Note 3102769 was rereleased in August with updated solution information. The workaround detailed in the original note has been moved to the new note 3221696. The workaround provides steps for deactivating the SAP IKS component to address a high priority cross-site scripting (XSS) vulnerability in SAP Knowledge Warehouse.
Note 3150454 was also updated to enforce authorization checks in lower SP levels of SAP NetWeaver Application Server ABAP when RFC destinations are modified using transaction SM59.
Note 3210823 addresses an information disclosure vulnerability in Open Document within SAP BusinessObjects Business Intelligence Platform (BOBJ). Open Document is a web application that processes incoming URL requests for documents and other objects. The vulnerability can be exploited by unauthenticated attackers to retrieve sensitive information over the network. The impacted versions of BOBJ are 4.2 SP009 and 4.3 SP002 – SP003.
Notes 3213524 and 3213507 patch lower-priority information disclosure vulnerabilities in the commentary and monitoring databases of SAP BOBJ that could lead to the exposure of sensitive system data. The vulnerabilities require network access for successful exploitation.
According to Gartner research, 70 percent of SAP customers have yet to migrate to S/4HANA. Based on current rates of adoption, SAP is unlikely to achieve its goal of migrating ECC customers to S/4HANA by 2027. As a result, the majority of SAP solutions continue to be driven by conventional databases. One of the most common database platforms for SAP is Oracle.
Oracle databases including several important security features to protect data at rest and in transit. This includes network encryption for securing communications between application and database servers, transparent database encryption for encrypting database tables, columns or complete tablespaces, granular access control using Database Vault, and Unified Auditing to support advanced policy-based logging. However, poorly configured Oracle databases can provide a vulnerable target for attackers to access and compromise data in SAP systems, bypassing application-level security and detection.
This article details best practices for securing Oracle databases against common vulnerabilities and exploits to protect against SAP attacks targeted at the database layer.
One of the most important steps is disabling the OPS$ mechanism in Oracle. In earlier versions of Oracle, the password for the SAP database user was retrieved from Oracle tables via an operating system user. The user was able to logon to the database via a shell prompt using credentials maintained at the OS level. The OPS$ mechanism enables threat actors to logon remotely to Oracle using locally-created users with the same IDs as OS users that are authenticated externally. This was deprecated from Oracle 11g. The encrypted password for the SAP database user is now stored in the Secure Storage File System (SSFS). The OPS$ mechanism is disabled using the value FALSE for the database parameter REMOTE_OS_AUTHENT.
Other important parameters include 07_DICTIONARY_ACCESSIBILITY to limit access to objects in the system SYS schema, global_names for blocking database connections from unauthorized domains, remote_login_passwordfile for preventing the use of password files to authenticate users, and options for enforcing robust password policies for database users including password complexity and expiration.
There are several standard users that are enabled in Oracle databases when a new database is created. The default passwords for the users should be changed after the install. Refer to the Oracle Help Center for the full list of standard users.
Users in the PUBLIC group should not be able to execute sensitive packages such as UTL_ORAMTS, UTL_HTTP and HTTPURITYPE. These packages can be used to send data to external destinations. All database users are members of the PUBLIC group.
The WITH_ADMIN privilege should not be included in permissions and roles granted to users, except for Oracle-maintained users. Users with the privilege can grant the permissions and roles to other users.
Critical system and table privileges should be restricted to authorized users only. This includes ALTER SYSTEM, GRANT ANY PRIVILEGE and BECOME USER. The last privilege enables users to inherit the privileges of other users.
Auditing should be enabled for specific database events. Examples include role and user changes, profile changes, database links, granting object and system privileges, changes to stored procedures, and schema triggers. Logging of successful and unsuccessful attempts to alter the audit trail in the SYS.AUD$ table is also recommended.
The Cybersecurity Extension for SAP (CES) performs comprehensive vulnerability scans for Oracle databases supporting SAP applications. The SAP-certified add-on automatically detects Oracle vulnerabilities including insecure authentication mechanisms, database misconfigurations, standard users with default passwords, users with critical roles and privileges, and incomplete audit policies.
