Layer Seven Security

SAP Security Notes, October 2022

Hot news note 3239152 patches a critical URL redirection vulnerability in SAP Commerce Cloud. The vulnerability can be exploited to manipulate URLs and redirect users to logon pages controlled by threat actors. User submissions served by attacker-controlled servers can be used to steal logon credentials and hijack accounts. Note 3239152 includes a fix for specific versions of SAP Commerce Cloud. Workarounds are also detailed in the note if the patches cannot be applied. This includes removing the OAuth extension and URL filtering. The latter can be implemented using website redirects in SAP Commerce. However, there are known side-effects with the workarounds. For example, the OAuth extension is required by SmartEdit Module, Assisted Service Module, and other extensions. OAuth may also be required for integrations.

Note 3242933 provides a fix for critical directory traversal vulnerability in SAP Manufacturing Execution that could lead to information disclosure. The effected plugins are Work Instruction Viewer (WI500) and Visual Test and Repair (MODEL_VIEWER).

Note 3229132 patches an information disclosure vulnerability in Program Objects within SAP BusinessObjects Business Intelligence Platform that could be exploited to compromise OS credentials. The credentials are exposed in clear-text to administrators.

Note 3232021 deals with a buffer overflow vulnerability in SAP SQL Anywhere and SAP IQ that can be used to trigger a denial of service in database servers.

Notes 3245929 and 3245928 patch multiple high-risk vulnerabilities in SAP Visual Enterprise Viewer.

Maintaining System Inventories with SAP Solution Manager

Maintaining an accurate and complete inventory of SAP systems is an important requirement for cybersecurity. It enables organizations to assess and prioritize risk management, ensure systems are not accidentally overlooked and exposed to threats, plan and track maintenance activities such as upgrades to apply security patches, and recover rapidly from security incidents including data breaches and successful ransomware attacks. For this reason, compliance frameworks such as CIS, NIST and PCI-DSS include requirements for asset management. The requirement is also the subject of the new bill Strengthening Agency Management and Oversight of Software Assets Act approved by the U.S Senate Homeland Security and Governmental Affairs Committee in September.

In many organizations, SAP asset inventories are maintained in spreadsheets or asset management tools that require manual updating. This can lead to inaccuracies if these approaches fail to keep pace with changes in complex and evolving SAP landscapes. Landscape Management in SAP Solution Manager provides an automated solution for managing system inventories by discovering and mapping SAP assets and automatically updating system information. Landscape Management is included in the standard usage rights for Solution Manager.

System information is sourced by Landscape Management from the System Landscape Directory (SLD). The SLD is the central repository of system information required for SAP lifecycle management. SAP landscapes may have multiple SLDs for backup or to support different environments, but the supplier for Landscape Management is the central SLD. The SLD includes a software catalog for each system known as CR Content. It also includes a Common Information Model (CIM) for sharing hardware and software information. CR and CIM data is automatically synched  from the SLD with Landscape Management via SAP agents. The data can also be automatically or manually imported into Solution Manager in landscapes that do not have an SLD. The data is then synched from Landscape Management with the Maintenance Planner in the SAP Support Portal. This is one of the primary reasons why SAP Solution Manager is required in SAP landscapes even if customers are not actively using any SolMan scenarios.

Landscape Management is accessed from the SAP Solution Manager Administration workgroup in the Fiori Launchpad.

System information is categorized by application server, database, host and component areas. For technical systems, you can select a system from the selection screen and click on Display to display the full system information.

The initial screen summarizes the key attributes for the system such as the SID, database, installation number, release information and SAP products installed in the system. This section also includes the environment, location and lifecycle status. The priority of the system can be used to classify systems based on their business importance using a low to very high rating scale.

The tabs for Technical Scenarios, SAP Support Portal, Business Partners, and Installed Licenses detail the active SolMan scenarios for the system, the system number, key personnel including system owners, business contacts, architects, and technical support with email addresses and telephone numbers, and license information.  

The Software section lists the installed software components including version and support pack level. This information is used by SAP Solution Manager during the calculation of relevant notes including security notes.

The Database, Instances and Clients section include information such as the database type, release and host name, instance names, numbers and directories, and active clients and roles.

The Hosts section will include host-level information such as the host name, FQDN, IP address, OS type and version, CPU, and details of whether the host is physical, logical or virtual.

The Destinations section lists the active RFC destinations in the system by client.

Finally, the Component Groups section details the logical component groups for the system. This is often used to group systems based on their role. The system roles below are predefined by SAP. However, users can create and maintain custom component groups to cluster systems by business group, function, location, or other areas.

