Note 2841053 patches a high risk Denial of Service (DOS) Vulnerability in the SAP Host Agent. Username/password-based authentication requests for the SAP Host Agent are delegated to operating systems or LDAP, Active Directory and other authentication platforms. Operating systems and authentication platforms often include mechanisms to limit parallel logon requests in order to protect against brute force attacks. This could lead to delayed responses to logon requests. Note 2841053 recommends blocking access from untrusted networks to the Host Agent ports 1128 and 1129. Alternatively, access to the Host Agent can be bound to specific IP addresses or hostnames defined in the value for profile parameter service/hostname or using an access control list specified in the host_profile of the agent. Another option is to disable username/password-based authentication and only allow certificate-based authentication using the value disabled for the host profile parameter saphostagent/authentication_method.
Notes 2878030 and 2877968 deal with missing input validation vulnerabilities in SAP Landscape Management. Attackers with admin privileges could exploit the vulnerabilities to execute malicious commands with root privileges in the SAP Host Agent through Landscape Management. The options for SAP Landscape Management Internal Operation Check and LVMIntOpOld should be enabled before applying the corrections in the support package referenced in the notes. RuntimeInternalOperationValidator should be executed after the corrections are applied to activate the fixes in all hosts.
Security Information and Event Management (SIEM) systems support centralized security monitoring across networks. They ingest and analyze data from hosts, routers, switches, firewalls and other components to identify and respond to security threats.
SIEM systems can ingest data directly from SAP application
logs. However, direct integration is complex and laborious. It also requires
high maintenance and may substantially increase costs if SIEM licensing is tied
to log size or events per second.
This challenge can be overcome by integrating SAP logs with
SIEM systems using SAP Solution Manager, a management server in SAP landscapes.
Solution Manager filters, structures and enriches security event data in SAP
logs to support fast, seamless integration with SIEM systems.
This webinar recording discusses the challenges of direct ingestion of SAP logs and the benefits of integration using Solution Manager. It also provides recommendations for configuring audit settings and policies for the following data sources in SAP:
Security Audit Log System Log ICM Log Business Transaction Analysis Gateway Log Change Documents Read Access Log Java Security Log HANA Audit Log SAProuter Log
The webinar is a digest of the whitepaper SIEM Integration
for SAP.
Maintaining system security in dynamic SAP environments is a constant challenge. New users are added every day. Permissions for existing users are constantly updated to keep up with changing requirements. Software updates, transports and other changes introduce new components or developments and often necessitate changes to system settings. With each change, even hardened systems can become less secure and more vulnerable to intrusion.
To some extent, the risk of configuration drift can be
managed through regular vulnerability scanning. However, scan results only identify
the consequences of changes, not the root cause. Periodic audits of system and
user changes can also help to address the risk. Audits can uncover compliance gaps
against change management protocols, but are limited in scope since they are usually
performed manually.
Change Analysis in SAP Solution Manager provides an
automated response to the risk of configuration drift in SAP systems. The
application tracks changes in systems including ABAP, HANA, Java parameters, database
and operating system settings, user privileges, notes, software updates, and transport
requests. The tool maintains a history of changes performed in each system for two
years.
Change Analysis is accessed from the Root Cause Analysis
work center in the Fiori launchpad for SAP Solution Manager.
Scope selection supports filtering of changes by system, type or environment.
Results can be filtered further to focus on changes within a specific time frame.
The filtered results are summarized in the dashboard below.
The dashboard supports drilldown from summarized results by system and category into detailed changes. In the example below, the results reveal that the value of parameter gw/accept_timeout was modified in system AS2 at 3.00PM on February 11, 2020.
In another example, the results reveal that the profile SAP_ALL was assigned to the user ATTACKER9 on the same day in the identical system.
Notifications for changes to critical areas can be configured using the monitoring and alerting framework within Solution Manager. The notification below is an alert for changes to RFC destinations. Email and SMS notifications for changes are also supported. Alerts can be integrated with SIEM systems or incident management systems for automated ticketing.
