Layer Seven Security

Job Monitoring with SAP Solution Manager

Security monitoring using SAP Solution Manager is driven by a series of background jobs that automate data collection and analysis for system vulnerabilities, security notes, and event logs. Vulnerability data is extracted daily, notes information is collected weekly, and event data can be collected as frequently as every minute. Any interruption to the background jobs for these areas could impact the coverage of security monitoring.

SAP Solution Manager supports centralized monitoring for jobs in SAP systems with automated detection and alerting for job errors. Monitoring for scheduled jobs is setup using a guided procedure that includes steps for selecting relevant jobs, activating alerts, and enabling email/ SMS notifications for alerts.

You can access Job Monitoring from Application Operations in SAP Solution Manager Configuration.

Steps 1-3 of the guided procedure prepare the infrastructure for job monitoring including setup of the required users.  Steps 4-6 involve the selection of scheduled jobs for monitoring and configuring alerts and notifications. In the following example, we will create a monitoring scenario for the standard job SM:SYSTEM RECOMMENDATIONS. This job connects to SAP Support on a weekly schedule to calculate required security, correction, performance, legal, and other notes for systems. It also connects to managed systems to determine the implementation status of calculated notes.

In the first step of the scenario configuration, we define a name and description for the scenario.

During the second step, we select the systems for the scenario. Since SM:SYSTEM RECOMMENDATIONS  runs from Solution Manager, we will select a SolMan installation.

Next, we maintain the scope for the scenario in terms of the specific job.

Once the job is selected, we can adjust the metric settings including thresholds for job errors, processing times, terminations and warnings.

Finally, we activate the alerting and select the required language, severity and description for the alert.

Recipients for email notifications triggered for alerts can be maintained in the Incident and Notifications tab.

Once the scenario is activated in the final step, we will be immediately alerted and notified by Solution Manager for any issue that interrupts the successful execution of the system recommendations job. The steps can be repeated for other scheduled jobs in SAP Solution Manager and managed systems.

SAP Security Notes, October 2020

Hot news note 2969828 patches a OS command injection vulnerability in CA Introscope Enterprise Manager (EM) installed in SAP Solution Manager and SAP Focused Run. EM can be used to monitor the performance of Java applications. The note includes a patch for EM 10.7 and 10.5 SP2 patch 2 to remove the vulnerability. Earlier versions need to be upgraded to version 10.5.2.113 before applying the patch. The EM service can be stopped in systems if the patch can not be immediately applied. Stopping the service will not impact the Cybersecurity Extension for SAP Solution Manager since the service is not required by the extension.  

Note 2969457 removes a missing XML Validation in Compare Systems within SAP NetWeaver that can be exploited to read arbitrary OS files and provoke a denial of service.

Note 2972661 patches a high priority reflected cross site scripting vulnerability in the SAP NetWeaver Composite Application Framework.

Notes 2941315 and 2898077 contain important updates for a missing authentication check in SAP NetWeaver AS JAVA and information disclosure in SAP Business Objects Business Intelligence Platform, respectively.

Securing OS Platforms with SAP Solution Manager

Securing SAP hosts is a critical component of SAP system hardening. Vulnerable operating systems can provide a pathway to SAP applications, databases and other components, bypassing security mechanisms applied in such layers. This can lead to the compromise of SAP systems including the corruption of critical files and tables. It can also support ransomware attacks that disrupt the availability of SAP services.

The Cybersecurity Extension for SAP Solution Manager performs daily automated scans to identify vulnerabilities in SAP hosts. For Linux operating systems, this includes authentication settings, firewall configurations, file and service permissions, root access, missing security patches, vulnerable packages and services, and misconfigured settings for logging and auditing. It also includes the detection of open TCP/ UDP ports that are targeted by attackers, including FTP, RPC, RDP, SSH, and Telnet.

OS findings are mapped to SAP systems, supporting holistic security across code, application, database and operating system layers.

