Layer Seven, Author at Layer Seven Security

Artificial Intelligence Exploits Vulnerabilities in Systems with a 87 percent Success Rate

Layer Seven on April 18, 2024

Based on a newly-released paper published by researchers at the University of Illinois, AI agents can combine large language models with automation software to autonomously analyze and exploit security vulnerabilities. During the research, OpenAI’s GPT-4 large language model was able to successfully exploit 87 percent of vulnerabilities when provided with a CVE advisory describing the flaws. The dataset included 15 one-day vulnerabilities taken from the Common Vulnerabilities and Exposures (CVE) database. One-day vulnerabilities are vulnerabilities that have been disclosed but not patched. More than 50 percent of the dataset were critical or high-rated vulnerabilities. Vulnerability exploitation was performed by GPT-4 using the ReAct automation framework.

Large language models are AI programs that use deep learning to recognize and interpret complex data such as human language. GPT-4 failed to exploit just two of the 15 vulnerabilities in the dataset. This included CVE-2023-51653 for Hertzbeat RCE. The cause of the failure to exploit this particular CVE was due to differences between the language available for the detailed description of the vulnerability and the language deployed for the AI agent.

Researchers calculated the cost of successful AI agent attacks at just $8.80 per exploit. The agent consists of only 91 lines of code and has not been publicly released at the request of OpenAI.

The ground-breaking research demonstrates the risk posed by AI to automate the discovery and exploitation of security vulnerabilities. It reduces the complexity and cost of vulnerability exploitation and increases the reach of threat actors.

The details of SAP vulnerabilities are publicly available in sources such as the CVE database and the NIST National Vulnerability Database (NVD). AI agents using large language models can analyze CVEs in the databases including details revealed in links for each CVE. SAP vulnerabilities are also documented and explained in depth in security forums. This often includes disclosure of sample code for vulnerability exploitation.

According to another recent study performed by Flashpoint and Onapsis, ransomware incidents impacting SAP systems increased by 400% over the last three years. Conversations on SAP vulnerabilities and exploits increased by 490% across the open, deep, and dark web between 2021 and 2023.

SAP customers can actively manage the risk of the successful discovery and exploitation of vulnerabilities including attacks leveraging artificial intelligence by regularly patching SAP solutions and through on-going vulnerability management. The Cybersecurity Extension for SAP automates the detection of both required SAP security notes and vulnerabilities in SAP solutions and infrastructure. It also detects vulnerabilities in custom SAP applications and programs.

SAP Security Notes, April 2024

Layer Seven on April 9, 2024

Note 3434839 deals with a high-priority security misconfiguration in the User Management Engine of SAP NetWeaver AS Java. User passwords created using self-registration are not subject to password complexity requirements defined in UME settings. The misconfiguration impacts version 7.50 of AS Java. The password policy can be enforced by updating the impacted software components to the recommended versions specified in the note. Disabling user self-registration and the ability of users to modify their profiles is recommended a temporary workaround if the components cannot be upgraded in a reasonable timeframe.

Note 3421384 patches an information disclosure vulnerability in the Web Intelligence application of SAP BusinessObjects Business Intelligence that could enable attackers to access sensitive operating system information. The note includes support package patches to address the vulnerability. Since the vulnerability arises from the reading of arbitrary Excel files, a workaround can be applied by removing the service Excel Data Access from all Adaptive Processing Servers.

Note 3438234 addresses a directory traversal vulnerability in SAP Asset Accounting caused by insufficient validation of user-provided path information. The correction included in the note verifies the path information against logical filenames. The vulnerable programs RAALTE00 and RAALTD01 can be protected using authorization groups as a workaround.

FBI and CISA Issue Alert for Threat Actors Actively Exploiting SQL Injection Vulnerabilities

Layer Seven on March 26, 2024

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert this week to urge organizations to urgently address SQL injection vulnerabilities in software. The alert is based on recent exploits performed by the CL0P cybercrime group, also known as TA505. The Russian group has exploited SQL injection vulnerabilities to propagate ransomware that has extorted an estimated $100M from organizations.

