Layer Seven Security Blog
Stay up to date on the latest trends in SAP security, new threats and information on protecting your critical systems against an attack
SAP Security Notes, December 2020
Hot News note 2983367 patches a severe OS command injection vulnerability in SAP Business Warehouse Master Data Management (MDM) and BW4HANA. For release 7.30, the note binds the execution of the affected function module to a hard coded report and legitimate users. For release 7.40 and higher, the note removes the vulnerable function altogether. Note …
Compliance Reporting for the SAP Security Baseline
The SAP Security Baseline is a widely used benchmark for securing SAP applications. The benchmark includes SAP recommendations for system hardening, authentication and authorization, logging and auditing, and other areas. The recommendations draw on SAP security notes, guides and whitepapers. The SAP Security Baseline was updated by SAP earlier this year and provides an up-to-date …
SAP Security Notes, November 2020
Hot News note 2973735 patches a code injection vulnerability in SAP AS ABAP and S/4 HANA. The note introduces an authorization check for object S_DMIS to control the execution of a vulnerable function module by RFC. The function module is used for checking the syntax for a table selection query. Attackers can abuse the function …
Job Monitoring with SAP Solution Manager
Security monitoring using SAP Solution Manager is driven by a series of background jobs that automate data collection and analysis for system vulnerabilities, security notes, and event logs. Vulnerability data is extracted daily, notes information is collected weekly, and event data can be collected as frequently as every minute. Any interruption to the background jobs …
SAP Security Notes, October 2020
Hot News note 2969828 patches an OS command injection vulnerability in CA Introscope Enterprise Manager (EM) installed in SAP Solution Manager and SAP Focused Run. EM can be used to monitor the performance of Java applications. The note includes a patch for EM 10.7 and 10.5 SP2 patch 2 to remove the vulnerability. Earlier versions …
Securing OS Platforms with the Cybersecurity Extension for SAP
Securing SAP hosts is a critical component of SAP system hardening. Vulnerable operating systems can provide a pathway to SAP applications, databases and other components, bypassing security mechanisms applied in such layers. This can lead to the compromise of SAP systems including the corruption of critical files and tables. It can also support ransomware attacks …
SAP Security Notes, September 2020
Hot News note 2958563 patches a critical code injection vulnerability in SAP Business Warehouse. The vulnerability can be exploited through specific function modules to assume complete control of BW, including viewing, changing, or deleting data, by injecting code into working memory that is subsequently executed by the application. It impacts BW releases up to 7.40 running on …
Secure Your Custom Code with the Cybersecurity Extension for SAP
The Cybersecurity Extension for SAP Solution Manager now supports static code analysis for custom SAP programs. Released in September, version 3.3 performs code vulnerability detection for hard coded users, passwords, hosts, systems, and clients, SQL injection, cross-site scripting, missing or insufficient authorization checks, directory traversal, sensitive table reads and writes, OS command injection, and insecure …
SAP Security Notes, August 2020
Hot News note 2928635 patches a critical code execution vulnerability in SAP Knowledge Management (KM). KM supports the automatic execution of potentially malicious scripts in stored files without authentication. The note recommends disabling the option for Force Text Download to remove the vulnerability. Force Text Download is a parameter of the WebDAV Protocol. WebDAV includes …
Prevent and Detect Ransomware Attacks with SAP Solution Manager
Ransomware attacks accounted for one third of malware-based cyber attacks in the first quarter of 2020. Successful attacks encrypt and block access to files in compromised systems. Decryption keys for recovery of the files are typically only released after ransom demands are paid, usually in the form of untraceable cryptocurrencies. The impact of ransomware includes …
SAP Security Notes, July 2020
Hot News Note 2934135 patches the critical RECON vulnerability in NetWeaver Application Server Java (AS Java). RECON targets a missing authentication flaw in the LM Configuration Wizard of AS Java to execute malicious code that creates administrative users in compromised systems. Attackers can exploit RECON to compromise not only AS Java systems but also connected …
RECON: Secure Your Systems with SAP Solution Manager
US-CERT issued Alert AA20-195A on Monday for the so-called RECON (Remotely Exploitable Code On NetWeaver) vulnerability in SAP NetWeaver Application Server Java (AS Java). RECON impacts versions 7.3 and higher of AS Java including an estimated 40,000 SAP systems. Based on a BinaryEdge search, 4,000 of the impacted systems are internet-facing. The vulnerability is rated …
