Layer Seven Security

SAP Security Notes, September 2021

Hot news note 3078609 patches a missing authorization check in the JMS Connector Service of SAP NetWeaver Application Server for Java. The vulnerability could be exploited to execute arbitrary code in the system remotely and without authentication. Hence, the note carries the maximum CVSS score of 10/10. A fix is included in the note but a temporary workaround is outlined in note 3093977.

Note 3081888 deals with a code injection vulnerability for XMLForms in SAP NetWeaver Knowledge Management. The note includes a patch for the XMLToolkit parser to prevent the execution of malicious XSL stylesheet files containing scripts with OS-level commands.

Note 3073891 patches multiple OS command injection and reflected Cross-Site Scripting (XSS) vulnerabilities in SAP Contact Center. The vulnerabilities are caused by improper encoding of user input.  

Note 3089831 introduces input validation to protect the remote execution of vulnerable function modules that could be exploited to gain access to backend databases. The note includes instructions for blocking remote calls to the impacted function modules using Unified Connectivity (UCON) as a workaround.

Note 3084487 removes a vulnerable component of SAP NetWeaver Visual Composer that could be exploited by attackers to upload malicious files that run operating system commands with the privileges of the Java Server process. The commands could be used to read and modify data or provoke a denial of service.

SAP Security Notes, August 2021

Hot news note 3072955 patches a Server Side Request Forgery (SSRF) vulnerability in the Component Build Service of SAP NetWeaver Development Infrastructure (NWDI). The Component Build Service includes a vulnerable servlet that could be targeted to perform proxy attacks. The vulnerability has a CVSS score of 9.9/10 for NWDI installations exposed to the internet. The patches included in the note remove the vulnerable servlet from productive code.

Hot news note 3078312 deals with a blind SQL injection vulnerability in DMIS Mobile Plug-In and SAP S/4HANA. The note adds an ASSERT statement after the authorization check for function module IUUC_RECON_RC_COUNT_TABLE_BIG that enforces import parameter IT_WHERE_CLAUSE to be empty. If import parameter IT_WHERE_CLAUSE is not empty, the execution of the function module will fail with a short dump. The deactivation of parameter IT_WHERE_CLAUSE is not expected to impact products released to customers, because the remote-enabled function module IUUC_RECON_RC_COUNT_TABLE_BIG is only used by SAP.

Note 3071984 includes an updated workaround for a critical unrestricted file upload vulnerability in SAP Business One. The vulnerability could be exploited to upload any malicious files including scripts without file format validation.

Note 3057378 patches a high-risk missing authentication vulnerability in SAP Web Dispatcher when using X.509 client certificates. The vulnerability also impacts SAP HANA and SAP HANA XS installations containing embedded Web Dispatchers.

Securing the SYSTEM User in SAP HANA

The SYSTEM user is the most powerful database user in SAP HANA with system-wide privileges including permissions to create and maintain other users, perform system changes, stop and start services, and create and drop databases and tables. The user is created during the initial setup of SAP HANA. Once the system is set up, the SYSTEM user should be deactivated and other users should be created for administrative tasks. The user is not required for HANA updates but should be reactivated for system upgrades, installations and migrations. This includes support stack and enhancement pack upgrades.

Since the SYSTEM user is a well-known administrative user with full system privileges, it is often targeted by threat actors. This article outlines measures to secure the user against attacks and detect and alert for actions performed by the user.

1. Reset Initial Password

Initial passwords for the SYSTEM user for both the system database and the first tenant database are set by hardware partners or administrators. The password should be reset immediately after the handover. The reset can be performed using SQL statements or the SAP HANA cockpit by a user with the USER ADMIN or DATABASE ADMIN privilege. Password resets can also be performed by the <sid>adm user from the system database.

2. Deactivate the User

The SYSTEM user should not be used for day-to-day activities, especially in production systems. Create alternative dedicated users for each administrative scenario and then deactivate the SYSTEM user. The user can be temporarily reactivated for emergency tasks, when required. Deactivation can be performed using the SQL statement ALTER USER SYSTEM DEACTIVATE USER NOW and reactivation using the statement ALTER USER SYSTEM ACTIVATE USER NOW. The status of the user can be confirmed by reviewing the values in the columns USER_DEACTIVATED, DEACTIVATION_TIME, and LAST_SUCCESSFUL_CONNECT for the SYSTEM user in the USERS system view.

3. Create Audit Policies

Configure audit policies to log all actions performed by the SYSTEM user and changes to the user such as password changes and user activation/deactivation. Once activated, the policies will automatically log events to the audit trail. Audit policies can be created using SQL statements or the Auditing tab of the SAP HANA cockpit with the AUDIT ADMIN privilege. Actions should include both successful and unsuccessful events. Events can be written to one of the supported audit trail targets specified in each policy or the default audit trail if none is specified. Maximum retention periods can also be specified for each policy.

4. Monitor the Audit Trail

Monitor HANA audit logs using System Monitoring in SAP Solution Manager. Configure automated alerts and email/SMS notifications for actions performed by the SYSTEM user or changes to the user. Integrate alerts with SIEM systems for SOC monitoring. Finally, investigate alerts using guided procedures in SAP Solution Manager.
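
The four steps above as one SQL sequence, run by an administrative user other than SYSTEM. This is an added example, not taken from SAP or from the original article; the policy names, the password placeholder, the CRITICAL level and the 180-day retention value are assumptions chosen for illustration.

```sql
-- Added example. Assumes auditing is already enabled for the database and
-- that the executing user holds USER ADMIN and AUDIT ADMIN.

-- Step 1: reset the initial password set at handover.
-- "<ReplaceWithNewPassword>" is a placeholder, not a usable value.
ALTER USER SYSTEM PASSWORD "<ReplaceWithNewPassword>";

-- Step 2: deactivate SYSTEM, then confirm its status in the USERS view.
ALTER USER SYSTEM DEACTIVATE USER NOW;

SELECT USER_NAME, USER_DEACTIVATED, DEACTIVATION_TIME, LAST_SUCCESSFUL_CONNECT
  FROM USERS
 WHERE USER_NAME = 'SYSTEM';

-- Step 3a: log every action executed by SYSTEM, successful or not.
-- The table trail is named explicitly so a retention period can be set;
-- RETENTION requires a HANA release that supports per-policy retention.
CREATE AUDIT POLICY "EXAMPLE_SYSTEM_USER_ACTIONS"
  AUDITING ALL ACTIONS FOR SYSTEM
  LEVEL CRITICAL
  TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "EXAMPLE_SYSTEM_USER_ACTIONS" ENABLE;

-- Step 3b: log ALTER USER statements issued by any user. This captures
-- password changes and activation/deactivation of SYSTEM performed by
-- other administrators, which policy 3a alone would not record.
CREATE AUDIT POLICY "EXAMPLE_USER_CHANGES"
  AUDITING ALL ALTER USER
  LEVEL CRITICAL
  TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "EXAMPLE_USER_CHANGES" ENABLE;

-- Step 4: review what the two policies recorded. The AUDIT_LOG view only
-- shows entries written to the database table trail.
SELECT "TIMESTAMP", USER_NAME, AUDIT_POLICY_NAME, EVENT_STATUS,
       EVENT_ACTION, STATEMENT_STRING
  FROM AUDIT_LOG
 WHERE AUDIT_POLICY_NAME = 'EXAMPLE_SYSTEM_USER_ACTIONS'
    OR (AUDIT_POLICY_NAME = 'EXAMPLE_USER_CHANGES'
        AND UPPER(STATEMENT_STRING) LIKE '%ALTER USER SYSTEM%')
 ORDER BY "TIMESTAMP" DESC;
```

Any row returned by the final query while SYSTEM is meant to be deactivated is a candidate for the alerts described in step 4.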

SAP Security Notes, July 2021

Hot News Note 3007182 contains updated corrections for a broken authentication vulnerability in the SAP NetWeaver AS ABAP and ABAP Platform. The corrections improve the ability to distinguish between internal and external RFC and HTTP connections. This protects against external threat actors using credentials for internal communications.  Note 3007182 includes kernel patches for multiple kernel and Basis versions.

Note 3059446 patches a high priority missing authorization check in NetWeaver AS Java. The Administration Workset in Guided Procedures does not perform necessary authorization checks for an authenticated user, resulting in an escalation of privileges. The affected functions have now been changed and enforced to properly check access restrictions. A possible workaround is to disable the GP Administration Workset using filters in the configuration template. In NWA->Java System Properties, choose the configuration template and in the Filters tab add the filter to disable the caf~eu~gp~ui~admin application.

Note 3056652 includes patches for the J2EE Server Core in NetWeaver AS Java to apply input validation for HTTP requests before storing monitoring data. This will protect against malicious HTTP requests with manipulated headers that could lead to the exhaustion of system resources and provoke a denial of service.

License Auditing with SAP Solution Manager

SAP uses a variety of licensing models for its solutions including perpetual licenses, subscription licenses, and consumption-based term licenses. For perpetual licenses, usage rights for SAP software are restricted to a specific number of SAP Named Users. The number of Named Users is a key component of pricing metrics for such licenses. Compliance is an important aspect of SAP software licensing. SAP requires customers to periodically audit and report the number of Named Users for licensed solutions to ensure compliance. Compliance gaps discovered during audits can lead to increased licensing costs if customers are assigning usage rights to higher quantities of Named Users than allowed by their license agreements with SAP.

SAP provides several audit tools to measure and report license compliance. The License Administration Workbench (LAW) in SAP Solution Manager supports consolidated license measurement and reporting. This article outlines the steps for activating and utilizing the License Administration Workbench to automate and streamline your SAP license audits.

LAW supports license auditing for SAP NetWeaver 7.02 and higher. The ICF services LAW2_WD_APPLICATION, LAW3_WD_UC_START and LAW3_WD_SLAT_MAIN should be activated to access LAW in SAP Solution Manager. Other relevant services are listed below.

/sap/public/bc/icons
/sap/public/bc/icons_rtl
/sap/public/bc/webdynpro/mimes
/sap/public/bc/webdynpro/ssr
/sap/public/bc/pictograms
/sap/public/bc/webdynpro
/sap/public/bc/webicons

Number ranges must be maintained for objects SLAW_SYST and SLAW_DTSET. The Internet Graphics Service (IGS) and the Adobe Document Services (ADS) must also be available and configured to access LAW. SAP user data required for license audits are automatically transferred by LAW using predefined RFC connections between target systems and SAP Solution Manager. This requires the creation of dedicated system users for LAW in systems. The users should be granted role SAP_BC_LAW_COMMUNICATION. The relevant system data (system number, installation number, hardware key, system ID) are captured by LAW and can be viewed in the System Overview.

Once the prerequisites are met and systems are connected and correctly mapped, you are ready to perform license audits. Audits can be initiated using the option to Start Measurement.

Users can be grouped using attributes maintained in Extended Mode. The next step is to consolidate users from multiple systems. Consolidation rules can also be maintained in Extended Mode.

During the final steps, you can view, export and save the results before selecting the option to transfer to SAP.

SAP Security Notes, June 2021

Hot News note 3040210 patches a critical remote code execution vulnerability in Source Rules of SAP Commerce. The vulnerability affects both on-premise installations of SAP Commerce and SAP Commerce Cloud in the Public Cloud. The SAP Commerce Backoffice application allows certain authorized users to create source rules which are translated to drools rules when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution. Note 3040210 addresses this vulnerability by adding validation and output encoding when processing Promotion Rules and other Source Rules. Customers that do not wish to install the patch can apply a workaround by adjusting the permissions that grant create and change privileges to the SourceRule type. The goal of the workaround is to ensure that only highly trusted employees have such privileges.

Notes 3021197, 3020209 and 302010 deal with multiple high-risk memory corruption vulnerabilities in SAP NetWeaver ABAP. The vulnerabilities could be exploited to perform a denial of service using specially crafted requests targeted at the Dispatcher process, SAP Gateway, and SAP Enqueue Server.

Note 3053066 removes a missing XML validation vulnerability in SAP NetWeaver AS Java that could enable attackers to read files in the file system or crash SAP services using specially crafted XML files. The note enables blocking of external entities via the XML parser.

Securing Software Supply Chains for SAP Systems

Software supply chain attacks are advanced cyberattacks that target information systems through third party software. Threat actors compromise systems and data by exploiting software builds or interfaces for trusted software. This enables attackers to introduce malware without detection including backdoors.

The recent software supply chain attack experienced by SolarWinds is widely regarded as one of the most devastating cyber attacks in history.  It impacted as many as 425 of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US Military, the Pentagon, the State Department, the world’s largest cybersecurity firm, as well as thousands of organizations worldwide. The attack cost affected companies an average of $12M.

Download the whitepaper from Layer Seven Security for guidance on securing software supply chains in SAP landscapes. The whitepaper outlines the threat vectors that could be exploited by attackers to compromise third party software that support SAP applications. It provides practical steps for minimizing third party software and external connections in SAP landscapes, avoiding the use of open source components, and monitoring third party software. The steps are aligned to the Cyber Supply Chain Risk Management (C-SCRM) practices recommended by the National Institute of Standards and Technology (NIST).

Webinar Playback: Protecting SAP Systems from Ransomware Attacks

Ransomware is headline news, and recent attacks have demonstrated the devastating impact of attacks that target critical infrastructure. According to the Department of Homeland Security ransomware attacks have increased by 300% over the past year, impacting all industries and sectors. The average downtime from an attack is 21 days, but full recovery takes an average of 287 days. 

Ransomware can impact SAP systems through vulnerable operating systems. However, securing host systems alone does not safeguard SAP systems from ransomware. Attackers can exploit trust relationships between SAP applications and underlying operating systems to execute privileged OS commands that avoid detection. This can include commands that enable threat actors to transfer, install, and execute ransomware tools. 

This webinar will discuss steps you can take to secure your business-critical SAP systems from ransomware. It will provide an integrated strategy for:

• Identifying and prioritizing critical SAP assets and infrastructure;

• Hardening SAP systems to reduce the attack surface;

• Activating and monitoring SAP logs to detect suspected attacks; and 

• Backing up and restoring SAP systems to minimize the downtime from successful attacks.

The webinar will also discuss how to use SAP Solution Manager to support your anti-ransomware program, from identifying and removing vulnerabilities that could be exploited to attack your systems to detecting and alerting for suspected security breaches.

You can view the webinar recording at SAPinsideronline.com.

SAP Security Notes, May 2021

Note 3046610 patches a high priority code injection vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP). Program RDDPUTJR may be executed by attackers to inject malicious code.  The note replaces the code of the report with an exit statement. The program can be deleted by the support packages included in the note.  Access to SA38 and SE38 can be restricted as a workaround.

Notes 3049755 and 3049661 deal with multiple vulnerabilities in SAP Business One. This includes code injection, OS command injection, and information disclosure.

Notes 3012021 and 2745860 patch XML injection, information disclosure and unrestricted file upload vulnerabilities in the Integration Builder Framework of SAP Process Integration.

Protecting SAP Systems from Ransomware

The recent attack at Colonial Pipeline has demonstrated the devastating impact of ransomware on critical infrastructure. According to the Department of Homeland Security, ransomware attacks have increased by 300% over the past year, impacting all industries and sectors. The average downtime from an attack is 21 days. Full recovery takes an average of 287 days.

Ransomware can impact SAP systems through vulnerable operating systems. However, securing SAP hosts alone does not safeguard SAP systems from ransomware. Attackers can exploit trust relationships between SAP applications and underlying operating systems to execute privileged OS commands that avoid detection. This can include commands that enable threat actors to transfer, install and execute ransomware tools.

The newly released guide Protecting SAP Systems from Ransomware includes actions you can take to secure your business-critical SAP systems from ransomware. It provides an integrated strategy for:

  • Identifying and prioritizing critical SAP assets and infrastructure;
  • Hardening SAP systems to reduce the attack surface;
  • Activating and monitoring SAP logs to detect suspected attacks; and
  • Backing up and restoring SAP systems to minimize the downtime from successful attacks.

The guide also discusses how to use SAP Solution Manager to support your anti-ransomware program, from identifying and removing vulnerabilities that could be exploited to attack your systems to detecting and alerting for suspected security breaches.
