Layer Seven Security

SAP Security Notes, March 2020

Hot News note 2845377 patches a missing authentication check in the Diagnostics Agent. The Agent is a component of the Solution Manager landscape. It commonly connects to the Java server in Solution Manager through the J2EE Message Server HTTP port. This is recommended by SAP. However, it can also connect to Solution Manager using a direct P4 connection. P4 is a proprietary SAP protocol based on Remote Method Invocation (RMI) and Common Object Request Broker Architecture (CORBA). Direct P4 connections between Solution Manager and Diagnostics Agents are not recommended by SAP for most scenarios.

The patch delivered in note 2845377 closes the P4 port and therefore prevents the ability to connect to the service. Leaving the port open could enable attackers to connect to the Agent and execute commands using the permissions of the <SID>adm user. It could also enable attackers to shut down the agent. This could interrupt monitoring in Solution Manager. However, the impact on security monitoring would be minimal since the Diagnostics Agent supports monitoring for AS Java and SAProuter log files only. Availability monitoring is performed using the SAP Host Agent. The Diagnostics Agent is used primarily for performance monitoring.

Hot News note 2890213 patches a missing authentication check in User-Experience Monitoring (UXMon). UXMon executes and analyzes the results of client-side scripts to monitor availability and performance metrics in endpoints. The note enables user authentication for the EemAdmin administration service.

Note 2806198 provides corrections for a critical directory traversal vulnerability in the SAP NetWeaver Universal Description Discovery and Integration (UDDI) Server. The UDDI Server is a Services Registry containing definitions for enterprise services and metadata references. It also provides information related to web service consumers and providers including physical systems.

Security Forensics with SAP Solution Manager

Security Forensics in SAP Solution Manager supports centralized log monitoring for SAP landscapes. The Fiori application from Layer Seven Security enables users to analyze incidents across multiple logs and systems directly from Solution Manager, helping organizations to detect and respond to security breaches. It also protects against anti-forensics.  Since event logs are replicated to a central log, attackers can not remove all traces of their actions to avoid detection.

Security Forensics is accessed from the Fiori launchpad for SAP Solution Manager.

The application currently supports the Security Audit Log, Gateway Server log, HTTP log, Transaction log, Read Access Log, System Log, User Change logs, and the HANA Audit log. Support for the Java Security Log and SAProuter log is scheduled for Q3 2020.

Advanced Search supports complex queries based on system, log source, date, time, user, source terminal/ IP address, and event ID.

Log Source:

Source terminal/ IP address:

Date/Time:

The query below filters log events to isolate actions performed by the SAP* user. The query results reveal that the SAP* user was locked due to failed logon attempts in system AS2 at 10:30:00 on 23.03.2020.

The results can be exported to a csv file to support offline analysis and collaboration. Event details can also be appended directly to an email by selecting the Notify option from the drilldown.

Personalized alarms for events can be configured using the Save As Tile option for filter selections.

Alarms are displayed as custom tiles in the launchpad. Below we have added an alarm for log events related to the SAP* user in production systems. The tile will automatically update to display the number of matching records. Users can click on the alarm to view the details of the events.

Security Forensics is available for SAP Solution Manager 7.2 SP07 or higher. The application is available for both HANA and conventional database platforms.  For the latter, customizing options are provided to activate log monitoring for only specific managed systems and adjust the log retention period.

SAP Security Notes, February 2020

Note 2841053 patches a high risk Denial of Service (DOS) Vulnerability in the SAP Host Agent. Username/password-based authentication requests for the SAP Host Agent are delegated to operating systems or LDAP, Active Directory and other authentication platforms. Operating systems and authentication platforms often include mechanisms to limit parallel logon requests in order to protect against brute force attacks. This could lead to delayed responses to logon requests. Note 2841053 recommends blocking access from untrusted networks to the Host Agent ports 1128 and 1129. Alternatively, access to the Host Agent can be bound to specific IP addresses or hostnames defined in the value for profile parameter service/hostname or using an access control list specified in the host_profile of the agent. Another option is to disable username/password-based authentication and only allow certificate-based authentication using the value disabled for the host profile parameter saphostagent/authentication_method.

Notes 2878030 and 2877968 deal with missing input validation vulnerabilities in SAP Landscape Management. Attackers with admin privileges could exploit the vulnerabilities to execute malicious commands with root privileges in the SAP Host Agent through Landscape Management. The options for SAP Landscape Management Internal Operation Check and LVMIntOpOld should be enabled before applying the corrections in the support package referenced in the notes. RuntimeInternalOperationValidator should be executed after the corrections are applied to activate the fixes in all hosts.