CES also monitors Oracle database logs to detect and alert for security incidents and potential data breaches. CES is the only solution that secures the entire SAP stack including application, database and host layers. For host monitoring, CES also supports vulnerability management and threat detection for Oracle Linux operating systems, as well as other Linux variants including Red Hat Enterprise Linux (RHEL) and SUSE Enterprise Linux Server (SLES). In next month’s blog, we will discuss security and monitoring for Microsoft platforms supporting SAP systems, including SQL Server and Windows Server. Coverage for both platforms is included in the Cybersecurity Extension for SAP.
There were several high priority security notes released in July for multiple vulnerabilities in SAP Business One. Note 3212997 patches an information disclosure issue that arises during the integration between Business One and SAP HANA. The vulnerability can be exploited to access privileged account credentials through the HANA cockpit’s data volume. Customers can switch from XPath passwords to explicit passwords in the FTP Adapter as temporary workaround.
Note 3157613 deals with a missing authentication check in the License Service API of Business One that could enable attackers to provoke a denial of service.
Note 3191012 resolves a code injection vulnerability in Business One that enables threat actors to upload and execute malicious executable files, such as exe, bat, and other script or binary file types. The note blocks the upload of file types included in the Microsoft block list.
Notes 3221288 and 3213141 patch vulnerabilities that can lead to the leakage of token information and access credentials for SAP BusinessObjects Business Intelligence and SAP Landscape Management, respectively.
Note 3158375 patches a high priority vulnerability in the SAProuter that can be exploited by attackers to execute administration commands from remote clients. The SAProuter is designed to accept administration commands from local clients only. However, this restriction can be bypassed in installations with specific entries in the saprouttab, the root permission table for the SAProuter. Entries that use the P or S prefix with a wildcard in target host and either a wildcard in the target port or the default port 3299 are vulnerable to the exploit. The use of wildcards in target host and target port for P and S entries is not recommended by SAP. Refer to SAP note 1895350 for details. The use of specific hostnames or IP addresses for target hosts will provide a temporary fix for the vulnerability. However, SAProuter versions 7.22 and 7.53 should be patched to patch levels 1119 and 1011, respectively, to permanently address the vulnerability. Kernel patches are also included in note 3158375.
Note 3197005 deals with a privilege escalation vulnerability in SAP PowerDesigner Proxy. The vulnerability can enable attackers with non-administrative privileges to work around a system’s root disk access restrictions to write or create a program file on the system disk root path, which could then be executed with the elevated privileges of the application during application start up or reboot.
Note 2726124 patches missing authorization checks in multiple components of SAP Automotive Solutions that can also lead users to escalate privileges.
Note 3147498 removes an access control gap in SAP NetWeaver Application Server Java to restrict access to remote objects such as adminadapter services.
System Recommendations (SysRec) in SAP Solution Manager automatically calculates relevant security notes for SAP systems based on the available software and application components in each system. It provides a cross-system view for required notes using a customizable, user-friendly interface.
The use of SysRec is recommended by SAP for the lifecycle management of notes. It connects directly to SAP Support to perform a daily or weekly check for new notes. It identifies prerequisite and side-effect notes. It also identifies support packages for notes. Corrections can be downloaded directly through SysRec and staged automatically in systems. SysRec integrates with Change Request Management (ChaRM) for applying notes. It also supports change impact analysis for test planning through integration with the Business Process Change Analyzer (BPCA). Usage statistics for impacted objects are included in SysRec through integration with Usage and Procedure Logging (UPL) and the ABAP Call Monitor (SCMON).
Despite these benefits, there is one major drawback for SysRec. Based on an analysis performed by Layer Seven Security, an average of 30 percent of security notes reported in SysRec are false positives. The notes are irrelevant since the impacted application components are not installed in the relevant SAP systems. The process of manually reviewing notes in SysRec in order to identify and remove false positives is time-consuming, especially for large SAP landscapes. It can also lead to delays in the implementation of corrections to address security vulnerabilities in SAP solutions.
SysRec calculates notes for systems based on software information sourced from the Landscape Managed Database (LMDB) in SAP Solution Manager. The LMDB includes details of software components and versions for each system. This information supports not only SysRec, but Root Cause Analysis and System Monitoring in Solution Manager, and the Maintenance Planner in the SAP Support Portal. The data is synched from the System Landscape Directory (SLD). Therefore, one of the root causes of false positives in SysRec is the incomplete registration of systems in the SLD and synchronization issues between between the SLD and LMDB. Other root causes are job or connection errors during the runtime for the SysRec calculation. The LMDB can be kept in sync with the SLD by using the resynchronization option in the LMDB. Job and connection errors can be identified and alerted for using Job Monitoring and Interface Connection Monitoring in SolMan.
