Hot News note 3014121 patches a critical remote code execution vulnerability in SAP Commerce. The Backoffice application in SAP Commerce enables certain users with required privileges to edit drools rules. An authenticated attacker with this privilege is able to inject malicious code in the drools rules, enabling the attacker to compromise the SAP host. This vulnerability affects the DroolsRule item type of the ruleengine extension. The DroolsRule item type exposes scripting facilities via its ruleContent attribute. Changing of ruleContent should normally be limited to highly privileged users, such as members of admingroup. Due to a misconfiguration of the default user permissions that are shipped with SAP Commerce, several lower-privileged users and user groups can gain permissions to change DroolsRule ruleContents and access scripting facilities.
SAP Commerce installations that do not have the ruleengine extension installed are not affected. However, the extension is a common component of SAP Commerce installations. Note 3014121 improves the default permissions that govern change access to scripting facilities of DroolsRules. Script editing facilities for DroolsRules can be disabled in the SAP Commerce Backoffice as a second line of defense.
Note 2986980 was updated for SAP Business Warehouse releases 7.0x. The note patches SQL injection and missing authorization checks in the Database Interface of SAP BW.
Notes 2743329 and 2475705 introduce switchable authorization checks for sensitive RFC-enabled modules in S/4HANA and SAP ECC.
Toronto, Canada – March 8, 2021 – Layer Seven Security today announced its Cybersecurity Extension v3.4 for SAP®Solutions has achieved SAP®-certified integration with the SAP NetWeaver® technology platform. The solution has been proven to integrate with SAP solutions, providing automated vulnerability management, threat detection and incident response for SAP applications and infrastructure.
“We are delighted to announce that our Cybersecurity Extension v3.4 for SAP Solutions has achieved SAP-certified integration with SAP NetWeaver,” said Ian Thomson, Chief Operating Officer at Layer Seven Security. “The certification will support the successful integration of the extension in SAP landscapes, helping customers to protect business-critical SAP systems against the threat of cyber attacks.”
The SAP® Integration and Certification Center (SAP ICC) has certified that Cybersecurity Extension v3.4 for SAP Solutions integrates with SAP NetWeaver. Technology or infrastructure products that have SAP-certified integration with SAP NetWeaver have proven to interoperate with the technology platform.
Layer Seven Security is a partner in the SAP PartnerEdge® program. As such, it is empowered to build, market and sell software applications on top of market-leading technology platforms from SAP. The SAP PartnerEdge program provides the enablement tools, benefits, and support to facilitate building high-quality, disruptive applications focused on specific business needs – quickly and cost-effectively. The program provides access to all relevant SAP technologies in one simple framework under a single, global contract.
About Layer Seven Security
Layer Seven Security is an SAP partner, headquartered in Toronto, Canada. The company’s Cybersecurity Extension for SAP® Solutions performs advanced security diagnostics and monitoring for SAP systems. The Extension delivers real-time security intelligence for cloud and on-premise SAP systems including SAP HANA®, ABAP® and J2EE platforms. It supports security monitoring across the SAP system stack including application, database, operating system, and program layers, as well as components such as the SAProuter and SAP Web Dispatcher.
###
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries. Please see https://www.sap.com/copyright for additional trademark information and notices. All other product and service names mentioned are the trademarks of their respective companies.
Any statements in this release that are not historical facts are forward-looking statements as defined in the U.S. Private Securities Litigation Reform Act of 1995. All forward-looking statements are subject to various risks and uncertainties described in SAP’s filings with the U.S. Securities and Exchange Commission, including its most recent annual report on Form 20-F, that could cause actual results to differ materially from expectations. SAP cautions readers not to place undue reliance on these forward-looking statements which SAP has no obligation to update and which speak only as of their dates.
The SAP Web Dispatcher is an application gateway that filters Internet based traffic to SAP systems including HTTP requests. As an entry point for Web-based communications in SAP landscapes, the Web Dispatcher can help to secure remote access to SAP systems by enforcing security standards for external connections and filtering connection requests.
