Layer Seven Security

SAP Security Notes, August 2020

Hot News note 2928635 patches a critical code execution vulnerability in SAP Knowledge Management (KM). KM supports the automatic execution of potentially malicious scripts in stored files without authentication. The note recommends disabling the option for Force Text Download to remove the vulnerability. Force Text Download is a parameter of the WebDAV Protocol. WebDAV includes HTTP extensions to support file management on remote web servers. Content management operations in KM are performed by methods that conform to the WebDAV protocol. Force Text Download is deactivated by default. This prevents the opening of files containing malicious scripts. The Malicious Script Filter can be used to encode executable scripts in files uploaded to KM repositories and therefore block the execution of the scripts. Encoded scripts can be decoded using the Malicious Script Handler. Note 2938162 removes a broken authentication vulnerability in KM that enables unauthenticated users to upload files to content repositories.

Note 2941667 introduces authorization checks for report RSBDCREC when executed directly without transaction SHDB. This could be exploited to inject malicious code in recordings or extensions. The note extends checks for authorization object S_BDC_MONI to the report and adds checks for authorization object S_DEVELOP for a central API.

Note 2941315 patches a missing authentication check in a web service that could be exploited to provoke a denial of service in SAP NetWeaver AS JAVA.  Note 2927956 mitigates a missing authentication check for the Unix Xvfb daemon required by SAP BusinessObjects Business Intelligence. The vulnerability could enable attackers to capture keystrokes and screen captures using the X server in SAP hosts.

Prevent and Detect Ransomware Attacks with SAP Solution Manager

Ransomware attacks accounted for one third of malware-based cyber attacks in the first quarter of 2020. Successful attacks encrypt and block access to files in compromised systems. Decryption keys for recovery of the files are typically only released after ransom demands are paid, usually in the form of untraceable cryptocurrencies. The impact of ransomware includes not only ransoms but also recovery costs. The cost of the ransomware attack experienced by Demant in 2019 is estimated at $95M. Costs at Norsk Hydro are expected to reach $70M.

Based on an analysis of telemetry records, there are several early indicators of ransomware operations performed by threat actors. Attackers often use legitimate administrative tools to prepare ransomware attacks. This includes network scanners to identify vulnerable targets and software removal tools to disable antivirus software. Threat actors also often install tools for credential theft on compromised systems.

Ransomware is usually packaged in zip files distributed through emails, trojans, and infected web sites. The ransomware WastedLocker, for example, is often disguised as zip files for legitimate software updates. WastedLocker infected digital infrastructure at Garmin in July, leading to a $10M ransom. Ransomware payloads can also be delivered through compromised SAP systems. Attackers can target remote code execution vulnerabilities in SAP GUI for client-side attacks. Ransomware can be installed directly in SAP servers using external operating system commands. OS commands performed by SAP users are executed by the operating system user <SID>ADM. The user has full administrative privileges for local SAP resources.

The wget command can be used to download ransomware from remote hosts to a target directory in the SAP host. Ransomware payloads can also be loaded directly in servers using transactions CG3Z or CACS_FILE_COPY. Once loaded, the payloads can be extracted and then executed using bash commands in Linux systems. This method for delivering, installing and executing ransomware will encrypt files in folders accessible by the <SID>ADM user and crash SAP applications and services. It may also impact other files and services in the host if the ransomware successfully elevates privileges.

Such exploits can be mitigated or detected in several ways. Access to perform OS commands should be restricted. This includes authorization object S_LOG_COM, transactions SM49 and SM69, program RSBDCOS0, and function modules such as SXPG_COMMAND_EXECUTE. Successful execution of the transactions, programs and function modules should also be monitored, as well as OS commands and changes to custom commands. Refer to SAP Note 1612730 for enabling detailed logging for external commands.

The Cybersecurity Extension for SAP Solution Manager performs automated scans to detect users with OS command privileges. It also monitors SAP logs to alert for the execution of OS commands, new custom commands, and changes to existing commands. The extension also detects and alerts for the execution of transactions SM49, SM69, CG3Z and CACS_FILE_COPY, program RSBDCOS0, and relevant function modules. Alerts are automatically forwarded to SIEM systems with event details. To learn more, contact Layer Seven Security

SAP Security Notes, July 2020

Hot News Note 2934135 patches the critical RECON vulnerability in NetWeaver Application Server Java (AS Java). RECON targets a missing authentication flaw in the LM Configuration Wizard of AS Java to execute malicious code that creates administrative users in compromised systems. Attackers can exploit RECON to compromise not only AS Java systems but also connected systems.

