Layer Seven Security

RECON: Secure Your Systems with SAP Solution Manager

US-CERT issued Alert AA20-195A on Monday for the so-called RECON (Remotely Exploitable Code On NetWeaver) vulnerability in SAP NetWeaver Application Server Java (AS Java). RECON impacts versions 7.3 and higher of AS Java including an estimated 40,000 SAP systems. Based on a BinaryEdge search, 4,000 of the impacted systems are internet-facing. The vulnerability is rated 10/10 using the Common Vulnerability Scoring System and can be exploited remotely by unauthenticated attackers to fully compromise SAP systems.

RECON targets a missing authentication flaw in the LM Configuration Wizard of AS Java to execute malicious code that creates administrative users in compromised systems. Attackers can exploit RECON to compromise not only AS Java systems but also connected systems including SAP ERP, CRM, SCM, and BW.

CISA strongly recommends that SAP customers apply SAP Note 2934135 to mitigate RECON. The note introduces authentication and authorization for the LM Configuration Wizard and therefore secures against RECON attacks. As a workaround, the application tc~lm~ctc~cul~startup_app can be disabled if the note cannot be applied. The LM Configuration Wizard is required by SAP Landscape Management. According to SAP, “This application is used by a few SAP Lifecycle procedures only, such as the initial technical setup. It is not needed for a day-to-day operations. You can temporarily activate or enable this application for executing the SAP lifecycle procedures.” Procedures for disabling the LM Configuration Wizard are detailed in SAP Note 2939665.

The implementation status of Notes 2934135 and 2939665 for impacted systems should be tracked using System Recommendations (SysRec) in SAP Solution Manager. SysRec connects directly to SAP Support to discover relevant notes for SAP applications, databases and components.

Users can create custom tiles in SysRec to track the implementation status of RECON notes in their SAP landscape from the Fiori launchpad.

The Cybersecurity Extension for SAP Solution Manager monitors Java application logs to detect the signature of RECON exploits. This includes enabling and executing the vulnerable application. The Extension also detects the creation of new administrative users and connections by new users or source IP addresses using anomaly detection. RECON alerts can be investigated using the incident response procedures Preventing RECON Attacks and Investigating Suspected RECON Attacks.

Email and SMS notifications are triggered for RECON alerts. The alerts can also be monitored in Solution Manager using the Alert Inbox, System Monitoring, and other applications. They can also be integrated with SIEM solutions for cross-platform monitoring. Custom alarms can be added to the Fiori launchpad to notify users of suspected RECON exploits.

SAP Security Notes, June 2020

Hot News note 2928570 patches a critical remote code execution vulnerability in SAP Liquidity Management for Banking. The vulnerability impacts connections using the Apache JServ Protocol (AJP) in Apache Tomcat. AJP connections should be blocked if not required by disabling the AJP Connector. The connections can be exploited to read and process arbitrary files in the Apache web server. This can be abused to perform remote code execution if web applications allow file uploads and the processing of files as JavaServer Pages. Apache Tomcat has been upgraded to harden the AJP Connector. However, SAP does not recommend upgrading the web server. Rather, note 2928570 provides manual procedures for disabling the AJP Connector or securing AJP connections with a secret key.
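The check below is an added example, not code from SAP Note 2928570 or from Layer Seven Security. It reads a Tomcat `server.xml` and reports every active AJP connector that has no shared secret or listens beyond loopback; the sample configuration is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml, not taken from any real system.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!-- <Connector port="8010" protocol="AJP/1.3"/> -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8019" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="CHANGE-ME-placeholder"/>
    <Connector port="8029" protocol="org.apache.coyote.ajp.AjpNioProtocol"
               address="0.0.0.0" requiredSecret=""/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml):
    """Return one finding per active AJP connector in a Tomcat server.xml."""
    root = ET.fromstring(server_xml)
    findings = []
    # Commented-out connectors are XML comments, so they never appear here.
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():
            continue
        # 'secret' is the current attribute name, 'requiredSecret' the older one.
        secret = conn.get("secret") or conn.get("requiredSecret") or ""
        address = conn.get("address")
        issues = []
        if not secret:
            issues.append("no shared secret configured")
        if conn.get("secretRequired", "").lower() == "false":
            issues.append("secretRequired is false")
        if address is None:
            issues.append("no address attribute; bind address depends on the Tomcat version default")
        elif address not in LOOPBACK:
            issues.append("listens on non-loopback address " + address)
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "; ".join(finding["issues"]) or "ok"
        print("AJP connector on port", finding["port"], "->", status)
```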

Note 2918924 provides instructions for removing hard-coded credentials in SAP Commerce and SAP Commerce Datahub. The use of default passwords for admin and other built-in accounts has been discontinued for new installations of SAP Commerce. Since re-initializing SAP Commerce leads to the deletion of all data in the application, SAP recommends using the scripts in Note 2922193 to remove default credentials in existing installations.

Note 2933282 removes a missing authorization check that could lead to an escalation of privileges in SAP SuccessFactors Recruiting.

Notes 2906366 and 2734580 include corrections for high priority information disclosure vulnerabilities in SAP Commerce and SAP NetWeaver Application Server ABAP (AS ABAP), respectively.

Anomaly Detection with Cybersecurity Extension for SAP

Threat detection is commonly performed through rules or signature-based pattern matching. Detection engines compare actual events with patterns of malicious events to discover indicators of compromise (IOCs).  IOCs discovered by detection engines typically trigger an alarm or alert for a suspected security breach.

Pattern matching is a tried and tested method to identify known exploits in systems including SAP applications. However, there are several drawbacks with the approach. Attackers can obfuscate their actions to bypass attack detection patterns. Also, since pattern matching detects IOCs based on known signatures, new or emerging IOCs that have not yet been registered are not detected.

Anomaly-based threat detection provides an alternative to pattern matching with greater protection against anti-forensics and the capability to detect previously unknown attacks. Anomaly-based systems rely on profiles of expected or normal user and system behavior.  Actions by users or events in systems that deviate from the profiles generate an alarm or alert.   

Unlike rules and signatures for pattern matching, profiles for anomaly detection cannot be created and maintained manually. Anomaly detection is usually applied through machine learning platforms that automate profile building and analysis for large pools of data.

The Cybersecurity Extension for SAP uses a pattern matching approach for threat detection in SAP systems. IOCs detected by the solution using pattern matching are displayed and managed in applications such as Security Forensics, System Monitoring, and the Alert Inbox. For anomaly detection, event logs collected, filtered, and normalized by Solution Manager are forwarded to the Predictive Analysis Library (PAL) in SAP HANA.

PAL includes functions for applying complex analytic algorithms using SQLScript database procedures. The functions include procedures for clustering, regression, time series, and other algorithms that are used to detect outliers in security logs. Anomalies discovered by PAL are transmitted back from SAP HANA to the Anomaly Detection app in the Cybersecurity Extension for SAP. The application is accessed from the Fiori launchpad in SAP Solution Manager.

Anomaly results are summarized by period. Results can be analyzed by the week, day or hour.

Results are filtered using Advanced Search. This supports filtering by anomaly, date, time, system, user, and source IP/terminal. Results can also be filtered by anomaly type to view anomalies based on either event data or alert data. Event anomalies include outliers such as a high volume of transaction starts, report starts, or data downloads, or a user request from a new IP address or terminal. Alert anomalies include areas such as a high volume of alerts for a specific system, user or source, or a new alert for a user or system.

Anomalies calculated using standard deviation are scored based on distances from statistical averages. The further the distance from the mean, the higher the confidence level for the anomaly. The results displayed in Anomaly Detection are prefiltered for medium and high confidence anomalies. Anomaly-based threat detection can have a higher incidence of false positives than pattern-based detection. It can generate alarms for every deviation from expected norms. Therefore, an effective scoring mechanism is essential to enable security administrators to identify and focus on high-confidence anomalies.
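The scoring described above can be sketched as follows. This is an added example in Python, not the product's PAL/SQLScript code: the thresholds, the sigma floor, the minimum history length and the confidence given to a first-seen source IP are assumptions, and the sample data is constructed.

```python
from statistics import mean, pstdev

# Assumed values: the page does not state the product's thresholds.
MEDIUM_Z, HIGH_Z = 2.0, 3.0   # distance from the mean, in standard deviations
MIN_HISTORY = 5               # fewer samples than this: no profile is built
SIGMA_FLOOR = 1.0             # stops a flat history from producing a zero divisor


def build_profiles(history):
    """Turn {user: [hourly event counts]} into {user: (mean, stdev)}."""
    profiles = {}
    for user, counts in history.items():
        if len(counts) >= MIN_HISTORY:
            profiles[user] = (mean(counts), max(pstdev(counts), SIGMA_FLOOR))
    return profiles


def confidence(z):
    """Map a distance from the mean to a confidence level."""
    if z >= HIGH_Z:
        return "high"
    if z >= MEDIUM_Z:
        return "medium"
    return "low"


def detect(profiles, known_ips, observations):
    """Score (user, source_ip, count) observations; keep medium and high only."""
    anomalies = []
    for user, ip, count in observations:
        if ip not in known_ips.get(user, set()):
            # A first-seen source has no distance to measure; "medium" is assumed.
            anomalies.append((user, "new source IP", ip, "medium"))
        if user not in profiles:
            continue
        mu, sigma = profiles[user]
        z = (count - mu) / sigma
        level = confidence(z)
        if level != "low":  # low-confidence deviations are prefiltered
            anomalies.append((user, "high event volume", round(z, 2), level))
    return anomalies


# Constructed sample data (hourly data-download counts), not real logs.
HISTORY = {"JSMITH": [2, 8, 5, 9, 3, 6, 4, 7], "BATCH01": [100] * 8}
KNOWN_IPS = {"JSMITH": {"10.0.0.5"}, "BATCH01": {"10.0.0.9"}}
OBSERVATIONS = [
    ("JSMITH", "10.0.0.5", 9),       # within normal spread, filtered out
    ("JSMITH", "10.0.0.5", 11),
    ("JSMITH", "10.0.0.5", 40),
    ("JSMITH", "203.0.113.7", 6),    # normal volume, unseen source
    ("BATCH01", "10.0.0.9", 101),    # flat history: sigma floor applies
    ("BATCH01", "10.0.0.9", 104),
]

if __name__ == "__main__":
    for row in detect(build_profiles(HISTORY), KNOWN_IPS, OBSERVATIONS):
        print(row)
```

The sigma floor matters for accounts such as batch users whose history is perfectly flat: without it, a one-event deviation would divide by zero or score as an extreme outlier.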

Results can be sorted and exported to CSV/PDF with the applied filters. The layout can be personalized by users to add, remove, and rearrange columns.

The details for each anomaly can be viewed by clicking on an anomaly in the summary. Anomaly times are in UTC. Timestamps for events are based on system time.

The Notify option can be used to append the anomaly details to an email for sharing.

The Cybersecurity Extension for SAP enables advanced threat detection for SAP systems by combining the benefits of both signature and pattern-based detection with anomaly detection using SAP HANA. Licensing for SAP HANA is included with the usage rights for SAP Solution Manager 7.2.

SAP Discloses Critical Vulnerabilities in ASE Databases

SAP customers are urged to apply a series of recent patches released by SAP for the Adaptive Server Enterprise (ASE).  SAP ASE, previously known as Sybase SQL Server and Sybase ASE, is a widely deployed database platform used for both SAP and non-SAP applications. According to SAP, ASE is used by over 30,000 customers worldwide, including 90 percent of the top 50 banks.

Four of the patches released by SAP are for critical or high-risk vulnerabilities in multiple components of ASE. The vulnerabilities impact ASE versions 15.7 and 16.0 and carry CVSS scores ranging between 7.2 and 9.1.

Note 2917275 patches the most severe of the vulnerabilities by applying input validation for DUMP and LOAD commands that could be exploited to overwrite critical configuration files during database backup operations. Attackers can run DUMP commands to overwrite database configuration files with corrupted versions that will replace the default configuration. This can be exploited to install backdoors to ASE using credentials stored in the corrupted configuration files. It can also be exploited to execute arbitrary commands and executables using local system privileges by modifying the sybmultbuf_binary Backup Server setting.

Note 2917090 impacts Windows installations of SAP ASE 16. Credentials for SQL Anywhere packaged in ASE can be read by any Windows user. SQL Anywhere supports database creation and version management. The credentials can be used to perform code execution with local privileges.

Notes 2916927 and 2917273 deal with high-risk SQL injection vulnerabilities in global temporary tables and ASE Web Services. Both vulnerabilities can be exploited to escalate privileges in ASE.

Database security notes including patches for ASE should be regularly monitored and applied using System Recommendations in SAP Solution Manager. Solution Manager connects directly to SAP Support for patch updates and monitors the patch status of SAP applications and databases. SAP Solution Manager also supports comprehensive vulnerability management for SAP ASE. Automated, daily security scans for ASE should be configured using Solution Manager to check for vulnerabilities related to the database configuration, administrative privileges, stored procedures, and other areas. The ASE audit log can be monitored by the Monitoring and Alerting Infrastructure (MAI) in Solution Manager to detect and alert for suspected malicious commands. To learn more, contact Layer Seven Security.

SAP Security Notes, May 2020

Hot News Note 2835979 patches a critical code injection vulnerability in Service Data Download. The vulnerability can be exploited by attackers to inject malicious code into the ST-PI plugin for NetWeaver Application Server ABAP (AS ABAP). This could lead to the complete compromise of ABAP servers.  The vulnerability carries a base CVSS score of 9.9/10 and can be exploited over the network.

Hot News Note 2885244 carries a similar CVSS score of 9.8/10 and can be exploited to bypass authentication using REST Webservices (BIPRWS) for Live Data Connect in the SAP Business Intelligence Platform. The fix packaged with the note enables Live Data Connect to log on to the BI Central Management Server (CMS) with a shared key. This prevents logons to the CMS without a password when using trusted authentication. The fix is available for version 2.4 of Live Data Connect. Customers using earlier versions are advised to upgrade to version 2.4.

Notes 2917275 and 2917090 patch critical code injection and information disclosure vulnerabilities in the Backup Server and Cockpit of SAP Adaptive Server Enterprise (ASE), formerly Sybase ASE. ASE is a widely used database platform for SAP systems. Note 2917275 applies input validation checks for DUMP and LOAD commands to prevent the execution of malicious user-provided code.  Note 2917090 prevents the disclosure of sensitive system and user data including account credentials. The impacted ASE versions are 16.0 SP02 and SP03.

Visualize Security Risks for SAP Systems with Threat Maps

Threat Maps in SAP Solution Manager visualize security vulnerabilities, missing patches and open alerts for SAP systems across geolocations. They provide a fast and intuitive way to display and interact with security information for SAP landscapes that span multiple cities, countries, or regions.

System data is maintained in the Landscape Management Database (LMDB) of SAP Solution Manager. The LMDB stores information related to technical systems, hosts, databases and domains in SAP landscapes. This includes installed software components and versions, database types and releases, clients, instances, RFC destinations and OS details for SAP systems.

Attributes for systems are maintained directly in the LMDB. Systems can be assigned to business units using the Description attribute. The environment and priority level for systems are maintained using the attributes IT Admin Role and Priority.  The coordinates for business units in terms of longitude and latitude are maintained in the Location attribute, separated by a comma.

The system attributes maintained in the LMDB integrate directly with the Threat Map, accessible from the Fiori launchpad in Solution Manager.

Users can switch between results for vulnerabilities, patches and alerts using the toolbar at the top of the application.

The size and opacity of geocircles is driven by quantitative and qualitative factors including volume, rating, environment and system priority.

Results are summarized for each business unit. However, users can drill down to detailed results by clicking on the geocircles.

Map filters support filtering based on system, environment and priority.

Results can also be filtered by period to display results from the current day to the prior year.

The Threat Map can be customized to focus on specific countries or regions. Navigation tools support zoom in and out. The map also supports click and drag for navigation.

Map filters and positions can be saved to the Fiori launchpad as custom tiles.

The Threat Map is bundled in the Cybersecurity Extension for SAP Solution Manager available from Layer Seven Security.

SAP Discloses Security Gaps in Cloud Solutions

SAP issued a statement last week to disclose security lapses in several cloud products including SAP Cloud Platform, SAP Analytics Cloud, SuccessFactors, and Concur. According to the statement, the disclosure was prompted by an internal security review. SAP does not believe customer data has been compromised as a result of the issues. The lapses impact 9% of the company’s 440,000 customers.

The announcement is expected to dampen customer support for digital transformation initiatives intended to shift the hosting of SAP applications from on-premise data centers to cloud providers.

SAP also announced that the organization is updating security-related terms and conditions for its cloud solutions.  In response to concerns that such changes may be intended to reduce SAP’s legal risk for security issues and shift more responsibility for security to customers, SAP declared that the terms and conditions will “remain in line with market peers”.

Furthermore, SAP denied any link between the announcement and security breaches attributed to the Cloud Hopper hacking campaign. Cloud Hopper successfully exfiltrated sensitive data from multiple organizations by penetrating HPE’s cloud computing service. The campaign is suspected to be sponsored by the Chinese Ministry of State Security.

SAP Security Notes, April 2020

Hot news note 2863731 provides updated correction instructions for a critical deserialization vulnerability in the enterprise Business Objects platform. The Crystal Reports .Net SDK WebForm Viewer in Business Objects could enable attackers with basic authorization to execute deserialization attacks. This could be exploited to perform malicious code execution.

Note 2904480 patches a significant input validation vulnerability in REST XML APIs within SAP Commerce. This could impact the availability and confidentiality of web stores based on the eCommerce platform.

Note 2896682 delivers corrections for a high risk directory traversal vulnerability in Knowledge Management that could enable attackers to overwrite, delete, or corrupt files on SAP servers.

Note 2902645 removes a privilege escalation vulnerability impacting the SAP Host Agent. SAP recommends updating the Agent to at least version 7.21 PL46 to prevent attackers from gaining root privileges over the underlying operating system using the Agent’s Operation Framework. Note 1031096 provides instructions for upgrading the Host Agent.

Finally, notes 2495144 and 2495462 provide switchable authorization checks for specific, sensitive function modules in SAP Central Finance and SAP Leasing. Switchable checks supplement checks for authorization object S_RFC. They should be activated using transaction SACF after the notes are applied.   

Automating SAP Audits with Solution Manager

According to IDC, 80% of ERP applications are audited at least once every 12 months. Driven by regulatory requirements, audits can drain valuable resources from projects targeted at business growth. They can also lead to audit fatigue and undermine relationships between IT and audit stakeholders.

Compliance Reporting in SAP Solution Manager enables organizations to automate audits for SAP systems and reallocate resources to projects and audits focused on other organizational goals. The continuous monitoring powered by the application also enables auditors to identify compliance gaps immediately rather than at the end of a reporting period. This can reduce regulatory risk by providing owners with more time to remediate control gaps.

Compliance Reporting is accessed from the Fiori launchpad in SAP Solution Manager. Results are automatically updated by daily scheduled scans.

Compliance frameworks and systems are selected in the report filter. There are optional filters to select specific control requirements and systems based on environment or priority. Reports can also be filtered to include or exclude controls based on risk rating and compliance result.  

Compliance Reporting currently supports frameworks including CIS, IT-SOX, NIST and PCI-DSS. Support for additional frameworks including GDPR and NERC CIP is expected at the end of Q2 2020. Customers can import custom frameworks to automate auditing for internal security policies and other requirements.

Results for applications and databases are reported in separate columns. The report provides an overall compliance score based on the selected framework and systems. Results are summarized for each requirement.

Users can drill down into each requirement to review the results for specific controls. Control ratings and descriptions are included in the report to support analysis.

Reports can be exported to CSV or PDF. The Report Detail option specifies whether results are exported at the Requirement, Control or Description level.

Layer Seven Security Recognized as Top 25 Cyber Security Company

Layer Seven Security has been selected by a panel of experts and members of the CIO Applications editorial board for inclusion in the Top 25 Cyber Security Companies for 2020. The annual list is compiled by CIO Applications to recognize and promote organizations that provide cutting-edge cybersecurity solutions. CIO Applications is a Silicon Valley industry publication based in San Francisco, California. The recognition is based on an evaluation of Layer Seven Security’s innovative Cybersecurity Extension for SAP Solution Manager. The Extension is an add-on for the Solution Manager platform, delivering automated vulnerability management, threat detection and incident response for business-critical SAP systems. Read the full article at CIO Applications.