SAP Security Notes, September 2022

Note 3237075 patches a high priority vulnerability in SAP GRC Access Control that could be exploited by attackers to access Firefighter sessions even after they are closed in the Firefighter Logon Pad. Firefighter IDs are dedicated user identities with elevated privileges that are activated when required and controlled through Emergency Access Management (EAM) in SAP GRC. Note 3237075 provides a patch to detect active Firefighter sessions using SM04 and SM05 information. To properly retrieve the SM05 data, the GRC RFC user will require authorization object S_ADMI_FCD with value PADM. According to SAP, the implementation of the correction will lead to a slight degradation in performance due to the additional time required for the SM04 check during logon. This only affects the central system.

Note 3213507 resolves a privilege escalation and information disclosure vulnerability in SAP BusinessObjects Business Intelligence (BOBJ) that could lead to the retrieval and modification of sensitive system data from the Central Management Server (CMS) and Monitoring DB. Note 3217303 patches a similar vulnerability in the BOBJ Central Management Console (CMC).

Notes 3223392 and 3226411 deal with high-risk privilege escalation vulnerabilities in SAP Business One and SAP SuccessFactors, respectively. The vulnerabilities can be exploited to gain system privileges.

Finally, note 2998510 was updated to clarify that sysmon is not the only OS application that can be exploited to compromise authentication credentials for the CMS in BOBJ. Also, the vulnerability impacts BOBJ installations operating from both Linux/ Unix and Windows platforms.

Securing Custom SAPUI5 Applications using the Cybersecurity Extension for SAP

SAPUI5 is the foundation of Fiori applications in SAP solutions such as SAP HANA and S/4HANA. It provides a HTML5 framework for developing flexible and user-friendly applications that perform consistently across all browsers, platforms, and devices, and integrate with ABAP programs using APIs such as OData services.

The SAPUI5 library is based on the jQuery JavaScript library. Therefore, although SAP Web IDE is recommended by SAP, UI5 applications can be developed using any development environment that supports JavaScript development. SAPUI5 applications generate their own JavaScript code and handle HTML rendering. Consequently, the applications are more susceptible to code-level vulnerabilities than Web Dynpro applications that use an abstract programming model. Application developers should ensure custom SAPUI5 applications meet stringent security standards during all phases of the development lifecycle. Custom applications are part of the attack surface for SAP systems and vulnerable applications are often targeted by threat actors to compromise SAP solutions. Since custom applications are not maintained by SAP and not patched by SAP security notes, customers are directly responsible for ensuring custom applications are secure and protected against misuse.

Automatic static source code scanning is a proven method to effectively and efficiently detect software vulnerabilities in custom applications during and after development. In addition to static code scanning for over 100 vulnerabilities in custom ABAP programs, the Cybersecurity Extension for SAP (CES) supports the automatic detection of more than 900 vulnerabilities in custom SAPUI5 applications. This includes vulnerabilities such as code injection, SQL injection, cross-site scripting, directory traversal, and missing or insufficient authentication or authorization checks. CES enables SAP customers to securely develop and deploy custom SAPUI5 applications to support the needs of end-users, in accordance with best practices for secure coding.

CES provides detailed information for vulnerabilities detected in custom SAPUI5 applications, including risk analysis, remediation guidance, and details of the impacted lines of code, objects, packages and owners. Findings are also mapped to the Common Weakness Enumeration (CWE) framework to monitor for compliance against coding best practices. CWE is software development standard supported by US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security. The results of static code scan results for custom SAPUI5 applications can be reviewed and managed using SAP Code Inspector (SCI) and exported as Excel/ PDF reports. The results are also integrated with the Vulnerability Report in CES, accessed from the Fiori launchpad for SAP Solution Manager.

SAP Security Notes, August 2022

Note 3102769 was rereleased in August with updated solution information. The workaround detailed in the original note has been moved to the new note 3221696. The workaround provides steps for deactivating the SAP IKS component to address a high priority cross-site scripting (XSS) vulnerability in SAP Knowledge Warehouse.

Note 3150454 was also updated to enforce authorization checks in lower SP levels of SAP NetWeaver Application Server ABAP when RFC destinations are modified using transaction SM59.

Note 3210823 addresses an information disclosure vulnerability in Open Document within SAP BusinessObjects Business Intelligence Platform (BOBJ). Open Document is a web application that processes incoming URL requests for documents and other objects. The vulnerability can be exploited by unauthenticated attackers to retrieve sensitive information over the network. The impacted versions of BOBJ are 4.2 SP009 and 4.3 SP002 – SP003.

Notes 3213524 and 3213507 patch lower-priority information disclosure vulnerabilities in the commentary and monitoring databases of SAP BOBJ that could lead to the exposure of sensitive system data. The vulnerabilities require network access for successful exploitation.

