Layer Seven Security Blog
Stay up to date on the latest trends in SAP security, new threats and information on protecting your critical systems against an attack
Season’s Greetings
2019 was a stellar year. In case you missed them, check out the enhancements we rolled out during the year > CVA – SolMan Integration – Monitor vulnerabilities in your custom programs using SAP Code Vulnerability Analyzer and SAP Solution Manager > Fiori Reports & Dashboards – Manage vulnerabilities and threats directly from the SAP Fiori …
SAP Security Notes, November 2019
Hot News Note 2839864 updates Note 2808158 for a high risk OS Command Injection vulnerability in the SAP Diagnostics Agent. The vulnerability exists within the OS Command Plugin of the Agent, accessible through transaction GPA_ADMIN and the OS Command Console. Note 2839864 provides a patch for the LM_SERVICE for Support Pack levels 6-9 of the …
SIEM Integration with SAP Solution Manager
Security Information and Event Management (SIEM) platforms combine the ability to collect log data from applications, hosts, routers, switches, firewalls and other endpoints with the ability to analyze events in real time. They support threat detection, event correlation and incident response with alerting and reporting capabilities. SIEM platforms require complete coverage for maximum yield. In …
SAP Security Notes, October 2019
Hot News Note 2828682 patches a vulnerability in SAP Landscape Management Enterprise that could lead to the disclosure of critical information. Although the notes carries a CVSS score of 9.1/10, the vulnerability addressed by the note can only be executed under specific, uncommon conditions. In addition to implementing SAP Landscape Management 3.0 SP12 Patch 02, …
64% of ERP Systems Have Experienced Security Breaches Between 2017-19
According to the findings of a recent independent survey of 430 IT decision makers, 64 percent of ERP deployments have experienced security breaches in the past 24 months. The findings are published in the report ERP Security: The Reality of Business Application Protection. In the words of the IDC, “ERP applications such as SAP can …
SAP Security Notes, September 2019
Hot News Note 2798336 patches a critical code injection vulnerability in NetWeaver Application Server for Java (AS Java). A program error in the Web Container of AS Java could enable attackers to bypass input validation and execute dynamic content such as malicious code. The note includes updates for the J2EE Engine and API components. Note …
SAP Vulnerability Assessment vs Penetration Testing
Vulnerability assessment and penetration testing both serve important functions for protecting business applications against security threats. The approaches are complementary but should be deployed sequentially. Penetration testing against systems and applications that have not been hardened based on the results of vulnerability assessments is inadvisable since the results are predictable. The objective of penetration testing …
SAP Security Notes, August 2019
Hot News Note 2800779 patches a remote code execution vulnerability in the SAP NetWeaver UDDI Server. The vulnerability carries a CVSS score of 9.9/10 and could be exploited to take complete control of the Services Registry, including viewing, changing, or deleting data by injecting code into the working memory which is subsequently executed by the …
SAP Security Notes, July 2019
Hot News Note 2808158 patches a critical code injection vulnerability in the SAP Diagnostics Agent. The Agent is required to monitor operating systems and discover the database cluster topology from SAP Solution Manager. It is not required for monitoring the security of SAP systems with Solution Manager. Security-relevant data is collected or monitored primarily through …
Monitoring Security Alerts with SAP Solution Manager
There are several apps available in SAP Solution Manager for monitoring security alerts for SAP systems. The most longstanding is the Alert Inbox which provides an overview of alerts by process area. Guided procedures for investigating security alerts are executed from the Alert Inbox. Another option is System Monitoring which provides a more user-friendly interface …
Recommended Settings for SAP Logging and Auditing
The Cybersecurity Extension for SAP Solution Manager monitors SAP event logs to automatically detect and alert for indicators of compromise. The monitoring interval can be customized for each security metric based on risk and sizing. An interval of 60 seconds, for example, can support real-time threat detection. However, real-time detection is only useful when supported …
SAP Security Notes, June 2019
Note 2748699 provides instructions for securing the credentials of the standard user SM_EXTERN_WS in SAP Solution Manager. SM_EXTERN_WS is used by CA Introscope Enterprise Manager (EM) to collect monitoring metrics from mainly non-ABAP components in SAP landscapes. The metrics are collected via the Introscope Push web service. The credentials for SM_EXTERN_WS including the automatically generated …
