Layer Seven Security

SAP Security Notes, June 2020

Hot News note 2928570 patches a critical remote code execution vulnerability in SAP Liquidity Management for Banking. The vulnerability impacts connections using the Apache JServ Protocol (AJP) in Apache Tomcat. AJP connections should be blocked if not required by disabling the AJP Connector. The connections can be exploited to read and process arbitrary files in the Apache web server. This can be abused to perform remote code execution if web applications allow file uploads and the processing of files as JavaServer Pages. Apache Tomcat has been upgraded to harden the AJP Connector. However, SAP does not recommend upgrading the web server. Rather, note 2928570 provides manual procedures for disabling the AJP Connector or securing AJP connections with a secret key.

Note 2918924 provides instructions for removing hard-coded Credentials in SAP Commerce and SAP Commerce Datahub. The use of default passwords for admin and other built-in accounts has been discontinued for new installations of SAP Commerce. Since re-initializing SAP Commerce leads to the deletion of all data in the application, SAP recommends using the scripts in Note 2922193 to remove default credentials in existing installations.  

Note 2933282 removes a missing authorization check that could lead to an escalation of privileges in SAP SuccessFactors Recruiting.

Notes 2906366 and 2734580 includes corrections for high priority information disclosure vulnerabilities in SAP Commerce and SAP NetWeaver Application Server ABAP (AS ABAP), respectively.  

Anomaly Detection with SAP Solution Manager

Threat detection is commonly performed through rules or signature-based pattern matching. Detection engines compare actual events with patterns of malicious events to discover indicators of compromise (IOCs).  IOCs discovered by detection engines typically trigger an alarm or alert for a suspected security breach.

Pattern matching is a tried and tested method to identify known exploits in systems including SAP applications. However, there are several drawbacks with the approach. Attackers can obfuscate their actions to bypass attack detection patterns. Also, since pattern matching detects IOCs based on known signatures, new or emerging IOCs that have not yet been registered are not detected.

Anomaly-based threat detection provides an alternative to pattern matching with greater protection against anti-forensics and the capability to detect previously unknown attacks. Anomaly-based systems rely on profiles of expected or normal user and system behavior.  Actions by users or events in systems that deviate from the profiles generate an alarm or alert.   

Unlike rules and signatures for patten matching, profiles for anomaly detection cannot be created and maintained manually. Anomaly detection is usually applied through machine learning platforms that automate profile building and analysis for large pools of data.  

The Monitoring and Alerting Infrastructure (MAI) in SAP Solution Manager uses a pattern matching approach for threat detection in SAP systems. IOCs detected by the Event Calculation Engine in Solution Manger using pattern matching are displayed and managed in applications such as Security Forensics, System Monitoring, and the Alert Inbox. For anomaly detection, event logs collected, filtered, and normalized by Solution Manager are forwarded to the Predictive Analysis Library (PAL) in SAP HANA.

PAL includes functions for applying complex analytic algorithms using SQLScript database procedures. The functions include procedures for clustering, regression, time series, and other algorithms that are used to detect outliers in security logs. Anomalies discovered by PAL are transmitted back from SAP HANA to SAP Solution Manager for analysis using the Anomaly Detection application in the Cybersecurity Extension for SAP. The application is accessed from the Fiori launchpad in SAP Solution Manager.

Anomaly results are summarized by period. Results can be analyzed by the week, day or hour.

Results are filtered using Advanced Search. This supports filtering by anomaly, date, time, system, user, and source IP/ terminal. Results can also be filtered by anomaly type to view anomalies based on either event data or alert data. Event anomalies include outliers such as high volume of transaction starts, report starts, or data downloads, or a user request from a new IP address or terminal. Alert anomalies include areas such as high volume of alerts for a specific system, user or source, or a new alert for a user or system.

Anomalies calculated using standard deviation are scored based on distances from statistical averages. The further the distance from the mean, the higher the confidence level for the anomaly. The results displayed in Anomaly Detection are prefiltered for medium and high confidence anomalies. Anomaly-based threat detection can have a higher incidence of false positives than pattern-based detection. It can generate alarms for every deviation from expected norms. Therefore, an effective scoring mechanism is essential to enable security administrators to identify and focus on high-confidence anomalies.

