Layer Seven Security

Securing Microsoft Platforms with the Cybersecurity Extension for SAP

SAP systems consist of multiple integrated technological layers. SAP solutions comprise the application layer. The application layer is supported by database and operating system layers. The layers are closely integrated to form a software ecosystem linked through several connections including trust relationships that bond the layers to form an SAP system. The layers are more tightly integrated in SAP HANA installations where application, database and OS functions can share physical resources.

Since SAP systems are comprised of multiple layers, security must be applied across all layers within a system. Threat actors can bypass secure SAP applications by targeting weaknesses at the database or OS level to compromise SAP systems. Ransomware, for example, can lead to a denial-of-service for SAP services by exploiting vulnerable operating systems. Application-level data protection mechanisms can be bypassed by exfiltrating data in SAP solutions directly from the database.

The need to secure databases and operating systems in SAP systems is more pressing when SAP applications are coupled with Microsoft platforms that are widely targeted by threat actors and suffer from a host of known vulnerabilities and exploits. The Cybersecurity Extension for SAP is the only security solution that secures all layers within SAP systems including databases and operating systems.

Together with over 2000 vulnerability checks for SAP solutions, the Cybersecurity Extension for SAP performs automated vulnerability scans for Microsoft SQL Server and Microsoft Server to detect more than 300 known security weaknesses in the platforms. This includes active vulnerable services that widen the attack surface for databases and hosts, authentication settings including password policies, file and table encryption, users with administrative privileges including system and user administration, the availability of standard users, logging and auditing, open ports and services, and host firewall settings.

The Cybersecurity Extension for SAP also monitors database and operating logs to detect indicators of compromise in Microsoft platforms and trigger alerts and email/ SMS notifications for security incidents. This includes system, role and user changes, direct access to user tables, changes to database schemas, user groups, scheduled tasks, stored procedures, passwords and firewall settings, failed logons including attempted remote logons, packets blocked by host firewalls, remote procedure calls, service activation, device and program installation, and changes to system auditing.

CISA, FBI Warn Organizations to Protect Against State-Sponsored Malware

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint statement to advise organizations to prepare for increased cyber activity in the wake of the Russian invasion of Ukraine. According to the advisory, there is a risk that Russian cyber attacks will spread to government and business networks in the US and other NATO countries as a result of the growing international support for Ukraine and anticipated retaliation for sanctions imposed on Russia.

Threat actors deployed destructive malware against organizations in Ukraine in the lead up to the invasion.  This included the wipers WhisperGate and HermeticWiper, designed to permanently corrupt data in infected hosts, rendering them unbootable.  Both strains of malware masquerade as ransomware but have no decryption or data-recovery capabilities.

In response, CISA and the FBI urge all organizations to adopt a heightened posture towards cybersecurity and protecting their critical assets. Specifically, organizations are advised to secure remote access to networks, patch software to address known vulnerabilities, limit the attack surface by disabling unnecessary ports and services, and monitor, detect and respond to potential intrusions.

During this time of heightened risk, organizations can license the Cybersecurity Extension for SAP from Layer Seven Security free of charge for up to three months. According to Ian Thomson, Chief Operating Officer at Layer7, “Layer Seven Security is committed to supporting organizations protect their crucial SAP assets during this critical period. Our flagship solution the Cybersecurity Extension for SAP will be provided to customers without charge to help them secure mission-critical SAP applications and infrastructure from advanced persistent threats”.   

The Cybersecurity Extension for SAP is an SAP-Certified addon for SAP Solution Manager. It implements leading-edge vulnerability management for SAP applications, databases, hosts and components, including application gateways such as the SAProuter and Web Dispatcher. It integrates with System Recommendations for detecting and managing the lifecycle of SAP security notes. The solution identifies vulnerabilities in custom ABAP code and monitors event logs in SAP systems to detect and alert for over 600 indicators of compromise. The solution also applies advanced anomaly detection powered by SAP HANA to detect unusual system and user behavior.

Contact Layer Seven Security using the link below to discuss licensing the Cybersecurity Extension for SAP free of charge to secure your SAP applications.

Security Advisory for Critical SAP ICMAD Vulnerabilities

International threat intelligence agencies including the U.S Cybersecurity & Infrastructure Security Agency (CISA) and the Computer Emergency Response Team for the EU (CERT-EU) issued security advisories last week for critical vulnerabilities in the SAP Internet Communication Manager (ICM). The ICM supports inbound and outbound communication with SAP systems using the HTTP(S) protocol. It is a standard component of the NetWeaver Application Server ABAP and Java and the SAP Web Dispatcher.

