Layer Seven Security

64% of ERP Systems Have Experienced Security Breaches Between 2017-19

According to the findings of a recent independent survey of 430 IT decision makers, 64 percent of ERP deployments have experienced security breaches in the past 24 months. The findings are published in the report ERP Security: The Reality of Business Application Protection. In the words of the IDC, “ERP applications such as SAP can be foundational for businesses. A breach of such critical ERP applications can lead to unexpected downtime, increased compliance risk, diminished brand confidence and project delays…..Cyber miscreants seem to be indiscriminate when it comes to ERP systems, having an appetite for all types of data, which, if in the wrong hands, could be detrimental to the business in terms of revenue and reputation.”

The survey revealed that of the 64% of organizations that reported security breaches in ERP systems, the majority included the compromise of sensitive data including sales data in 50%  of cases, as well as HR data (45%), customer data (41%), financial data (34%) and intellectual property (36%).  

The survey also revealed the following:

  • The estimated cost of downtimes in ERP applications is $50,000 or more per hour at almost two thirds of organizations
  • 62% of ERP systems may have critical vulnerabilities
  • 74% of ERP applications are accessible from the Internet
  • 56% of executives are concerned or very concerned about moving ERP applications to the cloud

According to the former Chairman of the Global Board of the Institute of Internal Auditors (IIA), “The findings of this independent survey should raise questions at the Board level about the adequacy of internal controls to prevent cyber attacks and the level of auditing taking place. The lack of these controls is one way for cyber insurance companies to deny claims….The information compromised most often according to this research is the highest regulated in today’s business ecosystem. Most concerning is the popularity of sales, financial data and PII, all of which should raise flags about the possibility of insider trading, collusion and fraud.”

SAP ERP installations can be protected against cyber attack using the Cybersecurity Extension for SAP Solution Manager. The extension implements automated vulnerability and patch management, and security incident detection and response for SAP systems, without requiring additional hardware or agents.

SAP Security Notes, September 2019

Hot News Note 2798336 patches a critical code injection vulnerability in NetWeaver Application Server for Java (AS Java). A program error in the Web Container of AS Java could enable attackers to bypass input validation and execute dynamic content such as malicious code. The note includes updates for the J2EE Engine and API components.

Note 2823733 includes an important update for Hot News Note 2808158. The note provides greater coverage for possible attack scenarios targeting an OS Command Injection vulnerability in the SAP Diagnostics Agent.

Note 2817491 addresses high priority denial of service and information disclosure vulnerabilities in SAP HANA Extended Application Services (Advanced Model). Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model) to overload the server or enumerate open internal network ports. The vulnerabilities have been fixed with SAP HANA Extended Application Services (Advanced model) version 1.0.118.

SAP Vulnerability Assessment vs Penetration Testing

Vulnerability assessment and penetration testing both serve important functions for protecting business applications against security threats. The approaches are complementary but should be deployed sequentially. Penetration testing against systems and applications that have not been hardened based on the results of vulnerability assessments is inadvisable since the results are predictable.  The objective of penetration testing is to assess the strength of security defenses, not to exploit ill-equipped and unprepared systems and processes to prove a point.

Therefore, vulnerability assessments should be performed ahead of penetration tests. The results of comprehensive vulnerability scans inform organizations of configuration, program, user and other weaknesses that could be exploited to compromise systems during real or simulated attacks. The recommendations resulting from the assessments enable organizations to remediate security weaknesses using a prioritized approach. It also supports the implementation of counter measures to detect and respond to potential attacks.

Once systems are hardened and defenses are prepared, performing a penetration test is a valuable exercise to test the adequacy of security mechanisms. The lessons learned from the discovery and exploitation of vulnerabilities during penetration tests can be applied to address areas that may have been overlooked or inadequately secured after vulnerability assessments. Penetration testing against hardened systems that are actively monitored for attacks forces pen testers to exercise more complex and difficult attack vectors. It also compels pen testers to deploy evasive techniques to avoid detection. This improves the quality of penetration tests and the reliability of the results, providing a stronger litmus test for system security, threat detection and incident response.

SAP Security Notes, August 2019

Hot News Note 2800779 patches a remote code execution vulnerability in the SAP NetWeaver UDDI Server. The vulnerability carries a CVSS score of 9.9/10 and could be exploited to take complete control of the Services Registry, including viewing, changing, or deleting data by injecting code into the working memory which is subsequently executed by the application. The NetWeaver UDDI Server is an XML-based registry for Web Services.

Note 2786035 patches another critical remote code execution vulnerability in SAP Commerce Cloud (previously SAP Hybris Commerce). The Mediaconversion and Virtualjdbc extensions in SAP Commerce Cloud could execute malicious code injected by attackers or authenticated users. Note that some of the Mediaconversion Conversion Command parameters may not work after the implementation of the recommended patch until they are added to a whitelist.