Note 2934135 introduces authentication and authorization for the LM Configuration Wizard and therefore secures against RECON attacks. KBA 2948106 includes FAQs to support the implementation of the note. As a workaround, the application tc~lm~ctc~cul~startup_app can be disabled if the note cannot be applied. Procedures for disabling the LM Configuration Wizard are detailed in SAP Note 2939665.

Note 2932473 removes a high-risk information disclosure vulnerability in the XMLToolkit of AS Java. The vulnerability could be exploited to read arbitrary files including files containing sensitive system configuration data.

Note 2734580 includes updated instructions for patching another information disclosure vulnerability impacting AS ABAP.  Note 2091403 should be implemented as a prerequisite for 2734580.

RECON: Secure Your Systems with SAP Solution Manager

US-CERT issued Alert AA20-195A on Monday for the so-called RECON (Remotely Exploitable Code On NetWeaver) vulnerability in SAP NetWeaver Application Server Java (AS Java). RECON impacts versions 7.3 and higher of AS Java including an estimated 40,000 SAP systems. Based on a BinaryEdge search, 4,000 of the impacted systems are internet-facing. The vulnerability is rated 10/10 using the Common Vulnerability Scoring System and can be exploited remotely by unauthenticated attackers to fully compromise SAP systems.

RECON targets a missing authentication flaw in the LM Configuration Wizard of AS Java to execute malicious code that creates administrative users in compromised systems. Attackers can exploit RECON to compromise not only AS Java systems but also connected systems including SAP ERP, CRM, SCM, and BW.

CISA strongly recommends SAP customers to apply SAP Note 2934135 to mitigate RECON. The note introduces authentication and authorization for the LM Configuration Wizard and therefore secures against RECON attacks. As a workaround, the application tc~lm~ctc~cul~startup_app can be disabled if the note cannot be applied. The LM Configuration Wizard is required by SAP Landscape Management. According to SAP, “This application is used by a few SAP Lifecycle procedures only, such as the initial technical setup. It is not needed for a day-to-day operations. You can temporarily activate or enable this application for executing the SAP lifecycle procedures.” Procedures for disabling the LM Configuration Wizard are detailed in SAP Note 2939665.

The implementation status of Notes 2934135 and 2939665 for impacted systems should be tracked using System Recommendations (SysRec) in SAP Solution Manager. SysRec connects directly to SAP Support to discover relevant notes for SAP applications, databases and components.

Users can create custom tiles in SysRec to track the implementation status of RECON notes in their SAP landscape from the Fiori launchpad.

The Cybersecurity Extension for SAP Solution Manager monitors Java application logs to detect the signature of RECON exploits. This includes enabling and executing the vulnerable application. The Extension also detects the creation of new administrative users and connections by new users or source IP addresses using anomaly detection. RECON alerts can be investigated using the incident response procedures Preventing RECON Attacks and Investigating Suspected RECON Attacks.

Email and SMS notifications are triggered for RECON alerts. The alerts can also be monitored in Solution Manager using the Alert Inbox, System Monitoring, and other applications. They can also be integrated with SIEM solutions for cross-platform monitoring. Custom alarms can be added to the Fiori launchpad to notify users of suspected RECON exploits.

SAP Security Notes, June 2020

Hot News note 2928570 patches a critical remote code execution vulnerability in SAP Liquidity Management for Banking. The vulnerability impacts connections using the Apache JServ Protocol (AJP) in Apache Tomcat. AJP connections should be blocked if not required by disabling the AJP Connector. The connections can be exploited to read and process arbitrary files in the Apache web server. This can be abused to perform remote code execution if web applications allow file uploads and the processing of files as JavaServer Pages. Apache Tomcat has been upgraded to harden the AJP Connector. However, SAP does not recommend upgrading the web server. Rather, note 2928570 provides manual procedures for disabling the AJP Connector or securing AJP connections with a secret key.

Note 2918924 provides instructions for removing hard-coded Credentials in SAP Commerce and SAP Commerce Datahub. The use of default passwords for admin and other built-in accounts has been discontinued for new installations of SAP Commerce. Since re-initializing SAP Commerce leads to the deletion of all data in the application, SAP recommends using the scripts in Note 2922193 to remove default credentials in existing installations.  

Note 2933282 removes a missing authorization check that could lead to an escalation of privileges in SAP SuccessFactors Recruiting.

Notes 2906366 and 2734580 includes corrections for high priority information disclosure vulnerabilities in SAP Commerce and SAP NetWeaver Application Server ABAP (AS ABAP), respectively.  

Anomaly Detection with SAP Solution Manager

Threat detection is commonly performed through rules or signature-based pattern matching. Detection engines compare actual events with patterns of malicious events to discover indicators of compromise (IOCs).  IOCs discovered by detection engines typically trigger an alarm or alert for a suspected security breach.

