Layer Seven Security Blog
Stay up to date on the latest trends in SAP security, new threats and information on protecting your critical systems against an attack
SAP Security Notes, May 2021
Note 3046610 patches a high priority code injection vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP). Program RDDPUTJR may be executed by attackers to inject malicious code. The note replaces the code of the report with an exit statement. The program can be deleted by the support packages included in the note. Access to …
Protecting SAP Systems from Ransomware
The recent attack at Colonial Pipeline has demonstrated the devastating impact of ransomware on critical infrastructure. According to the Department of Homeland Security, ransomware attacks have increased by 300% over the past year, impacting all industries and sectors. The average downtime from an attack is 21 days. Full recovery takes an average of 287 days. …
SAP Security Notes, April 2021
Hot news note 2999854 was updated in April for a critical code injection vulnerability in SAP Business Warehouse and SAP BW/4HANA. BW and BW/4HANA allow a low privileged attacker to inject malicious code using a remote enabled function module over the network. Due to a lack of input validation, users granted RFC access to execute …
Cybersecurity Extension for SAP Identifies Signatures of Active SAP Cyberattacks
Earlier this month, SAP issued a joint report with a security research firm to highlight active cyber threats targeting SAP applications. According to the report, there is conclusive evidence that attackers are actively targeting and exploiting unsecured SAP applications. The report also reveals that some SAP vulnerabilities are being weaponized in less than 72 hours …
SAP Security Notes, March 2021
Hot news note 3022622 patches a critical code injection vulnerability in SAP Manufacturing Integration and Intelligence (MII). SAP MII allows users to create dashboards and save them as JSP through the SSCE (Self Service Composition Environment). Attackers can target this feature to inject malicious JSP code that include OS commands. The code and commands are …
Securing Linux Platforms for SAP HANA and S/4HANA
SUSE Linux Enterprise Server (SLES) is the leading operating system for SAP HANA and SAP S/4HANA solutions, supporting 85 percent of HANA deployments worldwide. SLES for SAP Applications is optimized to support high availability and persistent memory and endorsed by SAP. Securing operating systems is a critical component of SAP system hardening. Vulnerable hosts can …
SAP Security Notes, February 2021
Hot News note 3014121 patches a critical remote code execution vulnerability in SAP Commerce. The Backoffice application in SAP Commerce enables certain users with required privileges to edit drools rules. An authenticated attacker with this privilege is able to inject malicious code in the drools rules, enabling the attacker to compromise the SAP host. This …
Layer Seven Security’s Cybersecurity Extension for SAP® Solutions Achieves SAP® Certification as Integrated with SAP NetWeaver®
Toronto, Canada – March 8, 2021 – Layer Seven Security today announced its Cybersecurity Extension v3.4 for SAP® Solutions has achieved SAP®-certified integration with the SAP NetWeaver® technology platform. The solution has been proven to integrate with SAP solutions, providing automated vulnerability management, threat detection and incident response for SAP applications and infrastructure. “We are delighted to …
Securing the Web Dispatcher with the Cybersecurity Extension for SAP
The SAP Web Dispatcher is an application gateway that filters Internet based traffic to SAP systems including HTTP requests. As an entry point for Web-based communications in SAP landscapes, the Web Dispatcher can help to secure remote access to SAP systems by enforcing security standards for external connections and filtering connection requests. However, the Web …
SAP Security Notes, January 2021
Hot News note 2983367 corrects a code injection vulnerability in Master Data Management in SAP Business Warehouse and SAP BW4HANA. The vulnerability could be exploited to execute privileged OS commands. The correction introduces a hard coded report name which can only be executed by a legitimate user in release 7.30. The note removes the impacted …
SolarWinds Attack: Lessons Learned for SAP Cyber Security
The software supply chain attack suffered by SolarWinds may have impacted as many as 425 of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US Military, the Pentagon, the State Department, the world’s largest cybersecurity firm, as well as hundreds of organizations worldwide. …
SAP Security Notes, December 2020
Hot News note 2983367 patches a severe OS command injection vulnerability in SAP Business Warehouse Master Data Management (MDM) and BW4HANA. For release 7.30, the note binds the execution of the affected function module to a hard coded report and legitimate users. For release 7.40 and higher, the note removes the vulnerable function altogether. Note …