Note 2813811 deals with a dangerous Server-Side Request Forgery (SSRF) vulnerability in the Administrator System Overview of SAP NetWeaver Application Server for Java (AS Java). The vulnerability could enable attackers to scan internal networks, perform Remote File Inclusion attacks, retrieve server files including password files, bypass firewalls, and force vulnerable servers to execute malicious requests. Refer to SAP KBA 2577844 to resolve known side-effects of the corrections in Note 2813811.

SAP Security Notes, July 2019

Hot News Note 2808158 patches a critical code injection vulnerability in the SAP Diagnostics Agent. The Agent is required to monitor operating systems and discover the database cluster topology from SAP Solution Manager. It is not required for monitoring the security of SAP systems with Solution Manager. Security-relevant data is collected or monitored primarily through RFC connections maintained between Solution Manager and managed systems.

The vulnerability impacts the OS Command Plugin in transaction GPA_ADMIN. The transaction is used to create and maintain guided procedures. Note 2808158 provides a patch for the LM_SERVICE in SP levels 05-09 of Solution Manager 7.2.

Note 2774489 addresses a high priority OS command injection vulnerability in SAP Process Integration (PI). ABAP Tests Modules of PI could enable attackers to execute privileged OS commands. The relevant support packages listed in the note should be applied to remove the vulnerable source code in the modules.

Monitoring Security Alerts with SAP Solution Manager

There are several apps available in SAP Solution Manager for monitoring security alerts for SAP systems. The most longstanding is the Alert Inbox which provides an overview of alerts by process area. Guided procedures for investigating security alerts are executed from the Alert Inbox. Another option is System Monitoring which provides a more user-friendly interface for navigating incidents than the Alert Inbox. System Monitoring includes the Alert Ticker displayed in the right pane of the app for monitoring incidents in real-time.

SAP Solution Manager 7.2 SP07 introduced a third option for monitoring alerts called Monitor Systems. The app is delivered in the new work center Application Operations.

System Monitoring and the Alert Inbox are Web Dynpro applications. Monitor Systems, however, is a SAPUI5 application based on the Fiori framework. Therefore, Monitor Systems delivers exceptional performance with alerts loading and refreshing at much faster rates than both the Alert Inbox and System Monitoring. The performance gains are considerable even for SAP Solution Manager installations running on conventional databases rather than SAP HANA.   

You can access Monitor Systems from the SAP Fiori Launchpad using the roles SAP_STUI_APPOPS_AUTH and SAP_STUI_APPOPS_TCR.

The initial screen summarizes alerts open alerts by systems and components.

Alerts are categorized by the groups below. Security alerts triggered by the Cybersecurity Extension for SAP Solution Manager are categorized in the Configuration and Exception classes.

Results can be filtered or sorted by clicking by system and category.

Systems can also be labeled as favorites for fast selection.

You can view details of open alerts for each system by clicking on the system. Below are alerts for security configuration issues impacting system AS2.

Below are security exceptions detected through real-time monitoring of event logs in the system.

We can drill down into the details of each alert by clicking on Critical Metrics. For example, we can investigate the alert below for the Actions by the Standard SAP* User Alert by reviewing the relevant metric.

The Metric Details reveals that there was an attempted logon with the SAP* user from IP address 10.8.91.2 at 12:51 on 2019-08-14. We can execute a guided procedure that will investigate other actions from the source IP directly in the Security Audit Log.

The results can be shared with security operations teams through email by clicking on the Notify option in the Metric Details.

In another example, we can drill down into the alert for active users logged into the system with SAP_ALL in their user buffer to investigate potential privilege escalation. The profile should not be used in productive systems.

Recommended Settings for SAP Logging and Auditing

The Cybersecurity Extension for SAP Solution Manager monitors SAP event logs to automatically detect and alert for indicators of compromise. The monitoring interval can be customized for each security metric based on risk and sizing. An interval of 60 seconds, for example, can support real-time threat detection. However, real-time detection is only useful when supported by real-time incident response. Organizations that lack rapid response capabilities should opt for collection intervals of 10-15 minutes to balance the need to minimize the mean to detect (MTTD) with the system impact of continuous monitoring.

Log settings also need to be carefully maintained to capture security-relevant events while preventing the accumulation of log data and the consumption of excessive disk or table space. The recommended settings and archiving procedures below for each log area will enable you to maintain comprehensive forensic logs with minimal system impact.

Security Audit Log
Maintain static filters to log all actions by the standard SAP* user, logons and transaction starts by the DDIC user, and Severe and Critical events for all audit classes and users. Also create a static filter to log the non-critical event IDs BU4, CUY, DU9, DUI, and FU1. The filters should be applied to all clients. If you have yet to remove the EarlyWatch client, also create a filter to monitor events for all audit classes and users in client 066.

Periodically export events older than 30 days using transaction SM20. Once the events are successfully exported and backed-up to a file server, trigger the background job RSAUPURG to delete events older than 30 days using transaction SM18.

