Playback: Holistic SAP Cybersecurity with CVA & SolMan

Watch the playback of this month’s webinar to learn how you can implement holistic cybersecurity for your SAP systems with Code Vulnerability Analyzer and Solution Manager.

CVA performs static code analysis to detect vulnerabilities in custom code. SAP Solution Manager detects vulnerabilities and threats in SAP systems including components such as the gateway server, message server and SAProuter, targeted by the recent 10KBLAZE exploits. 

Together, CVA and Solution Manager provide an integrated platform to secure custom code and SAP systems against cyber threats.

SAP Security Notes, May 2019

Note 1408081 was updated in May in response to the recent 10KBLAZE exploits targeting vulnerabilities in the gateway server. The note includes revised instructions for maintaining access control lists in the gateway security files reg_info and sec_info for different kernel versions. The access control lists should be configured to control external server registrations and program starts. The note recommends restricting registrations and starts to within the same system or SID cluster using the options ‘local’ and ‘internal’. However, the updates do not mention the risk that the security mechanisms applied by the recommended entries could be bypassed by attackers that register as internal servers with the message server. Therefore, it is critical to maintain access control lists for the message server to support the secure configuration of the gateway server.

For additional security against 10KBLAZE exploits, a separate port should be configured for internal message server communications, external monitor commands should be rejected, communications between kernel components should be encrypted, and the bit mask value for the profile parameter gw/reg_no_con_info should be set to a value of 255.

Note 2756453 provides manual instructions and automated corrections for removing a high-risk cross-site scripting vulnerability in S/4HANA.

Note 2784307 deals with another high-risk vulnerability in the REST Interface that could be exploited to escalate privileges in SAP Identity Management.

 

10KBLAZE: Secure Your Systems with SAP Solution Manager

On May 2, the Department of Homeland Security issued an alert for SAP customers in response to the disclosure of new exploits targeting vulnerable SAP components. According to some reports, the so-called 10KBLAZE exploits could impact 90% of SAP installations worldwide. The exploits target misconfigurations in the gateway server and message server installed in most SAP systems including S/4HANA, ERP and CRM. The successful execution of the exploits could enable attackers to exfiltrate or modify data and provoke a denial of service without authentication. In other words, attackers can completely compromise target SAP systems without any user credentials.

The new exploits target known vulnerabilities addressed by notes and advisories released by SAP since 2005.  Note 821875 details measures to secure the message server, including restricting external access, separating internal and external communications, and maintaining secure access control lists. The profile parameter ms/monitor should be set to 0 to prevent external programs such as msmon from administering the message server at the operating system level. Access to transaction SMMS should also be restricted since the setting can be changed dynamically using the Message Server Monitor within the application server. A separate port for internal communication between application servers should be defined using parameter rdisp/msserv_internal. This will prevent external clients from intercepting or rerouting internal message server communications.  The port should not be exposed to clients or intranets. Finally, the parameter ms/acl_info should specify the file containing a restrictive access control list of hosts, domains, IP addresses or subnets for application servers permitted to log on with the message server.

ACLs should also be defined for the gateway server to control access to starting external programs.  This can be performed using the gateway security file sec_info. The correct syntax for the file depends on the kernel level. For kernel 7.20 and higher, the setting USER-HOST=LOCAL is recommended to protect against 10KBLAZE exploits. This will allow connections from the same server instance. The setting USER-HOST=INTERNAL could be vulnerable but is required for SID clusters. For detailed guidance, refer to Note 1408081. The ACLs should be supported by the setting gw/acl_mode to 1. This parameter defines the behavior of the gateway server if sec_info does not exist.

Since some 10KBLAZE exploits are targeted at modifying or redirecting data packets, enabling SNC to authenticate and encrypt client-server communications is recommended.

SAP systems vulnerable to 10KBLAZE exploits can be discovered using SAP Solution Manager. The Cybersecurity Extension for SAP Solution Manager automatically monitors security settings for the message server and gateway server including profile parameter settings, access control lists and users with critical transactions such as SMMS. The extension also monitors message and gateway logs for external monitor commands, successful and unsuccessful program starts, and other events. Alerts are triggered by the extension for suspected exploits.

