Layer Seven Security

License Auditing with SAP Solution Manager

SAP uses a variety of licensing models for its solutions including perpetual licenses, subscription licenses, and consumption-based term licenses. For perpetual licenses, usage rights for SAP software are restricted to a specific number of SAP Named Users. The number of Named Users is a key component of pricing metrics for such licenses. Compliance is an important aspect of SAP software licensing. SAP requires customers to periodically audit and report the number of Named Users for licensed solutions to ensure compliance. Compliance gaps discovered during audits can lead to increased licensing costs if customers are assigning usage rights to higher quantities of Named Users than allowed by their license agreements with SAP.

SAP provides several audit tools to measure and report license compliance. The License Administration Workbench (LAW) in SAP Solution Manager supports consolidated license measurement and reporting. This article outlines the steps for activating and utilizing the License Administration Workbench to automate and streamline your SAP license audits.

LAW supports license auditing for SAP NetWeaver 7.02 and higher. The ICF services LAW2_WD_ APPLICATION, LAW3_WD_UC_START and LAW3_WD_SLAT_MAIN should be activated to access LAW in SAP Solution Manager. Other relevant services are listed below.

/sap/public/bc/icons
/sap/public/bc/icons_rtl
/sap/public/bc/webdynpro/mimes
/sap/public/bc/webdynpro/ssr
/sap/public/bc/pictograms
/sap/public/bc/webdynpro
/sap/public/bc/webicons

Number ranges must be maintained for objects SLAW_SYST and SLAW_DTSET. The Internet Graphics Service (IGS) and the Adobe Document Services (ADS) must also be available and configured to access LAW. SAP user data required for license audits are automatically transferred by LAW using predefined RFC connections between target systems and SAP Solution Manager. This requires the creation of dedicated system users for LAW in systems. The users should be granted role SAP_BC_LAW_COMMUNICATION. The relevant system data (system number, installation number, hardware key, system ID) are captured by LAW and can be viewed in the System Overview.

Once the prerequisites are met and systems are connected and correctly mapped, you are ready to perform license audits. Audits can be initiated using the option to Start Measurement.

Users can be grouped using attributes maintained in Extended Mode. The next step is to consolidate users from multiple systems. Consolidation rules can also be maintained in Extended Mode.

During the final steps, you can view, export and save the results before selecting the option to transfer to SAP.

SAP Security Notes, June 2021

Hot News note 3040210 patches a critical remote code execution vulnerability in Source Rules of SAP Commerce. The vulnerability affects both on-premise installations of SAP Commerce and SAP Commerce Cloud in the Public Cloud. SAP Commerce Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution. Note 3040210 addresses this vulnerability by adding validation and output encoding when processing Promotion Rules and other Source Rules. Customers that do not wish to install the patch can apply a workaround by adjusting the permissions that grant create and change privileges to the SourceRule type. The goal of the workaround is to ensure that only highly trusted employees have such privileges.

Notes 3021197, 3020209 and 302010 deal with multiple high-risk memory corruption vulnerabilities in SAP NetWeaver ABAP. The multiples could be exploited to perform a denial of service using specially crafted requests targeted at the Dispatcher process, SAP Gateway, and SAP Enqueue Server.

Note 3053066 removes a missing XML validation vulnerability in SAP NetWeaver AS Java that could enable attackers to read files in the file system or crash SAP services using specially crafted XML files. The note enables blocking of external entities via the XML parser.

Securing Software Supply Chains for SAP Systems

Software supply chain attacks are advanced cyberattacks that target information systems through third party software. Threat actors compromise systems and data by exploiting software builds or interfaces for trusted software. This enables attackers to introduce malware without detection including backdoors.

The recent software supply chain attack experienced by SolarWinds is widely regarded as one of the most devastating cyber attacks in history.  It impacted as many as 425 of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US Military, the Pentagon, the State Department, the world’s largest cybersecurity firm, as well as thousands of organizations worldwide. The attack cost affected companies an average of $12M.

Download the whitepaper from Layer Seven Security for guidance on securing software supply chains in SAP landscapes. The whitepaper outlines the threat vectors that could be exploited by attackers to compromise third party software that support SAP applications. It provides practical steps for minimizing third party software and external connections in SAP landscapes, avoiding the use of open source components, and monitoring third party software. The steps are aligned to the Cyber Supply Chain Risk Management (C-SCRM) practices recommended by the National Institute of Standards and Technology (NIST).

Webinar Playback: Protecting SAP Systems from Ransomware Attacks

Ransomware is headline news, and recent attacks have demonstrated the devastating impact of attacks that target critical infrastructure. According to the Department of Homeland Security ransomware attacks have increased by 300% over the past year, impacting all industries and sectors. The average downtime from an attack is 21 days, but full recovery takes an average of 287 days. 