Read Access Log
Configure or import logging purposes to log access to sensitive fields and tables including user tables. Archive SRAL objects using transaction SARA. RAL archives can exported and stored offline.

Change Documents
Change documents for user changes are triggered automatically. Similar to the Read Access Log, change documents are archived using transaction SARA.

Business Transaction Log
There are no specific settings required for STAD. Since data is retained for only 48 hours, STAD archiving is also not required.

System Log
Similarly, the system log does not require any specific settings or archiving. The system log is a ring buffer. When the log file reaches its maximum size, the system overwrites the oldest data.

HTTP Log
The LOGFORMAT option for HTTP logging should specify a format that includes the URL in log entries. An example is the CLF format. HTTP log files in the /usr/sap/SID/instance/work directory can be exported and archived offline.

Gateway Server
The ACTION option for gateway logging should include the actions SsZMP to capture security events, configuration changes, and monitor commands. Gateway log files are can also be found in the work directory of each instance and archived to an external location.

Java Security Log
The value of the following properties should be set to TRUE to include the client host address, object name and actor in logged events: ume.logon.security_policy.log_client_hostaddress, ume.secaudit.get_object_name, and ume.secaudit.log_actor. Automatic archiving should be activated using the Log Manager. Once activated, the compressed archives can be found in usr\sap\<SID>\JC<Instance number>\j2ee\cluster\<Dispatcher or server>\log\archive.

HANA Audit Log
The target audit trails should be set to CSTABLE and SYSLOGPROTOCOL to log events simultaneously to internal tables and the OS-level system log. Audit policies should be configured to log critical actions including all actions performed by the SYSTEM user, system changes, user changes, role changes, repository changes, and unsuccessful logons.

The contents of the AUDIT_LOG table can be exported using the AUDIT OPERATOR privilege in the HANA Studio. Once exported, navigate to the Auditing tab in the Security section and select the option to truncate the audit trail.

For detailed step-by-step instructions, refer to the section on Log Settings and Maintenance in the user manual for the Cybersecurity Extension for SAP Solution Manager.

SAP Security Notes, June 2019

Note 2748699 provides instructions for securing the credentials of the standard user SM_EXTERN_WS in SAP Solution Manager. SM_EXTERN_WS is used by CA Introscope Enterprise Manager (EM) to collect monitoring metrics from mainly non-ABAP components in SAP landscapes. The metrics are collected via the Introscope Push web service. The credentials for SM_EXTERN_WS including the automatically generated password are stored in a file that is referenced with property dpcpush.credentials.file in file <EM_install_dir>/sap/<SolMan_SID>.e2emai.properties. The credentials in the file are insufficiently protected against attackers. However, dialog logon with SM_EXTERN_WS is not possible since the user is a system user type. Also, SM_EXTERN_WS does not have administrative privileges.

Note 2748699 recommends deploying the LM-SERVICE software component and patching the Management Module for Enterprise Manager. Also, it includes instructions for enabling encryption to protect the password file.

Switchable authorization checks were introduced by notes 2524203, 2527346 and 2496977 to supplement checks performed using authorization object S_RFC for critical Remote-enabled Function Modules (RFMs) in components of SAP ERP. This includes RFMs in Accounts Receivable and Payable, Materials Management, and Sales and Distribution.

Webinar Playback: Holistic SAP Cybersecurity with CVA & SolMan

Watch the playback of this month’s webinar to learn how you can implement holistic cybersecurity for your SAP systems with Code Vulnerability Analyzer and Solution Manager.

CVA performs static code analysis to detect vulnerabilities in custom code. SAP Solution Manager detects vulnerabilities and threats in SAP systems including components such as the gateway server, message server and SAProuter, targeted by the recent 10KBLAZE exploits. 

Together, CVA and Solution Manager provide an integrated platform to secure custom code and SAP systems against cyber threats.

SAP Security Notes, May 2019

Note 1408081 was updated in May in response to the recent 10KBLAZE exploits targeting vulnerabilities in the gateway server. The note includes revised instructions for maintaining access control lists in the gateway security files reg_info and sec_info for different kernel versions. The access control lists should be configured to control external server registrations and program starts. The note recommends restricting registrations and starts to within the same system or SID cluster using the options ‘local’ and ‘internal’. However, the updates do not mention the risk that the security mechanisms applied by the recommended entries could be bypassed by attackers that register as internal servers with the message server. Therefore, it is critical to maintain access control lists for the message server to support the secure configuration of the gateway server.

For additional security against 10KBLAZE exploits, a separate port should be configured for internal message server communications, external monitor commands should be rejected, communications between kernel components should be encrypted, and the bit mask value for the profile parameter gw/reg_no_con_info should be set to a value of 255.

Note 2756453 provides manual instructions and automated corrections for removing a high-risk cross-site scripting vulnerability in S/4HANA.

Note 2784307 deals with another high-risk vulnerability in the REST Interface that could be exploited to escalate privileges in SAP Identity Management.