Layer Seven, Author at Layer Seven Security

Cybersecurity Extension for SAP, Version 5.2: Support for SAP BTP, Critical Access and SOD for SAP ECC, and More

Layer Seven on October 22, 2024

The new release of the Cybersecurity Extension for SAP is scheduled for general availability in October and includes several important enhancements.

Version 5.2 includes 40+ alerts for security related incidents in SAP BTP. This includes application changes, remote logins, role changes, role grants to users, and cloud transports. The alerts monitor events logged in the BTP central audit log. Events in the log are replicated to the Cybersecurity Extension for SAP to support forensic analysis. Log records include details such as the log event ID, description, timestamp, terminal ID, and application details for each event. Similar to existing alerts for ABAP, HANA, and Java system types, as well as databases, operating systems, and SAProuter and Web Dispatcher installations, BTP alerts can be integrated with SIEM solutions for centralized monitoring.

Earlier releases provided coverage for business-level critical access and segregation of duties in SAP S/4HANA. The new release extends the coverage to SAP ECC. Despite the scheduled end of mainstream maintenance for SAP ECC in 2027, many SAP customers have yet to migrate to S/4HANA and therefore ECC will be a mainstay within SAP landscapes of many organizations for several more years. Version 5.2 of the Cybersecurity Extension for SAP includes 350+ functional checks for access to sensitive ECC transactions and conflicting combinations of transactions. The checks cover processes such as Finance, HR and Payroll, Materials Management, Order to Cash, and Procure to Pay in ECC. Users can add custom checks for transactions and combinations not included in the standard ruleset. This includes custom transactions. The coverage includes all of the relevant access risk IDs monitored by SAP GRC for ECC. Users and user groups can be excluded for specific checks to tune the coverage and prevent false positives. Usage rights are included in the standard license for the Cybersecurity Extension for SAP.

The new release also includes checks and alerts for the deactivation of SAP UI Masking & UI Data Protection Masking solutions. The solutions protect access to sensitive data in SAP user interfaces by masking or clearing fields. The contents of the fields containing sensitive data are only revealed to users with the required roles or attributes.

Finally, version 5.2 includes alerts for the execution of new ICF services with known security vulnerabilities. The services are not yet widely known or included in the scope of vulnerable ICF services that should be deactivated based on SAP recommendations in frameworks such as the SAP Security Baseline. There are also additional checks for the Secure Storage in the File System (SSFS), new sensitive transaction codes, dangerous function modules and external programs, and dynamic changes for specific security-related profile parameters.

SAP Security Notes, October 2024

Layer Seven on October 8, 2024

Hot news note 3479478 was updated for a critical missing authentication check in SAP BusinessObjects (BOBJ) Business Intelligence Platform. The vulnerability can be exploited to compromise logon tickets used for Single Sign-On. The update provides a fix for BOBJ 4.2 SP009. The notes includes details of a workaround that will disable trusted authentication in the Business Intelligence Platform Restful Web Services (BIPRWS) Web Application.

Note 3478615 patches a high-risk unrestricted file upload and malicious file execution vulnerability in BOBJ. In addition to applying the relevant support package patch detailed in the note, customers must create and maintain an access control list. The ACL should contain the list of folders that can contain personal data providers.

Note 3523541 addresses multiple vulnerabilities in Spring Framework and Log4j open-source libraries included in SAP Enterprise Project Connection. The patch included in the note updates the Spring framework and reload4j libraries to address the vulnerabilities.

Notes 3454858 and 3477359 deal with information disclosure vulnerabilities SAP NetWeaver Application Server (AS) ABAP and AS Java, respectively. The vulnerabilities could be exploited to access restricted file system information and usernames and passwords for new RFC destinations.

Security Logging and Alerting for SAP BTP

Layer Seven on September 24, 2024

SAP BTP is a cloud platform that is intended to decouple SAP customizations required by customers from underlying SAP solutions. As part of SAP’s drive for a clean core and to promote a modular architecture, BTP enables organizations to enhance and extend the capabilities of their SAP solutions by deploying custom code, integrations and other enhancements to a separate platform, without modifying standard SAP solutions. This is intended to realize more flexibility, easier scalability, faster upgrades, improved security, and, crucially, lower maintenance. Lower maintenance costs are especially important for SAP in the context of SAP RISE. Heavily customized environments increase the burden on SAP managed services for RISE customers. Therefore, RISE customers are provided with consumption credits for BTP by SAP.