However, system maintenance, synchronization, and monitoring does not remove all false positives in SysRec. This is often a major source of frustration for SAP customers. The Cybersecurity Extension for SAP automatically identifies and removes false positives in SysRec by validating if the application components for notes are installed in SAP systems. Security notes for components that are not installed are marked as ‘Irrelevant’. Irrelevant notes can be removed using filters to improve the quality and reliability of results in System Recommendations.
The Cybersecurity Extension for SAP also enriches SysRec results by including information such as the CVE, CVSS and Vector for each note. This information supports the analysis and prioritizing of security notes based on risk and impact.
Hot news note 3165801 patches a critical missing authorization check in SAP NetWeaver Application Server ABAP. The notes introduces an authorization check for object S_OC_SEND to prevent the transmission of the contents of ABAP list output from the System Menu via e-mail. The note impacts all versions of SAP_BASIS from 700 to 788.
Notes 2756188 and 2754555 patch Cross-Site Request Forgery (CSRF) vulnerabilities in the front end and back end of Bank Payments of the Fiori UI for Financial Accounting.
Note 2998510 provides a fix for an information disclosure vulnerability in the Central Management Server (CMS) of SAP BusinessObjects that could lead to the leakage of authentication credentials in Sysmon event logs.
Central note 3170990 was updated with note 3189409 to include a patch for the critical Sping4Shell Remote Code Execution vulnerability in SAP Business One Cloud.
SAP Focused Run delivers real-time application monitoring, alerting and analytics for large-scale SAP landscapes and hosting providers that need to monitor customer SAP installations from a central platform. It leverages the power of SAP HANA to support centralized monitoring for thousands of systems in high-volume environments. Focused Run is intended to complement SAP Solution Manager in SAP landscapes by substituting configuration, integration, system, and user monitoring scenarios from SolMan. However, Solution Manager is required for all other scenarios including change management, patch management, custom code management, business process monitoring, service management, and test management.
This article explores the capabilities of the Advanced Configuration Monitoring (ACM) scenario in Focused Run. Scenarios such as Advanced Event and Alert Management (AEM), Advanced Integration Monitoring (AIM) and Advanced User Monitoring (AUM) will be discussed in later posts. ACM includes Configuration and Security Analytics (CSA), accessed from the Fiori launchpad of Focused Run. CSA enables SAP users to analyze the configuration of applications, databases and hosts and automate audits for security compliance. The following short video from SAP provides a quick introduction to CSA: Advanced Configuration Monitoring
CSA analyzes configuration data collected and transferred via the Simple Diagnostics Agent (SDA) from SAP systems. Focused Run does not include a built-in Business Warehouse (BW). Therefore, unlike Solution Manager, configuration data is stored in HANA database tables starting with CCDB_DATA_ rather than BW InfoCubes. This simplifies the architecture and improves the performance for configuration analysis. The tables are read by the Configuration and Change Database (CCDB). Configuration changes are tracked to support change and trend analysis. This includes changes to security-relevant parameters, services, RFC destinations, and user privileges. The CCDB contains snapshots of SAP systems. The configuration data is structured in containers known as config stores. The stores can be updated every hour to maintain up-to-date snapshots of SAP systems. The stores can be queried using the search option in CSA. The config store below displays the current values for all profile parameters in system FR1.
The following store contains details of user assigned critical profiles. User related stores can be customized to extract details for specific profiles, roles, user types, authorizations, and combinations of roles and authorizations.
CSA can be used to configure and apply policies that analyze config stores to audit systems and automate compliance checks. Policy Maintenance in CSA enables users to create XML policies. Policies can also be converted from target systems in Configuration Validation from SAP Solution Manager. Policies can be exported and imported as XML files or transported between Focused Run installations. SAP recommends limiting the number of checks in single policies to 100 to restrict the number of SQL statements. However, single policies can be combined into composite policies to execute thousands of checks in parallel. In the example below, the composite policy ABAP Parameters includes multiple single policies for reviewing security-relevant parameters in ABAP systems.