The example below illustrates how you can discover insecure sec_info entries that could expose systems to 10KBLAZE exploits.

Click on Vulnerability Report in the Fiori Launchpad.

SAP Cybersecurity Extension for Solution Manager 10

Filter by ABAP systems, select the check-box for the target system and click on Display.

SAP Cybersecurity Extension for Solution Manager 09

Filter for vulnerabilities in open status within the area of RFC Security. Click on the check for starting of external programs.

SAP Cybersecurity Extension for Solution Manager 08

Review the details and recommendation. Click on the linked SAP Notes and SAP Help.

SAP Cybersecurity Extension for Solution Manager 07

Click on Additional Information to review the insecure entries in the sec_info ACL.

SAP Cybersecurity Extension for Solution Manager 03

Focus on entries with the setting USER-HOST=internal.

Click on the download icon to export the current settings.

If required, add comments in the Comment section.

SAP Cybersecurity Extension for Solution Manager 04

The finding for the system will be automatically removed from the report once the sec_info entries are updated. However, you can manually change the status using the Change Status option. Note that status changes are tracked in the extension.

SAP Cybersecurity Extension for Solution Manager 05

You can also assign responsibility for remediating the finding to specific groups using the Change Owner option.

SAP Cybersecurity Extension for Solution Manager 06

Webinar: 10KBLAZE – Secure Your SAP Systems with CVA and SolMan

According to a recent report, thousands of SAP installations may be vulnerable to 10KBLAZE exploits targeting SAP applications.

Join SAP and Layer Seven Security to learn how to secure your SAP systems against the exploits with SAP Code Vulnerability Analyzer (CVA) and SAP Solution Manager. CVA performs static code analysis to detect vulnerabilities in custom code. SAP Solution Manager detects vulnerabilities and threats in SAP systems including components such as the gateway server, message server and SAProuter, targeted by 10KBLAZE.

Together, CVA and Solution Manager provide an integrated platform to secure your business-critical SAP systems against 10KBLAZE and other exploits.

Thu, Jun 6, 2019
11:00 AM – 12:00 PM EDT

REGISTER

SAP Security Notes, April 2019

Note 2747683 patches a vulnerability in the signature security mechanism of the Adapter Engine in SAP NetWeaver Process Integration (PI). The vulnerability could enable attackers to spoof XML signatures and send arbitrary requests to the server via PI Axis adapter. Such requests will be accepted by the PI Axis adapter even if the payload has been altered, especially when the signed element is the body of the xml document.  SAP has corrected the relevant code in PI Axis Adapter. The corrections apply additional checks for signed elements for correctness before signature validation. Customers should apply the relevant support packages and patches referenced by SAP Note 2747683.

Note 2776558 provides corrections for a high-risk insufficient authorization check in SAP Funding Management.  The vulnerability could be exploited to escalate privileges and carries a CVSS score of 8.3/10.

Notes 2742758 and 2741201 deal with information disclosure vulnerabilities in in the messaging system and runtime workbench of SAP PI. This could lead to the leakage of sensitive system information that could be exploited to perform further attacks against the platform.

Note 2687663 patches a similar vulnerability in the .NET SDK WebForm Viewer of SAP Crystal Reports. Sensitive database information that could be disclosed by exploiting the vulnerability  include user credentials.

 

Securing Administrative Access in SAP AS Java

The misuse of administrative privileges is a common method used by attackers to compromise applications and propagate attacks to connected systems. The elevated privileges granted to administrative accounts are a prized target for attackers and provide a fast path to accessing or modifying sensitive data, programs and system settings.

User privileges for Java applications are administered through the User Management Engine (UME) in the SAP NetWeaver Application Server for Java (AS Java). The UME is the default user store for AS Java and can be configured to use LDAP directories, AS ABAP, or the system database of AS Java as the data source for user-related data.

UME permissions granted to users can include administrative actions such as Manage_All, Manage_Roles, Manage_Users, Manage_User_Passwords, and other privileged functions. Administrative actions are bundled into roles and granted to users organized into user groups. Standard user groups include the Administrator group, as well as groups such as SAP_J2EE_ADMIN and SAP_SLD_ADMINISTRATOR. The latter includes users with administrative access to the System Landscape Directory.  Standard roles include Super Admin and, for Enterprise Portals running on AS Java, Portal System Admin, Portal User Admin and Portal Content Admin.

