Layer Seven, Author at Layer Seven Security

Cybersecurity Extension for SAP with SAP Focused Run

Layer Seven on June 19, 2024

SAP Focused Run (FRUN) is a Application Lifecycle Management (ALM) solution designed for real-time and high-volume system monitoring. It benefits from a more simplified and scalable architecture than other ALM platforms such as SAP Solution Manager (SolMan). Also, unlike SolMan, it runs exclusively with SAP HANA.

System monitoring using FRUN is supported through the deployment of the Simple Diagnostics Agent (SDA) to target systems. The SDA is integrated with the SAP Host Agent in SAP solutions. It collects and forwards metrics from systems to FRUN using HTTPS. System connections are routed through reverse proxies such as the Web Dispatcher. The SAP Host Agent, SDA and Web Dispatcher are included in RISE system builds and landscapes. Therefore, RISE systems can be monitored by both customers and service providers using SAP Focused Run.

FRUN supports monitoring for all SAP solutions and cloud services. This includes the public and private editions of SAP S/4HANA, SAP Business Suite, ECC, HANA platform, SAP Cloud, SuccessFactors/ HXM, Ariba, Concur, AS ABAP/ Java, Cloud Connector, Business Objects, Enterprise Portal, Mobile Platform, CRM, Business Warehouse, PI/PO, MII and Web Dispatcher. It also supports monitoring for OS and database platforms, and SAP BTP. Steps for monitoring the ABAP, Cloud Foundry, and Neo environments of BTP are detailed in the FRUN Expert Portal.

SAP Focused Run supports advanced monitoring capabilities such as Real User Monitoring. This can be used to monitor user actions for detailed forensics. It also supports System Anomaly Prediction for detecting and investigating anomalies based on predefined models and risks, and advanced Integration and Exception Monitoring for analyzing the usage of system interfaces.

The Cybersecurity Extension for SAP integrates with FRUN to perform advanced security monitoring for SAP solutions, including vulnerability and compliance management, patch management, custom code scanning, and threat detection and response. The SAP-certified solution leverages FRUN applications and components to discover system, code and user-related vulnerabilities, calculate required security notes, and detect security incidents and anomalies.

The Cybersecurity Extension for SAP is accessed from the Fiori launchpad for SAP Focused Run. FRUN users with the required roles can access the solution using the workgroup below. Systems are automatically mapped from the Landscape and Management Database (LMDB). Also, multi-tenancy for customer separation is automatically enforced through network and customer IDs configured by service providers in FRUN.

Deploying the Cybersecurity Extension for SAP to FRUN provides a more reliable and scalable option than deploying to Solution Manager. It also delivers improved performance with lower maintenance in comparison to SolMan. SAP Focused Run and SAP Solution Manager are the current deployment options supported for the standard edition of the Cybersecurity Extension for SAP. A third option is planned for early 2025 that would enable SAP customers to deploy the solution to NetWeaver AS ABAP systems such as SAP GRC. For SAP RISE customers, the cloud edition of the Cybersecurity Extension for SAP provides a SaaS option that does not require deployment to an SAP system.

SAP Security Notes, June 2024

Layer Seven on June 11, 2024

Note 3460407 patches a high priority denial of service vulnerability in the Meta Model Repository of SAP NetWeaver Application Server Java (AS Java). The vulnerability impacts version 7.50 of the software component MMR_SERVER. There are no workarounds available.

Note 3457592 deals with reflected and stored cross-site scripting vulnerabilities SAP Financial Consolidation reported in CVE-2024-37177 and CVE-2024-37178. The note encodes URL parameters to prevent the exploitation of the vulnerabilities.

Note 3466175 patches an access control issue related to the management of incoming payment files in SAP S/4HANA that could lead to an escalation of privileges. The impacted versions of S4CORE are 102-108.

A similar vulnerability is patched by note 3465455 in SAP BW/4HANA. After applying the note, it will not be possible to execute arbitrary functions within SAP BW/4HANA Transformation and DTP. Only functions/methods explicitly defined in the allowlist mentioned in the manual correction instructions can be executed to avoid any misuse.

Note 3425571 fixes an information disclosure vulnerability in NetWeaver AS Java that could lead to the leakage of server information. A workaround is detailed in the note to disable the impacted caf~eu~gp~model~eap application in the Guided Procedures component of AS Java.

Cybersecurity Extension for SAP version 5.1

Layer Seven on May 16, 2024

S/4HANA Access Risk Analysis, SAP RISE Compliance, SAP ETD Benchmarking and More

The new release of the Cybersecurity Extension for SAP is scheduled for general availability in May and includes several important enhancements.