On-premise customers can also benefit from BTP. They can access services for development, automation, integration, analytics, and artificial intelligence offered by both SAP and partners in BTP. For example, SAP Build Apps enables customers to rapidly develop and deploy applications with no-code or low-code using a drag-and-drop interface. This can dramatically lower development efforts for simple applications, More complex applications can be created using the SAP Business Application Studio cloud development environment together with the Cloud Application Programming Model and ABAP RESTful application model frameworks. The frameworks simplify application development by, for example, automatically generating required OData services based on data models. Developers can also leverage generative AI services in BTP to automatically generate ABAP code based on prompts.

Once developed, the applications can be deployed directly in BTP. Therefore, BTP supports both application development and application hosting for runtime services. Applications deployed to BTP can be integrated with on-premise solutions using the SAP Cloud Connector.

SAP BTP has a shared model of responsibility for security. Since BTP is a Platform-as-Service (PaaS), SAP is responsible for managing the infrastructure. Customers are responsible for application-level security including managing user authentication and role assignments, application maintenance and changes, and maintaining global account and sub-account settings. Sub-accounts are similar to environments in on-premise landscapes. They are used to separate development scenarios and projects. Each sub-account is a sandboxed environment. Users and roles are managed for each sub-account.

The Identity Authentication service authenticates BTP users using a federated model that separates authentication mechanisms from applications. The service supports Single Sign-On (SSO) via SAML 2.0 and two-factor authentication.

BTP services and applications record security-related events to a central Audit Log. Events are categorized by data access, data modification, security events, and configuration changes. Logged events include actions such as user logons and logoffs, changes to user permissions, groups and trust relationships, transports, and application creation, deletion and crashes. Log records include details such as the log event ID, description, timestamp, terminal ID, and application details for each event. The default retention period is 90 days for events in the Audit Log. A subscription to the premium edition of the Audit Log service is required to change the retention period and to log events from custom applications in BTP to the Audit Log.

The Audit Log can be analyzed using the Audit Log Viewer. The Viewer enables customers to query log data based on user, time, category, message content, and other fields. However, it returns a maximum of 500 records per query request. Records can be exported for offline analysis. A subscription to the Audit Log Viewer service is required to use the Viewer.

The Auditlog Management service can be activated for global accounts and/or subaccounts to integrate the BTP Audit Log with external systems using the Audit Log Retrieval API. The API is region-specific and secured by OAuth. Therefore, access tokens must be configured for external systems to consume the service. Request rates are throttled based on the region, ranging between 4-8 requests per second for each token and tenant. Log records are retrieved by HTTP GET requests from external systems to the BTP service.

The SAP Alert Notification Service provides an alternative method for monitoring and integrating BTP events with external systems. The service sends real-time notifications for events in BTP applications and services. It includes APIs to both create and consume alerts. Unlike the Audit Log Retrieval API, it supports native integration with incident management solutions such as ServiceNow, messaging channels such as email, and messaging platforms such as Slack and Microsoft Teams. It also supports feeds from cloud providers including Amazon CloudWatch, Microsoft Azure Monitor, and Google Cloud Platform Operations. Another benefit of the SAP Alert Notification Service over the Audit Log Retrieval API is built-in integration with the SAP Cloud Transport Management Service and SAP Automation Pilot. The latter is a BTP service that supports automated response handling for alerts.

The Cybersecurity Exten sion for SAP supports both the Audit Log Retrieval API and the SAP Alert Notification Service to monitor and alert for security events in SAP BTP. Security alerts for BTP are combined with alerts for other SAP applications, databases, hosts and services for end-to-end monitoring of SAP cloud and on-premise landscapes. Events and alerts for all SAP solutions including BTP are integrated by the Cybersecurity Extension for SAP with SIEM systems including Splunk, QRadar, LogRhythm, Sentinel and many more.

SAP Security Notes, September 2024

Layer Seven on September 10, 2024

Note 3459935 was updated in September with revised solution details to patch a high priority information disclosure vulnerability in SAP Commerce Cloud. Some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII) data, such as passwords, to be included in the request URL as query or path parameters. The impacted endpoints are detailed in the note. The note includes patches for both the cloud and on-premise editions. A workaround is also included in the note if the corrections can not be implemented within a reasonable timeframe.