Webinar Playback: SIEM Integration for SAP

Security Information and Event Management (SIEM) systems support centralized security monitoring across networks. They ingest and analyze data from hosts, routers, switches, firewalls and other components to identify and respond to security threats.

SIEM systems can ingest data directly from SAP application logs. However, direct integration is complex and laborious. It also requires high maintenance and may substantially increase costs if SIEM licensing is tied to log size or events per second.

This challenge can be overcome by integrating SAP logs with SIEM systems using SAP Solution Manager, a management server in SAP landscapes. Solution Manager filters, structures and enriches security event data in SAP logs to support fast, seamless integration with SIEM systems.

This webinar recording discusses the challenges of direct ingestion of SAP logs and the benefits of integration using Solution Manager. It also provides recommendations for configuring audit settings and policies for the following data sources in SAP:

Security Audit Log
System Log
ICM Log
Business Transaction Analysis
Gateway Log
Change Documents
Read Access Log
Java Security Log
HANA Audit Log
SAProuter Log

The webinar is a digest of the whitepaper SIEM Integration for SAP.

You can download the whitepaper here.

Prevent Configuration Drift with SAP Solution Manager

Maintaining system security in dynamic SAP environments is a constant challenge. New users are added every day. Permissions for existing users are constantly updated to keep up with changing requirements. Software updates, transports and other changes introduce new components or developments and often necessitate changes to system settings. With each change, even hardened systems can become less secure and more vulnerable to intrusion.  

To some extent, the risk of configuration drift can be managed through regular vulnerability scanning. However, scan results only identify the consequences of changes, not the root cause. Periodic audits of system and user changes can also help to address the risk. Audits can uncover compliance gaps against change management protocols, but are limited in scope since they are usually performed manually.

Change Analysis in SAP Solution Manager provides an automated response to the risk of configuration drift in SAP systems. The application tracks changes in systems including ABAP, HANA, Java parameters, database and operating system settings, user privileges, notes, software updates, and transport requests. The tool maintains a history of changes performed in each system for two years.

Change Analysis is accessed from the Root Cause Analysis work center in the Fiori launchpad for SAP Solution Manager.

Scope selection supports filtering of changes by system, type or environment.

Results can be filtered further to focus on changes within a specific time frame.

The filtered results are summarized in the dashboard below.

The dashboard supports drilldown from summarized results by system and category into detailed changes. In the example below, the results reveal that the value of parameter gw/accept_timeout was modified in system AS2 at 3.00PM on February 11, 2020.

In another example, the results reveal that the profile SAP_ALL was assigned to the user ATTACKER9 on the same day in the identical system.

Notifications for changes to critical areas can be configured using the monitoring and alerting framework within Solution Manager. The notification below is an alert for changes to RFC destinations. Email and SMS notifications for changes are also supported. Alerts can be integrated with SIEM systems or incident management systems for automated ticketing.

Change Reporting can be used to compare the configuration of different systems.

It can also be used to compare the configuration of the same system using different timestamps. In the example below, we are comparing the configuration of system ECP on February 6 with January 22 to identify changes that occurred in the system during the interval.

The comparison tool is useful for identifying not only changes that may lead to configuration drift within systems but also differences between settings in production environments and other environments such as quality or development. The comparison results are displayed in the Result Details and can be exported for analysis. According to the results below, the SAP_UI component was upgraded in ECP from version 751 to 753 during the interval.

SAP Security Notes, January 2020

Note 2822074 patches a missing authorization check in the Business Object Repository (BOR) of SAP NetWeaver Application Server ABAP. The note introduces the switchable authorization check objects S_BOR_RFC and S_BOR_PRX to supplement the generic S_RFC authorization. The new objects should be activated using transaction SACF to secure remote access to BOR. Note 2844646 is a prerequisite for note 2822074 and therefore should be implemented in advance. The report SWO_RFC_AUTH_CHECK_STATE can be executed after the note is applied to check the activation of the checks.

Note 2142551 is re-released with updated correction instructions for implementing whitelists to protect against clickjacking attacks in AS ABAP. Standard protective measures against clickjacking, including the X-Frame-Options HTTP response header, are not suitable for common NetWeaver integration scenarios. Therefore, SAP provides a whitelist-based framework for NetWeaver technologies. The framework and its implementation are described in SAP Note 2319727.