Pattern matching is a tried and tested method to identify known exploits in systems including SAP applications. However, there are several drawbacks with the approach. Attackers can obfuscate their actions to bypass attack detection patterns. Also, since pattern matching detects IOCs based on known signatures, new or emerging IOCs that have not yet been registered are not detected.

Anomaly-based threat detection provides an alternative to pattern matching with greater protection against anti-forensics and the capability to detect previously unknown attacks. Anomaly-based systems rely on profiles of expected or normal user and system behavior.  Actions by users or events in systems that deviate from the profiles generate an alarm or alert.   

Unlike rules and signatures for patten matching, profiles for anomaly detection cannot be created and maintained manually. Anomaly detection is usually applied through machine learning platforms that automate profile building and analysis for large pools of data.  

The Monitoring and Alerting Infrastructure (MAI) in SAP Solution Manager uses a pattern matching approach for threat detection in SAP systems. IOCs detected by the Event Calculation Engine in Solution Manger using pattern matching are displayed and managed in applications such as Security Forensics, System Monitoring, and the Alert Inbox. For anomaly detection, event logs collected, filtered, and normalized by Solution Manager are forwarded to the Predictive Analysis Library (PAL) in SAP HANA.

PAL includes functions for applying complex analytic algorithms using SQLScript database procedures. The functions include procedures for clustering, regression, time series, and other algorithms that are used to detect outliers in security logs. Anomalies discovered by PAL are transmitted back from SAP HANA to SAP Solution Manager for analysis using the Anomaly Detection application in the Cybersecurity Extension for SAP. The application is accessed from the Fiori launchpad in SAP Solution Manager.

Anomaly results are summarized by period. Results can be analyzed by the week, day or hour.

Results are filtered using Advanced Search. This supports filtering by anomaly, date, time, system, user, and source IP/ terminal. Results can also be filtered by anomaly type to view anomalies based on either event data or alert data. Event anomalies include outliers such as high volume of transaction starts, report starts, or data downloads, or a user request from a new IP address or terminal. Alert anomalies include areas such as high volume of alerts for a specific system, user or source, or a new alert for a user or system.

Anomalies calculated using standard deviation are scored based on distances from statistical averages. The further the distance from the mean, the higher the confidence level for the anomaly. The results displayed in Anomaly Detection are prefiltered for medium and high confidence anomalies. Anomaly-based threat detection can have a higher incidence of false positives than pattern-based detection. It can generate alarms for every deviation from expected norms. Therefore, an effective scoring mechanism is essential to enable security administrators to identify and focus on high-confidence anomalies.

Results can be sorted and exported to CSV/ PDF with the applied filters. The layout can be personalized by users to add, remove, and rearrange columns.

The details for each anomaly can be viewed by clicking on an anomaly in the summary. Anomaly times are in UTC. Timestamps for events are based on system time.

The Notify option can be used to append the anomaly details to an email for sharing.

SAP Solution Manager enables advanced threat detection for SAP systems by combining the benefits of both signature and pattern-based detection with anomaly detection using SAP HANA. Licensing for SAP HANA is included with the usage rights for SAP Solution Manager 7.2.

SAP Discloses Critical Vulnerabilities in ASE Databases

SAP customers are urged to apply a series of recent patches released by SAP for the Adaptive Server Enterprise (ASE).  SAP ASE, previously known as Sybase SQL Server and Sybase ASE, is a widely deployed database platform used for both SAP and non-SAP applications. According to SAP, ASE is used by over 30,000 customers worldwide, including 90 percent of the top 50 banks.

Four of the patches released by SAP are for critical or high-risk vulnerabilities in multiple components of ASE. The vulnerabilities impact ASE versions 15.7 and 16.0 and carry CVSS scores ranging between 7.2 and 9.1.

Note 2917275 patches the most severe of the vulnerabilities by applying input validation for DUMP and LOAD commands that could be exploited to overwrite critical configuration files during database backup operations. Attackers can run DUMP commands to overwrite database configuration files with corrupted versions that will replace the default configuration. This can be exploited to install backdoors to ASE using credentials stored in the corrupted configuration files. It can also be exploited to execute arbitrary commands and executables using local system privileges by modifying the sybmultbuf_binary Backup Server setting.

Note 2917090 impacts Windows installations of the SAP ASE 16. Credentials for SQL Anywhere packaged in ASE can be read by any Windows user. SQL Anywhere supports database creation and version management. The credentials can be used to perform code execution with local privileges.

Notes 2916927 and 2917273 deal with high-risk SQL injection vulnerabilities in global temporary tables and ASE Web Services. Both vulnerabilities can be exploited to escalate privileges in ASE.

