Hot news note 2863731 provides updated correction instructions for a critical deserialization vulnerability in the enterprise Business Objects platform. The Crystal Reports .Net SDK WebForm Viewer in Business Objects could enable attackers with basic authorization to execute deserialization attacks. This could be exploited to perform malicious code execution.
Note 2904480 patches a significant input validation vulnerability in REST XML APIs within SAP Commerce. This could impact the availability and confidentiality of web stores based on the eCommerce platform.
Note 2896682 delivers corrections for a high risk directory traversal vulnerability in Knowledge Management that could enable attackers to overwrite, delete, or corrupt files on SAP servers.
Note 2902645 removes a privilege escalation vulnerability impacting the SAP Host Agent. SAP recommends updating the Agent to at least version 7.21 PL46 to prevent attackers from gaining root privileges over the underlying operating system using the Agent’s Operation Framework. Note 1031096 provides instructions for upgrading the Host Agent.
Finally, notes 2495144 and 2495462 provide switchable authorization checks for specific, sensitive function modules in SAP Central Finance and SAP Leasing. Switchable checks supplement checks for authorization object S_RFC. They should be activated using transaction SACF after the notes are applied.
According to IDC, 80% of ERP applications are audited at least once every 12 months. Driven by regulatory requirements, audits can drain valuable resources from projects targeted at business growth. They can also lead to audit fatigue and undermine relationships between IT and audit stakeholders.
Compliance Reporting in SAP Solution Manager enables organizations to automate audits for SAP systems and reallocate resources to projects and audits focused on other organizational goals. The continuous monitoring powered by the application also enables auditors to identify compliance gaps immediately rather than at the end of a reporting period. This can reduce regulatory risk by providing owners with more time to remediate control gaps.
Compliance Reporting is accessed from the Fiori launchpad in SAP Solution Manager. Results are automatically updated by daily scheduled scans.
Compliance frameworks and systems are selected in the report filter. There are optional filters to select specific control requirements and systems based on environment or priority. Reports can also be filtered to include or exclude controls based on risk rating and compliance result.
Compliance Reporting currently supports the frameworks below. This includes CIS, IT-SOX, NIST and PCI-DSS. Support for additional frameworks including GDPR and NERC CIP is expected at the end of Q2 2020. Customers can import custom frameworks to automate auditing for internal security policies and other requirements.
Results for applications and databases are reported in separate columns. The report provides an overall compliance score based on the selected framework and systems. Results are summarized for each requirement.
Users can drilldown into each requirement to review the results for specific controls. Control ratings and descriptions are included in the report to support analysis.
Reports can be exported to CSV or PDF. The Report Detail option specifies whether results are exported at the Requirement, Control or Description level.
Layer Seven Security has been selected by a panel of experts and members of the CIO Applications editorial board for inclusion in the Top 25 Cyber Security Companies for 2020. The annual list is compiled by CIO Applications to recognize and promote organizations that provide cutting-edge cybersecurity solutions. CIO Applications is a Silicon Valley industry publication based in San Francisco, California. The recognition is based on an evaluation of Layer Seven Security’s innovative Cybersecurity Extension for SAP Solution Manager. The Extension is an add-on for the Solution Manager platform, delivering automated vulnerability management, threat detection and incident response for business-critical SAP systems. Read the full article at CIO Applications.
The surge in remote working has led to an increasing reliance on the SAProuter as a means to facilitate secure remote access to SAP applications. As a reverse proxy between external networks and SAP landscapes, the SAProuter enables organizations to apply more granular policies for filtering and securing connections to SAP systems than network firewalls. However, far from improving security, an improperly configured SAProuter can expose organizations to dangerous exploits that could lead to the compromise of SAP servers.