Note 2848498 provides a kernel patch to remove a Denial of service (DOS) vulnerability in the Internet Communication Manager (ICM). Attackers can exploit the vulnerability to crash the ICM by sending specially crafted packets to the IIOP or P4 service that lead to a buffer overflow. The corrections in note 2848498 will support the detection and prevention of the buffer overflow.

Whitepaper: SIEM Integration for SAP

Download the new whitepaper for SAP-SIEM integration from Layer Seven Security. The whitepaper outlines recommended settings for the Security Audit Log, HANA audit log, and other logs to support advanced threat detection. It discusses the challenges of direct integration of SAP logs with SIEM systems in terms of complexity, log volume, maintenance, and event correlation.

The whitepaper advocates SIEM integration using SAP Solution Manager based on benefits such as lower complexity, rapid deployment, reduced costs, ease of maintenance, and the enrichment of event data to support cross-platform correlation.

The SIEM Integrator for SAP is a software add-on for SAP Solution Manager that delivers automated threat detection for SAP systems. The add-on supports integration with SIEM platforms including Splunk, QRadar, ArcSight, LogRhythm and SolarWinds. The Integrator includes 300+ attack detection patterns for SAP platforms and logs.

SAP Security Notes, December 2019

Note 2871877 patches multiple high priority vulnerabilities in Maintenance, Repair, and Overhaul (MRO) Workbenches in SAP Enterprise Asset Management (EAM). This includes missing authorizations checks for authenticated users that could lead to an escalation of privileges, and directory traversal caused by insufficient path validation. The latter vulnerability could enable attackers to read, overwrite, delete, or corrupt files in effected servers. Corrections are packaged in a transport included in the Note.

Note 2734675 provides automated and manual corrections for missing authorization checks in SAP Cash Management. The corrections introduce checks for vulnerable function modules including BAPI_FCLM_BAM_AMD_BNKANT and BAPI_HOUSE_BANK_REPLICATE. The function modules support replication of Bank Account Management (BAM) master data between SAP S/4HANA Finance systems.

Finally, Note 2730227 removes missing authorization checks in the historical data processing component of SAP Central Payments introduced in Note 2651431. SAP Central Payments is part of SAP Central Finance and supports centralized payments and clearing activities in central systems instead of source systems.

Season’s Greetings

2019 was a stellar year. In case you missed them, check out the enhancements we rolled out during the year

CVA – SolMan Integration – Monitor vulnerabilities in your custom programs using SAP Code Vulnerability Analyzer and SAP Solution Manager
Fiori Reports & Dashboards – Manage vulnerabilities and threats directly from the SAP Fiori Launchpad for Solution Manager
> SolMan – SIEM Integration – Connectors for Splunk, QRadar, ArcSight  & LogRhythm to integrate alerts from SAP Solution Manager with SIEM platforms
> Database Monitoring – Security frameworks for IBM, Oracle, Microsoft and Sybase databases

We’re hard at work preparing next year’s enhancements. Watch out for the following in 2020

> Host Security Monitoring – Monitor Linux and Windows hosts for SAP applications with the Remote OS Script Collector in SAP Solution Manager
> End User Monitoring – Real-time user monitoring with SAP Focused Run
> Machine Learning – Predictive analytics for system anomalies using SAP Focused Run
> FRUN – SolMan Integration – Monitor Focused Run alerts for system and user anomalies in SAP Solution Manager

Catch up with us at the upcoming events below

RSA 2020, San Francisco, February 24-28
SAPinsider 2020, Las Vegas, March 17-19

Best wishes from Layer Seven Security

SAP Security Notes, November 2019

Hot News Note 2839864 updates Note 2808158 for a high risk OS Command Injection vulnerability in the SAP Diagnostics Agent. The vulnerability exists within the OS Command Plugin of the Agent, accessible through transaction GPA_ADMIN and the OS Command Console. Note 2839864 provides a patch for the LM_SERVICE for Support Pack levels 6-9 of the Agent. For earlier versions, the commands.xml file must be updated with a new version. It is recommended to apply the setting ‘param=”false”‘ to block attackers from injecting commands into the file.

Note 2814007 includes Support Package patches for a missing XML Validation vulnerability in the HTML interface of Web Intelligence (WebI). WebI is a component of the SAP BusinessObjects Business Intelligence Platform. Successful exploitation of the vulnerability could lead attackers to read arbitrary files retrieval from servers or provoke a denial-of-service.

Note 2393937 delivers switchable authorization checks for remote-enabled function modules in SAP Internet Pricing and Configurator (IPC). Switchable authorization checks supplement checks performed using authorization object S_RFC. They are activated with transaction SACF.