Ransomware can impact SAP systems through vulnerable operating systems. However, securing host systems alone does not safeguard SAP systems from ransomware. Attackers can exploit trust relationships between SAP applications and underlying operating systems to execute privileged OS commands that avoid detection. This can include commands that enable threat actors to transfer, install, and execute ransomware tools. 

This webinar will discuss steps you can take to secure your business-critical SAP systems from ransomware. It will provide an integrated strategy for:

• Identifying and prioritizing critical SAP assets and infrastructure;

• Hardening SAP systems to reduce the attack surface;

• Activating and monitoring SAP logs to detect suspected attacks; and 

• Backing up and restoring SAP systems to minimize the downtime from successful attacks.

The webinar will also discuss how to use SAP Solution Manager to support your anti-ransomware program, from identifying and removing vulnerabilities that could be exploited to attack your systems to detecting and alerting for suspected security breaches.

You can view the webinar recording at SAPinsideronline.com.

SAP Security Notes, May 2021

Note 3046610 patches a high priority code injection vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP). Program RDDPUTJR may be executed by attackers to inject malicious code.  The note replaces the code of the report with an exit statement. The program can be deleted by the support packages included in the note.  Access to SA38 and SE38 can be restricted as a workaround.

Notes 3049755 and 3049661 deal with multiple vulnerabilities in SAP Business One. This includes code injection, OS command injection, and information disclosure.

Notes 3012021 and 2745860 patch XML injection, information disclosure and unrestricted file upload vulnerabilities the Integration Builder Framework of SAP Process Integration.

Protecting SAP Systems from Ransomware

The recent attack at Colonial Pipeline has demonstrated the devastating impact of ransomware on critical infrastructure. According to the Department of Homeland Security, ransomware a­ttacks have increased by 300% over the past year, impacting all industries and sectors. The average downtime from an att­ack is 21 days. Full recovery takes an average of 287 days.

Ransomware can impact SAP systems through vulnerable operating systems. However, securing SAP hosts alone does not safeguard SAP systems from ransomware. Att­ackers can exploit trust relationships between SAP applications and underlying operating systems to execute privileged OS commands that avoid detection. This can include commands that enable threat actors to transfer, install and execute ransomware tools.

The newly released guide Protecting SAP Systems from Ransomware includes actions you can take to secure your business-critical SAP systems from ransomware. It provides an integrated strategy for:

  • Identifying and prioritizing critical SAP assets and infrastructure;
  • Hardening SAP systems to reduce the attack surface;
  • Activating and monitoring SAP logs to detect suspected attacks; and
  • Backing up and restoring SAP systems to minimize the downtime from successful attacks.

The guide also discusses how to use SAP Solution Manager to support your anti-ransomware program, from identifying and removing vulnerabilities that could be exploited to attack your systems to detecting and alerting for suspected security breaches.

DOWNLOAD

SAP Security Notes, April 2021

Hot news note 2999854 was updated in April for a critical code injection vulnerability in SAP Business Warehouse and SAP BW/4HANA. BW and BW/4HANA allow a low privileged attacker to inject malicious code using a remote enabled function module over the network. Due to a lack of input validation, users granted RFC access to execute the function module can inject malicious ABAP code. The code is saved persistently in a report in the ABAP repository. The report can then be executed to inject the code, leading to the loss of sensitive data, modification of critical data, or denial of service. Note 2999854 introduces input validation for the effected functions to prevent code injection.

Hot news note 3040210 patches a remote code injection vulnerability in Source Rules of SAP Commerce. SAP Commerce Backoffice allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker can inject malicious code in the source rules and perform remote code execution enabling them to compromise the confidentiality, integrity and availability of the application. SAP Commerce installations that do not include any extensions from the Rule Engine module are not affected. Note 3040210 addresses this vulnerability by adding validation and output encoding when processing Promotion Rules and other Source Rules.

Note 3022422 includes an updated FAQ for a critical missing authorization check in the MigrationService of SAP NetWeaver Application Server Java (AS Java). The vulnerability could be exploited by attackers to grant administrative privileges by accessing specific configuration objects. The solution included in the note requires a system restart. Note 3030298 includes a temporary workaround if a restart is not possible.

Note 3001824 patches an information disclosure vulnerability in AS Java. Attackers can invoke telnet commands to access NTLM hashes of privileged users. Possible workarounds for the vulnerability include disabling outgoing NTLM traffic by group policy, blocking outgoing SMB requests via appropriate firewall rules, and, for Linux systems, disabling the Samba protocol on all the hosts in a cluster.

Cybersecurity Extension for SAP Identifies Signatures of Active SAP Cyberattacks

Earlier this month, SAP issued a joint report with a security research firm to highlight active cyber threats targeting SAP applications. According to the report, there is conclusive evidence that attackers are actively targeting and exploiting unsecured SAP applications. The report also reveals that some SAP vulnerabilities are being weaponized in less than 72 hours from the release of SAP patches.  Unprotected cloud installations of SAP are being discovered and compromised in less than 3 hours.