Access to administrative roles and rights in AS Java should be granted to required users only, based on the principle of least privilege. Users with administrative privileges in AS Java systems can be detected using the Cybersecurity Extension for SAP Solution Manager. The results are displayed in security reports and dashboards. Alerts are also triggered by the extension for new users granted privileged roles and actions for possible privilege escalations. The extension also detects users with administrative rights in ABAP and HANA platforms, as well as SAP-compatible databases including IBM, Microsoft, Oracle and Sybase.

 

SAP Security Notes, March 2019

Note 2764283 addresses an XML External Entity vulnerability in SAP HANA extended application services (XS), advanced. HANA XS does not sufficiently validate an XML document accepted from an authenticated developer with privileges to the SAP space. Successful exploitation of the vulnerability could lead to the leading of arbitrary files in SAP servers or denial of service through resource exhaustion. Note that exploits targeting the vulnerability require either administrative or developer privileges to the SAP space of the XS advanced service. SAP recommends updating to XS advanced runtime version 1.0.102 or later.

Note 2689925 deals with a Cross-Site Scripting (XSS) Vulnerability in the SAML 1.1 SSO Demo App in the SAP NetWeaver Application Server Java. The app does not does sufficiently encode user-controlled inputs. This could lead to  unauthorized changes to web content and the theft of user credentials. The vulnerability impacts versions 7.10 – 7.50 of the software component J2EE-APPS. SAP recommends upgrading the component to the relevant patch level for each version specified in Note 2689925.

Note 2524203 introduces a switchable authorization check to secure access to the function module FKK_DOCUMENT_ READ used to read documents in Accounts Receivable and Payable.

Notes 2662687, 2727689, 2754235, 2746946, 2652102 and 2250863 patch insufficient or missing authorization checks in areas such as SAP Enterprise Financial Services, NetWeaver Application Server ABAP, S/4HANA, Convergent Invoicing and the Payment Engine.

 

Code Vulnerability Management with SAP Solution Manager

Custom Code Management (CCM) in SAP Solution Manager can enable you to take control of custom developments by providing transparency into custom objects in your SAP systems and analyzing the usage of custom code. It can also provide insights into security vulnerabilities in custom objects and packages.

CCM provides an overview of the custom developments in systems and identifies unused or redundant code based on usage statistics from Usage and Procedure Logging (UPL). Decommissioning entire programs or specific lines of code within programs if they are unused or redundant can minimize the attack surface and ensure that time and effort is not wasted managing code-level vulnerabilities in custom developments that are not serving a business need.

Decommissioning in CCM is complemented by tools such as the SAP Clone Finder which identifies custom code that is cloned from SAP standard and supports reverting back to standard code, wherever possible.

CCM displays the results of code checks performed using the ABAP Test Cockpit (ATC). This includes findings from SAP Code Vulnerability Analysis (CVA). CVA performs static application security testing for custom ABAP developments. The tool is used by SAP to scan and secure SAP-delivered code. Therefore, it enables SAP customers to enforce equivalent standards for the security of custom code as enforced by SAP for standard code. Note 1921820 provides details of the security checks performed by CVA. The details are also available in the SAP Community Network.

Enabling CCM is a prerequisite for monitoring the results of CVA checks in SAP Solution Manager. However, CCM is only available to Enterprise support customers and therefore is not available for customers on Standard support. Details of usage rights for Solution Manager are available at the SAP Support Portal.

Licensing restrictions prevent all SAP customers from integrating CVA results with Solution Manager to support holistic cybersecurity monitoring that includes managing risks at the system, user, event and code level.

Layer Seven Security’s custom data connector for CVA resolves this issue by integrating CVA findings directly with the Configuration and Change Database (CCDB) in Solution Manager. This avoids the dependency on CCM and Enterprise support. The data is extracted by the connector from each target system to Solution Manager and automatically updated on a daily schedule. The extracted data is integrated with security reports, dashboards and alerts in Solution Manager to support centralized monitoring for cyber risks in SAP systems including vulnerabilities in custom code. The CVA connector is bundled with the Cybersecurity Extension for SAP Solution Manager.