The Extension also monitors OS logs to identify indicators of compromise in SAP hosts. Alerts and notifications are triggered for security incidents and channeled to SIEM and service desk systems. This includes the following scenarios:

  • Changes to operating system configuration, profile, and kernel parameters
  • Firewall and other network settings
  • File system mounts and unmounts
  • Group, user and password changes
  • Cron jobs
  • Daemon and service changes
  • OS scripts
  • External connections
  • Sudo users
  • Root and sudo commands
  • Failed logon and file access attempts
  • Critical file changes
  • File permission changes
  • OS code injection
  • User locks and unlocks
  • Changes to audit settings and records

Audit records from the Linux audit log are displayed in the alert details. The records include the audit event number and auid of the initial user that triggered the event.

The Cybersecurity Extension for SAP Solution Manager includes integrated incident response procedures to support forensic investigations. Users can select the Respond option from an alert to start an investigation and document the findings.

The Extension currently supports monitoring for Red Hat Enterprise Linux (RHEL) and SUSE Linux Enterprise Server (SLES). Support for IBM AIX and Microsoft Windows Server is expected in 2021.

SAP Security Notes, September 2020

Hot News note 2958563 patches a critical code injection vulnerability in SAP Business Warehouse. The vulnerability targets specific function modules to assume complete control of BW including viewing, changing, or deleting data by injecting code into the working memory which is subsequently executed by the application. It impacts BW releases up to 7.40 running on SAP Adaptive Server Enterprise (ASE) 15.7 and 16.0. BW installations running on other database platforms are not impacted.

Note 2961991 patches SAP Marketing by blocking the ability of authenticated attackers to invoke certain functions in the vulnerable Mobile Channel Servlet. The fix will block unwanted URLs via web.xml and scan the payloads of /$batch requests. The workaround in note 2962970 can provide an interim fix if note 2961991 cannot be immediately implemented.

Note 2941667 includes updated correction instructions for an OS command injection vulnerability in NetWeaver AS ABAP. The note impacts the  batch input recorder report RSBDCREC when executed outside the context of transaction SHDB.

Notes 2902456 and 2912939 are also updated for a privilege escalation vulnerability in SAP Landscape Management and a Server Side Request Forgery vulnerability in AS ABAP, respectively.

Secure Your Custom Code with SAP Solution Manager

The Cybersecurity Extension for SAP Solution Manager now supports static code analysis for custom SAP programs. Released in September, version 3.3 performs code vulnerability detection for hard coded users, passwords, hosts, systems, and clients, SQL injection, cross-site scripting, missing or insufficient authorization checks, directory traversal, sensitive table reads and writes, OS command injection, and insecure communication methods and passwords.

The ABAP checks are integrated with SAP Code Inspector (SCI) and ABAP Test Cockpit (ATC). They can be applied for new developments and existing custom programs. For existing programs, periodic scans are scheduled in the ATC. Scan results are also viewed using ATC. The results below are displayed in SAP Eclipse.

The details of vulnerabilities including the impacted lines of code in the relevant objects can viewed by clicking on each error.

Findings are integrated with the Vulnerability Report in SAP Solution Manager. Remediation plans can be recorded and tracked using action plans in Solution Manager. Alternatively, exemptions can be requested for vulnerabilities in the ATC.

Automatic blocking for transport requests containing security-related errors can be enforced in the Change and Transport System (CTS). Furthermore, the SAP BAdI CTS_REQUEST_CHECK can be implemented to trigger security checks during the release of a transport request.

Checks can be applied from central systems for remote systems. The procedures are outlined in SAP Note 2364916 and a Technical Article in the SAP Community.

SAP Security Notes, August 2020

Hot News note 2928635 patches a critical code execution vulnerability in SAP Knowledge Management (KM). KM supports the automatic execution of potentially malicious scripts in stored files without authentication. The note recommends disabling the option for Force Text Download to remove the vulnerability. Force Text Download is a parameter of the WebDAV Protocol. WebDAV includes HTTP extensions to support file management on remote web servers. Content management operations in KM are performed by methods that conform to the WebDAV protocol. Force Text Download is deactivated by default. This prevents the opening of files containing malicious scripts. The Malicious Script Filter can be used to encode executable scripts in files uploaded to KM repositories and therefore block the execution of the scripts. Encoded scripts can be decoded using the Malicious Script Handler. Note 2938162 removes a broken authentication vulnerability in KM that enables unauthenticated users to upload files to content repositories.