Change Reporting can be used to compare the configuration of different systems.
It can also be used to compare the configuration of the same system using different timestamps. In the example below, we are comparing the configuration of system ECP on February 6 with January 22 to identify changes that occurred in the system during the interval.
The comparison tool is useful for identifying not only changes that may lead to configuration drift within systems but also differences between settings in production environments and other environments such as quality or development. The comparison results are displayed in the Result Details and can be exported for analysis. According to the results below, the SAP_UI component was upgraded in ECP from version 751 to 753 during the interval.
Note 2822074 patches a missing authorization check in the Business Object Repository (BOR) of SAP NetWeaver Application Server ABAP. The note introduces the switchable authorization check objects S_BOR_RFC and S_BOR_PRX to supplement the generic S_RFC authorization. The new objects should be activated using transaction SACF to secure remote access to BOR. Note 2844646 is a prerequisite for note 2822074 and therefore should be implemented in advance. The report SWO_RFC_AUTH_CHECK_STATE can be executed after the note is applied to check the activation of the checks.
Note 2142551 is re-released with updated correction
instructions for implementing whitelists to protect against clickjacking
attacks in AS ABAP. Standard protective measures against clickjacking, including
the X-Frame-Options HTTP response header, are not suitable for common NetWeaver
integration scenarios. Therefore, SAP provides a whitelist-based framework for
NetWeaver technologies. The framework and its implementation are described in
SAP Note 2319727.
Note 2848498 provides a kernel patch to remove a Denial of
service (DOS) vulnerability in the Internet Communication Manager (ICM).
Attackers can exploit the vulnerability to crash the ICM by sending specially
crafted packets to the IIOP or P4 service that lead to a buffer overflow. The
corrections in note 2848498 will support the detection and prevention of the
buffer overflow.
Download the new whitepaper for SAP-SIEM integration from Layer Seven Security. The whitepaper outlines recommended settings for the Security Audit Log, HANA audit log, and other logs to support advanced threat detection. It discusses the challenges of direct integration of SAP logs with SIEM systems in terms of complexity, log volume, maintenance, and event correlation.
The whitepaper advocates SIEM integration using SAP Solution Manager based on benefits such as lower complexity, rapid deployment, reduced costs, ease of maintenance, and the enrichment of event data to support cross-platform correlation.
The SIEM Integrator for SAP is a software add-on for SAP Solution Manager that delivers automated threat detection for SAP systems. The add-on supports integration with SIEM platforms including Splunk, QRadar, ArcSight, LogRhythm and SolarWinds. The Integrator includes 300+ attack detection patterns for SAP platforms and logs.
Note 2871877 patches multiple high priority vulnerabilities in Maintenance, Repair, and Overhaul (MRO) Workbenches in SAP Enterprise Asset Management (EAM). This includes missing authorizations checks for authenticated users that could lead to an escalation of privileges, and directory traversal caused by insufficient path validation. The latter vulnerability could enable attackers to read, overwrite, delete, or corrupt files in effected servers. Corrections are packaged in a transport included in the Note.
Note 2734675 provides automated and manual corrections for missing authorization checks in SAP Cash Management. The corrections introduce checks for vulnerable function modules including BAPI_FCLM_BAM_AMD_BNKANT and BAPI_HOUSE_BANK_REPLICATE. The function modules support replication of Bank Account Management (BAM) master data between SAP S/4HANA Finance systems.
Finally, Note 2730227 removes missing authorization checks in the historical data processing component of SAP Central Payments introduced in Note 2651431. SAP Central Payments is part of SAP Central Finance and supports centralized payments and clearing activities in central systems instead of source systems.