Since the SAProuter is an internet-facing proxy that provides a direct path to SAP systems, it is an accessible and high-value target for attackers. Port scans against exposed IP addresses will reveal SAProuters available on the standard port 3299. Attackers can send information requests to detected SAProuters to enumerate the scheme for internal IP addresses based on the details of connected hosts disclosed in the response. Once the internal IP address scheme is determined, attackers can then scan the internal network by sending connection requests from the SAProuter to connected hosts. The responses can enable attackers to discover open ports for not only SAP services but services such as HTTP, SMTP, FTP, and SSH if the SAProuter supports native connections.
The information can be used to connect to open and vulnerable services in SAP servers by pivoting through the SAProuter. Once connected, attackers can execute targeted exploits against the servers. For example, an unauthenticated SOAP request to the SAP Host Agent on port 1128 can disclose operating system users that can be targeted using brute force and other attacks. Attackers can also route malicious payloads to SAP servers through the SAProuter.
The secure configuration of the SAProuter can prevent or mitigate such attacks. The route permission table defined in the saprouttab file should specify the source hosts permitted to connect to specific services and target hosts. The use of wildcards in route strings should be avoided. Native connections should be blocked using S entries for the saprouttab rather than P entries. KT and KP entries are recommended to enforce SNC for connections. Information disclosure via the SAProuter should be prevented using the option -Z for info requests. Switching to a non-standard port for the SAProuter is advisable. SAProuter binaries should be updated to the latest available version to apply patches for program vulnerabilities. This includes critical vulnerabilities addressed by notes 1820666 and 1663732. Finally, the SAProuter should be installed in a Demilitarized Zone (DMZ) on a host with a hardened operating system. SAP recommends a C2 class compliant operating system.
Logging for the SAProuter should be enabled using option -G. Once enabled, the SAProuter log can be monitored using SAP Solution Manager to alert for suspected attacks against including accepted or rejected information requests, connection requests, port scans, and native connections.
Cyber attacks have risen by six-times the usual levels over
the past four weeks as the COVID-19 pandemic provides a new catalyst for attackers.
Hacking and phishing attempts increased by an unprecedented 37% in a single
month between February and March.
Remote working has led to an equally dramatic rise in the number
of servers using Remote Desktop Protocol (RDP) and Virtual Private Network (VPN)
services. The number of devices exposing RDP to the internet on standard ports grew
by 41.5% in March. The number of devices exposing RDP to the internet on
non-standard but often used alternate ports grew by 36.8%. The number of
servers running VPN protocols increased by 33% from 7.5M to 10M over the same
period.
RDP has several known security weaknesses and should not be publicly accessible without network gateways, firewalls, and two or multi-factor authentication. Recent ransomware attacks have demonstrated how RDP can be used by attackers as an effective entry point to corporate networks. RDP is the most dominant attack vector for ransomware attacks and is used in over 60% of ransomware campaigns. Compromised servers provide anonymity for attackers which impedes the detection of malicious activity. Furthermore, RDP vulnerabilities such as Bluekeep (CVE-2019-0708) are wormable and therefore can enable attackers to propagate to connected hosts.
VPNs are vulnerable to both client and server side vulnerabilities. The National Security Agency (NSA) issued an advisory in October for vulnerabilities in several VPN products that were actively targeted by state-sponsored and other threat actors. The products include Pulse Secure, Palo Alto GlobalProtect, and Fortinet Fortigate. The vulnerabilities could be exploited to perform remote code execution and intercept or hijack encrypted sessions. VPN-related vulnerabilities were identified as the root cause of the devastating cyber attack suffered by Travelex in January.
The increase in cyber attacks and remote working underscores the need to secure enterprise systems including business-critical SAP applications and infrastructure. The Cybersecurity Extension for SAP Solution Manager performs automated vulnerability scans to support effective hardening of SAP systems. It also continuously monitors SAP event logs to alert for indicators of compromise. Contact Layer Seven Security to learn how to leverage your Solution Manager installations to secure SAP systems from cyber attack.