The advisories relate to CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533, labelled ICMAD (Internet Communication Manager Advanced Desync). The most critical is CVE-2022-22536: a memory corruption vulnerability that can be exploited through a single HTTP request to fully compromise SAP systems, remotely and without authentication. This impacts AS ABAP and the Web Dispatcher when they are accessed through an HTTP gateway. For AS ABAP, the gateway could be the Web Dispatcher. The vulnerability does not impact direct access to SAP application servers. CVE-2022-22532 impacts AS Java only. This vulnerability has a lower CVSS than CVE-2022-22536 due to a higher attack complexity, but ranks high in terms of impact to Confidentiality, Integrity, and Availability. CVE-2022-22533 is for a lower priority denial of service vulnerability in AS Java triggered by requests that exhaust Memory Pipes (MPI) used for communicating between the ICM and work processes in application servers.

There is evidence of active scanning for ICMAD. SAP systems exposed to the Internet are especially vulnerable. External-facing Web Dispatchers are equally vulnerable. Consequently, it is critical to apply the relevant security notes to patch SAP systems against ICMAD.

Note 3123396 patches AS ABAP and the Web Dispatcher for CVE-2022-22536. SAP Kernels and Web Dispatchers should be updated to the minimum patch levels detailed in the note. The workaround detailed in note 3137885 can be applied as a stop-gap measure if the patches cannot be implemented at short notice. For access through the Web Dispatcher, refer to 3137885 to ensure that Web Dispatcher installations meet the minimum patch level. To apply the workaround, the profile parameter wdisp/additional_conn_close should be set to TRUE. For more details, refer to note 3138881.

Note 3123427 patches AS Java for CVE-2022-22532 and CVE-2022-22533. The workaround recommended in the note can be applied using the parameter setting icm/handle_http_pipeline_requests=FALSE if support for HTTP pipeline requests is not required.

The Cybersecurity Extension for SAP discovers vulnerable ABAP, Java and Web Dispatcher installations that have not been successfully patched for ICMAD. It also identifies missing or incorrectly applied workarounds if the corrections in notes 3123396 and 3123427 have not been applied. The SAP-certified solution performs over 1800 checks for known vulnerabilities in SAP applications and components and supporting databases and operating systems.

Whitepaper: Securing SAP Solutions from Log4Shell

Log4JShell is one of the most dangerous security vulnerabilities in decades. It can be exploited remotely with minimal complexity and without authentication to execute arbitrary code that could lead to the complete compromise of vulnerable applications.

Log4Shell impacts Log4J, a widely installed open-source Java logging utility. A dangerous zero-day remote code execution vulnerability in Log4J was reported in November last year. The vulnerability was patched in December and published in the National Vulnerability Database on December 12 as CVE-2021-44228.

Log4Shell was added to the Known Exploited Vulnerabilities (KEV) Catalog by the Cybersecurity and Infrastructure Security Agency (CISA) due to evidence of widespread active exploitation of the vulnerability by multiple threat actors. This includes nation state groups originating from China, Iran, Russia and North Korea. According to some reports, threat actors are exploiting the vulnerability to deploy ransomware payloads or to gain access to target networks. The access is then brokered to other threat actors.

Log4J is bundled in multiple SAP solutions including products such as SAP HANA and SAP Process Orchestration. Download the new whitepaper from Layer Seven Security to learn to mitigate and detect Log4Shell in SAP applications. The whitepaper includes a detailed breakdown of the vulnerability, guidance for patching and securing SAP solutions, and recommendations for detecting Log4shell signatures and indicators of compromise.

DOWNLOAD

Securing SAP Systems from Log4J Exploits

The Cybersecurity and Infrastructure Security Agency (CISA) has designated the recent Log4J vulnerability as one of the most serious in decades and urged organizations to immediately address the vulnerability in applications.  

Log4j is an open-source logging framework maintained by the Apache Foundation. The framework includes the API Java Naming and Directory Interface (JNDI). Strings passed through JNDI can force Log4J to query remote LDAP or other servers, download serialized Java code from the malicious servers, and execute the code during deserialization if message lookup substitution is enabled. This can lead to the complete compromise of impacted applications and systems. The remote code execution vulnerability impacts all versions of Log4J2 up to and including 2.14.1 in Java 8 or higher.

Message lookup substitution is disabled by default in Log4j 2.15.0. It has been removed altogether from 2.16.0. Therefore, customers should upgrade to the latest version of Log4J. The vulnerability is addressed by CVE-2021-44228 which has a base CVSS score of 10.0.

CISA has added CVE-2021-44228 to the Known Exploited Vulnerabilities Catalog due to evidence of widespread active exploitation of the vulnerability by multiple threat actors. This includes nation state groups originating from China, Russia, Iran, and North Korea. According to some reports, threat actors are exploiting the vulnerability to deploy ransomware payloads or to gain access to target networks. The access is then brokered to other threat actors.

