Note 3459935 was updated in September with revised solution details to patch a high priority information disclosure vulnerability in SAP Commerce Cloud. Some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII) data, such as passwords, to be included in the request URL as query or path parameters. The impacted endpoints are detailed in the note. The note includes patches for both the cloud and on-premise editions. A workaround is also included in the note if the corrections cannot be implemented within a reasonable timeframe.
Note 3505503 addresses a Cross-Site Scripting (XSS) vulnerability in the logon application of SAP NetWeaver Application Server (AS) Java. Due to insufficient encoding of user-controlled inputs, SAP NetWeaver AS Java allows malicious scripts to be executed in the login application. The solution included in the note encodes parameters to address the vulnerability.
Notes 3501359 and 3498221 patch Cross-Site Scripting vulnerabilities in SAP CRM and SAP Enterprise Portal.
Note 3488039 deals with multiple missing authorizations in SAP NetWeaver Application Server (AS) ABAP and ABAP Platform. The missing authorization checks affect function modules in function group SMTR_NAVIGATION_MODULES_BX. As a workaround, you can withdraw authorization object S_RFC where field RFC_TYPE carries the prefixed value for SMTR_NAVIGATION_MODULES_BX, or where field RFC_NAME carries the names of the function modules in function group SMTR_NAVIGATION_MODULES_BX.
The Network and Information Security (NIS2) Directive takes effect on October 17 and imposes significant requirements on organizations for cybersecurity and incident reporting. NIS2 mandates strict standards for cybersecurity and incident reporting for organizations that are based in the European Union or provide services within the EU. It is targeted at essential and important organizations in specific sectors considered part of the supply chain for critical infrastructure in member states.
The Directive includes requirements for protecting the confidentiality, integrity and availability of data in network and information systems against cyber threats, as well as detecting and reporting significant security incidents within prescribed time frames. This includes data and incidents impacting business-critical SAP solutions.
The newly-released whitepaper from Layer Seven Security simplifies the path to NIS2 compliance by providing guidance for complying with the Directive for SAP solutions. This includes sources for hardening standards to comply with cybersecurity requirements, and threat detection and response mechanisms to comply with the incident reporting requirements of the Directive. The guidance includes specific recommendations for solutions in SAP RISE.
Hot news note 3477196 deals with a critical Server-Side Request Forgery (SSRF) vulnerability in applications built with SAP Build Apps. SAP Build Apps is vulnerable to CVE-2024-29415 due to the use of an older version of a Node.js library included in software components for AppGyver. AppGyver is an open-source development platform used by SAP Build Apps. Applications should be rebuilt with version 4.11.130 or later of SAP Build Apps to address the vulnerability.
Hot news note 3479478 for CVE-2024-41730 patches a missing authentication check in SAP BusinessObjects Business Intelligence Platform (BOBJ). The vulnerability can be exploited by threat actors to compromise logon tickets used for single sign-on with a REST endpoint. The fix included in the note secures the default configuration of single sign-on enterprise authentication.
Note 3485284 addresses a high priority XML injection vulnerability in the Export Web Service of BEx Web Java Runtime in SAP Business Intelligence version 7.50. The issue is specific to PDF export using Java ALV and ADS.
Note 3459935 fixes an information disclosure vulnerability in SAP Commerce Cloud that could lead to the leakage of Personally Identifiable Information (PII) data in query or path parameters. This includes passwords, email addresses, mobile numbers, coupon codes, and voucher codes. The vulnerability impacts specific API endpoints detailed in the note. A workaround is included in the note. Vulnerable endpoints should be replaced with the new secure variants detailed in the solution section of the note.
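The two items above describe the same exposure: PII such as passwords, email addresses, mobile numbers and coupon or voucher codes arriving in query or path parameters, where it is written to access logs, proxies and browser histories. As an added example (not SAP's code or a check from the note), the scanner below reads web-server access-log lines and flags requests whose query string carries a sensitive parameter name or an email- or phone-shaped value, or whose path contains an email-shaped segment, so that clients still calling the old endpoints can be found before the secure variants are adopted. The log lines, endpoint paths and parameter list are constructed assumptions to be tuned to the endpoints listed in the note.

```python
"""Flag PII travelling in URL query or path parameters by scanning access-log lines."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names that should never appear in a URL (assumed list, lower-cased).
SENSITIVE_PARAMS = {"password", "pwd", "oldpassword", "newpassword", "email",
                    "mobile", "phone", "couponcode", "vouchercode", "voucherid"}
# Shape checks for values; the phone pattern is deliberately loose, so tune it.
EMAIL_RE = re.compile(r"[^\s/@]+@[^\s/@]+\.[a-z]{2,}", re.I)
PHONE_RE = re.compile(r"\+?\d[\d ()-]{7,}\d")
# Combined log format; only client, method, request target and status are used.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def classify_value(value):
    """Label a value that looks like PII by shape, else return None."""
    if EMAIL_RE.fullmatch(value):
        return "email-value"
    if PHONE_RE.fullmatch(value):
        return "phone-value"
    return None

def scan_line(line):
    """Return (kind, where) findings for one log line. Findings name the parameter
    or path position, never the PII itself, so the report is not a second leak."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    findings = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(("sensitive-param", name))
        elif classify_value(value):
            findings.append((classify_value(value), name))
    for idx, segment in enumerate(url.path.split("/")):
        label = classify_value(unquote(segment))  # path parameters arrive percent-encoded
        if label:
            findings.append((label, f"path-segment-{idx}"))
    return findings

def scan_log(lines):
    """Reduce a log to (client, method, path, findings) for flagged lines only."""
    report = []
    for line in lines:
        findings = scan_line(line)
        if findings:
            m = LOG_RE.match(line)
            report.append((m.group("client"), m.group("method"),
                           urlsplit(m.group("target")).path, findings))
    return report

# Constructed sample log lines (not real traffic; the paths are illustrative).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Sep/2024:10:15:01 +0000] "PUT /occ/v2/site/users/current/password'
    '?oldPassword=Secret1&newPassword=Secret2 HTTP/1.1" 200 0',
    '10.0.0.7 - - [10/Sep/2024:10:15:02 +0000] "GET /occ/v2/site/users/alice%40example.com'
    '/carts HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Sep/2024:10:15:03 +0000] "GET /occ/v2/site/products/search'
    '?query=laptop&pageSize=20 HTTP/1.1" 200 4096',
    '10.0.0.11 - - [10/Sep/2024:10:15:04 +0000] "POST /occ/v2/site/forgottenpasswordtokens'
    '?userId=bob%40example.com HTTP/1.1" 202 0',
]
```

Running `scan_log(SAMPLE_LOG)` reports three of the four constructed lines; the product search is clean. Because findings carry parameter names and path positions rather than values, the report can be shared with application teams without copying the leaked data again.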
The fallout of the recent worldwide systems outage has far-reaching consequences for cybersecurity. The outage is estimated to impact 8.5 million devices powered by Microsoft Windows operating systems. The cause of the outage is a corrupted update for an agent used for the Falcon security platform from CrowdStrike. Falcon uses a cloud architecture with servers, workstations, containers, virtual machines, and other devices connected directly to CrowdStrike services through an agent installed in each host. The agent operates at the kernel level. The kernel is responsible for managing work processes in operating systems and mediating access to hardware resources.
Operating systems enable applications to run in two modes: user and kernel. Most applications operate in user mode without direct access to the underlying hardware or system resources. Kernel mode is far more privileged and provides applications with unrestricted access to the system including hardware control, memory management, and device drivers. Errors in applications running in user mode are isolated and do not impact the stability of the operating system. However, errors in applications running in kernel mode can crash the operating system. This is exactly what happened with the recent CrowdStrike/Microsoft outage.
The Falcon agent operates in kernel mode as a device driver. This is most likely because the agent requires privileged access to system data structures to deliver the protection provided by CrowdStrike. Microsoft is well aware of the risk posed by applications running in kernel mode. The Windows Hardware Quality Labs (WHQL) program is intended to test and certify third party device drivers to manage the risk. The driver used by the Falcon agent was WHQL tested and certified. However, security products such as Falcon require continuous updates to counter the latest cyber threats. Since it’s not feasible to recertify the driver for each update, updates are applied through dynamic definition files that can include code executed by the driver. This code is not tested and signed as part of the WHQL program. A software bug in unsigned code packaged in a recent update for the Falcon driver running in kernel mode is the root cause of the large-scale system outage.
There are two obvious questions that arise from the events. The first is why the software bug was not discovered and removed before the update was released by CrowdStrike. This points to concerns around development and release management procedures on the part of the software vendor. Understandably, it's not feasible to test software updates against every possible scenario. For example, past CrowdStrike updates have been known to trigger crashes in the Central Management Console and Central Management Server of SAP BusinessObjects. However, given the widespread impact of the current bug, it's likely that more comprehensive testing would have revealed the error. It also raises questions around inadequate parameter validation in the Falcon agent, which could have detected and blocked errors in arguments passed to kernel functions and prevented the system crashes. This points to concerns around software design.
The second question is why organizations didn't analyze the impact of the updates on test machines or perform a staged rollout. Testing would most likely have revealed the issue, and a staged rollout of the update would have lessened the impact even if the update wasn't tested.
The answer to both questions is that both software vendors and customers are responding to a threat landscape that demands rapid response to new and emerging threats. Therefore, organizations are prioritizing speed of response for information security over preserving the availability of their systems. The outage provides a stark reminder of the dangers of this approach.
Systems outages can be especially severe if they impact business-critical SAP solutions. SAP customers should identify third party agents and programs that operate in kernel mode in SAP hosts. The continued use of such software should be reviewed in light of recent events, especially if the software is automatically updated by the vendor without any input from the customer.
The Cybersecurity Extension for SAP protects SAP solutions from advanced persistent threats without the use of kernel-level agents or programs. The solution operates in user mode to monitor and secure the application, database and operating system layers in SAP hosts.
Note 3483344 addresses a high-risk missing authentication check in SAP Product Design Cost Estimation (PDCE), included in the S4CORE component of SAP S/4HANA. The vulnerability can be exploited to escalate privileges and read sensitive information. The correction included in the note deactivates the affected functions to remove the vulnerability. There is no workaround provided by SAP. The note applies to versions 102-103 of S4CORE and 104-108 of S4COREOP.
Note 3490515 patches a vulnerability in SAP Commerce which enables users to misuse the forgotten password functionality to gain access to a Composable Storefront B2B site for which early login and registration is activated, without requiring the merchant to approve the account beforehand. If the site is not configured as an isolated site, this can also grant access to other non-isolated early login sites, even if registration is not enabled for those other sites. The issue materializes when both early login and registration are set to true. It does not affect setups that utilize classic accelerator storefronts and is specific to B2B scenarios. A workaround in the note includes steps for disabling early login and registration.
Note 3454858 addresses an information disclosure vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) and ABAP Platform. The note updates function module F4_DXFILENAME_TOPRECURSION to restrict access to the file system and prevent users from traversing to unauthorized directories.
Note 3456952 patches SAP NetWeaver AS ABAP and ABAP Platform to prevent developers bypassing an API configured for malware scanning using classes CL_HTTP_REQUEST and CL_HTTP_ENTITY.
Notes 3482217 and 3468681 address multiple cross-site scripting vulnerabilities in SAP Business Warehouse and SAP Knowledge Management, respectively.
SAP Focused Run (FRUN) is an Application Lifecycle Management (ALM) solution designed for real-time, high-volume system monitoring. It benefits from a simpler and more scalable architecture than other ALM platforms such as SAP Solution Manager (SolMan). Also, unlike SolMan, it runs exclusively on SAP HANA.
System monitoring using FRUN is supported through the deployment of the Simple Diagnostics Agent (SDA) to target systems. The SDA is integrated with the SAP Host Agent in SAP solutions. It collects and forwards metrics from systems to FRUN using HTTPS. System connections are routed through reverse proxies such as the Web Dispatcher. The SAP Host Agent, SDA and Web Dispatcher are included in RISE system builds and landscapes. Therefore, RISE systems can be monitored by both customers and service providers using SAP Focused Run.
FRUN supports monitoring for all SAP solutions and cloud services. This includes the public and private editions of SAP S/4HANA, SAP Business Suite, ECC, HANA platform, SAP Cloud, SuccessFactors/HXM, Ariba, Concur, AS ABAP/Java, Cloud Connector, Business Objects, Enterprise Portal, Mobile Platform, CRM, Business Warehouse, PI/PO, MII and Web Dispatcher. It also supports monitoring for OS and database platforms, and SAP BTP. Steps for monitoring the ABAP, Cloud Foundry, and Neo environments of BTP are detailed in the FRUN Expert Portal.
SAP Focused Run supports advanced monitoring capabilities such as Real User Monitoring. This can be used to monitor user actions for detailed forensics. It also supports System Anomaly Prediction for detecting and investigating anomalies based on predefined models and risks, and advanced Integration and Exception Monitoring for analyzing the usage of system interfaces.
The Cybersecurity Extension for SAP integrates with FRUN to perform advanced security monitoring for SAP solutions, including vulnerability and compliance management, patch management, custom code scanning, and threat detection and response. The SAP-certified solution leverages FRUN applications and components to discover system, code and user-related vulnerabilities, calculate required security notes, and detect security incidents and anomalies.
The Cybersecurity Extension for SAP is accessed from the Fiori launchpad for SAP Focused Run. FRUN users with the required roles can access the solution using the workgroup below. Systems are automatically mapped from the Landscape and Management Database (LMDB). Also, multi-tenancy for customer separation is automatically enforced through network and customer IDs configured by service providers in FRUN.
Deploying the Cybersecurity Extension for SAP to FRUN provides a more reliable and scalable option than deploying to Solution Manager. It also delivers improved performance with lower maintenance in comparison to SolMan. SAP Focused Run and SAP Solution Manager are the current deployment options supported for the standard edition of the Cybersecurity Extension for SAP. A third option is planned for early 2025 that would enable SAP customers to deploy the solution to NetWeaver AS ABAP systems such as SAP GRC. For SAP RISE customers, the cloud edition of the Cybersecurity Extension for SAP provides a SaaS option that does not require deployment to an SAP system.
Note 3460407 patches a high priority denial of service vulnerability in the Meta Model Repository of SAP NetWeaver Application Server Java (AS Java). The vulnerability impacts version 7.50 of the software component MMR_SERVER. There are no workarounds available.
Note 3457592 deals with reflected and stored cross-site scripting vulnerabilities in SAP Financial Consolidation reported in CVE-2024-37177 and CVE-2024-37178. The note encodes URL parameters to prevent exploitation of the vulnerabilities.
Note 3466175 patches an access control issue related to the management of incoming payment files in SAP S/4HANA that could lead to an escalation of privileges. The impacted versions of S4CORE are 102-108.
A similar vulnerability is patched by note 3465455 in SAP BW/4HANA. After applying the note, it will not be possible to execute arbitrary functions within SAP BW/4HANA Transformation and DTP. Only functions/methods explicitly defined in the allowlist mentioned in the manual correction instructions can be executed to avoid any misuse.
Note 3425571 fixes an information disclosure vulnerability in NetWeaver AS Java that could lead to the leakage of server information. A workaround is detailed in the note to disable the impacted caf~eu~gp~model~eap application in the Guided Procedures component of AS Java.
S/4HANA Access Risk Analysis, SAP RISE Compliance, SAP ETD Benchmarking and More
The new release of the Cybersecurity Extension for SAP is scheduled for general availability in May and includes several important enhancements.
Version 5.1 includes coverage for critical access and segregation of duties in SAP S/4HANA. It performs more than 700 checks for access to sensitive transactions and conflicting combinations of transactions for business processes such as Finance, HR and Payroll, Materials Management, Order to Cash, and Procure to Pay in S/4HANA. Exclusions can be maintained for users and groups to tune checks and exclude permitted users. Users can add custom checks for transactions and combinations not included in the standard ruleset. This includes custom transactions. The coverage includes all of the relevant access risk IDs monitored by SAP GRC for S/4HANA. The checks are included in the new areas S/4HANA Critical Access and S/4HANA Segregation of Duties. Usage rights are included in the standard license for the Cybersecurity Extension for SAP.
The new release also includes support for monitoring the compliance of SAP RISE systems with information security standards defined by SAP Enterprise Cloud Services (ECS) in note 3250501. The standards include required settings for security-relevant profile parameters, deleting unused clients, securing standard users, restricting access to password hashes, RFC gateway and message server hardening, deactivating critical ICF services, managing system and client change options, and applying transport layer security. There are over 120 specific requirements across 12 areas that customers must comply with for RISE solutions managed by ECS.
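As an added example (not SAP's or Layer Seven's code), the checker below shows the shape of such compliance monitoring: it parses a profile-parameter dump, evaluates every parameter against a rule-driven baseline, and fails closed on parameters the dump does not contain, since those run on kernel defaults that still have to be verified. The parameter names are real SAP profile parameters, but the expected values and the dump format are assumptions; the actual ECS requirements come from note 3250501.

```python
from dataclasses import dataclass

# Baseline: parameter -> (operator, expected). Parameter names are real SAP profile
# parameters; the expected values are ASSUMED placeholders, not note 3250501's.
BASELINE = {
    "login/min_password_lng": (">=", 8),
    "login/fails_to_user_lock": ("<=", 5),
    "login/no_automatic_user_sapstar": ("==", 1),
    "login/password_downwards_compatibility": ("==", 0),
    "rfc/reject_expired_passwd": ("==", 1),
    "snc/enable": ("==", 1),
}
OPS = {">=": lambda a, e: a >= e, "<=": lambda a, e: a <= e,
       "==": lambda a, e: a == e, "in": lambda a, e: a in e}

@dataclass
class Finding:
    parameter: str
    expected: str
    actual: object      # None when the parameter is absent from the dump
    compliant: bool

def parse_profile_dump(text):
    """Parse 'name  value' lines (assumed format modelled on an RSPFPAR-style export)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)       # split on any whitespace, at most once
        if len(parts) != 2:
            continue                      # malformed line: skip rather than guess
        name, value = parts
        try:
            params[name] = int(value)
        except ValueError:
            params[name] = value          # non-numeric values stay strings
    return params

def check_compliance(params, baseline=BASELINE):
    """Evaluate every rule; an unmaintained parameter fails closed because the
    kernel default then applies and must be verified explicitly."""
    findings = []
    for name, (op, expected) in baseline.items():
        actual = params.get(name)
        try:
            ok = actual is not None and OPS[op](actual, expected)
        except TypeError:                 # e.g. a string where a number was expected
            ok = False
        findings.append(Finding(name, f"{op} {expected}", actual, ok))
    return findings

def noncompliant(findings):
    """Sorted parameter names that failed, for the remediation list."""
    return sorted(f.parameter for f in findings if not f.compliant)

# Constructed excerpt of an instance profile dump (not from a real system).
SAMPLE_DUMP = """
# parameter                              value
login/min_password_lng                   6
login/fails_to_user_lock                 5
login/no_automatic_user_sapstar          1
login/password_downwards_compatibility   1
rfc/reject_expired_passwd                0
"""
```

On the constructed dump, `noncompliant(check_compliance(parse_profile_dump(SAMPLE_DUMP)))` lists four parameters, one of them (snc/enable) only because it is not maintained at all.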
Version 5.1 includes several new threat detection patterns to bridge the gap with SAP Enterprise Threat Detection Cloud Edition (ETD CE). As a result, the Cybersecurity Extension for SAP now provides coverage for the same patterns as ETD CE. It also includes more than 750 patterns that are not included in ETD CE. Similar to ETD CE, the Cybersecurity Extension for SAP is available as Software-as-a-Service (SaaS) for RISE customers.
Finally, the new release includes new tiles for Actively Exploited Vulnerabilities and Known Exploited Vulnerabilities. The former can be used to display open vulnerabilities that have associated alerts. The latter can display calculated security notes for systems that are required to address Known Exploited Vulnerabilities (KEV) for SAP solutions in the CISA KEV catalog.
Hot news note 3448171 patches a critical file upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform. The correction delivered in the note changes the default configuration to prevent file uploads without signatures in the FILESYSTEM and SOMU_DB of the Content Repository. The workaround detailed in the note provides manual steps for applying the secure configuration using transaction OAC0.
Note 3455438 addresses CSS injection and remote code execution vulnerabilities in SAP CX Commerce. The Swagger UI used by CX Commerce is vulnerable to CVE-2019-17495 (CSS injection). This vulnerability enables attackers to perform Relative Path Overwrite (RPO) in the CSS-based input fields. Apache Calcite Avatica 1.18.0 in CX Commerce is vulnerable to CVE-2022-36364 (remote code execution). The note removes extensions that use Swagger UI. It also updates Avatica to a secure version.
Note 3431794 fixes a high-risk cross-site scripting vulnerability in SAP BusinessObjects Business Intelligence (BOBJ) Platform. BOBJ is vulnerable to stored XSS allowing an attacker to manipulate a parameter in the Opendocument URL. User input is sanitized by the correction delivered via the note to address the vulnerability.
Notes 3450286 and 3448445 address stored cross-site scripting vulnerabilities in SAP NetWeaver AS ABAP that can lead to code injection and session hijacking due to insufficient encoding of URL parameters.
Note 2174651 patches an information disclosure vulnerability in the Integration Directory of SAP Process Integration (PI) that could enable attackers to discover sensitive information such as usernames and passwords.
Based on a newly-released paper published by researchers at the University of Illinois, AI agents can combine large language models with automation software to autonomously analyze and exploit security vulnerabilities. During the research, OpenAI’s GPT-4 large language model was able to successfully exploit 87 percent of vulnerabilities when provided with a CVE advisory describing the flaws. The dataset included 15 one-day vulnerabilities taken from the Common Vulnerabilities and Exposures (CVE) database. One-day vulnerabilities are vulnerabilities that have been disclosed but not patched. More than 50 percent of the dataset were critical or high-rated vulnerabilities. Vulnerability exploitation was performed by GPT-4 using the ReAct automation framework.
Large language models are AI programs that use deep learning to recognize and interpret complex data such as human language. GPT-4 failed to exploit just two of the 15 vulnerabilities in the dataset. This included CVE-2023-51653 for Hertzbeat RCE. The failure to exploit this particular CVE was due to differences between the language in which the detailed description of the vulnerability was available and the language deployed for the AI agent.
Researchers calculated the cost of successful AI agent attacks at just $8.80 per exploit. The agent consists of only 91 lines of code and has not been publicly released at the request of OpenAI.
The ground-breaking research demonstrates the risk posed by AI to automate the discovery and exploitation of security vulnerabilities. It reduces the complexity and cost of vulnerability exploitation and increases the reach of threat actors.
The details of SAP vulnerabilities are publicly available in sources such as the CVE database and the NIST National Vulnerability Database (NVD). AI agents using large language models can analyze CVEs in the databases including details revealed in links for each CVE. SAP vulnerabilities are also documented and explained in depth in security forums. This often includes disclosure of sample code for vulnerability exploitation.
According to another recent study performed by Flashpoint and Onapsis, ransomware incidents impacting SAP systems increased by 400% over the last three years. Conversations on SAP vulnerabilities and exploits increased by 490% across the open, deep, and dark web between 2021 and 2023.
SAP customers can actively manage the risk of the successful discovery and exploitation of vulnerabilities including attacks leveraging artificial intelligence by regularly patching SAP solutions and through on-going vulnerability management. The Cybersecurity Extension for SAP automates the detection of both required SAP security notes and vulnerabilities in SAP solutions and infrastructure. It also detects vulnerabilities in custom SAP applications and programs.