Version 5.1 includes coverage for critical access and segregation of duties in SAP S/4HANA. It performs more than 700 checks for access to sensitive transactions and conflicting combinations of transactions for business processes such as Finance, HR and Payroll, Materials Management, Order to Cash, and Procure to Pay in S/4HANA. Exclusions can be maintained for users and groups to tune checks and exclude permitted users. Users can add custom checks for transactions and combinations not included in the standard ruleset. This includes custom transactions. The coverage includes all of the relevant access risk IDs monitored by SAP GRC for S/4HANA. The checks are included in the new areas S/4HANA Critical Access and S/4HANA Segregation of Duties. Usage rights are included in the standard license for the Cybersecurity Extension for SAP.

The new release also includes support for monitoring the compliance of SAP RISE systems with information security standards defined by SAP Enterprise Cloud Services (ECS) in note 3250501. The standards include required settings for security-relevant profile parameters, deleting unused clients, securing standard users, restricting access to password hashes, RFC gateway and message server hardening, deactivating critical ICF services, managing system and client change options, and applying transport layer security. There are over 120 specific requirements across 12 areas that customers must comply with for RISE solutions managed by ECS.

Version 5.1 includes several new threat detection patterns to bridge the gap with SAP Enterprise Threat Detection Cloud Edition (ETD CE). As a result, the Cybersecurity Extension for SAP now provides coverage for the same patterns as ETD CE. It also includes more than 750 patterns that are not included in ETD CE. Similar to ETD CE, the Cybersecurity Extension for SAP is available as Software-as-a-Service (SaaS) for RISE customers.

Finally, the new release includes new tiles for Actively Exploited Vulnerabilities and Known Exploited Vulnerabilities. The former can be used to display open vulnerabilities that have associated alerts. The latter can display calculated security notes for systems that are required to address Known Exploited Vulnerabilities (KEV) for SAP solutions in the CISA KEV catalog.

SAP Security Notes, May 2024

Layer Seven on May 14, 2024

Hot news note 3448171 patches a critical file upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform. The correction delivered in the note changes the default configuration to prevent file uploads without signatures in the FILESYSTEM and SOMU_DB of the Content Repository. The workaround detailed in the note provides manual steps for applying the secure configuration using transaction OAC0.

Note 3455438 addresses CSS injection and remote code execution vulnerabilities in SAP CX Commerce. Swagger UI in CX Commerce is using is vulnerable to CVE-2019-17495 (CSS injection). This vulnerability enables the attackers to perform Relative Path Overwrite (RPO) in the CSS-based input fields. Apache Calcite Avatica 1.18.0 in CX Commerce is vulnerable to CVE-2022-36364 (Remote code execution). The note removes extensions that use Swagger UI. It also updates Avatica to a secure version.

Note 3431794 fixes a high-risk cross site scripting vulnerability in SAP BusinessObjects Business Intelligence (BOBJ) Platform. BOBJ is vulnerable to stored XSS allowing an attacker to manipulate a parameter in the Opendocument URL. User input is sanitized by the correction delivered via the note to address the vulnerability.

Notes 3450286 and 3448445 addresses stored cross site scripting vulnerabilities in SAP NetWeaver AS ABAP that can lead to code injection and session hijacking due to insufficient encoding of URL parameters.

Note 2174651 patches an information disclosure vulnerability in the Integration Directory of SAP Process Integration (PI) that could enable attackers to discover sensitive information such as usernames and passwords.

Artificial Intelligence Exploits Vulnerabilities in Systems with a 87 percent Success Rate

Layer Seven on April 18, 2024

Based on a newly-released paper published by researchers at the University of Illinois, AI agents can combine large language models with automation software to autonomously analyze and exploit security vulnerabilities. During the research, OpenAI’s GPT-4 large language model was able to successfully exploit 87 percent of vulnerabilities when provided with a CVE advisory describing the flaws. The dataset included 15 one-day vulnerabilities taken from the Common Vulnerabilities and Exposures (CVE) database. One-day vulnerabilities are vulnerabilities that have been disclosed but not patched. More than 50 percent of the dataset were critical or high-rated vulnerabilities. Vulnerability exploitation was performed by GPT-4 using the ReAct automation framework.

Large language models are AI programs that use deep learning to recognize and interpret complex data such as human language. GPT-4 failed to exploit just two of the 15 vulnerabilities in the dataset. This included CVE-2023-51653 for Hertzbeat RCE. The cause of the failure to exploit this particular CVE was due to differences between the language available for the detailed description of the vulnerability and the language deployed for the AI agent.