Results can be sorted and exported to CSV/ PDF with the applied filters. The layout can be personalized by users to add, remove, and rearrange columns.

The details for each anomaly can be viewed by clicking on an anomaly in the summary. Anomaly times are in UTC. Timestamps for events are based on system time.

The Notify option can be used to append the anomaly details to an email for sharing.

SAP Solution Manager enables advanced threat detection for SAP systems by combining the benefits of both signature and pattern-based detection with anomaly detection using SAP HANA. Licensing for SAP HANA is included with the usage rights for SAP Solution Manager 7.2.

SAP Discloses Critical Vulnerabilities in ASE Databases

SAP customers are urged to apply a series of recent patches released by SAP for the Adaptive Server Enterprise (ASE).  SAP ASE, previously known as Sybase SQL Server and Sybase ASE, is a widely deployed database platform used for both SAP and non-SAP applications. According to SAP, ASE is used by over 30,000 customers worldwide, including 90 percent of the top 50 banks.

Four of the patches released by SAP are for critical or high-risk vulnerabilities in multiple components of ASE. The vulnerabilities impact ASE versions 15.7 and 16.0 and carry CVSS scores ranging between 7.2 and 9.1.

Note 2917275 patches the most severe of the vulnerabilities by applying input validation for DUMP and LOAD commands that could be exploited to overwrite critical configuration files during database backup operations. Attackers can run DUMP commands to overwrite database configuration files with corrupted versions that will replace the default configuration. This can be exploited to install backdoors to ASE using credentials stored in the corrupted configuration files. It can also be exploited to execute arbitrary commands and executables using local system privileges by modifying the sybmultbuf_binary Backup Server setting.

Note 2917090 impacts Windows installations of the SAP ASE 16. Credentials for SQL Anywhere packaged in ASE can be read by any Windows user. SQL Anywhere supports database creation and version management. The credentials can be used to perform code execution with local privileges.

Notes 2916927 and 2917273 deal with high-risk SQL injection vulnerabilities in global temporary tables and ASE Web Services. Both vulnerabilities can be exploited to escalate privileges in ASE.

Database security notes including patches for ASE should be regularly monitored and applied using System Recommendations in SAP Solution Manager. Solution Manager connects directly to SAP Support for patch updates and monitor the patch status of SAP applications and databases. SAP Solution Manager also supports comprehensive vulnerability management for SAP ASE. Automated, daily security scans for ASE should be configured using Solution Manager to check for vulnerabilities related to the database configuration, administrative privileges, stored procedures, and other areas. The ASE audit log can be monitored by the Monitoring and Alerting Infrastructure (MAI) in Solution Manager to detect and alert for suspected malicious commands. To learn more, contact Layer Seven Security.

SAP Security Notes, May 2020

Hot News Note 2835979 patches a critical code injection vulnerability in Service Data Download. The vulnerability can be exploited by attackers to inject malicious code into the ST-PI plugin for NetWeaver Application Server ABAP (AS ABAP). This could lead to the complete compromise of ABAP servers.  The vulnerability carries a base CVSS score of 9.9/10 and can be exploited over the network.

Hot News Note 2885244 carries a similar CVSS score of 9.8/10 and can be exploited to bypass authentication using REST Webservices (BIPRWS) for Live Data Connect in the SAP Business Intelligence Platform. The fix packaged with the note enables Live Data Connect to logon to the BI Central Management Server (CMS) with a shared key. This prevents logons to the CMS without a password when using trusted authentication.  The fix is available for version 2.4 of Live Data Connect. Customers using earlier versions are advised to upgrade to version 2.4.

Notes 2917275 and 2917090 patch critical code injection and information disclosure vulnerabilities in the Backup Server and Cockpit of SAP Adaptive Server Enterprise (ASE), formerly Sybase ASE. ASE is a widely used database platform for SAP systems. Note 2917275 applies input validation checks for DUMP and LOAD commands to prevent the execution of malicious user-provided code.  Note 2917090 prevents the disclosure of sensitive system and user data including account credentials. The impacted ASE versions are 16.0 SP02 and SP03.