Note 2941667 introduces authorization checks for report RSBDCREC when executed directly without transaction SHDB. This could be exploited to inject malicious code in recordings or extensions. The note extends checks for authorization object S_BDC_MONI to the report and adds checks for authorization object S_DEVELOP for a central API.

Note 2941315 patches a missing authentication check in a web service that could be exploited to provoke a denial of service in SAP NetWeaver AS JAVA.  Note 2927956 mitigates a missing authentication check for the Unix Xvfb daemon required by SAP BusinessObjects Business Intelligence. The vulnerability could enable attackers to capture keystrokes and screen captures using the X server in SAP hosts.

Prevent and Detect Ransomware Attacks with SAP Solution Manager

Ransomware attacks accounted for one third of malware-based cyber attacks in the first quarter of 2020. Successful attacks encrypt and block access to files in compromised systems. Decryption keys for recovery of the files are typically only released after ransom demands are paid, usually in the form of untraceable cryptocurrencies. The impact of ransomware includes not only ransoms but also recovery costs. The cost of the ransomware attack experienced by Demant in 2019 is estimated at $95M. Costs at Norsk Hydro are expected to reach $70M.

Based on an analysis of telemetry records, there are several early indicators of ransomware operations performed by threat actors. Attackers often use legitimate administrative tools to prepare ransomware attacks. This includes network scanners to identify vulnerable targets and software removal tools to disable antivirus software. Threat actors also often install tools for credential theft on compromised systems.

Ransomware is usually packaged in zip files distributed through emails, trojans, and infected web sites. The ransomware WastedLocker, for example, is often disguised as zip files for legitimate software updates. WastedLocker infected digital infrastructure at Garmin in July, leading to a $10M ransom. Ransomware payloads can also be delivered through compromised SAP systems. Attackers can target remote code execution vulnerabilities in SAP GUI for client-side attacks. Ransomware can be installed directly in SAP servers using external operating system commands. OS commands performed by SAP users are executed by the operating system user <SID>ADM. The user has full administrative privileges for local SAP resources.

The wget command can be used to download ransomware from remote hosts to a target directory in the SAP host. Ransomware payloads can also be loaded directly in servers using transactions CG3Z or CACS_FILE_COPY. Once loaded, the payloads can be extracted and then executed using bash commands in Linux systems. This method for delivering, installing and executing ransomware will encrypt files in folders accessible by the <SID>ADM user and crash SAP applications and services. It may also impact other files and services in the host if the ransomware successfully elevates privileges.

Such exploits can be mitigated or detected in several ways. Access to perform OS commands should be restricted. This includes authorization object S_LOG_COM, transactions SM49 and SM69, program RSBDCOS0, and function modules such as SXPG_COMMAND_EXECUTE. Successful execution of the transactions, programs and function modules should also be monitored, as well as OS commands and changes to custom commands. Refer to SAP Note 1612730 for enabling detailed logging for external commands.

The Cybersecurity Extension for SAP Solution Manager performs automated scans to detect users with OS command privileges. It also monitors SAP logs to alert for the execution of OS commands, new custom commands, and changes to existing commands. The extension also detects and alerts for the execution of transactions SM49, SM69, CG3Z and CACS_FILE_COPY, program RSBDCOS0, and relevant function modules. Alerts are automatically forwarded to SIEM systems with event details. To learn more, contact Layer Seven Security

SAP Security Notes, July 2020

Hot News Note 2934135 patches the critical RECON vulnerability in NetWeaver Application Server Java (AS Java). RECON targets a missing authentication flaw in the LM Configuration Wizard of AS Java to execute malicious code that creates administrative users in compromised systems. Attackers can exploit RECON to compromise not only AS Java systems but also connected systems.

Note 2934135 introduces authentication and authorization for the LM Configuration Wizard and therefore secures against RECON attacks. KBA 2948106 includes FAQs to support the implementation of the note. As a workaround, the application tc~lm~ctc~cul~startup_app can be disabled if the note cannot be applied. Procedures for disabling the LM Configuration Wizard are detailed in SAP Note 2939665.