TA505 provides Ransomware-as-a-Service (RaaS) to other threat actors, sells access to compromised corporate networks as an initial access broker, and operates botnets specializing in financial fraud. The group is actively exploiting SQL injection vulnerabilities to install web shells in compromised servers. The web shells are used to execute operating system commands, install malicious ransomware programs, and exfiltrate data. TA505 is believed to have breached 130 organizations in just 10 days.

SQL injection vulnerabilities arise when user inputs are included in SQL commands to execute database queries. The processing of database queries containing malicious commands can enable threat actors to access and modify sensitive data, change programs and system configurations, and install and execute programs such as ransomware.

The risk of SQL injection can be mitigated using a combination of input validation and output encoding, escaping and quoting. Input validation reviews user-provided data before it is included in database queries and rejects data that does not conform with expected specifications such as character types, length, and syntax. Output encoding, escaping, and quoting can be more effective than input validation since programs often need to support free-form text containing arbitrary characters.

SAP software is subjected to static code analysis and other forms of security testing to detect and remove potential SQL injection vulnerabilities. However, SAP is not responsible for securing custom programs and applications deployed to SAP systems. Securing custom programs is the responsibility of each SAP customer. The Cybersecurity Extension for SAP is an SAP-certified addon that automatically detects SQL injection vulnerabilities in custom SAP ABAP programs and SAP UI5 applications. This includes SQL injection vulnerabilities in SELECT, INSERT, UPDATE, MODIFY, DELETE and other statements, as well as GROUP, JOIN, SET, WHERE, and other conditions and clauses. It also detects SQL injection issues in ADBC, DDL, DML and other statements executed by APIs in SAP systems.

The Cybersecurity Extension for SAP integrates with the ABAP Test Cockpit (ATC) and SAP Code Inspector (SCI). It also integrates with the Transport Management System (TMS) to automatically scan and block requests containing SQL injection and other security vulnerabilities.

SAP Security Notes, March 2024

Layer Seven on March 13, 2024

Hot news note 3425274 deals with a critical code injection vulnerability in applications developed with SAP Build Apps. The note recommends rebuilding applications with version 4.9.145 or later.

Hot news note 3433192 patches a code injection vulnerability in the Administrator Log Viewer plug-in of SAP NetWeaver AS Java. The plug-in allows threat actors with the Administrator role to upload potentially dangerous files that could be exploited to run arbitrary commands. The corrections included in the note block the upload of dangerous file types and supports virus scanning for uploaded files.

Note 3414195 includes support package patches for SAP BusinessObjects Business Intelligence (BOBJ) version 4.3 SP02 – 05 to address a high-priority path traversal vulnerability in the Central Management Console. The vulnerability arises from a version of Apache Struts included in BOBJ which is vulnerable to CVE-2023-50164.

Note 3410615 corrects a Denial-of-Service vulnerability impacting SAP HANA XS. The DoS can be triggered by a high volume of HTTP/2 requests. The HTTP/1 protocol is not affected. A workaround can be applied by setting the Web Dispatcher parameter icm/HTTP/support_http2 to false to disable support for the HTTP/2 protocol.

Note 3346500 was updated with revised solution information for a high-risk authentication vulnerability in SAP Commerce Cloud. The solution changes the default value of the property user.password.acceptEmpty to false to prevent the use of empty passphrases for user authentication.

Security Compliance for SAP RISE Solutions

Layer Seven on February 19, 2024

S/4HANA and other ABAP systems provisioned by SAP for RISE customers are based on standard system builds. The builds include default settings to apply security by default based on hardening requirements and best practices. The settings are outlined in SAP Note 3250501 – Information on Mandatory Security Parameters & Hardening Requirements for ABAP systems in SAP Enterprise Cloud Services (ECS).

The requirements include recommended settings for security-relevant profile parameters, deleting unused clients, securing standard users, restricting access to password hashes, RFC gateway and message server hardening, deactivating critical ICF services, managing system and client change options, and applying transport layer security. There are over 120 specific requirements across 12 areas that customers must abide by to comply with SAP security standards for RISE solutions.

The Cybersecurity Extension for SAP (CES) performs automated gap assessments to ensure RISE solutions comply with SAP security requirements. The assessments are performed using Compliance Reporting accessed from the CES launchpad.

SAP RISE should be selected from the framework selection screen.