Webinar Playback: Holistic SAP Cybersecurity with CVA & SolMan
Watch the playback of this month’s webinar to learn how you can implement holistic cybersecurity for your SAP systems with Code Vulnerability Analyzer and Solution Manager. CVA performs static code analysis to detect vulnerabilities in custom code. SAP Solution Manager detects vulnerabilities and threats in SAP systems including components such as the gateway server, message server …
SAP Security Notes, May 2019
Note 1408081 was updated in May in response to the recent 10KBLAZE exploits targeting vulnerabilities in the gateway server. The note includes revised instructions for maintaining access control lists in the gateway security files reg_info and sec_info for different kernel versions. The access control lists should be configured to control external server registrations and program …
10KBLAZE: Secure Your Systems with SAP Solution Manager
On May 2, the Department of Homeland Security issued an alert for SAP customers in response to the disclosure of new exploits targeting vulnerable SAP components. According to some reports, the so-called 10KBLAZE exploits could impact 90% of SAP installations worldwide. The exploits target misconfigurations in the gateway server and message server installed in most …
Webinar: 10KBLAZE – Secure Your SAP Systems with CVA and SolMan
According to a recent report, thousands of SAP installations may be vulnerable to 10KBLAZE exploits targeting SAP applications. Join SAP and Layer Seven Security to learn how to secure your SAP systems against the exploits with SAP Code Vulnerability Analyzer (CVA) and SAP Solution Manager. CVA performs static code analysis to detect vulnerabilities in custom …
SAP Security Notes, April 2019
Note 2747683 patches a vulnerability in the signature security mechanism of the Adapter Engine in SAP NetWeaver Process Integration (PI). The vulnerability could enable attackers to spoof XML signatures and send arbitrary requests to the server via PI Axis adapter. Such requests will be accepted by the PI Axis adapter even if the payload has …
Securing Administrative Access in SAP AS Java
The misuse of administrative privileges is a common method used by attackers to compromise applications and propagate attacks to connected systems. The elevated privileges granted to administrative accounts are a prized target for attackers and provide a fast path to accessing or modifying sensitive data, programs and system settings. User privileges for Java applications are …
SAP Security Notes, March 2019
Note 2764283 addresses an XML External Entity vulnerability in SAP HANA extended application services (XS), advanced. HANA XS does not sufficiently validate an XML document accepted from an authenticated developer with privileges to the SAP space. Successful exploitation of the vulnerability could lead to the leading of arbitrary files in SAP servers or denial of …
Code Vulnerability Management with SAP Solution Manager
Custom Code Management (CCM) in SAP Solution Manager can enable you to take control of custom developments by providing transparency into custom objects in your SAP systems and analyzing the usage of custom code. It can also provide insights into security vulnerabilities in custom objects and packages. CCM provides an overview of the custom developments …
SAP Security Notes, February 2019
Hot News Note 2742027 patches a critical broken authentication check in SAP HANA Extended Application Services, advanced model. The vulnerability could lead to unauthorized administrative access and the exfiltration, modification or deletion of sensitive data in HANA XS. The vulnerability carries a CVSS score of 9.4/10. It ranks relatively low in terms of attack complexity …
Cyber Espionage Warning: 30% Growth in Targeted Attacks
The findings of the annual Internet Security Threat Report indicate that the number of organizations targeted by advanced hacking groups increased by almost one third between 2015 and 2018. The groups have not only substantially increased their cyber-espionage operations, they are also deploying increasingly sophisticated tactics against a growing number of sectors. National hacking groups such …
SAP Security Notes, January 2019
Hot News Note 2696233 deals with multiple vulnerabilities in the SAP Cloud Connector. The Connector is an agent that connects on premise systems with applications operating on the SAP Cloud Platform. The agent supports HTTP, RFC, JDBC/ODBC and other connections between on-premise and cloud installations using reverse invoke without requiring inbound ports to be opened …
Database Security with the Cybersecurity Extension for SAP
Protecting SAP systems against cyber threats requires integrated measures applied not just within the SAP layer but across the technology stack including network, operating system, and database components. As repositories of business-critical and sensitive information, databases warrant specific attention for hardening and monitoring efforts. This includes identifying and addressing configuration weaknesses, excessive privileges, and weak …