Layer Seven Security

Securing the SAP Cloud Connector

The SAP Cloud Connector is an agent that links SAP BTP applications with on-premise SAP systems. As a reverse proxy, it enables internal systems to connect securely with BTP services without exposing the systems to direct external access. Permitted connections between BTP resources and backend systems can be maintained directly in the Cloud Connector rather than network firewalls. The Cloud Connector supports HTTP and RFC connections between BTP and SAP systems, as well as direct database connections.

The Connector links directly to external services. Therefore, it should be positioned in a DMZ and segmented from internal SAP systems. Since the DMZ is a separate physical or logical network, segmentation would protect internal SAP systems in the event of a compromise in the Cloud Connector.  Systems in SAP landscapes should be configured to accept requests only from trusted Connectors. A failover instance of the Connector is recommended for high availability. This is known as a Shadow Connection, maintained in the High Availability section of the Connector UI.

The Connector should be installed on a dedicated server that does not share resources with other services, especially application services. Access to the Cloud Connector at the OS level should be restricted, and OS auditing should be enabled to monitor file operations for the Connector. This includes the Secure Storage in the File System (SSFS) that stores encryption keys and other sensitive data for the Connector. It is also recommended to enable hard-drive encryption for the server hosting the Connector. This will safeguard sensitive configuration data against unauthorized access and changes. Separate Cloud Connector instances are recommended for connecting to productive and non-productive subaccounts in BTP.

The Connector uses file-based authentication which cannot support multiple users. It is delivered with a single Administrator user that has full administrative rights for the Connector. LDAP-based user authentication should be configured to support multiple users and avoid the use of the Administrator user as a shared account. This would also support traceability for user actions and more granular access control by allowing the use of display and monitoring roles that do not include administrative privileges.

The Administrator user is shipped with a well-known default password. The password is stored as a hash in the file system. Although the Connector prompts users to change the password during installation, it is critical to monitor changes to the Administrator account to ensure that the password does not revert back to the default. This could lead to the compromise of the Administrator account and therefore the Cloud Connector.
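The two recommendations above, auditing file operations in the Connector's configuration directory and watching for changes to the Administrator account (whose password hash is stored in the file system), can both be backed by a simple integrity baseline. The following script is an added example written for this article, not SAP's code or part of the Cloud Connector; the directory name scc_config is taken from the text, while the file names, the baseline location and the assumption that only the Connector's OS user needs access to the files are constructed for the example.

```shell
#!/bin/sh
# Added example (not SAP's or Layer Seven Security's code). Records the SHA-256 of
# every file under a Cloud Connector configuration directory and reports files that
# are new, modified or missing since the baseline was taken. A change to the file
# holding the Administrator password hash therefore shows up as MODIFIED.
# Assumptions: paths are arguments, file names contain no spaces, and only the
# Connector's OS user should be able to read the files (see scc_perm_check).

# Usage: scc_baseline_write SCC_CONFIG_DIR BASELINE_FILE
# Writes one "<sha256>  ./<relative path>" line per regular file.
scc_baseline_write() {
    dir="$1"; baseline="$2"
    ( cd "$dir" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$baseline"
}

# Usage: scc_baseline_check SCC_CONFIG_DIR BASELINE_FILE
# Prints NEW/MODIFIED/MISSING lines; returns 1 if anything changed, 0 otherwise.
scc_baseline_check() {
    dir="$1"; baseline="$2"
    current=$(mktemp)
    ( cd "$dir" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$current"
    changed=0
    # Files present now: compare their hash with the recorded one.
    while read -r hash path; do
        old=$(awk -v p="$path" '$2 == p {print $1}' "$baseline")
        if [ -z "$old" ]; then
            echo "NEW $path"; changed=1
        elif [ "$old" != "$hash" ]; then
            echo "MODIFIED $path"; changed=1
        fi
    done < "$current"
    # Files in the baseline that no longer exist.
    while read -r hash path; do
        if ! awk -v p="$path" '$2 == p {found=1} END {exit !found}' "$current"; then
            echo "MISSING $path"; changed=1
        fi
    done < "$baseline"
    rm -f "$current"
    return $changed
}

# Usage: scc_perm_check SCC_CONFIG_DIR
# Lists files readable or writable by group or others; returns 1 if any exist.
# (Assumption for this example: no group access is needed; relax -g checks if
# the Connector's group legitimately needs read access.)
scc_perm_check() {
    bad=$(find "$1" -type f \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \))
    if [ -n "$bad" ]; then
        printf 'PERMISSIVE %s\n' $bad
        return 1
    fi
    return 0
}
```

Run scc_baseline_write once after installation (and again after each intended configuration change), then schedule scc_baseline_check and scc_perm_check and alert on a non-zero exit. OS-level auditing (for example auditd watches on the same directory) remains the authoritative record of who made a change; the baseline only tells you that something changed.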

Connections from SAP BTP to the Cloud Connector are SSL-encrypted. Currently, supported protocols are HTTP, HTTPS, RFC, RFC with SNC, LDAP, LDAPS, TCP, and TCP over TLS. Connections from the Connector to backend systems should be authenticated and encrypted. Therefore, HTTPS and RFC with SNC are recommended over HTTP and RFC. Permissions for technical users should be granted based on the principle of least privilege and should not include full administrative rights. Whitelisting is also recommended to restrict access to only the required BTP applications for each subaccount and the required resources in backend systems.

The self-signed X.509 certificate used for the Connector UI should be replaced by a certificate issued by a certificate authority. The UI certificate should be signed with SHA-256 or a stronger hash algorithm, and support for less secure TLS ciphers should be disabled in the configuration of the Connector.

The audit log level should be set to SECURITY (the default) or ALL. It should not be set to OFF. The value SECURITY causes the Connector to log blocked requests and configuration changes. The value ALL causes the Connector to log all requests, including successful connections. Logs are stored in the file system, with a separate file created for each day. Deletion of older log files can be enabled using the Automatic Cleanup setting in the Audits section of the Administration UI. The Cloud Connector includes a script to verify the integrity of the audit logs and protect against log tampering. The location of the log files can be changed from the default directory, although the performance of the Connector may be impacted if the location is moved from the Connector host to another server in the network.

HTTP and RFC traces enabled through the Connector may disclose sensitive information such as passwords and credit card data to Administrators. This can be mitigated by requiring two separate users to activate a trace. The file writeHexDump must be created in the scc_config directory for Connectors installed on Linux hosts. The owner of the file must be different from the OS user for Connector processes and must not be a member of the OS user group sccgroup. The owner of the file will be required to change the file content from allowed=false to allowed=true before an administrator can activate a trace.
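The four-eyes control described above is easy to get subtly wrong (file owned by the Connector user, owner placed in sccgroup, or the file left at allowed=true after a trace). The following check is an added example written for this article, not SAP's code; the file name writeHexDump, the directory scc_config, the group sccgroup and the allowed=false/allowed=true values come from the text, while the Connector OS user name and the return-code convention are assumptions of the example.

```shell
#!/bin/sh
# Added example (not SAP's code). Verifies the two-person trace control on a
# Linux Cloud Connector host. Usage:
#   check_writehexdump SCC_CONFIG_DIR SCC_OS_USER SCC_OS_GROUP
# Returns 0 when the control is in place, 2 when the file currently reads
# allowed=true (a trace window is open), 1 when the setup is wrong.
# Uses GNU stat(1) and id(1); the user and group names are arguments.
check_writehexdump() {
    dir="$1"; scc_user="$2"; scc_group="$3"
    f="$dir/writeHexDump"
    if [ ! -f "$f" ]; then
        echo "FAIL: $f is missing; a single administrator can activate traces"
        return 1
    fi
    owner=$(stat -c %U "$f")
    # The owner must not be the OS user the Connector processes run as.
    if [ "$owner" = "$scc_user" ]; then
        echo "FAIL: $f is owned by the Connector OS user $scc_user"
        return 1
    fi
    # The owner must not belong to the Connector's OS group (sccgroup).
    if id -Gn "$owner" 2>/dev/null | tr ' ' '\n' | grep -qx "$scc_group"; then
        echo "FAIL: owner $owner is a member of $scc_group"
        return 1
    fi
    # allowed=true means the second person has released trace activation;
    # it should be reset to allowed=false once the trace is finished.
    if grep -qx 'allowed=true' "$f"; then
        echo "WARN: $f currently allows trace activation; reset to allowed=false"
        return 2
    fi
    if ! grep -qx 'allowed=false' "$f"; then
        echo "FAIL: $f does not contain allowed=false"
        return 1
    fi
    echo "OK: two-person control for traces is in place (owner: $owner)"
    return 0
}
```

Schedule the check alongside the audit log review; a persistent WARN (exit code 2) is worth an alert, because it means traces that can contain passwords or card data can be switched on by an administrator alone.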

Each version of the Cloud Connector is supported by SAP for only 12 months. Therefore, the Connector should be upgraded regularly. It should also be upgraded regularly in response to security notes for the Connector released by SAP. This includes Hot News note 2696233 that deals with multiple critical vulnerabilities in the Cloud Connector. Version 2.11.3 or higher is required to address the vulnerabilities in the note.

The SAP Cloud Connector is an important interface between SAP cloud services and on-premise systems in today’s hybrid SAP landscapes. As an external-facing agent with access to business-critical internal SAP systems, securing the Connector is essential to protect SAP solutions from targeted attacks. The Cybersecurity Extension for SAP automatically scans and detects security misconfigurations and user-related issues in the SAP Cloud Connector that may expose the Connector to such attacks. It also monitors the patch level to ensure the Connector stays updated to the recommended version in response to security vulnerabilities. Finally, the Cybersecurity Extension for SAP monitors the audit log for the Cloud Connector to automatically alert for security incidents. This includes configuration changes, changes to the Administrator account including passwords, changes to connected BTP subaccounts and backend systems, the activation of traces, settings for logging and auditing, role changes, certificates, LDAP, SNC, and many other areas.

SAP Security Notes, February 2025

Note 3417627 was updated in February to patch a high-risk cross-site scripting vulnerability in the User Admin application of SAP NetWeaver AS Java. The vulnerability is due to insufficient input validation and improper encoding. This allows an unauthenticated attacker to craft links containing malicious scripts. When a victim clicks on such a link, the script executes in the victim’s browser, potentially leading to unauthorized access or modification of sensitive information. Note 3557138 provides updated corrections to address the vulnerability.

Note 3525794 deals with an information disclosure vulnerability in the Central Management Console of the SAP BusinessObjects Business Intelligence platform. Attackers with administrative rights can generate or retrieve a secret passphrase, enabling them to impersonate any user in the system. The correction in the note removes the ability of administrators to access passphrases.

Note 3567551 resolves a path traversal vulnerability in the Master Data Management Catalog of SAP Supplier Relationship Management. The correction in the note sanitizes the triggered Input URL path and prevents attackers from downloading arbitrary files from remote systems.

Note 3563929 patches an open redirect vulnerability in SAP HANA extended application services. The User Account and Authentication service (UAA) for SAP HANA extended application services, advanced model (SAP HANA XS advanced model) allows an unauthenticated attacker to craft a malicious link that, when clicked by a victim, redirects the browser to a malicious site due to insufficient redirect URL validation. The note applies validation of redirect URLs to prevent exploitation.

ERP Disruption Leads Stoli to File for Bankruptcy

The recent impact of the ransomware attack at Stoli Group USA serves as a stark reminder of the importance of protecting ERP systems against cyber attack. Stoli Group USA, which imports and distributes liquor brands in the U.S., filed for Chapter 11 protection at the end of November.

Stoli suffered a data breach as a result of a ransomware attack in August 2024 that caused severe disruptions to its global business. The attack disabled the organization’s Enterprise Resource Planning (ERP) system, forcing it to rely on manual bookkeeping for critical business activities. Stoli said that its centralized ERP systems would not be restored until at least the first quarter of 2025. The reliance on manual processes for business functions including accounting meant that the company could not comply with debt reporting requirements for its lenders, leading directly to the bankruptcy filing.

According to the annual State of Ransomware report, based on a study of 5,000 organizations across 14 countries, 59% of organizations experience ransomware attacks. Recovery costs increased by 50% in 2024 from the prior year. 56% of organizations report paying ransoms to recover data. Average ransom payments rose from $400,000 in 2023 to $2M in 2024.

The Cybersecurity Extension for SAP provides industry-leading protection for SAP ERP solutions including S/4HANA against cyber attacks including ransomware. The SAP-certified solution automates vulnerability management, patch management, custom code security, and threat detection and response to protect business-critical SAP solutions.

SAP Security Notes, January 2025

Hot news note 3537476 patches a critical vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) that enables attackers to exploit authentication weaknesses in the platform to compromise credentials in internal RFC communications and execute commands using the stolen credentials. The vulnerability carries a CVSS base score of 9.9/10. The attack vectors to exploit the vulnerability are relatively non-complex and do not require any privileges in target SAP systems. The solution requires the implementation of a kernel patch. There are no workarounds for the vulnerability.

Hot news note 3550708 addresses an equally high-risk information disclosure vulnerability in NetWeaver AS ABAP. Attackers can exploit insufficient authentication in the Internet Communication Framework (ICF) to access restricted information. This can have a significant impact on confidentiality, integrity, and availability. The root cause of the vulnerability is the inclusion of a testing utility in NetWeaver AS ABAP that was not intended for customer delivery. The solution included in the note disables the execution of transaction SA38 by the impacted programs. Access to transaction SA38 can be restricted as a workaround.

Note 3550816 deals with a high-risk SQL injection vulnerability in NetWeaver AS ABAP. Attackers can exploit vulnerable RFC functions to access Informix databases. The solution deactivates the vulnerable functions. A workaround can be implemented to mitigate the vulnerability by restricting access to the execution of remote-enabled function modules in function group SDBI. This can be performed using authorization object S_RFC.

Note 3474398 patches multiple vulnerabilities in SAP BusinessObjects Business Intelligence (BOBJ) Platform. This includes information disclosure that can lead to session hijacking, and code injection that can enable attackers to inject and execute malicious JavaScript code.

Note 3542533 resolves a DLL hijacking vulnerability in SAPSetup that could enable attackers to escalate privileges in Windows servers and compromise active directories. SAPSetup supports the installation, updating, and maintenance of SAP software in Microsoft Windows. The solution in the note fixes permissions for relevant temporary directories.

The Most Critical SAP Security Notes of 2024

Security notes are released by SAP on the second Tuesday of every month to address vulnerabilities in SAP solutions. The vulnerabilities are discovered by external security researchers and reported as part of SAP’s disclosure program. They are also discovered directly by SAP through its ongoing research and testing. Security notes are scored by SAP using version 3.0 of the Common Vulnerability Scoring System (CVSS). CVSS generates a score from 0 to 10 based on the severity of the vulnerability. SAP also assigns a priority level to each note. Critical notes are categorized as hot news.

There were over 150 security notes released in 2024 to address vulnerabilities in SAP solutions. The average CVSS score was 5.9. Approximately 1 in 4 of the notes were categorized as hot news or high priority. This article reviews the most important security notes of 2024, based on CVSS score. Hot news notes should be prioritized for implementation. Often, workarounds included in some notes can be applied to mitigate risks if the corrections cannot be applied immediately.

Note 3479478 [CVE-2024-41730] is one of the highest-rated notes of 2024 with a CVSS score of 9.8. The note patches a missing authentication check in SAP BusinessObjects Business Intelligence Platform (BOBJ). The vulnerability can be exploited by attackers to compromise logon tickets using a REST endpoint if Single Sign-On is enabled. The property Trusted_Auth_Shared_Secret can be set to Disabled in the affected files to mitigate the vulnerability if BOBJ cannot be upgraded to the required patch level immediately.

Note 3455438 also has a CVSS score of 9.8. The note addresses code injection and remote code execution vulnerabilities in open-source components bundled in SAP CX Commerce. This includes API tools in Swagger UI and database drivers in Apache Calcite Avatica. The solutions referenced in the note remove the vulnerable components in Swagger UI and upgrade Apache Calcite Avatica to the recommended version. There are no workarounds.

Note 3448171 patches CVE-2024-33006, a critical file upload vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP). The CVE is rated 9.6. The vulnerability can be exploited to bypass malware scanning and completely compromise SAP systems. The correction and workaround detailed in the note apply signature checks for the FILESYSTEM and SOMU_DB content repositories. The vulnerability impacts most versions of the SAP_BASIS component in AS ABAP.

Note 3425274 [CVE-2019-10744] patches a code injection vulnerability in SAP Build Apps. The vulnerability arises from specific versions of the Lodash open-source JavaScript library used for programming tasks included in SAP Build Apps. Applications should be rebuilt with version 4.9.145 or later to prevent the vulnerability.

SAP Build Apps is also vulnerable to CVE-2024-29415, a severe Server-Side Request Forgery (SSRF) vulnerability detailed in note 3477196.

Note 3536965 [CVE-2024-47578] addresses SSRF and information disclosure vulnerabilities in Adobe Document Services of SAP NetWeaver AS for JAVA (AS Java). Updating the ADSSAP software component to the recommended patch level will remove the vulnerabilities in the relevant web applications and services in AS Java.

Note 3433192 [CVE-2024-22127] deals with a code injection vulnerability in the Administrator Log Viewer plug-in of AS Java. The vulnerability requires administrative privileges for successful exploitation. Therefore, restricting the use of the Administrators role can mitigate the vulnerability.

Note 3420923 [CVE-2024-22131] patches a vulnerable RFC service in AS ABAP to prevent a critical code injection vulnerability. The workaround in the note recommends restricting access to function modules for CA-SUR using authorization object S_RFC.

Other important notes include 3413475 for multiple CVEs in SAP Edge Integration Cell and 3412456 [CVE-2023-49583] which addresses an escalation of privileges vulnerability in node.js applications created using SAP Business Application Studio, SAP Web IDE Full-Stack or SAP Web IDE for SAP HANA.

SAP Security Notes, December 2024

Hot news note 3536965 addresses multiple high risk vulnerabilities in Adobe Document Services (ADS) of SAP NetWeaver Application Server for JAVA (AS Java). This includes vulnerabilities for Server-Side Request Forgery (SSRF) and information disclosure. ADS should be updated to the recommended patch levels detailed in the note. There are no workarounds provided by SAP.

Note 3542543 deals with an SSRF vulnerability in the NetWeaver Administrator of AS Java. The vulnerability is caused by insufficient authentication checks for a specific servlet. The note includes details for disabling the servlet as a workaround.

Note 3520281 was re-released with updated information for a cross-site scripting vulnerability in SAP Web Dispatcher. The note includes several workarounds if Web Dispatchers and Kernels cannot be upgraded to the recommended patch levels within a reasonable timeframe.

Note 3469791 patches an information disclosure vulnerability that could lead to the compromise of credentials for RFC destinations in SAP NetWeaver Application Server ABAP (AS ABAP). The vulnerability can be mitigated by setting profile parameter rfc/dynamic_dest_api_only to the value 1. This will deactivate the legacy dynamic destination.

Finally, note 3504390 addresses a NULL Pointer Dereference (NPD) vulnerability in AS ABAP that can be exploited by attackers to trigger a denial of service.

Buyers Guide to SAP Enterprise Threat Detection

SAP Enterprise Threat Detection (ETD) is the premier solution from SAP for identifying and responding to cyber attacks in SAP applications. ETD collects and analyzes log data from SAP systems and uses predefined patterns to detect Indicators of Compromise (IOCs) and trigger alerts for suspected security incidents. ETD includes graphical tools to support log analysis and detailed forensic investigation. Users can also create and publish custom patterns and alerts.

In addition to identifying potential threats, SAP ETD monitors the implementation status of required security notes in SAP solutions. Users can review the details of relevant notes including CVSS information and maintain the processing status of each note.

Anomaly detection is also supported by SAP ETD. The solution includes several patterns for anomalies, defined as events that deviate from normal or usual behavior in system landscapes.

ETD is a powerful solution capable of detecting and responding to cyber threats against SAP solutions in real time. It is available as an on-premise or cloud deployment, and can even be licensed as a managed service.

However, there are several drawbacks with SAP ETD, especially in comparison to alternative solutions available from SAP partners.

Unlike solutions such as the Cybersecurity Extension for SAP that use an add-on approach to implementing advanced threat detection and response for SAP applications, ETD requires additional servers and infrastructure to host required components including SAP HANA, Kafka, Zookeeper, and streaming tools. This leads to more complex installation and maintenance procedures compared to software add-ons that can be installed and maintained in existing systems within SAP landscapes with comparatively low effort.

ETD is also bundled with relatively few attack detection patterns. The most current version and support package level of the on-premise edition of ETD includes approximately 175 patterns. The cloud edition of ETD provides fewer than 50 patterns. The recent release of the Cybersecurity Extension for SAP delivers far more coverage with over 1000 built-in patterns.

Furthermore, although ETD is capable of monitoring SAP infrastructure including third party databases and operating systems, standard patterns in ETD include very few patterns for the database and OS layer. In contrast, the Cybersecurity Extension for SAP includes hundreds of patterns not only for SAP databases such as HANA and ASE but operating systems including SUSE Enterprise Linux, Red Hat Enterprise Linux, and Windows Server.

However, the most important drawback of SAP ETD is that it does not support the full suite of cybersecurity capabilities needed to address cyber risks in SAP solutions. ETD provides coverage for threat detection and patch management. However, it does not provide any support for other important areas such as access control, vulnerability management, custom code security, and compliance monitoring. Coverage for such areas would require the licensing of additional solutions from SAP or integrating capabilities from other platforms such as SAP Solution Manager. Full-suite solutions such as the Cybersecurity Extension for SAP provide integrated capabilities across all cybersecurity scenarios through a single, unified product and license. In addition to comprehensive threat detection and response with anomaly detection, the Cybersecurity Extension for SAP monitors critical access and segregation of duties risks for SAP solutions such as ECC and S/4HANA. It also performs automated vulnerability scans to detect more than 5000 vulnerabilities in SAP applications and infrastructure. Finally, it performs automated audits to detect compliance gaps against more than 15 regulatory and security frameworks and standards, including GDPR, NIST, PCI-DSS and the SAP Security Baseline.

SAP Security Notes, November 2024

Note 3520281 patches a high priority Cross-Site Scripting (XSS) vulnerability in the SAP Web Dispatcher. The vulnerability can be exploited by attackers to execute arbitrary code and fully compromise Web Dispatcher installations. The vulnerability impacts users accessing the administration UI with a browser. The administration UI can be disabled as a workaround. This can be performed by deleting the content of directory /usr/sap/data/icmandir/admin/. The administration UI can also be removed by deleting the icm/HTTP/admin_x parameters from the DEFAULT and instance profiles and setting profile parameter icm/HTTP/admin_0 to an empty value. Another option is to remove administrative roles for all users: the admin role can be removed from users and replaced with the monitor role. To fix the vulnerability, the SAP Kernel and Web Dispatcher should be upgraded to the required patch level for each version detailed in the note. The correction implements encoding to prevent a successful XSS attack.
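Both profile-based workarounds on this page, the empty icm/HTTP/admin_0 value for note 3520281 above and rfc/dynamic_dest_api_only = 1 for note 3469791 in the December summary, can be verified by reading the DEFAULT and instance profiles directly. The following checker is an added example written for this article, not SAP's code; the parameter names and values come from the notes as summarised here, while the profile format handling (one "parameter = value" per line, "#" comments, later assignments and later files overriding earlier ones) and the sample profile content are constructed for the example.

```shell
#!/bin/sh
# Added example (not SAP's code). Reads SAP profile files given in order
# (DEFAULT.PFL first, then the instance profile, so instance values win) and
# checks the two workaround settings discussed on this page.

# Usage: profile_param PARAMETER FILE...
# Prints the effective value (last assignment across all files; empty if unset).
profile_param() {
    param="$1"; shift
    awk -v p="$param" -F'=' '
        /^[[:space:]]*#/ { next }
        index($0, "=") > 0 {
            key = $1; sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key)
            if (key == p) {
                val = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
                found = val; seen = 1
            }
        }
        END { if (seen) print found }' "$@"
}

# Note 3469791 mitigation: rfc/dynamic_dest_api_only must be 1.
check_dynamic_dest() {
    v=$(profile_param rfc/dynamic_dest_api_only "$@")
    [ "$v" = "1" ]
}

# Note 3520281 workaround: no icm/HTTP/admin_<n> parameter may carry a value.
# Prints the active ones and returns 1 if any are found.
check_icm_admin() {
    active=$(awk -F'=' '
        /^[[:space:]]*#/ { next }
        index($0, "=") > 0 {
            key = $1; sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key)
            if (key ~ /^icm\/HTTP\/admin_[0-9]+$/) {
                val = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
                vals[key] = val
            }
        }
        END { for (k in vals) if (vals[k] != "") print k " = " vals[k] }' "$@")
    if [ -n "$active" ]; then
        printf '%s\n' "$active"
        return 1
    fi
    return 0
}

# Constructed sample DEFAULT profile with the weak settings (not a real
# customer profile). Quoted heredoc keeps $(...) references literal.
write_sample_profile() {
    cat > "$1" <<'EOF'
# constructed sample DEFAULT.PFL
SAPSYSTEMNAME = NPL
INSTANCE_NAME = D00
icm/HTTP/admin_0 = PREFIX=/sap/admin, DOCROOT=$(DIR_DATA)/icmandir/admin, AUTHFILE=$(DIR_INSTANCE)/sec/icmauth.txt
rfc/dynamic_dest_api_only = 0
EOF
}
```

A profile check like this only covers the static files; the value currently in effect can differ if a parameter was changed dynamically, which is why the page's later release notes mention alerting on dynamic changes to security-related profile parameters.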

Note 3483344 was updated with revised correction instructions to patch a high risk missing authorization check that could be exploited to escalate privileges in SAP PDCE. The note deactivates the vulnerable functions.

Note 3509619 patches a privilege escalation vulnerability in some versions of the SAP Host Agent installed on Unix platforms that enables attackers belonging to the sapsys group to replace local files usually protected by privileged access.

Note 3335394 resolves a missing authorization check in SAP NetWeaver AS Java that could lead to unauthorized access and changes to the System Landscape Directory (SLD).

Notes 3522953 and 3393899 deal with information disclosure vulnerabilities in the Software Update Manager and Logon Application of NetWeaver AS Java.

Cybersecurity Extension for SAP, Version 5.2: Support for SAP BTP, Critical Access and SOD for SAP ECC, and More

The new release of the Cybersecurity Extension for SAP is scheduled for general availability in October and includes several important enhancements.

Version 5.2 includes 40+ alerts for security related incidents in SAP BTP. This includes application changes, remote logins, role changes, role grants to users, and cloud transports. The alerts monitor events logged in the BTP central audit log. Events in the log are replicated to the Cybersecurity Extension for SAP to support forensic analysis. Log records include details such as the log event ID, description, timestamp, terminal ID, and application details for each event. Similar to existing alerts for ABAP, HANA, and Java system types, as well as databases, operating systems, and SAProuter and Web Dispatcher installations, BTP alerts can be integrated with SIEM solutions for centralized monitoring.

Earlier releases provided coverage for business-level critical access and segregation of duties in SAP S/4HANA. The new release extends the coverage to SAP ECC. Despite the scheduled end of mainstream maintenance for SAP ECC in 2027, many SAP customers have yet to migrate to S/4HANA and therefore ECC will be a mainstay within SAP landscapes of many organizations for several more years. Version 5.2 of the Cybersecurity Extension for SAP includes 350+ functional checks for access to sensitive ECC transactions and conflicting combinations of transactions. The checks cover processes such as Finance, HR and Payroll, Materials Management, Order to Cash, and Procure to Pay in ECC. Users can add custom checks for transactions and combinations not included in the standard ruleset. This includes custom transactions. The coverage includes all of the relevant access risk IDs monitored by SAP GRC for ECC. Users and user groups can be excluded for specific checks to tune the coverage and prevent false positives. Usage rights are included in the standard license for the Cybersecurity Extension for SAP.

The new release also includes checks and alerts for the deactivation of SAP UI Masking & UI Data Protection Masking solutions. The solutions protect access to sensitive data in SAP user interfaces by masking or clearing fields. The contents of the fields containing sensitive data are only revealed to users with the required roles or attributes.

Finally, version 5.2 includes alerts for the execution of new ICF services with known security vulnerabilities. The services are not yet widely known or included in the scope of vulnerable ICF services that should be deactivated based on SAP recommendations in frameworks such as the SAP Security Baseline. There are also additional checks for the Secure Storage in the File System (SSFS), new sensitive transaction codes, dangerous function modules and external programs, and dynamic changes for specific security-related profile parameters.

SAP Security Notes, October 2024

Hot news note 3479478 was updated for a critical missing authentication check in SAP BusinessObjects (BOBJ) Business Intelligence Platform. The vulnerability can be exploited to compromise logon tickets used for Single Sign-On. The update provides a fix for BOBJ 4.2 SP009. The note includes details of a workaround that disables trusted authentication in the Business Intelligence Platform Restful Web Services (BIPRWS) web application.

Note 3478615 patches a high-risk unrestricted file upload and malicious file execution vulnerability in BOBJ. In addition to applying the relevant support package patch detailed in the note, customers must create and maintain an access control list. The ACL should contain the list of folders that can contain personal data providers.

Note 3523541 addresses multiple vulnerabilities in Spring Framework and Log4j open-source libraries included in SAP Enterprise Project Connection. The patch included in the note updates the Spring framework and reload4j libraries to address the vulnerabilities.

Notes 3454858 and 3477359 deal with information disclosure vulnerabilities in SAP NetWeaver Application Server (AS) ABAP and AS Java, respectively. The vulnerabilities could be exploited to access restricted file system information and usernames and passwords for new RFC destinations.