Note 3505503 addresses a Cross-Site Scripting (XSS) vulnerability in the logon application of SAP NetWeaver Application Server (AS) Java. Due to insufficient encoding of user-controlled inputs, SAP NetWeaver AS Java allows malicious scripts to be executed in the login application. The solution included in the note encodes parameters to address the vulnerability.

Notes 3501359 and 3498221 patch Cross-Site Scripting vulnerabilities in SAP CRM and SAP Enterprise Portal.

Note 3488039 deals with multiple missing authorizations in SAP NetWeaver Application Server (AS) ABAP and ABAP Platform. The authorizations impact function modules in function group SMTR_NAVIGATION_MODULES_BX. As a workaround, you may withdraw permission S_RFC with field RFC_TYPE with prefixed value for SMTR_NAVIGATION_MODULES_BX or field RFC_NAME with value of the function modules of the function group SMTR_NAVIGATION_MODULES_BX.

New Whitepaper: NIS2 Compliance for SAP Solutions

Layer Seven on August 20, 2024

The Network and Information Security (NIS2) Directive takes effect on October 17 and imposes significant requirements on organizations for cybersecurity and incident reporting. NIS2 mandates strict standards for cybersecurity and incident reporting for organizations that are based in the European Union or provide services within the EU. It is targeted at essential and important organizations in specific sectors considered part of the supply chain for critical infrastructure in member states.

The Directive includes requirements for protecting the confidentiality, integrity and availability of data in network and information systems against cyber threats, as well as detecting and reporting significant security incidents within prescribed time frames. This includes data and incidents impacting business-critical SAP solutions.

The newly-released whitepaper from Layer Seven Security simplifies the path to NIS2 compliance by providing guidance for complying with the Directive for SAP solutions. This includes sources for hardening standards to comply with cybersecurity requirements, and threat detection and response mechanisms to comply with the incident reporting requirements of the Directive. The guidance includes specific recommendations for solutions in SAP RISE.

DOWNLOAD

SAP Security Notes, August 2024

Layer Seven on August 16, 2024

Hot news note 3477196 deals with a critical Server-Side Request Forgery (SSRF) vulnerability in applications built with SAP Build Apps. SAP Build Apps are vulnerable to CVE-2024-29415 due to the use of an older version of an Nodejs library included in software components for AppGyver. AppGyver is an open-source development platform used by SAP Build Apps. Applications should be rebuilt with version 4.11.130 or later in SAP Build Apps to address the vulnerability.

Hot news note 3479478 for CVE-2024-41730 patches a missing authentication check in SAP BusinessObjects Business Intelligence Platform (BOBJ). The vulnerability can be exploited by threat actors to compromise logon tickets used for single sign-on with a REST endpoint. The fix included in the note secures the default configuration of single sign-on enterprise authentication.

Note 3485284 addresses a high priority XML injection vulnerability in the Export Web Service of BEx Web Java Runtime in SAP Business Intelligence version 7.50. The issue is specific to PDF export only using Java ALV and ADS.

Note 3459935 fixes an information disclosure vulnerability in SAP Commerce Cloud that could lead to the leakage of Personally Identifiable Information (PII) data in query or path parameters. This includes passwords, email addresses, mobile numbers, coupon codes, and voucher codes. The vulnerability impacts specific API endpoints detailed in the note. A workaround is included in the note. Vulnerable endpoints should be replaced with the new secure variants detailed in the solution section of the note.

CrowdStrike Outage: Lessons Learned for SAP Solutions

Layer Seven on July 23, 2024

The fallout of the recent worldwide systems outage has far-reaching consequences for cybersecurity. The outage is estimated to impact 8.5 million devices powered by Microsoft Windows operating systems. The cause of the outage is a corrupted update for an agent used for the Falcon security platform from CrowdStrike. Falcon uses a cloud architecture with servers, workstations, containers, virtual machines, and other devices connected directly to CrowdStrike services through an agent installed in each host. The agent operates at the kernel level. The kernel is responsible for managing work processes in operating systems and mediating access to hardware resources.