The investigation performed for the report identified over 300 successful exploitations of SAP systems. This included attempts to modify users and configurations and exfiltrate business information. Most of the exploits targeted the six CVEs below. Although the vulnerabilities have been patched by SAP, many organizations have not applied the recommended mitigations to protect SAP systems.

CVE-2010-5326 (SAP Security Note 1445998)
CVE-2018-2380 (SAP Security Note 2547431)
CVE-2016-3976 (SAP Security Note 2234971)
CVE-2016-9563 (SAP Security Note 2296909)
CVE-2020-6287 (SAP Security Note 2934135)
CVE-2020-6207 (SAP Security Note 2890213)

SAP recommends customers to immediately assess vulnerable systems to identify indicators of compromise such as unauthorized privileged users. The assessment should include systems within SAP landscapes that are connected to the vulnerable targets. The related SAP security notes and recommendations should also be applied in impacted systems.

SAP also urges customers to implement appropriate cybersecurity measures to protect SAP applications. The Cybersecurity Extension for SAP is an SAP-certified solution that performs automated vulnerability management, threat detection and incident response to secure SAP systems from cyber threats. This includes exploits that target the CVEs highlighted in the report. The Extension detects misconfigured and unpatched systems. It also detects the signatures of exploits that target the CVEs, triggers alerts and notifications for suspected breaches, and provides guided procedures for investigating incidents. To learn more, contact Layer Seven Security.

SAP Security Notes, March 2021

Hot news note 3022622 patches a critical code injection vulnerability in SAP Manufacturing Integration and Intelligence (MII). SAP MII allows users to create dashboards and save them as JSP through the SSCE (Self Service Composition Environment). Attackers can target this feature to inject malicious JSP code that include OS commands. The code and commands are executed by MII when dashboards are opened by users. The solution applied via note 3022622 blocks the saving of files as JSP through SSCE. There is no workaround for the vulnerability.

Hot news note 3022422 removes a missing authorization check in the MigrationService of the SAP NetWeaver Application Server Java (AS Java). This could provide unauthorized access to configuration objects including objects that grant administrative privileges. The solution requires a system restart. The workaround in note 3030298 can be applied if a system restart is not possible.

Note 3017378 addresses a high priority authentication bypass vulnerability in SAP HANA installations using external authentication via LDAP directory services. SAP HANA systems and users configured for LDAP are only vulnerable if the connected LDAP directory server is enabled for unauthenticated binds. Some directory servers can be configured to offer an unauthenticated bind via LDAP. In these cases, the SAP HANA database’s handling of LDAP authentication can be misused. An attacker can gain access to an SAP HANA database system without proper authentication through users enabled for LDAP-based authentication.

Securing Linux Platforms for SAP HANA and S/4HANA

SUSE Linux Enterprise Server (SLES) is the leading operating system for SAP HANA and SAP S/4HANA solutions, supporting 85 percent of HANA deployments worldwide. SLES for SAP Applications is optimized to support high availability and persistent memory and endorsed by SAP.

Securing operating systems is a critical component of SAP system hardening. Vulnerable hosts can provide a pathway to SAP applications, databases and other components, bypassing security mechanisms applied in those layers. This can lead to the compromise of SAP systems including the corruption of critical files and tables. It can also support ransomware attacks that disrupt the availability of SAP services.

The Cybersecurity Extension for SAP performs daily automated scans to identify vulnerabilities in SAP hosts. For SLES, this includes authentication settings, firewall configurations, file and service permissions, root access, missing security patches, vulnerable packages and services, and misconfigured settings for logging and auditing. It also includes the detection of open TCP/ UDP ports that are targeted by attackers, including FTP, RPC, RDP, SSH, and Telnet.

SLES vulnerabilities are mapped to SAP systems, supporting holistic security across code, application, database and operating system layers.

The SAP-Certified extension also monitors SLES logs to identify indicators of compromise in SAP hosts. Alerts and notifications are triggered for security incidents and channeled to SIEM and service desk systems. This includes the following scenarios:

  • Changes to operating system configuration, profile, and kernel parameters
  • Firewall and other network settings
  • File system mounts and unmounts
  • Group, user and password changes
  • Cron jobs
  • Daemon and service changes
  • OS scripts
  • External connections
  • Sudo users
  • Root and sudo commands
  • Failed logon and file access attempts
  • Critical file changes
  • File permission changes
  • OS code injection
  • User locks and unlocks

Audit records from the SLES audit log are displayed in the alert details. The records include the audit event number and auid of the initial user that triggered the event.

The Cybersecurity Extension for SAP includes integrated incident response procedures to support forensic investigations. Users can select the Respond option from an alert to start an investigation and document the findings.