In order to apply a generated single or composite policy to audit SAP systems, you must first define the scope of systems. Systems can be grouped by Customer ID, Data Center, IT Admin Role (Environment) and other variables (see below). Customer ID can be used to group systems by company or business group.
The next step is to select and apply the required single or composite policy. The results below summarize the compliance status of systems in the L7_FRUN group against the ABAP Parameters composite policy.
Users can drilldown into the findings for each system to focus on parameters that failed the policy check.
You can click on the icon at the end of each rule to view further details.
The current value of the parameter is displayed in the Value column. The results can be exported to Excel for offline analysis.
Policy checks can be scheduled for hourly, daily or weekly intervals in Policy Management.
The results of the scheduled checks can be displayed in Trend Analysis. This provides a graphical analysis of compliance levels for each interval of the report.
Focused Run does not include the equivalent of System Recommendations in SAP Solution Manager for discovering and applying security notes. SAP periodically publishes policies for security notes to GitHub. The policies can be downloaded and imported into Focused Run to check for the implementation status of relevant notes in each system. This approach can lead to inconsistencies between System Recommendations and Focused Run since calculated notes may not align between the solutions. The Cybersecurity Extension for SAP Focused Run from Layer Seven Security integrates System Recommendations with Focused Run to ensure calculated notes are consistent between both platforms. The CSA policy below displays all security notes calculated by System Recommendations. The results can be filtered by system and priority. With this approach, SAP customers do not need to manually update FRUN with new policies for security notes. Calculated notes are updated automatically daily.
The beta release of the Cybersecurity Extension for SAP Focused Run is scheduled for Q3 2022 and will include additional config stores to supplement the security content in the CCDB, preconfigured single and composite policies for ABAP, HANA and Java systems, and monitoring templates to support alerting for SAP logs including the Security Audit Log and the HANA audit log.
The central note 3170990 consolidates security notes for the critical Spring4Shell vulnerability. Spring4Shell is addressed by CVE-2022-22965. This is related to a remote code execution vulnerability in the open-source Java Spring Framework. Successful exploitation requires Apache Tomcat for serving applications built as a WAR file. Notes 3189428, 3187290, 3189429, 3189635 and 3171258 patch Sping4Shell in multiple SAP Solutions including SAP HANA Extended Application Services, PowerDesigner Web and SAP Commerce.
Hot news notes 3022622 and 3158613 fix a code injection vulnerability in SAP Manufacturing Integration and Intelligence. The vulnerability can be exploited by threat actors to escalate privileges and execute OS commands. The notes block the saving of Java Server Pages (JSP) through the SSCE (Self Service Composition Environment).
Note 3111311 provides solutions for a high priority Denial of Service vulnerability in the Web Dispatcher and Internet Communication Manager. The vulnerability is caused by a program error related to parameter icm/HTTP/file_access. The parameter defines static file access for URL prefixes and the target directory for static files.
Regularly patching SAP systems is the single most important action you can take to secure business-critical SAP applications from cyber threats. Despite the concern surrounding zero-day vulnerabilities, every known SAP exploit targets existing vulnerabilities patched by SAP through security notes. In other words, there is no evidence of the exploitation of zero-day vulnerabilities for SAP applications. However, there is a multitude of evidence for the exploitation of known vulnerabilities that have been fully patched by SAP.
This includes well-known SAP vulnerabilities such as ICMAD, RECON and 10KBLAZE. Notes 3123396 and 3123427 patch SAP for ICMAD. Note 2934135 secures SAP against RECON exploits. Protection against 10KBLAZE can be applied through notes 1408081, 821875, and 1421005. Some the notes for 10KBLAZE have been available since 2006. This is 13 years before CISA released an alert for the exploits.
Organizations take an average of three months to implement hot news notes for critical SAP vulnerabilities. Yet threat actors can weaponize SAP vulnerabilities within 72 hours of a patch release. Therefore, it is important to minimize the window of opportunity for attackers by rapidly discovering, analyzing and implementing SAP security notes.
Most software tools for SAP patch management automate the discovery of SAP security notes but do not support notes analysis and implementation. System Recommendations (SysRec) is the only solution that supports the full lifecycle of SAP security notes. SysRec is a standard application in SAP Solution Manager, recommended by SAP for patch management. It is automatically enabled during the installation and setup of Solution Manager.