Researchers calculated the cost of successful AI agent attacks at just $8.80 per exploit. The agent consists of only 91 lines of code and has not been publicly released at the request of OpenAI.

The ground-breaking research demonstrates the risk posed by AI to automate the discovery and exploitation of security vulnerabilities. It reduces the complexity and cost of vulnerability exploitation and increases the reach of threat actors.

The details of SAP vulnerabilities are publicly available in sources such as the CVE database and the NIST National Vulnerability Database (NVD). AI agents using large language models can analyze CVEs in the databases including details revealed in links for each CVE. SAP vulnerabilities are also documented and explained in depth in security forums. This often includes disclosure of sample code for vulnerability exploitation.

According to another recent study performed by Flashpoint and Onapsis, ransomware incidents impacting SAP systems increased by 400% over the last three years. Conversations on SAP vulnerabilities and exploits increased by 490% across the open, deep, and dark web between 2021 and 2023.

SAP customers can actively manage the risk of the successful discovery and exploitation of vulnerabilities including attacks leveraging artificial intelligence by regularly patching SAP solutions and through on-going vulnerability management. The Cybersecurity Extension for SAP automates the detection of both required SAP security notes and vulnerabilities in SAP solutions and infrastructure. It also detects vulnerabilities in custom SAP applications and programs.

SAP Security Notes, April 2024

Layer Seven on April 9, 2024

Note 3434839 deals with a high-priority security misconfiguration in the User Management Engine of SAP NetWeaver AS Java. User passwords created using self-registration are not subject to password complexity requirements defined in UME settings. The misconfiguration impacts version 7.50 of AS Java. The password policy can be enforced by updating the impacted software components to the recommended versions specified in the note. Disabling user self-registration and the ability of users to modify their profiles is recommended a temporary workaround if the components cannot be upgraded in a reasonable timeframe.

Note 3421384 patches an information disclosure vulnerability in the Web Intelligence application of SAP BusinessObjects Business Intelligence that could enable attackers to access sensitive operating system information. The note includes support package patches to address the vulnerability. Since the vulnerability arises from the reading of arbitrary Excel files, a workaround can be applied by removing the service Excel Data Access from all Adaptive Processing Servers.

Note 3438234 addresses a directory traversal vulnerability in SAP Asset Accounting caused by insufficient validation of user-provided path information. The correction included in the note verifies the path information against logical filenames. The vulnerable programs RAALTE00 and RAALTD01 can be protected using authorization groups as a workaround.

FBI and CISA Issue Alert for Threat Actors Actively Exploiting SQL Injection Vulnerabilities

Layer Seven on March 26, 2024

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert this week to urge organizations to urgently address SQL injection vulnerabilities in software. The alert is based on recent exploits performed by the CL0P cybercrime group, also known as TA505. The Russian group has exploited SQL injection vulnerabilities to propagate ransomware that has extorted an estimated $100M from organizations.

TA505 provides Ransomware-as-a-Service (RaaS) to other threat actors, sells access to compromised corporate networks as an initial access broker, and operates botnets specializing in financial fraud. The group is actively exploiting SQL injection vulnerabilities to install web shells in compromised servers. The web shells are used to execute operating system commands, install malicious ransomware programs, and exfiltrate data. TA505 is believed to have breached 130 organizations in just 10 days.

SQL injection vulnerabilities arise when user inputs are included in SQL commands to execute database queries. The processing of database queries containing malicious commands can enable threat actors to access and modify sensitive data, change programs and system configurations, and install and execute programs such as ransomware.

The risk of SQL injection can be mitigated using a combination of input validation and output encoding, escaping and quoting. Input validation reviews user-provided data before it is included in database queries and rejects data that does not conform with expected specifications such as character types, length, and syntax. Output encoding, escaping, and quoting can be more effective than input validation since programs often need to support free-form text containing arbitrary characters.

SAP software is subjected to static code analysis and other forms of security testing to detect and remove potential SQL injection vulnerabilities. However, SAP is not responsible for securing custom programs and applications deployed to SAP systems. Securing custom programs is the responsibility of each SAP customer. The Cybersecurity Extension for SAP is an SAP-certified addon that automatically detects SQL injection vulnerabilities in custom SAP ABAP programs and SAP UI5 applications. This includes SQL injection vulnerabilities in SELECT, INSERT, UPDATE, MODIFY, DELETE and other statements, as well as GROUP, JOIN, SET, WHERE, and other conditions and clauses. It also detects SQL injection issues in ADBC, DDL, DML and other statements executed by APIs in SAP systems.