Securing Oracle Databases for SAP

According to Gartner research, 70 percent of SAP customers have yet to migrate to S/4HANA. Based on current rates of adoption, SAP is unlikely to achieve its goal of migrating ECC customers to S/4HANA by 2027. As a result, the majority of SAP solutions continue to be driven by conventional databases. One of the most common database platforms for SAP is Oracle.

Oracle databases including several important security features to protect data at rest and in transit. This includes network encryption for securing communications between application and database servers, transparent database encryption for encrypting database tables, columns or complete tablespaces, granular access control using Database Vault, and Unified Auditing to support advanced policy-based logging. However, poorly configured Oracle databases can provide a vulnerable target for attackers to access and compromise data in SAP systems, bypassing application-level security and detection.

This article details best practices for securing Oracle databases against common vulnerabilities and exploits to protect against SAP attacks targeted at the database layer.

One of the most important steps is disabling the OPS$ mechanism in Oracle. In earlier versions of Oracle, the password for the SAP database user was retrieved from Oracle tables via an operating system user. The user was able to logon to the database via a shell prompt using credentials maintained at the OS level. The OPS$ mechanism enables threat actors to logon remotely to Oracle using locally-created users with the same IDs as OS users that are authenticated externally. This was deprecated from Oracle 11g. The encrypted password for the SAP database user is now stored in the Secure Storage File System (SSFS). The OPS$ mechanism is disabled using the value FALSE for the database parameter REMOTE_OS_AUTHENT.

Other important parameters include 07_DICTIONARY_ACCESSIBILITY to limit access to objects in the system SYS schema, global_names for blocking database connections from unauthorized domains, remote_login_passwordfile for preventing the use of password files to authenticate users, and options for enforcing robust password policies for database users including password complexity and expiration.

There are several standard users that are enabled in Oracle databases when a new database is created. The default passwords for the users should be changed after the install. Refer to the Oracle Help Center for the full list of standard users.

Users in the PUBLIC group should not be able to execute sensitive packages such as UTL_ORAMTS, UTL_HTTP and HTTPURITYPE. These packages can be used to send data to external destinations. All database users are members of the PUBLIC group.

The WITH_ADMIN privilege should not be included in permissions and roles granted to users, except for Oracle-maintained users. Users with the privilege can grant the permissions and roles to other users.

Critical system and table privileges should be restricted to authorized users only. This includes ALTER SYSTEM, GRANT ANY PRIVILEGE and BECOME USER. The last privilege enables users to inherit the privileges of other users.

Auditing should be enabled for specific database events. Examples include role and user changes, profile changes, database links, granting object and system privileges, changes to stored procedures, and schema triggers. Logging of successful and unsuccessful attempts to alter the audit trail in the SYS.AUD$ table is also recommended.

The Cybersecurity Extension for SAP (CES) performs comprehensive vulnerability scans for Oracle databases supporting SAP applications. The SAP-certified add-on automatically detects Oracle vulnerabilities including insecure authentication mechanisms, database misconfigurations, standard users with default passwords, users with critical roles and privileges, and incomplete audit policies.

CES also monitors Oracle database logs to detect and alert for security incidents and potential data breaches. CES is the only solution that secures the entire SAP stack including application, database and host layers. For host monitoring, CES also supports vulnerability management and threat detection for Oracle Linux operating systems, as well as other Linux variants including Red Hat Enterprise Linux (RHEL) and SUSE Enterprise Linux Server (SLES). In next month’s blog, we will discuss security and monitoring for Microsoft platforms supporting SAP systems, including SQL Server and Windows Server. Coverage for both platforms is included in the Cybersecurity Extension for SAP.

SAP Security Notes, July 2022

There were several high priority security notes released in July for multiple vulnerabilities in SAP Business One. Note 3212997 patches an information disclosure issue that arises during the integration between Business One and SAP HANA. The vulnerability can be exploited to access privileged account credentials through the HANA cockpit’s data volume. Customers can switch from XPath passwords to explicit passwords in the FTP Adapter as temporary workaround.

Note 3157613 deals with a missing authentication check in the License Service API of Business One that could enable attackers to provoke a denial of service.

Note 3191012 resolves a code injection vulnerability in Business One that enables threat actors to upload and execute malicious executable files, such as exe, bat, and other script or binary file types. The note blocks the upload of file types included in the Microsoft block list.

Notes 3221288 and 3213141 patch vulnerabilities that can lead to the leakage of token information and access credentials for SAP BusinessObjects Business Intelligence and SAP Landscape Management, respectively.