Once the framework is selected, you can select a target system from the available systems in your SAP RISE landscape and click on Execute.

The results are summarized for each requirement and an overall compliance score is calculated for the system.

You can drilldown into each requirement to navigate the detailed findings.

You can click on the > icon for each finding to view further information and create an action plan to manage the remediation of compliance issues.

The report filters can be used to focus on specific requirements or results. For example, you can suppress compliant areas to isolate compliance failures.

Shortcuts can be created and published to the Fiori launchpad for fast access to compliance results.

The shortcuts can be published as custom tiles to existing or new work groups.

Compliance reports can also be scheduled to run on regular intervals. The reports are automatically distributed in PDF or CSV to recipients by email during each run.

The Cybersecurity Extension for SAP is an SAP-certified addon for SAP Solution Manager and SAP Focused Run. An addon version for other SAP NetWeaver AS ABAP systems such as SAP GRC is expected in Q4 this year.

SAP Security Notes, February 2024

Layer Seven on February 15, 2024

Hot news note 3420923 patches a critical code injection vulnerability in the Web Survey component of Application Basis. Prerequisite note 1110803 is required to apply the correction for versions 700-710 and note 1354949 is required for version 711. As a workaround, remote calls to function modules of CA-SUR can be restricted using authorization object S_RFC.

Note 3417627 addresses a high-risk cross-site scripting vulnerability in the User Admin Application of SAP NetWeaver Application Server Java (AS Java). The vulnerability is a side effect of improper encoding and validation introduced with note 3251396.

Note 3426111 secures an XML parser in the Guided Procedures component of AS Java to patch an XML External Entity (XXE) injection vulnerability. The vulnerability can be exploited by threat actors to read sensitive files. The note includes details of a workaround that requires disabling the vulnerable caf-eu-gp-model-iforms-eap application.

Notes 3424610 and 3410875 deal with broken authentication and cross-site scripting vulnerabilities in the SAP Cloud Connector and SAP CRM, respectively.

SAP Cybersecurity Buyers Guide from SAPinsider

Layer Seven on January 24, 2024

The SAP Cybersecurity Buyers Guide from SAPinsider provides a valuable, independent assessment of the capabilities of technology vendors and consultants for SAP security solutions and services. The guide reviews key solution providers and consultants in the cybersecurity domain for SAP. It performs a Vendor Capability Assessment across the following areas:

Threat Intelligence and Detection
Access and Identity Management
Data Protection and Encryption
Vulnerability Management
Incident Response and Forensics
Cloud Security and Compliance
Secure Code and Application Review

The Cybersecurity Extension for SAP is a featured vendor in the Buyers Guide and acknowledged in the review for its strong coverage in all areas. The solution is also cited for its support for S/4HANA and cross-stack security in SAP systems including application, database and host layers, rapid deployment, and lower costs and maintenance compared to alternatives.

D OWNLOAD

SAP Security Notes, January 2024

Layer Seven on January 11, 2024

Hot news note 3412456 deals with a critical privilege escalation vulnerability impacting the development platforms SAP Business Application Studio, SAP Web IDE Full-Stack and SAP Web IDE for SAP HANA. Applications in the node.js JavaScript runtime environment are vulnerable to CVE-2023-49583. Applications developed using @sap/xssec library versions earlier than 3.6.0 and @sap/approuter versions earlier than 14.4.2 are impacted. node.js application dependencies should be upgraded with the latest versions of the libraries @sap/approuter and @sap/xssec.

Hot news note 3413475 deals with another privilege escalation vulnerability. This impacts SAP Edge Integration Cell used to design, deploy and manage APIs with SAP Integration Suite. Edge Integration Cell should be upgraded to version 8.9.13 to mitigate the vulnerability. There is no available workaround.

Note 3389917 includes corrections for a high-priority denial of service vulnerability in the Internet Communication Manager (ICM) of SAP NetWeaver Application Server ABAP and SAP Web Dispatcher. The DOS can be triggered by threat actors through a high volume of HTTP/2 requests. Support for the HTTP/2 protocol can be disabled in effected versions of the ICM and Web Dispatcher by the setting parameter icm/HTTP/support_http2 to FALSE. NetWeaver Application Server Java is not impacted since it does not support HTTP/2.