The Cybersecurity Extension for SAP integrates with the ABAP Test Cockpit (ATC) and SAP Code Inspector (SCI). It also integrates with the Transport Management System (TMS) to automatically scan and block requests containing SQL injection and other security vulnerabilities.

SAP Security Notes, March 2024

Layer Seven on March 13, 2024

Hot news note 3425274 deals with a critical code injection vulnerability in applications developed with SAP Build Apps. The note recommends rebuilding applications with version 4.9.145 or later.

Hot news note 3433192 patches a code injection vulnerability in the Administrator Log Viewer plug-in of SAP NetWeaver AS Java. The plug-in allows threat actors with the Administrator role to upload potentially dangerous files that could be exploited to run arbitrary commands. The corrections included in the note block the upload of dangerous file types and supports virus scanning for uploaded files.

Note 3414195 includes support package patches for SAP BusinessObjects Business Intelligence (BOBJ) version 4.3 SP02 – 05 to address a high-priority path traversal vulnerability in the Central Management Console. The vulnerability arises from a version of Apache Struts included in BOBJ which is vulnerable to CVE-2023-50164.

Note 3410615 corrects a Denial-of-Service vulnerability impacting SAP HANA XS. The DoS can be triggered by a high volume of HTTP/2 requests. The HTTP/1 protocol is not affected. A workaround can be applied by setting the Web Dispatcher parameter icm/HTTP/support_http2 to false to disable support for the HTTP/2 protocol.

Note 3346500 was updated with revised solution information for a high-risk authentication vulnerability in SAP Commerce Cloud. The solution changes the default value of the property user.password.acceptEmpty to false to prevent the use of empty passphrases for user authentication.

Security Compliance for SAP RISE Solutions

Layer Seven on February 19, 2024

S/4HANA and other ABAP systems provisioned by SAP for RISE customers are based on standard system builds. The builds include default settings to apply security by default based on hardening requirements and best practices. The settings are outlined in SAP Note 3250501 – Information on Mandatory Security Parameters & Hardening Requirements for ABAP systems in SAP Enterprise Cloud Services (ECS).

The requirements include recommended settings for security-relevant profile parameters, deleting unused clients, securing standard users, restricting access to password hashes, RFC gateway and message server hardening, deactivating critical ICF services, managing system and client change options, and applying transport layer security. There are over 120 specific requirements across 12 areas that customers must abide by to comply with SAP security standards for RISE solutions.

The Cybersecurity Extension for SAP (CES) performs automated gap assessments to ensure RISE solutions comply with SAP security requirements. The assessments are performed using Compliance Reporting accessed from the CES launchpad.

SAP RISE should be selected from the framework selection screen.

Once the framework is selected, you can select a target system from the available systems in your SAP RISE landscape and click on Execute.

The results are summarized for each requirement and an overall compliance score is calculated for the system.

You can drilldown into each requirement to navigate the detailed findings.

You can click on the > icon for each finding to view further information and create an action plan to manage the remediation of compliance issues.

The report filters can be used to focus on specific requirements or results. For example, you can suppress compliant areas to isolate compliance failures.

Shortcuts can be created and published to the Fiori launchpad for fast access to compliance results.

The shortcuts can be published as custom tiles to existing or new work groups.

Compliance reports can also be scheduled to run on regular intervals. The reports are automatically distributed in PDF or CSV to recipients by email during each run.

The Cybersecurity Extension for SAP is an SAP-certified addon for SAP Solution Manager and SAP Focused Run. An addon version for other SAP NetWeaver AS ABAP systems such as SAP GRC is expected in Q4 this year.

SAP Security Notes, February 2024

Layer Seven on February 15, 2024

Hot news note 3420923 patches a critical code injection vulnerability in the Web Survey component of Application Basis. Prerequisite note 1110803 is required to apply the correction for versions 700-710 and note 1354949 is required for version 711. As a workaround, remote calls to function modules of CA-SUR can be restricted using authorization object S_RFC.

Note 3417627 addresses a high-risk cross-site scripting vulnerability in the User Admin Application of SAP NetWeaver Application Server Java (AS Java). The vulnerability is a side effect of improper encoding and validation introduced with note 3251396.

Note 3426111 secures an XML parser in the Guided Procedures component of AS Java to patch an XML External Entity (XXE) injection vulnerability. The vulnerability can be exploited by threat actors to read sensitive files. The note includes details of a workaround that requires disabling the vulnerable caf-eu-gp-model-iforms-eap application.

Notes 3424610 and 3410875 deal with broken authentication and cross-site scripting vulnerabilities in the SAP Cloud Connector and SAP CRM, respectively.