Database security notes including patches for ASE should be regularly monitored and applied using System Recommendations in SAP Solution Manager. Solution Manager connects directly to SAP Support for patch updates and monitor the patch status of SAP applications and databases. SAP Solution Manager also supports comprehensive vulnerability management for SAP ASE. Automated, daily security scans for ASE should be configured using Solution Manager to check for vulnerabilities related to the database configuration, administrative privileges, stored procedures, and other areas. The ASE audit log can be monitored by the Monitoring and Alerting Infrastructure (MAI) in Solution Manager to detect and alert for suspected malicious commands. To learn more, contact Layer Seven Security.

SAP Security Notes, May 2020

Hot News Note 2835979 patches a critical code injection vulnerability in Service Data Download. The vulnerability can be exploited by attackers to inject malicious code into the ST-PI plugin for NetWeaver Application Server ABAP (AS ABAP). This could lead to the complete compromise of ABAP servers.  The vulnerability carries a base CVSS score of 9.9/10 and can be exploited over the network.

Hot News Note 2885244 carries a similar CVSS score of 9.8/10 and can be exploited to bypass authentication using REST Webservices (BIPRWS) for Live Data Connect in the SAP Business Intelligence Platform. The fix packaged with the note enables Live Data Connect to logon to the BI Central Management Server (CMS) with a shared key. This prevents logons to the CMS without a password when using trusted authentication.  The fix is available for version 2.4 of Live Data Connect. Customers using earlier versions are advised to upgrade to version 2.4.

Notes 2917275 and 2917090 patch critical code injection and information disclosure vulnerabilities in the Backup Server and Cockpit of SAP Adaptive Server Enterprise (ASE), formerly Sybase ASE. ASE is a widely used database platform for SAP systems. Note 2917275 applies input validation checks for DUMP and LOAD commands to prevent the execution of malicious user-provided code.  Note 2917090 prevents the disclosure of sensitive system and user data including account credentials. The impacted ASE versions are 16.0 SP02 and SP03.

Visualize Security Risks for SAP Systems with Threat Maps

Threat Maps in SAP Solution Manager visualize security vulnerabilities, missing patches and open alerts for SAP systems across geolocations. They provide a fast and intuitive way to display and interact with security information for SAP landscapes that span multiple cities, countries, or regions.

System data is maintained in the Landscape Management Database (LMDB) of SAP Solution Manager. The LMDB stores information related to technical systems, hosts, databases and domains in SAP landscapes. This includes installed software components and versions, database types and releases, clients, instances, RFC destinations and OS details for SAP systems.

Attributes for systems are maintained directly in the LMDB. Systems can be assigned to business units using the Description attribute. The environment and priority level for systems are maintained using the attributes IT Admin Role and Priority.  The coordinates for business units in terms of longitude and latitude are maintained in the Location attribute, separated by a comma.

The system attributes maintained in the LMDB integrate directly with the Threat Map, accessible from the Fiori launchpad in Solution Manager.

Users can switch between results for vulnerabilities, patches and alerts using the toolbar at the top of the application.

The size and opacity of geocircles is driven by quantitative and qualitative factors including volume, rating, environment and system priority.

Results are summarized for each business unit. However, users can drilldown to detailed results by clicking on the geocircles.

Map filters support filtering based on system, environment and priority.

Results can also be filtered by period to display results from the current day to the prior year.

The Threat Map can be customized to focus on specific countries or regions. Navigation tools support zoom in and out. The map also supports click and drag for navigation.

Map filters and positions can be saved to the Fiori launchpad as custom tiles.

The Threat Map is bundled in the Cybersecurity Extension for SAP Solution Manager available from Layer Seven Security.

SAP Discloses Security Gaps in Cloud Solutions

SAP issued a statement last week to disclose security lapses in several cloud products including SAP Cloud Platform, SAP Analytics Cloud, SuccessFactors, and Concur. According to the statement, the disclosure was prompted by an internal security review. SAP does not believe customer data has been compromised as a result of the issues. The lapses impact 9% of the company’s 440,000 customers.

The announcement is expected to dampen customer support for digital transformation initiatives intended to shift the hosting of SAP applications from on-premise data centers to cloud providers.

SAP also announced that the organization is updating security-related terms and conditions for its cloud solutions.  In response to concerns that such changes may be intended to reduce SAP’s legal risk for security issues and shift more responsibility for security to customers, SAP declared that the terms and conditions will “remain in line with market peers”.

Furthermore, SAP denied any link between the announcement and security breaches attributed to the Cloud Hopper hacking campaign. Cloud Hopper successfully exfiltrated sensitive data from multiple organizations by penetrating HPE’s cloud computing service. The campaign is suspected to be sponsored by the Chinese Ministry of State Security.