Note 341186 patches a code injection vulnerability in the File Adapter within SAP Application Interface Framework that enables privileged users to execute OS commands using a vulnerable function module.

Note 3407617 details manual steps for correcting a missing authorization check in SAP LT Replication Server running on SAP S/4HANA 1809 to 2023. The steps involve restricting the permissions of the user for LT Replication Server background jobs.

SAP Solution Manager, Private Cloud Edition, for SAP RISE Customers

Layer Seven on December 19, 2023

Usage rights for SAP Solution Manager are included in SAP support and maintenance agreements for on-premise SAP solutions. The rights include database licenses for SAP HANA and ASE. Customers with Enterprise Support agreements have usage rights for all functional areas of Solution Manager, whereas customers with Standard Support agreements have restricted rights that include commonly used areas such as Change and Release Management (ChaRM), System Recommendations, and System Monitoring, but excludes areas such as Custom Code Management and Business Process Analytics.

SAP Cloud ALM is an alternative Application Lifecycle Management (ALM) solution that is provided to SAP customers with active cloud services. It can be used for both cloud and on-premise SAP solutions. Enterprise Support customers have usage rights for Cloud ALM but customers with cloud services and no on-premise solution supported by SAP do not have usage rights for Solution Manager.

There is currently no feature parity between Cloud ALM and Solution Manager. In other words, Cloud ALM does not support the same scenarios as Solution Manager. Since many customers require ALM functions that are not provided by Cloud ALM, SAP provides cloud-only customers with the option to subscribe to SAP Solution Manager, Private Cloud Edition (PCE).

Solution Manager PCE is the successor to SAP Solution Manager for SAP S/4HANA Cloud and like its predecessor, it is available in two versions: Project Documentation and Full. The main difference between the two versions is that the project documentation version is deployed as a single-system landscape, whereas the full version is deployed as a dual-system landscape, similar to on-premise installations. The full version is required to support the deployment of agents to managed systems.

Cloud-only customers can order the full version of SolMan PCE from SAP Enterprise Cloud Services (ECS) using SKU 8014172 providing they are using SAP S/4HANA or ERP on RISE. It is provisioned by SAP ECS within 30-40 days and includes SAP HANA.

The Cybersecurity Extension for SAP can be deployed to both on-premise and cloud installations of SAP Solution Manager. This includes SolMan PCE for RISE customers. Layer Seven Security provides a fully managed service for RISE customers that includes setup and maintenance of SolMan PCE.

SAP Security Notes, December 2023

Layer Seven on December 13, 2023

Hot news notes 3350297 and 3399691 patch a critical OS command injection vulnerability in SAP S/4HANA and ECC. The notes are only applicable for installations with active IS-OIL software components. You can use transaction SFW_BROWSER to check the status of the OIB_QCI and OI0_COMMON_2 switches in BUSINESS_FUNCTION_BASIS_COM and COMMODITY_MGMT_&_BULK_LOGISTIC. IS-OIL is active if both switches are on. The notes are not relevant if only the OI0_COMMON_2 switch is on. The corrections in the notes will remove the Test Selected Routines option in report ROIB_QCI_CALL_TEST and block direct execution of Function Module OIB_QCI_SERVER.

Note 3411067 corrects multiple high-risk vulnerabilities in security integration libraries and programming infrastructure in the SAP Business Technology Platform (BTP) that could be exploited to escalate privileges. The note applies to all customers with applications developed on SAP BTP. The libraries are used to perform authentication and authorization checks calling SAP BTP Cloud Foundry Authorization and Trust Management Service (XSUAA) and SAP Cloud Identity Services – Identity Authentication (IAS). Customers should update the relevant integration libraries and programming infrastructure specified in the note to the recommended versions.

Note 3385711 provides a server-side fix in SAP NetWeaver AS ABAP for an information disclosure vulnerability that can be exploited in the SAP GUI clients for Windows and Java. The solution enables an authentication check to address the vulnerability.

Notes 3394567 and 3382353 deal with access control and cross-site scripting vulnerabilities in SAP Commerce Cloud and SAP BusinessObjects Business Intelligence, respectively.