However, the Web Dispatcher can also be the focal point for attackers looking for an externally reachable pathway to SAP systems. Therefore, it is critical to secure the Web Dispatcher against misuse and prevent attackers from compromising SAP landscapes through poorly configured gateways.
The Web Dispatcher should be regularly patched and updated to prevent attackers from exploiting known program-level vulnerabilities. You should monitor composite note 538405 to stay up-to-date with the latest Web Dispatcher versions.
Default error messages that disclose sensitive information to attackers should be blocked and replaced with custom messages.
The admin port for the Web Dispatcher should not be accessible from external networks. Administration should be restricted to internal hosts. Public monitoring information in the Web admin interface should be blocked.
SSL should be enforced for connections including communications between the Web Dispatcher and back-end systems and metadata exchange with message servers and application servers.
Finally, filtering should be enabled to enforce positive or negative lists for access requests. The Web Dispatcher supports multiple filtering mechanisms including ACL files and authentication handlers. ACL files can be used if access should be filtered based on client IP address or IP range. Authentication handlers should be used if requests need to be filtered for specific URLs. Both approaches support logging of successful and unsuccessful requests. Access to the following URLs should be blocked or restricted:
The Cybersecurity Extension for SAP monitors the security of the Web Dispatcher using the SAP Solution Manager platform. The SAP-certified addon detects vulnerable Web Dispatcher versions and patch levels, improper error handling that could lead to information disclosure, the use of insecure Web Dispatcher settings, protocols, and filters, and calls to critical URLs captured in Web Dispatcher logs.
Hot News note 2983367 corrects a code injection vulnerability in Master Data Management in SAP Business Warehouse and SAP BW4HANA. The vulnerability could be exploited to execute privileged OS commands. The correction introduces a hard coded report name which can only be executed by a legitimate user in release 7.30. The note removes the impacted function in BW/4HANA.
Hot news note 2999854 patches a similar code injection vulnerability in SAP Business Warehouse and SAP BW4HANA. The note improves input validation to prevent the injection and execution of malicious code through the impacted function module.
Note 3000306 removes a high-risk Denial of service (DOS) vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) and ABAP Platform. The note blocks the parallel execution of demo examples from the web version of ABAP Keyword Documentation to prevent resource exhaustion.
Finally, note 2993132 is updated for a missing authorization check impacting a RFC-enabled function module in SAP NetWeaver AS ABAP and SAP S4 HANA.
The software supply chain attack suffered by SolarWinds may have impacted as many as 425 of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US Military, the Pentagon, the State Department, the world’s largest cybersecurity firm, as well as hundreds of organizations worldwide.
The attack targeted the Orion Platform used for SolarWinds products including tools for automated patch management and security & compliance. According to SolarWinds, the initial breach is suspected to have occurred in September 2019. The attackers subsequently modified an Orion plug-in that was distributed as trojanized updates to SolarWinds customers from February 2020. The attack remained undetected until December 2020.
The trojanized component was detected and labeled as SUNBURST by FireEye. According to FireEye, “After an initial dormant period of up to two weeks, (SUNBURST) retrieves and executes commands, called ‘Jobs,’ that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services….The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”
SUNBURST was used by attackers to move laterally within networks and target other servers and components. Backdoors were often created in compromised systems to install the malware dropper known as TEARDROP. This was used to deploy a version of the Cobalt Strike BEACON payload, a commercial penetration testing and post-exploitation agent.
SUNBURST is a highly sophisticated software supply-chain attack. Such attacks are difficult to detect since they exploit trust relationships between software vendors and customers that are the basis for server-to-server communications used to deliver software updates.
The attack has significant implications for SAP cyber security by dramatically increasing the risk associated with the use of third-party security platforms. Such platforms provide a direct channel to business-critical SAP applications and infrastructure. The agents, consoles and sensors installed in SAP landscapes for third party solutions could be exploited to compromise connected SAP systems. The risk is heightened when such solutions connect directly to external servers for software updates. Transport layer encryption and digitally signed certificates for delivering updates do not protect against software supply chain attacks if the updates are trojanized at source.