Operating systems enable applications to run in two modes: user and kernel. Most applications operate in user mode without direct access to the underlying hardware or system resources. Kernel mode is far more privileged and provides applications with unrestricted access to the system including hardware control, memory management, and device drivers. Errors in applications running in user mode are isolated and do not impact the stability of the operating system. However, errors in applications running in kernel mode can crash the operating system. This is exactly what happened with the recent CrowdStrike/ Microsoft outage.

The Falcon agent operates in kernel mode as a device driver. This is most likely because the agent requires privileged access to system data structures to deliver the protection provided by CrowdStrike. Microsoft is well aware of the risk posed by applications running in kernel mode. The Windows Hardware Quality Labs (WHQL) program is intended to test and certify third party device drivers to manage the risk. The driver used by the Falcon agent was WHQL tested and certified. However, security products such as Falcon require continuous updates to counter the latest cyber threats. Since it’s not feasible to recertify the driver for each update, updates are applied through dynamic definition files that can include code executed by the driver. This code is not tested and signed as part of the WHQL program. A software bug in unsigned code packaged in a recent update for the Falcon driver running in kernel mode is the root cause of the large-scale system outage.

There are two obvious questions that arise from the events. The first is why was the software bug not discovered and removed before the update was released by CrowdStrike? This points to concerns around development and release management procedures on the part of the software vendor. Understandably, its not feasible to test software updates against for every possible scenario. For example, past CrowdStrike updates have been known to trigger crashes in the Central Management Console and Central Management Server of SAP BusinessObjects. However, given the widespread impact of the current bug, it’s likely that more comprehensive testing would have revealed the error. It also raises questions around inadequate parameter validation by the Falcon agent that may have detected and blocked errors in arguments passed to kernel functions to prevent system crashes. This points to concerns around software design.

The second question is why didn’t organisations analyze the impact of the updates in test machines or perform a staged rollout? Testing would have most likely revealed the issue and a staged rollout of the update would have lessened the impact even if the update wasn’t tested.

The answer to both questions is that both software vendors and customers are responding to a threat landscape that demands rapid response to new and emerging threats. Therefore, organizations are prioritizing speed of response for information security over preserving the availability of their systems. The outage provides a stark reminder of the dangers of this approach.

Systems outages can be especially severe if they impact business-critical SAP solutions. SAP customers should identify third party agents and programs that operate in kernel mode in SAP hosts. The continued use of such software should be reviewed in light of recent events, especially if the software is automatically updated by the vendor without any input from the customer.

The Cybersecurity Extension for SAP protects SAP solutions from advanced persistent threats without the use of kernel-level agents or programs. The solution operates in user mode to monitor and secure the application, database and operating system layers in SAP hosts.

SAP Security Notes, July 2024

Layer Seven on July 9, 2024

Note 3483344 addresses a high-risk missing authentication check in SAP Product Design Cost Estimation (PDCE), included in the S4CORE component of SAP S/4HANA. The vulnerability can be exploited to escalate privileges and read sensitive information. The correction included in the note deactivates the affected functions to remove the vulnerability. There is no workaround provided by SAP. The note applies to versions 102-103 of S4CORE and 104-108 of S4COREOP.

Note 3490515 patches a vulnerability in SAP Commerce which enables users to misuse the forgotten password functionality to gain access to a Composable Storefront B2B site for which early login and registration is activated, without requiring the merchant to approve the account beforehand. If the site is not configured as an isolated site, this can also grant access to other non-isolated early login sites, even if registration is not enabled for those other sites. The issue materializes when both early login and registration are set to true. It does not affect setups that utilize classic accelerator storefronts and is specific to B2B scenarios. A workaround in the note includes steps for disabling early login and registration.

Note 3454858 addresses an information disclosure vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) and ABAP Platform. The note updates function module F4_DXFILENAME_TOPRECURSION to restrict access to the file system and prevent users from traversing to unauthorized directories.

Note 3456952 patches SAP NetWeaver AS ABAP and ABAP Platform to prevent developers bypassing an API configured for malware scanning using classes CL_HTTP_REQUEST and CL_HTTP_ENTITY.

Notes 3482217 and 3468681 address multiple cross-site scripting vulnerabilities in SAP Business Warehouse and SAP Knowledge Management, respectively.