Discovery
For notes discovery, SysRec performs a daily check for the latest security notes. Therefore, customers are notified immediately as soon as new notes are released by SAP. SysRec connects directly to the SAP Support Portal to identify new notes. It calculates relevant notes based on software information for SAP systems stored in the Landscape Management Database (LMDB). The LMDB is synced to the SAP NetWeaver System Landscape Directory (SLD). The SLD is the source of system information in SAP landscapes including installed software components, databases and operating systems and the versions of components and platforms. Notes calculation takes into account the implementation status of notes. Therefore, fully implemented notes are automatically excluded by SysRec.
It is important to note that the results returned by SysRec are based on installed components, regardless of usage. All installed components must be maintained and patched even if they are not actively used since they are part of the attack surface.
System Recommendations is widely used by SAP administrators to manage not only SAP security notes but also correction, legal, performance and other notes. SAP security teams that rely on third party solutions for notes discovery often clash with SAP administrators since security notes returned by their tools do not align with the results of SysRec. SAP administrators are inclined to trust the results of SAP applications such as SysRec over third party solutions. This can lead to disputes and delays within organizations as SAP administration and security teams fail to align on the notes that should be implemented. The risk is avoided when both teams use System Recommendations and are therefore aligned on the required security notes.
Analysis
SysRec supports detailed notes analysis through integration with Usage and Procedure Logging (UPL) and the ABAP Call Monitor (SCMON). UPL and SCMON support change impact analysis by revealing function modules, methods, programs and other objects impacted by security notes before they are applied. It includes usage statistics for impacted objects. This information enables SAP administrators to determine the scope and extent of testing for security notes. Notes impacting many objects with high usage counts may require detailed integration or regression testing. Conversely, notes impacting few objects with low usage counts indicates that customers may be able to employ less complex and more rapid test approaches such as smoke tests. Change impact analysis in SysRec provides the insights required by SAP customers to pinpoint the effect of security notes in SAP systems. This addresses the root cause of long patch cycles that increase the period of vulnerability for SAP systems.
Implementation
System Recommendations enables users to download corrections from the SAP Support Portal directly to the target SAP system. This is performed using the option for Integrated Desktop Actions. The user is prompted to select the target system before the download and can therefore select non-productive SIDs when analyzing notes for productive SIDs. SysRec automatically calls SNOTE in the target system after the download to apply the note.
Integrated Desktop Actions also enables users to create a Request for Change (RfC) in Change and Request Management (ChaRM) for security notes. ChaRM is commonly used by SAP customers to manage the lifecycle of SAP changes and includes workflows to control requests including phases for requirements, approval, testing, and promotion to production.
If you would like to learn more about patching SAP systems using System Recommendations, request a pre-release of Layer Seven Security’s new whitepaper for SAP Security Patching, scheduled for Q3 2022.
Note 3123396 patches SAP NetWeaver Application Server ABAP and the Web Dispatcher for CVE-2022-22536. This is related to the ICMAD (Internet Communication Manager Advanced Desync) vulnerability that was the subject of alerts from multiple threat intelligence agencies including CISA and CERT-EU.
ICMAD is a memory corruption vulnerability that can be exploited through a single HTTP request to fully compromise SAP systems, remotely and without authentication. This impacts AS ABAP and the Web Dispatcher when they are accessed through an HTTP gateway. For AS ABAP, the gateway could be the Web Dispatcher. The vulnerability does not impact direct access to SAP application servers. SAP Kernels and Web Dispatchers should be updated to the minimum patch levels detailed in the note. The workaround detailed in note 3137885 can be applied as a stop-gap measure if the patches cannot be implemented at short notice. For access through the Web Dispatcher, refer to 3137885 to ensure that Web Dispatcher installations meet the minimum patch level. To apply the workaround, the profile parameter wdisp/additional_conn_close should be set to TRUE. For more details, refer to note 3138881.
Note 3123427 patches ICMAD in AS Java. The workaround recommended in the note can be applied using the parameter setting icm/handle_http_pipeline_requests=FALSE if support for HTTP pipeline requests is not required.
The central note 3131047 for the critical remote code execution vulnerability in the Apache Log4J 2 component was updated with the addition of security note 3154684. The new note patches Log4Shell in the mobile solution SAP Work Manager.