Hot News note 2845377 patches a missing authentication check
in the Diagnostics Agent. The Agent is a component of the Solution Manager
landscape. It commonly connects to the Java server in Solution Manager through the
J2EE Message Server HTTP port. This is recommended by SAP. However, it can also
connect to Solution Manager using a direct P4 connection. P4 is a proprietary
SAP protocol based on Remote Method Invocation (RMI) and Common Object Request
Broker Architecture (CORBA). Direct P4 connections between Solution Manager and
Diagnostics Agents are not recommended by SAP for most scenarios.
The patch delivered in note 2845377 closes the P4 port and therefore prevents the ability to connect to the service. Leaving the port open could enable attackers to connect to the Agent and execute commands using the permissions of the <SID>adm user. It could also enable attackers to shut down the agent. This could interrupt monitoring in Solution Manager. However, the impact on security monitoring would be minimal since the Diagnostics Agent supports monitoring for AS Java and SAProuter log files only. Availability monitoring is performed using the SAP Host Agent. The Diagnostics Agent is used primarily for performance monitoring.
Hot News note 2890213 patches a missing authentication check in User-Experience Monitoring (UXMon). UXMon executes and analyzes the results of client-side scripts to monitor availability and performance metrics in endpoints. The note enables user authentication for the EemAdmin administration service.
Note 2806198 provides corrections for a critical directory traversal vulnerability in the SAP NetWeaver Universal Description Discovery and Integration (UDDI) Server. The UDDI Server is a Services Registry containing definitions for enterprise services and metadata references. It also provides information related to web service consumers and providers including physical systems.
Security Forensics in SAP Solution Manager supports centralized log monitoring for SAP landscapes. The Fiori application from Layer Seven Security enables users to analyze incidents across multiple logs and systems directly from Solution Manager, helping organizations to detect and respond to security breaches. It also protects against anti-forensics. Since event logs are replicated to a central log, attackers can not remove all traces of their actions to avoid detection.
Security Forensics is accessed from the Fiori launchpad for SAP Solution Manager.
The application currently supports the Security Audit Log, Gateway
Server log, HTTP log, Transaction log, Read Access Log, System Log, User Change
logs, and the HANA Audit log. Support for the Java Security Log and SAProuter
log is scheduled for Q3 2020.
Advanced Search supports complex queries based on system, log source, date, time, user, source terminal/ IP address, and event ID.
Log Source:
Source terminal/ IP address:
Date/Time:
The query below filters log events to isolate actions performed by the SAP* user. The query results reveal that the SAP* user was locked due to failed logon attempts in system AS2 at 10:30:00 on 23.03.2020.
The results can be exported to a csv file to support offline analysis and collaboration. Event details can also be appended directly to an email by selecting the Notify option from the drilldown.
Personalized alarms for events can be configured using the Save As Tile option for filter selections.
Alarms are displayed as custom tiles in the launchpad. Below we have added an alarm for log events related to the SAP* user in production systems. The tile will automatically update to display the number of matching records. Users can click on the alarm to view the details of the events.
Security Forensics is available for SAP Solution Manager 7.2 SP07 or higher. The application is available for both HANA and conventional database platforms. For the latter, customizing options are provided to activate log monitoring for only specific managed systems and adjust the log retention period.
Note 2841053 patches a high risk Denial of Service (DOS) Vulnerability in the SAP Host Agent. Username/password-based authentication requests for the SAP Host Agent are delegated to operating systems or LDAP, Active Directory and other authentication platforms. Operating systems and authentication platforms often include mechanisms to limit parallel logon requests in order to protect against brute force attacks. This could lead to delayed responses to logon requests. Note 2841053 recommends blocking access from untrusted networks to the Host Agent ports 1128 and 1129. Alternatively, access to the Host Agent can be bound to specific IP addresses or hostnames defined in the value for profile parameter service/hostname or using an access control list specified in the host_profile of the agent. Another option is to disable username/password-based authentication and only allow certificate-based authentication using the value disabled for the host profile parameter saphostagent/authentication_method.