Open-source software packaged in third party security solutions also provide vulnerable targets for threat attackers targeting supply chain attacks. Certain cyber security solution providers include the open-source Ubuntu operating system in images powering their consoles or sensors. Ubuntu has approximately 1200 vulnerabilities disclosed in the National Vulnerability Database. SAP customers that rely on third party software are completely dependent on external vendors to ensure open-source platforms and components such as Ubuntu are hardened and patched regularly.
Finally, while third party solutions monitor the security of SAP applications, it is not clear if these solutions include capabilities to self-monitor and detect incidents and breaches that occur within the solutions.
SAP customers can avoid the risks of software supply chain attacks by using their SAP Solution Manager installations for security monitoring. Unlike third party security solutions, Solution Manager is updated through a direct connection to SAP Support. Updates for monitoring the patch level of SAP systems are therefore sourced directly from SAP rather than external sources.
SAP Solution Manager also does not include vulnerable open-source software such as Ubuntu. Solution Manager installations operate with closed-source, enterprise-level operating systems.
Finally, SAP Solution Manager performs self-monitoring. In a dual landscape, Solution Manager installations can monitor each other. Therefore, Solution Manager can detect vulnerabilities, missing patches, user anomalies, and security incidents occurring within the platform.
Overall, SAP Solution Manager provides a more robust, secure platform for protecting SAP landscapes from cyber threats than third-party solutions that are susceptible to software supply chain attacks.
Hot News note 2983367 patches a severe OS command injection vulnerability in SAP Business Warehouse Master Data Management (MDM) and BW4HANA. For release 7.30, the note binds the execution of the affected function module to a hard coded report and legitimate users. For release 7.40 and higher, the note removes the vulnerable function altogether.
Note 2974774 deals with a missing authentication check in P2P Cluster Communication within SAP NetWeaver Application Server Java (AS Java). P2P Cluster Communication supports message exchange between server nodes within a cluster. The note provides a correction to prevent connections from outside the cluster that could be abused to perform administrative functions including system shutdowns. As a workaround, the message server access control list can be modified to allow P2P connections from only trusted IP addresses. Also, network firewall rules can be used to block external access to the P2P port.
Hot News note 2979062 includes an update for a critical privilege escalation vulnerability in the UDDI server of AS Java. The vulnerability can be exploited to completely compromise the confidentiality, integrity and availability of the server OS. The update provides fixes for version SR UI 7.40, SP 017 & SR UI 7.31, SP 022.
The SAP Security Baseline is a widely used benchmark for securing SAP applications. The benchmark includes SAP recommendations for system hardening, authentication and authorization, logging and auditing, and other areas. The recommendations draw on SAP security notes, guides and whitepapers. The SAP Security Baseline was updated by SAP earlier this year and provides an up-to-date framework for safeguarding SAP ABAP, HANA and Java systems against known vulnerabilities and threats. Note 2253549 includes a link to the latest version of the framework.
The Cybersecurity Extension for SAP Solution Manager performs automated gap assessments for SAP systems against the SAP Security Baseline. The extension identifies compliance gaps in SAP systems to highlight configuration, user and other issues that do not meet SAP requirements defined in the baseline. The extension eliminates the need for periodic, manual audits and supports on-demand compliance reporting.
Control gaps are automatically discovered via daily background jobs. The gaps are reported in the Compliance Report application, accessible from the Fiori launchpad for SAP Solution Manager.
The SAP Security Baseline template can be selected from the list of supported frameworks.
There are optional filters to select specific baseline requirements and systems based on environment or priority. Reports can also be filtered to include or exclude requirements based on risk rating and compliance result. Once the framework and system is selected, users can select Go to view the results.
The overall compliance level for the system is displayed the report header. The results for each requirement of the SAP Security Baseline are displayed in the main body of the report.