Visualize Security Risks for SAP Systems with Threat Maps

Threat Maps in SAP Solution Manager visualize security vulnerabilities, missing patches and open alerts for SAP systems across geolocations. They provide a fast and intuitive way to display and interact with security information for SAP landscapes that span multiple cities, countries, or regions.

System data is maintained in the Landscape Management Database (LMDB) of SAP Solution Manager. The LMDB stores information related to technical systems, hosts, databases and domains in SAP landscapes. This includes installed software components and versions, database types and releases, clients, instances, RFC destinations and OS details for SAP systems.

Attributes for systems are maintained directly in the LMDB. Systems can be assigned to business units using the Description attribute. The environment and priority level for systems are maintained using the attributes IT Admin Role and Priority.  The coordinates for business units in terms of longitude and latitude are maintained in the Location attribute, separated by a comma.

The system attributes maintained in the LMDB integrate directly with the Threat Map, accessible from the Fiori launchpad in Solution Manager.

Users can switch between results for vulnerabilities, patches and alerts using the toolbar at the top of the application.

The size and opacity of geocircles is driven by quantitative and qualitative factors including volume, rating, environment and system priority.

Results are summarized for each business unit. However, users can drilldown to detailed results by clicking on the geocircles.

Map filters support filtering based on system, environment and priority.

Results can also be filtered by period to display results from the current day to the prior year.

The Threat Map can be customized to focus on specific countries or regions. Navigation tools support zoom in and out. The map also supports click and drag for navigation.

Map filters and positions can be saved to the Fiori launchpad as custom tiles.

The Threat Map is bundled in the Cybersecurity Extension for SAP Solution Manager available from Layer Seven Security.

SAP Discloses Security Gaps in Cloud Solutions

SAP issued a statement last week to disclose security lapses in several cloud products including SAP Cloud Platform, SAP Analytics Cloud, SuccessFactors, and Concur. According to the statement, the disclosure was prompted by an internal security review. SAP does not believe customer data has been compromised as a result of the issues. The lapses impact 9% of the company’s 440,000 customers.

The announcement is expected to dampen customer support for digital transformation initiatives intended to shift the hosting of SAP applications from on-premise data centers to cloud providers.

SAP also announced that the organization is updating security-related terms and conditions for its cloud solutions.  In response to concerns that such changes may be intended to reduce SAP’s legal risk for security issues and shift more responsibility for security to customers, SAP declared that the terms and conditions will “remain in line with market peers”.

Furthermore, SAP denied any link between the announcement and security breaches attributed to the Cloud Hopper hacking campaign. Cloud Hopper successfully exfiltrated sensitive data from multiple organizations by penetrating HPE’s cloud computing service. The campaign is suspected to be sponsored by the Chinese Ministry of State Security.

SAP Security Notes, April 2020

Hot news note 2863731 provides updated correction instructions for a critical deserialization vulnerability in the enterprise Business Objects platform. The Crystal Reports .Net SDK WebForm Viewer in Business Objects could enable attackers with basic authorization to execute deserialization attacks. This could be exploited to perform malicious code execution.

Note 2904480 patches a significant input validation vulnerability in REST XML APIs within SAP Commerce. This could impact the availability and confidentiality of web stores based on the eCommerce platform.

Note 2896682 delivers corrections for a high risk directory traversal vulnerability in Knowledge Management that could enable attackers to overwrite, delete, or corrupt files on SAP servers.

Note 2902645 removes a privilege escalation vulnerability impacting the SAP Host Agent. SAP recommends updating the Agent to at least version 7.21 PL46 to prevent attackers from gaining root privileges over the underlying operating system using the Agent’s Operation Framework. Note 1031096 provides instructions for upgrading the Host Agent.

Finally, notes 2495144 and 2495462 provide switchable authorization checks for specific, sensitive function modules in SAP Central Finance and SAP Leasing. Switchable checks supplement checks for authorization object S_RFC. They should be activated using transaction SACF after the notes are applied.   

Automating SAP Audits with Solution Manager

According to IDC, 80% of ERP applications are audited at least once every 12 months. Driven by regulatory requirements, audits can drain valuable resources from projects targeted at business growth. They can also lead to audit fatigue and undermine relationships between IT and audit stakeholders.