Notes 2878030 and 2877968 deal with missing input validation vulnerabilities in SAP Landscape Management. Attackers with admin privileges could exploit the vulnerabilities to execute malicious commands with root privileges in the SAP Host Agent through Landscape Management. The options for SAP Landscape Management Internal Operation Check and LVMIntOpOld should be enabled before applying the corrections in the support package referenced in the notes. RuntimeInternalOperationValidator should be executed after the corrections are applied to activate the fixes in all hosts.
Security Information and Event Management (SIEM) systems support centralized security monitoring across networks. They ingest and analyze data from hosts, routers, switches, firewalls and other components to identify and respond to security threats.
SIEM systems can ingest data directly from SAP application
logs. However, direct integration is complex and laborious. It also requires
high maintenance and may substantially increase costs if SIEM licensing is tied
to log size or events per second.
This challenge can be overcome by integrating SAP logs with
SIEM systems using SAP Solution Manager, a management server in SAP landscapes.
Solution Manager filters, structures and enriches security event data in SAP
logs to support fast, seamless integration with SIEM systems.
This webinar recording discusses the challenges of direct ingestion of SAP logs and the benefits of integration using Solution Manager. It also provides recommendations for configuring audit settings and policies for the following data sources in SAP:
Security Audit Log System Log ICM Log Business Transaction Analysis Gateway Log Change Documents Read Access Log Java Security Log HANA Audit Log SAProuter Log
The webinar is a digest of the whitepaper SIEM Integration
for SAP.
Maintaining system security in dynamic SAP environments is a constant challenge. New users are added every day. Permissions for existing users are constantly updated to keep up with changing requirements. Software updates, transports and other changes introduce new components or developments and often necessitate changes to system settings. With each change, even hardened systems can become less secure and more vulnerable to intrusion.
To some extent, the risk of configuration drift can be
managed through regular vulnerability scanning. However, scan results only identify
the consequences of changes, not the root cause. Periodic audits of system and
user changes can also help to address the risk. Audits can uncover compliance gaps
against change management protocols, but are limited in scope since they are usually
performed manually.
Change Analysis in SAP Solution Manager provides an
automated response to the risk of configuration drift in SAP systems. The
application tracks changes in systems including ABAP, HANA, Java parameters, database
and operating system settings, user privileges, notes, software updates, and transport
requests. The tool maintains a history of changes performed in each system for two
years.
Change Analysis is accessed from the Root Cause Analysis
work center in the Fiori launchpad for SAP Solution Manager.
Scope selection supports filtering of changes by system, type or environment.
Results can be filtered further to focus on changes within a specific time frame.
The filtered results are summarized in the dashboard below.
The dashboard supports drilldown from summarized results by system and category into detailed changes. In the example below, the results reveal that the value of parameter gw/accept_timeout was modified in system AS2 at 3.00PM on February 11, 2020.
In another example, the results reveal that the profile SAP_ALL was assigned to the user ATTACKER9 on the same day in the identical system.
Notifications for changes to critical areas can be configured using the monitoring and alerting framework within Solution Manager. The notification below is an alert for changes to RFC destinations. Email and SMS notifications for changes are also supported. Alerts can be integrated with SIEM systems or incident management systems for automated ticketing.
Change Reporting can be used to compare the configuration of different systems.
It can also be used to compare the configuration of the same system using different timestamps. In the example below, we are comparing the configuration of system ECP on February 6 with January 22 to identify changes that occurred in the system during the interval.
The comparison tool is useful for identifying not only changes that may lead to configuration drift within systems but also differences between settings in production environments and other environments such as quality or development. The comparison results are displayed in the Result Details and can be exported for analysis. According to the results below, the SAP_UI component was upgraded in ECP from version 751 to 753 during the interval.