Note 2932473 removes a high-risk information disclosure vulnerability in the XMLToolkit of AS Java. The vulnerability could be exploited to read arbitrary files including files containing sensitive system configuration data.

Note 2734580 includes updated instructions for patching another information disclosure vulnerability impacting AS ABAP.  Note 2091403 should be implemented as a prerequisite for 2734580.

RECON: Secure Your Systems with SAP Solution Manager

US-CERT issued Alert AA20-195A on Monday for the so-called RECON (Remotely Exploitable Code On NetWeaver) vulnerability in SAP NetWeaver Application Server Java (AS Java). RECON impacts versions 7.3 and higher of AS Java including an estimated 40,000 SAP systems. Based on a BinaryEdge search, 4,000 of the impacted systems are internet-facing. The vulnerability is rated 10/10 using the Common Vulnerability Scoring System and can be exploited remotely by unauthenticated attackers to fully compromise SAP systems.

RECON targets a missing authentication flaw in the LM Configuration Wizard of AS Java to execute malicious code that creates administrative users in compromised systems. Attackers can exploit RECON to compromise not only AS Java systems but also connected systems including SAP ERP, CRM, SCM, and BW.

CISA strongly recommends SAP customers to apply SAP Note 2934135 to mitigate RECON. The note introduces authentication and authorization for the LM Configuration Wizard and therefore secures against RECON attacks. As a workaround, the application tc~lm~ctc~cul~startup_app can be disabled if the note cannot be applied. The LM Configuration Wizard is required by SAP Landscape Management. According to SAP, “This application is used by a few SAP Lifecycle procedures only, such as the initial technical setup. It is not needed for a day-to-day operations. You can temporarily activate or enable this application for executing the SAP lifecycle procedures.” Procedures for disabling the LM Configuration Wizard are detailed in SAP Note 2939665.

The implementation status of Notes 2934135 and 2939665 for impacted systems should be tracked using System Recommendations (SysRec) in SAP Solution Manager. SysRec connects directly to SAP Support to discover relevant notes for SAP applications, databases and components.

Users can create custom tiles in SysRec to track the implementation status of RECON notes in their SAP landscape from the Fiori launchpad.

The Cybersecurity Extension for SAP Solution Manager monitors Java application logs to detect the signature of RECON exploits. This includes enabling and executing the vulnerable application. The Extension also detects the creation of new administrative users and connections by new users or source IP addresses using anomaly detection. RECON alerts can be investigated using the incident response procedures Preventing RECON Attacks and Investigating Suspected RECON Attacks.

Email and SMS notifications are triggered for RECON alerts. The alerts can also be monitored in Solution Manager using the Alert Inbox, System Monitoring, and other applications. They can also be integrated with SIEM solutions for cross-platform monitoring. Custom alarms can be added to the Fiori launchpad to notify users of suspected RECON exploits.

SAP Security Notes, June 2020

Hot News note 2928570 patches a critical remote code execution vulnerability in SAP Liquidity Management for Banking. The vulnerability impacts connections using the Apache JServ Protocol (AJP) in Apache Tomcat. AJP connections should be blocked if not required by disabling the AJP Connector. The connections can be exploited to read and process arbitrary files in the Apache web server. This can be abused to perform remote code execution if web applications allow file uploads and the processing of files as JavaServer Pages. Apache Tomcat has been upgraded to harden the AJP Connector. However, SAP does not recommend upgrading the web server. Rather, note 2928570 provides manual procedures for disabling the AJP Connector or securing AJP connections with a secret key.

Note 2918924 provides instructions for removing hard-coded Credentials in SAP Commerce and SAP Commerce Datahub. The use of default passwords for admin and other built-in accounts has been discontinued for new installations of SAP Commerce. Since re-initializing SAP Commerce leads to the deletion of all data in the application, SAP recommends using the scripts in Note 2922193 to remove default credentials in existing installations.  

Note 2933282 removes a missing authorization check that could lead to an escalation of privileges in SAP SuccessFactors Recruiting.

Notes 2906366 and 2734580 includes corrections for high priority information disclosure vulnerabilities in SAP Commerce and SAP NetWeaver Application Server ABAP (AS ABAP), respectively.