Cybersecurity Extension for SAP with SAP Focused Run

Layer Seven on June 19, 2024

SAP Focused Run (FRUN) is a Application Lifecycle Management (ALM) solution designed for real-time and high-volume system monitoring. It benefits from a more simplified and scalable architecture than other ALM platforms such as SAP Solution Manager (SolMan). Also, unlike SolMan, it runs exclusively with SAP HANA.

System monitoring using FRUN is supported through the deployment of the Simple Diagnostics Agent (SDA) to target systems. The SDA is integrated with the SAP Host Agent in SAP solutions. It collects and forwards metrics from systems to FRUN using HTTPS. System connections are routed through reverse proxies such as the Web Dispatcher. The SAP Host Agent, SDA and Web Dispatcher are included in RISE system builds and landscapes. Therefore, RISE systems can be monitored by both customers and service providers using SAP Focused Run.

FRUN supports monitoring for all SAP solutions and cloud services. This includes the public and private editions of SAP S/4HANA, SAP Business Suite, ECC, HANA platform, SAP Cloud, SuccessFactors/ HXM, Ariba, Concur, AS ABAP/ Java, Cloud Connector, Business Objects, Enterprise Portal, Mobile Platform, CRM, Business Warehouse, PI/PO, MII and Web Dispatcher. It also supports monitoring for OS and database platforms, and SAP BTP. Steps for monitoring the ABAP, Cloud Foundry, and Neo environments of BTP are detailed in the FRUN Expert Portal.

SAP Focused Run supports advanced monitoring capabilities such as Real User Monitoring. This can be used to monitor user actions for detailed forensics. It also supports System Anomaly Prediction for detecting and investigating anomalies based on predefined models and risks, and advanced Integration and Exception Monitoring for analyzing the usage of system interfaces.

The Cybersecurity Extension for SAP integrates with FRUN to perform advanced security monitoring for SAP solutions, including vulnerability and compliance management, patch management, custom code scanning, and threat detection and response. The SAP-certified solution leverages FRUN applications and components to discover system, code and user-related vulnerabilities, calculate required security notes, and detect security incidents and anomalies.

The Cybersecurity Extension for SAP is accessed from the Fiori launchpad for SAP Focused Run. FRUN users with the required roles can access the solution using the workgroup below. Systems are automatically mapped from the Landscape and Management Database (LMDB). Also, multi-tenancy for customer separation is automatically enforced through network and customer IDs configured by service providers in FRUN.

Deploying the Cybersecurity Extension for SAP to FRUN provides a more reliable and scalable option than deploying to Solution Manager. It also delivers improved performance with lower maintenance in comparison to SolMan. SAP Focused Run and SAP Solution Manager are the current deployment options supported for the standard edition of the Cybersecurity Extension for SAP. A third option is planned for early 2025 that would enable SAP customers to deploy the solution to NetWeaver AS ABAP systems such as SAP GRC. For SAP RISE customers, the cloud edition of the Cybersecurity Extension for SAP provides a SaaS option that does not require deployment to an SAP system.

SAP Security Notes, June 2024

Layer Seven on June 11, 2024

Note 3460407 patches a high priority denial of service vulnerability in the Meta Model Repository of SAP NetWeaver Application Server Java (AS Java). The vulnerability impacts version 7.50 of the software component MMR_SERVER. There are no workarounds available.

Note 3457592 deals with reflected and stored cross-site scripting vulnerabilities SAP Financial Consolidation reported in CVE-2024-37177 and CVE-2024-37178. The note encodes URL parameters to prevent the exploitation of the vulnerabilities.

Note 3466175 patches an access control issue related to the management of incoming payment files in SAP S/4HANA that could lead to an escalation of privileges. The impacted versions of S4CORE are 102-108.

A similar vulnerability is patched by note 3465455 in SAP BW/4HANA. After applying the note, it will not be possible to execute arbitrary functions within SAP BW/4HANA Transformation and DTP. Only functions/methods explicitly defined in the allowlist mentioned in the manual correction instructions can be executed to avoid any misuse.

Note 3425571 fixes an information disclosure vulnerability in NetWeaver AS Java that could lead to the leakage of server information. A workaround is detailed in the note to disable the impacted caf~eu~gp~model~eap application in the Guided Procedures component of AS Java.