Compliance Reporting for the SAP Security Baseline
The SAP Security Baseline is a widely used benchmark for securing SAP applications. The benchmark includes SAP recommendations for system hardening, authentication and authorization, logging and auditing, and other areas. The recommendations draw on SAP security notes, guides and whitepapers. The SAP Security Baseline was updated by SAP earlier this year and provides an up-to-date …
SAP Security Notes, November 2020
Hot News note 2973735 patches a code injection vulnerability in SAP AS ABAP and S/4 HANA. The note introduces an authorization check for object S_DMIS to control the execution of a vulnerable function module by RFC. The function module is used for checking the syntax for a table selection query. Attackers can abuse the function …
Job Monitoring with SAP Solution Manager
Security monitoring using SAP Solution Manager is driven by a series of background jobs that automate data collection and analysis for system vulnerabilities, security notes, and event logs. Vulnerability data is extracted daily, notes information is collected weekly, and event data can be collected as frequently as every minute. Any interruption to the background jobs …
SAP Security Notes, October 2020
Hot news note 2969828 patches a OS command injection vulnerability in CA Introscope Enterprise Manager (EM) installed in SAP Solution Manager and SAP Focused Run. EM can be used to monitor the performance of Java applications. The note includes a patch for EM 10.7 and 10.5 SP2 patch 2 to remove the vulnerability. Earlier versions …
Securing OS Platforms with the Cybersecurity Extension for SAP
Securing SAP hosts is a critical component of SAP system hardening. Vulnerable operating systems can provide a pathway to SAP applications, databases and other components, bypassing security mechanisms applied in such layers. This can lead to the compromise of SAP systems including the corruption of critical files and tables. It can also support ransomware attacks …
SAP Security Notes, September 2020
Hot News note 2958563 patches a critical code injection vulnerability in SAP Business Warehouse. The vulnerability targets specific function modules to assume complete control of BW including viewing, changing, or deleting data by injecting code into the working memory which is subsequently executed by the application. It impacts BW releases up to 7.40 running on …
Secure Your Custom Code with the Cybersecurity Extension for SAP
The Cybersecurity Extension for SAP Solution Manager now supports static code analysis for custom SAP programs. Released in September, version 3.3 performs code vulnerability detection for hard coded users, passwords, hosts, systems, and clients, SQL injection, cross-site scripting, missing or insufficient authorization checks, directory traversal, sensitive table reads and writes, OS command injection, and insecure …
SAP Security Notes, August 2020
Hot News note 2928635 patches a critical code execution vulnerability in SAP Knowledge Management (KM). KM supports the automatic execution of potentially malicious scripts in stored files without authentication. The note recommends disabling the option for Force Text Download to remove the vulnerability. Force Text Download is a parameter of the WebDAV Protocol. WebDAV includes …
Prevent and Detect Ransomware Attacks with SAP Solution Manager
Ransomware attacks accounted for one third of malware-based cyber attacks in the first quarter of 2020. Successful attacks encrypt and block access to files in compromised systems. Decryption keys for recovery of the files are typically only released after ransom demands are paid, usually in the form of untraceable cryptocurrencies. The impact of ransomware includes …
SAP Security Notes, July 2020
Hot News Note 2934135 patches the critical RECON vulnerability in NetWeaver Application Server Java (AS Java). RECON targets a missing authentication flaw in the LM Configuration Wizard of AS Java to execute malicious code that creates administrative users in compromised systems. Attackers can exploit RECON to compromise not only AS Java systems but also connected …
RECON: Secure Your Systems with SAP Solution Manager
US-CERT issued Alert AA20-195A on Monday for the so-called RECON (Remotely Exploitable Code On NetWeaver) vulnerability in SAP NetWeaver Application Server Java (AS Java). RECON impacts versions 7.3 and higher of AS Java including an estimated 40,000 SAP systems. Based on a BinaryEdge search, 4,000 of the impacted systems are internet-facing. The vulnerability is rated …
SAP Security Notes, June 2020
Hot News note 2928570 patches a critical remote code execution vulnerability in SAP Liquidity Management for Banking. The vulnerability impacts connections using the Apache JServ Protocol (AJP) in Apache Tomcat. AJP connections should be blocked if not required by disabling the AJP Connector. The connections can be exploited to read and process arbitrary files in …