Users can drilldown into each requirement to review the results for specific controls. Control ratings and descriptions are included in the report to support analysis.
Reports can be exported to CSV or PDF. The Report Detail option specifies whether results are exported at the Requirement, Control or Description level.
Users can also save shortcuts for prefiltered reports to the Fiori launchpad.
Hot News note 2973735 patches a code injection vulnerability in SAP AS ABAP and S/4 HANA. The note introduces an authorization check for object S_DMIS to control the execution of a vulnerable function module by RFC. The function module is used for checking the syntax for a table selection query. Attackers can abuse the function module to inject malicious ABAP code that could lead to the complete compromise of the affected system.
Note 2982840 addresses multiple critical vulnerabilities in SAP Data Services, including remote execution and denial of service.
Hot News notes 2985866 and 2890213 remove missing authentication checks in the LM-SERVICE within the Java stack of SAP Solution Manager.
Finally, note 2979062 deals with a privilege escalation vulnerability in the UDDI Server of SAP NetWeaver Application Server for Java. The vulnerability could be exploited to execute arbitrary OS commands and compromise the operating system.
Security monitoring using SAP Solution Manager is driven by a series of background jobs that automate data collection and analysis for system vulnerabilities, security notes, and event logs. Vulnerability data is extracted daily, notes information is collected weekly, and event data can be collected as frequently as every minute. Any interruption to the background jobs for these areas could impact the coverage of security monitoring.
SAP Solution Manager supports centralized monitoring for jobs in SAP systems with automated detection and alerting for job errors. Monitoring for scheduled jobs is setup using a guided procedure that includes steps for selecting relevant jobs, activating alerts, and enabling email/ SMS notifications for alerts.
You can access Job Monitoring from Application Operations in SAP Solution Manager Configuration.
Steps 1-3 of the guided procedure prepare the infrastructure for job monitoring including setup of the required users. Steps 4-6 involve the selection of scheduled jobs for monitoring and configuring alerts and notifications. In the following example, we will create a monitoring scenario for the standard job SM:SYSTEM RECOMMENDATIONS. This job connects to SAP Support on a weekly schedule to calculate required security, correction, performance, legal, and other notes for systems. It also connects to managed systems to determine the implementation status of calculated notes.
In the first step of the scenario configuration, we define a name and description for the scenario.
During the second step, we select the systems for the scenario. Since SM:SYSTEM RECOMMENDATIONS runs from Solution Manager, we will select a SolMan installation.
Next, we maintain the scope for the scenario in terms of the specific job.
Once the job is selected, we can adjust the metric settings including thresholds for job errors, processing times, terminations and warnings.
Finally, we activate the alerting and select the required language, severity and description for the alert.
Recipients for email notifications triggered for alerts can be maintained in the Incident and Notifications tab.
Once the scenario is activated in the final step, we will be immediately alerted and notified by Solution Manager for any issue that interrupts the successful execution of the system recommendations job. The steps can be repeated for other scheduled jobs in SAP Solution Manager and managed systems.
Hot news note 2969828 patches a OS command injection vulnerability in CA Introscope Enterprise Manager (EM) installed in SAP Solution Manager and SAP Focused Run. EM can be used to monitor the performance of Java applications. The note includes a patch for EM 10.7 and 10.5 SP2 patch 2 to remove the vulnerability. Earlier versions need to be upgraded to version 10.5.2.113 before applying the patch. The EM service can be stopped in systems if the patch can not be immediately applied. Stopping the service will not impact the Cybersecurity Extension for SAP Solution Manager since the service is not required by the extension.
Note 2969457 removes a missing XML Validation in Compare Systems within SAP NetWeaver that can be exploited to read arbitrary OS files and provoke a denial of service.
Note 2972661 patches a high priority reflected cross site scripting vulnerability in the SAP NetWeaver Composite Application Framework.
Notes 2941315 and 2898077 contain important updates for a missing authentication check in SAP NetWeaver AS JAVA and information disclosure in SAP Business Objects Business Intelligence Platform, respectively.