Layer Seven Security

Is SAP ASE the Most Vulnerable Point in Your SAP Landscape?

SAP Adaptive Server Enterprise (ASE) is a widely used relational database server for SAP solutions. As part of the drive to HANA, SAP is expected to withdraw support for third-party databases including Oracle, IBM and Microsoft. Standard support for Oracle 19c, for example, will end in April 2024. Oracle 19c is the highest release of Oracle certified for SAP. In contrast, maintenance and support for ASE is expected to continue beyond 2030. This includes both on-premise and cloud deployments. ASE is used within the SAP Cloud Platform and SAP HANA Enterprise Cloud for persistence services.

The database layer in SAP landscapes will increasingly comprise SAP HANA and ASE database systems. However, unlike HANA, security for ASE is often overlooked by SAP customers. As a result, ASE can be a vulnerable target for threat actors in SAP landscapes. This article will discuss the key aspects of ASE security and methods for automating vulnerability management, security patching and threat detection for ASE.

SAP ASE supports both password-based authentication for database users and external authentication using Kerberos, LDAP, or PAM. For password authentication, strict password policies are recommended governing password complexity, failures, expiration, and reuse. The transmission of passwords over the network layer should be secured using SSL through the FIPS 140-2 validated cryptographic module. For external authentication, it is recommended to enable message confidentiality, integrity and origin checks to secure procedures for remote authentication.

ASE includes several pre-defined roles for provisioning required privileges to database users. They are managed using the sso (security officer) role. Access to this role should be restricted to authorized users. Other critical roles include the sa (security administration) role, and roles for operations, replication, job scheduling, web services, and system administration.

ASE also includes multiple default accounts that should be locked if not in use. This includes the accounts probe, sybmail, jstask, and mon_user. The sa account has system-wide privileges. The password for the account is blank on install. The account should be locked after the initial database configuration. The use of the guest account is not recommended since it inherits the permissions of the public role.

Remote users can be authorized to execute remote procedure calls (RPC) in ASE. Remote user IDs are mapped to local IDs by ASE to authorize access to RPCs. The use of remote users should be avoided.

Vulnerable services in ASE should be disabled to reduce the attack surface. This includes the extended stored procedures xp_cmdshell and xp_sendmail. Other stored procedures should be enabled to support enhanced security checks. For example, sp_extrapwdchecks should be activated to check for password reuse.

Column and table-level encryption can be enabled to protect data at rest. Encrypted data is transparent to applications and therefore does not impact operations. ASE supports the Advanced Encryption Standard (AES) encryption algorithm and 256-bit key lengths. AES is a NIST-approved cipher standard.

Auditing is disabled by default in ASE. Once enabled, audit options should be activated to log specific events to the audit log. This should include auditing of the sa account and critical roles such as sso, configuration changes, login failures, role and account changes including user passwords, and the execution of stored procedures. It is also recommended to enable auditing for data binds, changes to encryption keys, and the importing/exporting of data to/from external files.

Audit events are written to system audit tables. The tables can be read using SQL commands. Only select and truncate commands are supported for the audit tables. The event details include a unique event ID, timestamp, the ID of the account that performed the audited event, and the details of objects that were accessed or modified.
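The detections the article describes for ASE audit records (use of default accounts that should be locked, bursts of failed logins, and calls to extended stored procedures such as xp_cmdshell) can be expressed as rules over the audit table rows. The following is an added example, not Layer Seven Security's code; the record layout and field names (event, loginname, eventtime, success, objname) are a constructed simplification of the ASE audit tables, not the real sysaudits schema, and the sample audit trail is constructed.

```python
"""Detection rules over SAP ASE audit records (added example, not Layer Seven's code).
The record layout is a constructed stand-in for the ASE audit tables the article
describes (event type, timestamp, acting login, object); the real sysaudits columns
and event codes differ, so map them before use."""
from collections import defaultdict
from datetime import datetime, timedelta

DEFAULT_ACCOUNTS = {"sa", "probe", "sybmail", "jstask", "mon_user", "guest"}  # lock if unused
SENSITIVE_PROCS = {"xp_cmdshell", "xp_sendmail"}   # extended procs the article says to disable
FAILED_LOGIN_THRESHOLD = 3                         # failures per login ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)         # ... inside this sliding window


def rec(event, login, when, success=True, obj=""):
    """One constructed audit record (field names are assumptions)."""
    return {"event": event, "loginname": login, "eventtime": when,
            "success": success, "objname": obj}


# Constructed sample audit trail for one morning.
SAMPLE_AUDIT = [
    rec("login", "appuser", "2023-04-03 08:00:00"),
    rec("login", "probe", "2023-04-03 08:05:00"),                     # default account
    rec("exec_procedure", "appuser", "2023-04-03 08:06:00", obj="sp_who"),
    rec("login", "sa", "2023-04-03 08:10:00"),                        # should be locked
    rec("exec_procedure", "sa", "2023-04-03 08:11:00", obj="xp_cmdshell"),
    rec("login", "appuser", "2023-04-03 08:20:00", success=False),
    rec("login", "appuser", "2023-04-03 08:21:00", success=False),
    rec("login", "appuser", "2023-04-03 08:22:30", success=False),    # 3rd in 5 min
    rec("login", "batchuser", "2023-04-03 09:00:00", success=False),
    rec("login", "batchuser", "2023-04-03 09:10:00", success=False),  # too sparse
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def detect_default_account_use(records):
    """Successful logins by accounts that should be locked or unused."""
    return [{"rule": "default_account_login", "loginname": r["loginname"],
             "eventtime": r["eventtime"]}
            for r in records if r["event"] == "login" and r["success"]
            and r["loginname"].lower() in DEFAULT_ACCOUNTS]


def detect_failed_login_bursts(records, threshold=FAILED_LOGIN_THRESHOLD,
                               window=FAILED_LOGIN_WINDOW):
    """Logins with `threshold` or more failures inside any `window`."""
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "login" and not r["success"]:
            failures[r["loginname"]].append(parse_time(r["eventtime"]))
    findings = []
    for login, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide window start forward
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"rule": "failed_login_burst", "loginname": login,
                                 "count": end - start + 1,
                                 "last_failure": t.strftime("%Y-%m-%d %H:%M:%S")})
                break                           # one finding per login
    return findings


def detect_sensitive_proc_calls(records):
    """Executions of extended stored procedures that should be disabled."""
    return [{"rule": "sensitive_procedure", "loginname": r["loginname"],
             "objname": r["objname"], "eventtime": r["eventtime"]}
            for r in records if r["event"] == "exec_procedure"
            and r["objname"].lower() in SENSITIVE_PROCS]


def run_detections(records):
    """Apply every rule; returns findings keyed by rule name."""
    return {"default_account_login": detect_default_account_use(records),
            "failed_login_burst": detect_failed_login_bursts(records),
            "sensitive_procedure": detect_sensitive_proc_calls(records)}


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_AUDIT).items():
        print(rule, len(hits), hits)
```

On the constructed trail the rules produce four findings: logins by probe and sa, one failed-login burst for appuser, and one xp_cmdshell execution; batchuser's two failures ten minutes apart stay below the threshold.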

The Cybersecurity Extension for SAP leverages the database connectivity of SAP Solution Manager (SolMan) and SAP Focused Run (FRUN) to automatically detect security vulnerabilities in ASE installations that could be exploited by threat actors. This includes vulnerabilities in the following areas:

Settings for external authentication
Policies for password authentication
Users with critical roles
Disabling of default accounts
Remote users
Deactivation of vulnerable database services
Transport layer security
Database encryption
Auditing and logging

The Extension provides detailed recommendations to remediate vulnerabilities and harden ASE installations against targeted exploits.

Security notes for ASE are reported by System Recommendations (SysRec) in SAP Solution Manager. SysRec connects directly to SAP Support to calculate required notes. The Cybersecurity Extension for SAP integrates with SysRec to automatically identify and remove potential false positive notes based on installed application components. You can filter notes in SysRec for the ASE components BC-SYB-*.

The Extension also monitors ASE audit logs in real-time to detect and alert for potential breaches such as the use of default users that should be locked, changes to roles and user permissions, failed logins, locked users, database configuration changes including audit settings, successful calls to sensitive stored procedures, the installation of Java programs, password resets, remote procedure calls to/from external servers, the deployment of web services, and commands that transfer table contents to/from external files.

Alerts can be investigated using built-in incident response procedures and workflows.

Audit records are replicated from ASE installations to the Cybersecurity Extension for SAP to support archiving and forensic analysis and to protect against log corruption.

To learn more, contact Layer Seven Security.

SAP Security Notes, April 2023

Hot news note 3305369 patches missing authentication check and code injection vulnerabilities in the SAP Diagnostics Agent. The note removes the EventLogServiceCollector and OSCommand Bridge components from the Agent to address the vulnerability. The patch does not affect metric data collection for data collectors that use the Agent. However, it will disable metric testing.

Hot news note 3294595 addresses a critical directory traversal vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) that could be exploited to overwrite system files and trigger a denial of service, interrupting the availability of systems. Note 1512430 provides an alternative approach for removing the vulnerability. The note blocks report RSPOXDEV and RSPOXOMS from overwriting files in AS ABAP. The corrections require assigning a physical path to the logical path RSPO_FILE_LOCATION delivered with the note using transaction FILE.

Note 3298961 fixes an information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (BOBJ). Exploitation of the vulnerability could enable threat actors to discover the password of the BI user by accessing and decrypting the lcmbiar file. Password protection for the file can be applied as a workaround if the patch in the note cannot be applied.

Finally, note 3305907 addresses a high-priority directory traversal vulnerability that could enable attackers to upload and overwrite files in the BI Content Add-on for AS ABAP through a vulnerable report that does not apply sufficient authentication checks and file validation. The correction included in the note removes the ability to upload files through the vulnerable report.

What’s New in the Cybersecurity Extension for SAP

The new release of the Cybersecurity Extension for SAP (CES) is scheduled for general availability on April 24. It includes several important enhancements, configuration checks and patterns for threat detection to further protect SAP solutions from advanced cyber threats.

The prior release of the CES provided capabilities for SAP customers to automatically discover and remove false positive security notes calculated by System Recommendations (SysRec) in SAP Solution Manager. This improved the quality and reliability of results in SysRec and reduced the manual effort required by SAP administrators to analyze security patches. The new release of CES extends the enhancements for SysRec by including CVE, CVSS and vector information for calculated security notes.

The new release also includes configuration checks for protection against directory traversal in ABAP systems. The checks review path validation for files with no defined physical paths and the definition of physical file paths for logical paths. Checks are also applied for settings in SAP Virus Scan Interface (VSI) profiles and supported MIME types. SAP VSI integrates with scanning engines to discover and block malware in file uploads and downloads from SAP solutions.

The new release includes extended checks for Unified Connectivity (UCON) including HTTP whitelists for protection against clickjacking attacks and relevant background jobs. It also includes extended checks for Read Access Logging including log domains, groups and fields. In addition, checks for the masking and encryption of payment card data are included in the new release.

There are over 210 checks for critical transactions in S/4HANA included in the release. Future releases will roll out authorization checks for solutions such as S/4HANA, ECC, BW/4HANA, BW, and CRM. The checks will enable customers to use the Cybersecurity Extension for SAP to monitor critical access and segregation of duties in lieu of SAP Governance, Risk & Compliance (GRC), given the scheduled end of maintenance of GRC.

There are several new checks for code vulnerabilities in custom SAP programs. This includes checks for XSRF protection and the forceEncode attribute.

New patterns for detecting Indicators of Compromise (IOCs) in SAP solutions include successful and unsuccessful program installations, uninstallations and changes in Microsoft Server platforms for SAP. Similar patterns were included in earlier versions of CES for Linux platforms to support the detection of potential ransomware attacks.

IOCs are also included for the detection of changes to specific security-relevant parameters in SAP ABAP and HANA systems.

A new security framework has been added to CES for S/4HANA. The framework will enable customers to automatically check the compliance of S/4HANA systems with SAP requirements in the Security Guide for S/4HANA.

The new release of CES deprecates custom InfoCubes and process chains used in earlier versions. This dramatically improves the stability and performance of CES and the ability of the solution to rapidly process large data sets with minimal resources.

Security alerts for multiple hosts can be mapped to specific SAP System IDs in the new release. Also, filters for security alerts include a new field to support searching of security alerts based on time ranges using the format HH:MM:SS for start and end times.

Finally, vulnerability details now include tables containing the complete fields and values from source CCDB stores. The tables support data filtering and export.

The next release of the Cybersecurity Extension for SAP is scheduled for June 2023 and will include support for detecting IOCs in logs for SAP ASE databases, vulnerability and event correlation, and trend analysis for tracking changes in vulnerabilities, patches and alerts for periods covering up to two years.

SAP Security Notes, March 2023

Hot news note 3273480 was updated in March for SP026 of NetWeaver Application Server Java (AS Java) 7.50. The note deals with a critical SQL injection vulnerability that can be exploited by unauthenticated attackers that attach to an open interface exposed through JNDI by User Defined Search (UDS) of AS Java. The fix included in the note applies authorization checks to mitigate the vulnerability. The authorizations are assigned to the roles SAP_XI_ADMINISTRATOR_J2EE, SAP_XI_CONFIGURATOR_J2EE, SAP_XI_DEVELOPER_J2EE and NWA_READONLY.

Note 3252433 patches a broken authentication vulnerability impacting the LockingService in AS Java. The note removes public access and applies the required authentication and authorization checks for the service.

Hot news notes 3245526 and 3283438 address high-risk vulnerabilities in SAP BusinessObjects Business Intelligence (BOBJ). Note 3245526 fixes a code injection vulnerability in the Central Management Console (CMC). The note removes the ‘Use Impersonation’ option from the CMC and introduces authorization checks for scheduling program objects. Note 3283438 fixes an OS command execution vulnerability in the Adaptive Job Server. Workarounds are detailed in the note including unchecking the options Run scripts/binaries and Run Java programs in the CMC, and disabling the rexecd service.

Notes 3294595 and 3302162 patch directory traversal vulnerabilities in NetWeaver Application Server ABAP (AS ABAP). The vulnerabilities can be exploited to overwrite system files and trigger a denial of service.

Configuration and Security Analytics with SAP Focused Run

SAP Focused Run supports real-time monitoring for high-volume SAP landscapes and customers with advanced requirements for system management, user and integration monitoring, and vulnerability management. Configuration and Security Analytics (CSA) in SAP Focused Run applies security policies to discover vulnerabilities in SAP systems. The policies read the contents of configuration, software and user-related stores in the Configuration and Change Database (CCDB). The CCDB stores are refreshed daily using the Simple Diagnostics Agent (SDA), installed in SAP systems monitored by Focused Run.

This article explores capabilities in CSA for tuning security checks using exclusions, configuring alerts for critical vulnerabilities, and investigating security-related changes reported by CSA.

Exclusions can be applied to exclude specific checks in security policies. In the example below, we have applied an exclusion to exclude a check that validates the status of the standard DDIC user. The first step is to open CSA in the Advanced Configuration Monitoring workgroup.

The next step is to select the relevant policy and select Exemption for Policies.

Select Create to add the exemption. Select the Check ID based on the available checks in the policy and add an Exception ID and Description.

You can add a date range if the exclusion is temporary and should be automatically removed after a target date. Once saved, the check will be excluded from the policy. Exemptions can be maintained and deleted after they are applied.

Alerts for systems that fail checks in security policies can be configured using Configuration Validation Alert Management.

Select Create and add an Alert ID and Description. The Alert Source should be set to Configuration Validation – Policy. Select the Policy and maintain options for Aggregation Level, Scope, Frequency and Severity. Select ON and click on Save to activate the alert.

Alerts can be configured for specific systems or groups based on Customer ID, Data Center, IT Admin Role, Lifecycle Status, or Networks.

IT Admin Role can be used to apply alerts for systems based on environments.

Email and SMS options for alert notifications can be maintained using Outbound Variants.

Alerts can be investigated and managed using Alert Management. In the example below, we can see the alert configured in CSA for changes to standard users. Alerts in Alert Management can be integrated with SIEM and service desk solutions. For detailed information, refer to the SAP Help Portal.

Changes in SAP systems are captured and logged in CSA. This includes areas such as parameter settings, RFC destinations, ICF services, and user authorizations, profiles, roles, and transactions. The details of the changes can be viewed using the option to display change of configuration items. Select a time frame for changes using Time Frame Selection.

You can also maintain a custom time frame.

Select a system to view a summary of the changes.

Select a store to view the details of changes. In the example below, we can see the details of users that were assigned the SAP_ALL profile in a system over the last three months.

The details can be filtered, sorted and exported to Excel.

The Cybersecurity Extension for SAP integrates with CSA in Focused Run to apply thousands of security checks for known vulnerabilities in SAP solutions. It also integrates with System Monitoring in Focused Run to detect and alert for more than 600 indicators of compromise in SAP event logs. To learn how you can protect your SAP systems from cyber threats using the Cybersecurity Extension for SAP, contact Layer Seven Security.

SAP Security Notes, February 2023

Hot news note 3273480 was updated in February for a critical vulnerability that could enable attackers to compromise installations of NetWeaver Application Server Java (AS Java) via an open JNDI interface exposed through User Defined Search (UDS). The updates include corrections for side effects caused by the original fix for the vulnerability that implemented authorization checks for affected public methods. Note 3301366 corrects side effects for alerting and monitoring after implementing note 3273480. Note 3284781 provides instructions to correct side effects observed for specific services used by Process Integration (PI).

Note 3285757 recommends upgrading the SAP Host Agent to the latest version 7.22 PL59 in order to patch a high priority privilege escalation vulnerability. Attackers can exploit the vulnerability to execute operating system commands using administrative privileges through webservice requests.

Note 3256787 includes a fix for an unrestricted file upload vulnerability in SAP BusinessObjects Business Intelligence (BOBJ). The note also includes instructions for a workaround that involves applying a whitelist for file format types using the property upload.file.allowed.formats in the file.

Other important notes include 3263135 and 3271091 for information disclosure and privilege escalation vulnerabilities in BOBJ and SAP Business Planning and Consolidation (BPC), respectively.

Analyzing Security Notes with SAP Maintenance Planner

Maintenance Planner is a cloud solution from SAP that supports the planning and administration of systems in SAP landscapes. It is the successor to Maintenance Optimizer and Landscape Planner and consolidates and simplifies tasks such as system installation, updates, upgrades and conversions.

Maintenance Planner is hosted on the SAP Support Portal. It maintains an inventory of SAP systems in customer landscapes. The inventory can be viewed using the Explore Systems tile.

Landscapes can also be analyzed using graphical topologies in Hybrid Landscape Visualization.

Explore Systems provides detailed software information for each system such as product versions, components and stack levels, as well as tracks and dependencies. Tracks are used to group related systems and streamline maintenance.

Maintenance Planner identifies products that are out of maintenance, third-party add-ons installed in SAP systems, and inconsistencies between displayed software components and installed components in systems. The software information is sourced by Maintenance Planner directly from the Landscape Management Landscape Database (LMDB) in SAP Solution Manager. The information is synchronized with the LMDB every day via the SAP-OSS connection between Solution Manager and SAP Support.

Upgrade Dependency Analyzer (UDA) is integrated with Maintenance Planner to help identify the impact of maintenance tasks in dependent systems. Maintenance Planner identifies and downloads the required software packages for planned upgrades or new systems. It also supports conversion tasks for migration from SAP ERP to S/4HANA. Finally, Maintenance Planner includes guided workflows to discover and integrate SAP cloud solutions.

Maintenance Planner calculates and displays recommended notes for systems in each landscape. The notes are analyzed and managed using the View Recommended Notes tile. It supports searching, filtering, grouping, sorting, and exporting of results. The Calculate Notes option displays relevant notes for selected systems. Notes are grouped by category including Security, Hot News, Performance and Legal Change. You can select a note from the available categories to view the details. CVE, CVSS and vector information is provided for SAP Security Notes.

Maintenance Planner can track the implementation lifecycle of notes using the Processing Status option. The following values are supported for the option:

Transferring: Note is transferred for implementation
In Progress: Note implementation is in progress
Not Relevant: Invalid or irrelevant note for the system

A Comments field is also included for users to provide additional information related to the implementation status of each note.

Maintenance Planner provides an alternative to System Recommendations for discovering and managing required notes in SAP systems. However, unlike System Recommendations, Maintenance Planner does not identify SAP HANA, Web Dispatcher and platform-related notes. Also, it does not integrate with Change Request Management (ChaRM), Usage and Procedure Logging (UPL), ABAP Call Monitor (SCMON), and Solution Documentation for the full lifecycle management of notes and automated change impact analysis to support test planning.

SAP Security Notes, January 2023

Hot news note 3089413 patches a critical capture-replay vulnerability that can lead to authentication bypass in SAP NetWeaver Application Server ABAP (AS ABAP). The vulnerability is caused by the failure to use unique hashes for system identification. Note 3089413 includes corrections for the SAP kernel and the SAP Basis component. The corrections must be applied in both trusting and trusted systems.

Hot news note 3268093 deals with a broken authentication vulnerability in SAP NetWeaver Application Server Java (AS Java). An unauthenticated attacker can attach to an open interface and exploit an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data. This could allow the attacker to gain full read access to user data, modify data and disrupt the availability of services within the system. The correction removes public access to basicadmin and adminadapter services and introduces authentication and authorization for the relevant objects. The required permissions are automatically assigned to the Administrator, NWA_SUPERADMIN, and NWA_READONLY roles by the corrections.

Note 3243924 patches a high-risk insecure deserialization of untrusted data vulnerability in SAP BusinessObjects Business Intelligence (BOBJ). Authenticated attackers with minimal privileges can intercept and modify serialized objects in the Central Management Console and BI LaunchPad of BOBJ. Note 3243924 restricts deserialization to specific internal classes. The note also includes instructions for a workaround that involves removing the vulnerable code in specific files.

Other important notes include 3262810 and 3275391 for code injection and SQL injection vulnerabilities in the Analysis Edition for OLAP in BOBJ and SAP Business Planning and Consolidation, respectively.

Security Alerting with SAP Focused Run

SAP Focused Run provides real-time application monitoring, alerting and analytics for large-scale SAP landscapes and hosting providers. It leverages SAP HANA to support centralized monitoring for up to thousands of systems in high-volume environments. Focused Run is intended to complement Solution Manager in SAP landscapes by substituting configuration, integration, system, and user monitoring scenarios from SolMan. Solution Manager is required for all other scenarios including change management, patch management, custom code management, business process monitoring, service management, and test management.

This article explores the alerting capabilities of SAP Focused Run using the workgroups Advanced System Management and Advanced Event & Alert Management.

Similar to SAP Solution Manager, Focused Run includes preconfigured monitoring templates and data providers for SAP platforms and solutions including ABAP, HANA, and Java. It also includes database and host templates for monitoring SAP infrastructure. The standard metrics and alerts within the SAP-delivered templates include content for monitoring the availability and performance of SAP applications, components, agents, interfaces and infrastructure.

The Cybersecurity Extension for SAP extends the coverage of SAP Focused Run to include security monitoring. The SAP-certified addon provides more than 500 metrics and alerts for detecting indicators of compromise in SAP logs. This includes ABAP logs such as the Security Audit Log, Gateway Server Log, HTTP Log, System Log, Transaction Log, Read Access Log, and Change Documents. It also includes support for the Audit Log in HANA platforms. The current version of the Cybersecurity Extension for SAP supports ABAP and HANA platforms. Future releases are expected to support Java systems and operating system logs in Linux hosts.

Alerts can be accessed using Alert Management in the Advanced Event & Alert Management workgroup.

Focused Run supports the grouping of systems into Customer IDs. This can be used to segment results for business units. Alert Management will summarize the results for the Customer IDs selected during the initial selection screen.

You can select the list view to display the current alerts.

You can open and view the details of alerts in the list. The example below is an alert triggered in a managed system for changes performed for the roles assigned to the standard SAP* user.

The Metrics tab includes information related to the underlying event including the event timestamp, source IP, target IP, and user information. This information can be automatically integrated with Security Information and Event Management (SIEM) systems. Notifications can also be sent for alerts through email or SMS using the Send Notification option in the Actions menu.

Alert Reporting in Alert Management provides a dashboard for monitoring alerts by date, category and systems.

Alerts can also be managed using System Monitoring in the Advanced System Management workgroup.

System Monitoring includes an Alert Ticker in the right pane that displays the latest alerts in real time.

The application also includes a hierarchical view for displaying alerts by managed object type including systems, application servers, instances, databases and hosts.

How to switch from SAP Code Vulnerability Analyzer to the Cybersecurity Extension for SAP, Part 9

The Cybersecurity Extension for SAP provides an alternative to SAP Code Vulnerability Analyzer (CVA) for SAP vulnerability management, threat detection, and custom code security. The Cybersecurity Extension for SAP is developed by Layer Seven Security. Layer7 is an SAP partner and competitor of SAP CVA. This guide will help you plan for the transition from SAP CVA to the Cybersecurity Extension for SAP. Once you have transitioned from SAP CVA, you can remove the SAP CVA consoles and sensors from your SAP landscape, as well as the SAP CVA users and addons in your SAP systems.

Unlike SAP CVA, the Cybersecurity Extension for SAP is an addon for SAP Solution Manager. Solution Manager is a monitoring and diagnostics platform widely used by SAP customers for application lifecycle management. Over 12,000 SAP customers worldwide are actively using Solution Manager to manage their SAP systems. Usage rights for Solution Manager are included in SAP support.

The Cybersecurity Extension for SAP requires the standard setup of Solution Manager. This guide will help you review your Solution Manager setup and prepare your platform to ensure a smooth transition from SAP CVA to the Cybersecurity Extension for SAP.

Check central system

The Cybersecurity Extension for SAP applies code vulnerability checks using the ABAP Test Cockpit (ATC). A central check system is recommended for the ATC. The central system performs code analysis for remote systems. Please refer to the SAP guidelines for configuring a central system for your landscape. The latest version of the SAP Basis component is recommended for the central system to analyze custom code in systems with lower versions.