SAP Security Notes, June 2020
Hot News note 2928570 patches a critical remote code execution vulnerability in SAP Liquidity Management for Banking. The vulnerability impacts connections using the Apache JServ Protocol (AJP) in Apache Tomcat. AJP connections should be blocked if not required by disabling the AJP Connector. The connections can be exploited to read and process arbitrary files in …
Anomaly Detection with Cybersecurity Extension for SAP
Threat detection is commonly performed through rules or signature-based pattern matching. Detection engines compare actual events with patterns of malicious events to discover indicators of compromise (IOCs). IOCs discovered by detection engines typically trigger an alarm or alert for a suspected security breach. Pattern matching is a tried and tested method to identify known exploits …
SAP Discloses Critical Vulnerabilities in ASE Databases
SAP customers are urged to apply a series of recent patches released by SAP for the Adaptive Server Enterprise (ASE). SAP ASE, previously known as Sybase SQL Server and Sybase ASE, is a widely deployed database platform used for both SAP and non-SAP applications. According to SAP, ASE is used by over 30,000 customers worldwide, …
SAP Security Notes, May 2020
Hot News Note 2835979 patches a critical code injection vulnerability in Service Data Download. The vulnerability can be exploited by attackers to inject malicious code into the ST-PI plugin for NetWeaver Application Server ABAP (AS ABAP). This could lead to the complete compromise of ABAP servers. The vulnerability carries a base CVSS score of 9.9/10 …
Visualize Security Risks for SAP Systems with Threat Maps
Threat Maps in SAP Solution Manager visualize security vulnerabilities, missing patches and open alerts for SAP systems across geolocations. They provide a fast and intuitive way to display and interact with security information for SAP landscapes that span multiple cities, countries, or regions. System data is maintained in the Landscape Management Database (LMDB) of SAP …
SAP Discloses Security Gaps in Cloud Solutions
SAP issued a statement last week to disclose security lapses in several cloud products including SAP Cloud Platform, SAP Analytics Cloud, SuccessFactors, and Concur. According to the statement, the disclosure was prompted by an internal security review. SAP does not believe customer data has been compromised as a result of the issues. The lapses impact …
SAP Security Notes, April 2020
Hot News note 2863731 provides updated correction instructions for a critical deserialization vulnerability in the enterprise Business Objects platform. The Crystal Reports .Net SDK WebForm Viewer in Business Objects could enable attackers with basic authorization to execute deserialization attacks. This could be exploited to perform malicious code execution. Note 2904480 patches a significant input validation …
Automating SAP Audits with Solution Manager
According to IDC, 80% of ERP applications are audited at least once every 12 months. Driven by regulatory requirements, audits can drain valuable resources from projects targeted at business growth. They can also lead to audit fatigue and undermine relationships between IT and audit stakeholders. Compliance Reporting in SAP Solution Manager enables organizations to automate …
Layer Seven Security Recognized as Top 25 Cyber Security Company
Layer Seven Security has been selected by a panel of experts and members of the CIO Applications editorial board for inclusion in the Top 25 Cyber Security Companies for 2020. The annual list is compiled by CIO Applications to recognize and promote organizations that provide cutting-edge cybersecurity solutions. CIO Applications is a Silicon Valley industry …
Securing the SAProuter from Remote Attacks
The surge in remote working has led to an increasing reliance on the SAProuter as a means to facilitate secure remote access to SAP applications. As a reverse proxy between external networks and SAP landscapes, the SAProuter enables organizations to apply more granular policies for filtering and securing connections to SAP systems than network firewalls. …
Dramatic Growth in Cyber Attacks Increases Enterprise Risk
Cyber attacks have risen to six times the usual levels over the past four weeks as the COVID-19 pandemic provides a new catalyst for attackers. Hacking and phishing attempts increased by an unprecedented 37% in a single month between February and March. Remote working has led to an equally dramatic rise in the number of servers …
SAP Security Notes, March 2020
Hot News note 2845377 patches a missing authentication check in the Diagnostics Agent. The Agent is a component of the Solution Manager landscape. It commonly connects to the Java server in Solution Manager through the J2EE Message Server HTTP port. This is recommended by SAP. However, it can also connect to Solution Manager using a …