SAP Security Notes, June 2022

Note 3158375 patches a high priority vulnerability in the SAProuter that can be exploited by attackers to execute administration commands from remote clients. The SAProuter is designed to accept administration commands from local clients only. However, this restriction can be bypassed in installations with specific entries in the saprouttab, the root permission table for the SAProuter. Entries that use the P or S prefix with a wildcard in target host and either a wildcard in the target port or the default port 3299 are vulnerable to the exploit. The use of wildcards in target host and target port for P and S entries is not recommended by SAP. Refer to SAP note 1895350 for details. The use of specific hostnames or IP addresses for target hosts will provide a temporary fix for the vulnerability. However, SAProuter versions 7.22 and 7.53 should be patched to patch levels 1119 and 1011, respectively, to permanently address the vulnerability. Kernel patches are also included in note 3158375.

Note 3197005 deals with a privilege escalation vulnerability in SAP PowerDesigner Proxy. The vulnerability can enable attackers with non-administrative privileges to work around a system’s root disk access restrictions to write or create a program file on the system disk root path, which could then be executed with the elevated privileges of the application during application start up or reboot.

Note 2726124 patches missing authorization checks in multiple components of SAP Automotive Solutions that can also lead users to escalate privileges.

Note 3147498 removes an access control gap in SAP NetWeaver Application Server Java to restrict access to remote objects such as adminadapter services.

30 Percent of Security Notes in System Recommendations are False Positives

System Recommendations (SysRec) in SAP Solution Manager automatically calculates relevant security notes for SAP systems based on the available software and application components in each system. It provides a cross-system view for required notes using a customizable, user-friendly interface.

The use of SysRec is recommended by SAP for the lifecycle management of notes. It connects directly to SAP Support to perform a daily or weekly check for new notes. It identifies prerequisite and side-effect notes.  It also identifies support packages for notes. Corrections can be downloaded directly through SysRec and staged automatically in systems. SysRec integrates with Change Request Management (ChaRM) for applying notes. It also supports change impact analysis for test planning through integration with the Business Process Change Analyzer (BPCA). Usage statistics for impacted objects are included in SysRec through integration with Usage and Procedure Logging (UPL) and the ABAP Call Monitor (SCMON).

Despite these benefits, there is one major drawback for SysRec. Based on an analysis performed by Layer Seven Security, an average of 30 percent of security notes reported in SysRec are false positives. The notes are irrelevant since the impacted application components are not installed in the relevant SAP systems. The process of manually reviewing notes in SysRec in order to identify and remove false positives is time-consuming, especially for large SAP landscapes. It can also lead to delays in the implementation of corrections to address security vulnerabilities in SAP solutions.

SysRec calculates notes for systems based on software information sourced from the Landscape Managed Database (LMDB) in SAP Solution Manager. The LMDB includes details of software components and versions for each system. This information supports not only SysRec, but Root Cause Analysis and System Monitoring in Solution Manager, and the Maintenance Planner in the SAP Support Portal. The data is synched from the System Landscape Directory (SLD). Therefore, one of the root causes of false positives in SysRec is the incomplete registration of systems in the SLD and synchronization issues between between the SLD and LMDB. Other root causes are job or connection errors during the runtime for the SysRec calculation. The LMDB can be kept in sync with the SLD by using the resynchronization option in the LMDB. Job and connection errors can be identified and alerted for using Job Monitoring and Interface Connection Monitoring in SolMan.

However, system maintenance, synchronization, and monitoring does not remove all false positives in SysRec. This is often a major source of frustration for SAP customers. The Cybersecurity Extension for SAP automatically identifies and removes false positives in SysRec by validating if the application components for notes are installed in SAP systems. Security notes for components that are not installed are marked as ‘Irrelevant’. Irrelevant notes can be removed using filters to improve the quality and reliability of results in System Recommendations.

The Cybersecurity Extension for SAP also enriches SysRec results by including information such as the CVE, CVSS and Vector for each note. This information supports the analysis and prioritizing of security notes based on risk and impact.

SAP Security Notes, May 2022

Hot news note 3165801 patches a critical missing authorization check in SAP NetWeaver Application Server ABAP. The notes introduces an authorization check for object S_OC_SEND to prevent the transmission of the contents of ABAP list output from the System Menu via e-mail. The note impacts all versions of SAP_BASIS from 700 to 788.

Notes 2756188 and 2754555 patch Cross-Site Request Forgery (CSRF) vulnerabilities in the front end and back end of Bank Payments of the Fiori UI for Financial Accounting.

Note 2998510 provides a fix for an information disclosure vulnerability in the Central Management Server (CMS) of SAP BusinessObjects that could lead to the leakage of authentication credentials in Sysmon event logs.

Central note 3170990 was updated with note 3189409 to include a patch for the critical Sping4Shell Remote Code Execution vulnerability in SAP Business One Cloud.