2019 was a stellar year. In case you missed them, check out the enhancements we rolled out during the year
> CVA – SolMan Integration – Monitor vulnerabilities in your custom programs using SAP Code Vulnerability Analyzer and SAP Solution Manager > Fiori Reports & Dashboards – Manage vulnerabilities and threats directly from the SAP Fiori Launchpad for Solution Manager > SolMan – SIEM Integration – Connectors for Splunk, QRadar, ArcSight & LogRhythm to integrate alerts from SAP Solution Manager with SIEM platforms > Database Monitoring – Security frameworks for IBM, Oracle, Microsoft and Sybase databases
We’re hard at work preparing next year’s
enhancements. Watch out for the following in 2020
> Host Security Monitoring – Monitor Linux and Windows hosts for SAP applications with the Remote OS Script Collector in SAP Solution Manager > End User Monitoring – Real-time user monitoring with SAP Focused Run > Machine Learning – Predictive analytics for system anomalies using SAP Focused Run > FRUN – SolMan Integration – Monitor Focused Run alerts for system and user anomalies in SAP Solution Manager
Hot News Note 2839864 updates Note 2808158 for a high risk OS Command Injection vulnerability in the SAP Diagnostics Agent. The vulnerability exists within the OS Command Plugin of the Agent, accessible through transaction GPA_ADMIN and the OS Command Console. Note 2839864 provides a patch for the LM_SERVICE for Support Pack levels 6-9 of the Agent. For earlier versions, the commands.xml file must be updated with a new version. It is recommended to apply the setting ‘param=”false”‘ to block attackers from injecting commands into the file.
Note 2814007 includes Support Package patches for a missing XML Validation vulnerability in the HTML interface of Web Intelligence (WebI). WebI is a component of the SAP BusinessObjects Business Intelligence Platform. Successful exploitation of the vulnerability could lead attackers to read arbitrary files retrieval from servers or provoke a denial-of-service.
Note 2393937 delivers switchable authorization checks for remote-enabled function modules in SAP Internet Pricing and Configurator (IPC). Switchable authorization checks supplement checks performed using authorization object S_RFC. They are activated with transaction SACF.
Security Information and Event Management (SIEM) platforms
combine the ability to collect log data from applications, hosts, routers,
switches, firewalls and other endpoints with the ability to analyze events in
real time. They support threat detection, event correlation and incident
response with alerting and reporting capabilities.
SIEM platforms require complete coverage for maximum yield.
In other words, organizations reap the full benefits of SIEM platforms when
monitoring logs throughout the technological infrastructure. This includes SAP
application logs for organizations with SAP systems.
However, there are several challenges with integrating SAP application
logs with SIEM systems. The first is complexity. SAP systems typically contain
multiple logs that capture security-relevant events. The SAP NetWeaver
Application Server ABAP (AS ABAP) alone has at least seven such logs including
the Security Audit Log, Gateway Server Log, HTTP Log, System Log, Transaction
Log, Change Document Log, and the Read Access Log. The logs do not have a
standardized format or structure. Some are captured at the file level and
others are stored in SAP tables. The complexities involved in integrating
multiple and distinct logs from each SAP system should not be underestimated, especially
for large SAP landscapes.
The second is log volume. Raw event logs can grow to gigabytes
and even terabytes within a relatively short period of time in SAP systems that
often support thousands of end users and hundreds of cross-system connections. Transmitting
large volumes of log data from SAP systems to SIEM platforms could consume high
levels of network bandwidth. The need to store such data for analysis could
also increase resource requirements and licensing costs for SIEM systems.
The third challenge with directly integrating SAP logs is
maintenance. Monitoring and supporting the numerous integration points between
SAP systems and SIEM platforms, as well as regular archiving to deal with the
accumulation of log data, could lead to high maintenance costs.
Finally, many SAP logs do not natively include information to support cross-platform correlation using SIEM tools. This includes source and destination IPs for security events. Values for sources and destinations in SAP logs are often terminal names and SAP Systems IDs (SIDs) rather than IP addresses. Therefore, Security Operation Centers (SOCs) are not able to easily correlate SAP events with non-SAP events in SIEM platforms.