Compliance Reporting in SAP Solution Manager enables organizations to automate audits for SAP systems and reallocate resources to projects and audits focused on other organizational goals. The continuous monitoring powered by the application also enables auditors to identify compliance gaps immediately rather than at the end of a reporting period. This can reduce regulatory risk by providing owners with more time to remediate control gaps.

Compliance Reporting is accessed from the Fiori launchpad in SAP Solution Manager. Results are automatically updated by daily scheduled scans.

Compliance frameworks and systems are selected in the report filter. There are optional filters to select specific control requirements and systems based on environment or priority. Reports can also be filtered to include or exclude controls based on risk rating and compliance result.  

Compliance Reporting currently supports the frameworks below. This includes CIS, IT-SOX, NIST and PCI-DSS. Support for additional frameworks including GDPR and NERC CIP is expected at the end of Q2 2020. Customers can import custom frameworks to automate auditing for internal security policies and other requirements.

Results for applications and databases are reported in separate columns. The report provides an overall compliance score based on the selected framework and systems. Results are summarized for each requirement.

Users can drilldown into each requirement to review the results for specific controls. Control ratings and descriptions are included in the report to support analysis.

Reports can be exported to CSV or PDF. The Report Detail option specifies whether results are exported at the Requirement, Control or Description level.

Layer Seven Security Recognized as Top 25 Cyber Security Company

Layer Seven Security has been selected by a panel of experts and members of the CIO Applications editorial board for inclusion in the Top 25 Cyber Security Companies for 2020. The annual list is compiled by CIO Applications to recognize and promote organizations that provide cutting-edge cybersecurity solutions. CIO Applications is a Silicon Valley industry publication based in San Francisco, California. The recognition is based on an evaluation of Layer Seven Security’s innovative Cybersecurity Extension for SAP Solution Manager. The Extension is an add-on for the Solution Manager platform, delivering automated vulnerability management, threat detection and incident response for business-critical SAP systems. Read the full article at CIO Applications.

Securing the SAProuter from Remote Attacks

The surge in remote working has led to an increasing reliance on the SAProuter as a means to facilitate secure remote access to SAP applications. As a reverse proxy between external networks and SAP landscapes, the SAProuter enables organizations to apply more granular policies for filtering and securing connections to SAP systems than network firewalls. However, far from improving security, an improperly configured SAProuter can expose organizations to dangerous exploits that could lead to the compromise of SAP servers.

Since the SAProuter is an internet-facing proxy that provides a direct path to SAP systems, it is an accessible and high-value target for attackers. Port scans against exposed IP addresses will reveal SAProuters available on the standard port 3299. Attackers can send information requests to detected SAProuters to enumerate the scheme for internal IP addresses based on the details of connected hosts disclosed in the response. Once the internal IP address scheme is determined, attackers can then scan the internal network by sending connection requests from the SAProuter to connected hosts. The responses can enable attackers to discover open ports for not only SAP services but services such as HTTP, SMTP, FTP, and SSH if the SAProuter supports native connections.

The information can be used to connect to open and vulnerable services in SAP servers by pivoting through the SAProuter. Once connected, attackers can execute targeted exploits against the servers. For example, an unauthenticated SOAP request to the SAP Host Agent on port 1128 can disclose operating system users that can be targeted using brute force and other attacks. Attackers can also route malicious payloads to SAP servers through the SAProuter.

The secure configuration of the SAProuter can prevent or mitigate such attacks. The route permission table defined in the saprouttab file should specify the source hosts permitted to connect to specific services and target hosts. The use of wildcards in route strings should be avoided. Native connections should be blocked using S entries for the saprouttab rather than P entries. KT and KP entries are recommended to enforce SNC for connections. Information disclosure via the SAProuter should be prevented using the option -Z for info requests. Switching to a non-standard port for the SAProuter is advisable. SAProuter binaries should be updated to the latest available version to apply patches for program vulnerabilities. This includes critical vulnerabilities addressed by notes 1820666 and 1663732. Finally, the SAProuter should be installed in a Demilitarized Zone (DMZ) on a host with a hardened operating system. SAP recommends a C2 class compliant operating system.

Logging for the SAProuter should be enabled using option -G. Once enabled, the SAProuter log can be monitored using SAP Solution Manager to alert for suspected attacks against including accepted or rejected information requests, connection requests, port scans, and native connections.