The raw data for CVA results can be viewed in the custom CCDB store ATC_RESULTS. Results include the check ID, object name, package name, developer name, impacted lines, and a description of each finding.

The findings are mapped to service level reports, web-based reports, and security dashboards in Solution Manager.

CVA results are also integrated with security alerts and email/ SMS notifications generated by SAP Solution Manager.

SAP Security Notes, February 2019

Hot News Note 2742027 patches a critical broken authentication check in SAP HANA Extended Application Services, advanced model. The vulnerability could lead to unauthorized administrative access and the exfiltration, modification or deletion of sensitive data in HANA XS. The vulnerability carries a CVSS score of 9.4/10. It ranks relatively low in terms of attack complexity and requires no privileges in target systems. HANA XS Advanced should be upgraded to the patch level specified in the Note to address the risk. The Note includes manual instructions for a workaround if an upgrade is not possible. The workaround removes the affected OIDC component. A side-effect of the workaround is the deactivation of X.509-based or SPNEGO single sign-on for HANA users.

Note 2070691 deals with a high priority information disclosure vulnerability in the SAP Solution Tools Plug-In (ST-PI) that could lead to the leakage of sensitive data including configuration data and user passwords. The information can be used to perform targeted attack against database servers for SAP systems.

Note 2729710 includes a correction for a missing XML Validation vulnerability in the System Landscape Directory (SLD).

The correction avoids processing of all XML files that use XML External Entity (XXE). This could cause the SLD to continuously loop, read arbitrary files and send local files.

Cyber Espionage Warning: 30% Growth in Targeted Attacks

The findings of the annual Internet Security Threat Report indicate that the number of organizations targeted by advanced hacking groups increased by almost one third between 2015 and 2018. The groups have not only substantially increased their cyber-espionage operations, they are also deploying increasingly sophisticated tactics against a growing number of sectors. National hacking groups such as Chafer and cross-national groups such as Dragonfly are conducting highly targeted campaigns to gather intelligence and exfiltrate data from organizations.

Chafer is linked to the use of leaked NSA exploits and is credited for several attacks against telecoms and transportation companies and their supply chains. Dragonfly has targeted primarily energy and utility companies including infiltrating the control systems of power supply systems. Other groups such as Gallmaker have been responsible for attacks against government institutions and military organizations.

Hacking groups are no longer relying on malware delivered through spear-phishing or other exploits to carry out attacks.  Rather, they are using publicly available tools to execute targeted cyber-espionage campaigns. This includes tools such as Metasploit which provides tools and utilities for exploit development and deployment. Metasploit includes numerous modules for SAP exploits. Approximately 39 percent of intrusions in 2017 did not deploy any malware.  The use of publicly-available tools with legitimate purposes can obfuscate attacks and prevent detection.

Despite the growing sophistication of attacks, average breakout times across all intrusions and threat actors more than doubled between 2017 and 2018 from 1 hour and 58 minutes to 4 hours 37 minutes. This is according to the 2019 Global Threat Report. The breakout metric measures the average time taken by attackers to escalate or propagate an initial compromise to other targets in a network.  The increase in breakout time suggests that organizations are more effectively hardening potential targets against exploits and detecting and isolating attacks. However, the overall average masks substantial differences between threat actors. Russian threat actors have an average breakout time of just 18 minutes and 49 seconds. This means organizations typically have under 20 minutes to discover and contain attacks from Russian hacking groups. Average breakout times are lowest for Russian, North Korean and Chinese hacking groups and highest for cyber criminals.

Successfully detecting and containing cyber intrusions relies not only on speed of detection but also speed of response. Real-time or near-time threat detection should therefore be supported by effective incident response mechanisms to investigate security breaches. SAP Solution Manager provides an integrated platform for both threat detection and incident response. SolMan connects directly to event logs in SAP systems as often as every 5 minutes to detect and alert for security breaches. It also provides automated procedures for investigating and tracking incident response. To learn more, contact Layer Seven Security.