The Cybersecurity Extension for SAP Solution Manager overcomes such obstacles by filtering, normalizing and enriching security event data from SAP logs. The Monitoring and Alerting Infrastructure (MAI) in Solution Manager can be used to monitor logs at source without extracting and replicating event logs to external repositories. This reduces both bandwidth and storage requirements. MAI data providers support monitoring for all SAP logs including file and table logs in ABAP, HANA, and Java systems, and standalone components such as the SAProuter. MAI periodically parses event logs using attack detection patterns configured in metrics. The frequency of metric checks is customizable and can range from every 60 seconds to several minutes apart. Intervals can be adjusted at the metric level which means metrics can have different monitoring intervals.
A pattern match triggers the MAI to generate alerts and email or SMS notifications for security events. Security alerts generated by Solution Manager are managed using applications such as Monitor Systems, System Monitoring and the Alert Inbox. Alerts can also be written to an external file by Solution Manager. Solution Manager enriches event data by including source and IP addresses for each alert written to the file. This is intended to support correlation once the data is ingested by SIEM platforms. Event data is also normalized using a standardized structure for all log sources. The fields and separators for event details within each file are customizable and include values for alert name, description, date, time, system, system type, and event details. The event details can include information such as the event ID, username, source and destination IP addresses, and objects accessed by the user such as transactions, reports, function modules or URLs. The example below includes <DATE>::<TIME>::<SYSTEM>::<MANAGED OBJECT TYPE>::<ALERT TYPE>::<PRIORITY>::<ALERT NAME>::<ALERT DESCRIPTION>::<ALERT DETAILS>. Each value is separated by ::
Since event details are written to and stored within alerts
in Solution Manager, attackers will not be able to remove all traces of their
malicious actions by modifying event logs alone. They will also need to delete alerts and stop
the triggering of email/ SMS notifications of alerts in Solution Manager. This
would be challenging since alerts cannot be deleted in Solution Manager. They
can only be confirmed. All alerts are retained and only removed by periodic
housekeeping jobs designed to delete aged alerts.
Event files can be stored on the Solution Manager host or an
external host or file server. A new event file is created by Solution Manager
for each day. The contents of the newest file can be periodically pushed to
SIEM platforms or pulled by SIEM systems directly from relevant directories. Since
there is a single point of integration for event data between SAP and SIEM
systems, maintenance efforts are relatively low.
This article outlines the benefits of integrating security event data from SAP applications with SIEM platforms using the Cybersecurity Extension for Solution Manager. The benefits include lower costs, rapid deployment, ease of maintenance, and the enrichment of event data to support cross-platform correlation. The example below is for SIEM integration with Solution Manager for Splunk Enterprise. However, the approach can also be used to integrate security event data with other SIEM systems including QRadar, ArcSight and Log Rhythm.
Hot News Note 2828682 patches a vulnerability in SAP Landscape Management Enterprise that could lead to the disclosure of critical information. Although the notes carries a CVSS score of 9.1/10, the vulnerability addressed by the note can only be executed under specific, uncommon conditions. In addition to implementing SAP Landscape Management 3.0 SP12 Patch 02, the corrections in the note include manual instructions for removing confidential information from insecure locations such as logs and archives, and sensitive data exported from XML files.
Note 2826015 patches a critical missing authentication check in the AS2 Adapter of the B2B Add-On for SAP NetWeaver Process Integration. The Note provides support package patches for AS2 Adapter 1.0 and 2.0. SAP also recommends confirming the property named default.security.provider for the application named com.sap.aii.adapter.as2.app is set to its default value IAIK.
Note 2792430 addresses a high risk binary planting vulnerability in SAP SQL Anywhere, SAP IQ and SAP Dynamic Tiering. The platforms use a file search algorithm that can result in the inadvertent access of files located in directories outside of the paths specified by users. The successful exploitation of binary planting vulnerabilities can lead to information disclosure, file corruption or deletion, privilege elevation and DLL hijacking.