Log4J is included in multiple SAP applications including SAP HANA XSA. The central note 3131047 includes available patches for impacted solutions. Refer to the SAP’s official response for details of all impacted products. Note 3129883 includes manual procedures for a workaround that will disable the loading of external code in Log4J using the J2EE Config Tool.

The Cybersecurity Extension for SAP identifies vulnerable SAP systems that have not been patched for the Log4J vulnerability. It also detects and alerts for suspected exploits targeted against SAP Java and Web Dispatcher installations based on exploit signatures. This includes known obfuscations and bypass methods.

CISA Issues Directive for Actively Exploited SAP Vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 22-01 on November 3 to compel government departments and agencies to remediate specific vulnerabilities with known exploits. According to CISA, the vulnerabilities pose a significant risk to information systems. This includes several vulnerabilities for SAP applications that must be remediated by May 3, 2022. Agencies have 60 days to review and update their vulnerability management policies in accordance with the Directive.

The Directive addresses weaknesses with the Common Vulnerability Scoring System (CVSS) used for rating Common Vulnerabilities and Exposures (CVE) in the National Vulnerability Database (NVD). CVSS does not take into account active exploitations for vulnerabilities. Most critical CVEs are highly complex and have no known exploits. The Directive shifts the focus to CVEs with active threats. These vulnerabilities are prioritized for remediation and are classified in the CISA catalog for Known Exploited Vulnerabilities (KEV).

The catalog includes six CVEs for SAP applications.

CVE-2010-5326 is for the invoker servlet implemented in the InvokerServletclass within the Web Container of the J2EE for SAP NetWeaver Application Java (AS Java). The invoker servlet is vulnerable to authentication bypass, enabling remote attackers to execute arbitrary code via HTTP or HTTPS requests. The servlet is disabled by default in higher versions of AS Java. Refer to SAP note 1445998 for disabling the relevant property of the servlet_jsp service on server nodes. SAP also recommends scanning or reviewing application code to identify the usage of servlets with the prefix “/servlet/”. Applications should use local servlets only that are defined in web.xml files. Auth constraints in web xml files are recommended to restrict the invoking of the servlet to users with an administrative role.  

CVE-2016-3976 relates to a directory traversal vulnerability in AS Java that could be exploited to read arbitrary files from servers remotely and without authentication using CrashFileDownloadServlet. Note 2234971 provides a patch for the LM-CORE to address the CVE.

CVE-2020-6287 is for the RECON vulnerability in the LM Configuration Wizard of AS Java. Attackers can exploit a missing authentication check in the CTCWebService to perform administrative functions such as creating privileged users. Note 2934135 includes a patch to validate user input for log paths and block arbitrary log file locations and extensions.

CVE-2018-2380 relates to a directory traversal vulnerability in SAP CRM.  There is a publicly-available exploit for the CVE that could be deployed to perform remote code execution through log file injection. Note 2547431 includes a patch to validate user input for log paths and block arbitrary log file locations and extensions.

CVE-2016-9563 is for a Denial of Service vulnerability in a BPM service within AS Java. This CVE also has a publicly-available exploit. Note 2296909 disables the resolving of external entities during XML parsing to address the CVE.

CVE-2020-6207​ relates to a missing authentication check for the SAP EEM servlet in SAP Solution Manager. A module for the Metasploit penetration framework automates the exploitation of the CVE. This could be exploited to execute OS commands on connected SMDAgents via the /EemAdminService/EemAdmin page for User Experience Monitoring. Note 2890213 includes a patch for the impacted LM-SERVICE software component and instructions for a temporary workaround involving enabling authentication for the EemAdmin service in the Java stack of Solution Manager.

The Cybersecurity Extension for SAP is an SAP-certified solution that automates the discovery of applications vulnerable to the CVEs for SAP applications in the KEV catalog. It also monitors SAP logs to detect the signature of exploits targeting the CVEs and provides mechanisms to investigate and respond to the exploits.  

Securing Software Supply Chains for SAP Systems

Software supply chain attacks are advanced cyberattacks that target information systems through third party software. Threat actors compromise systems and data by exploiting software builds or interfaces for trusted software. This enables attackers to introduce malware without detection including backdoors.

The recent software supply chain attack experienced by SolarWinds is widely regarded as one of the most devastating cyber attacks in history.  It impacted as many as 425 of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US Military, the Pentagon, the State Department, the world’s largest cybersecurity firm, as well as thousands of organizations worldwide. The attack cost affected companies an average of $12M.

Download the whitepaper from Layer Seven Security for guidance on securing software supply chains in SAP landscapes. The whitepaper outlines the threat vectors that could be exploited by attackers to compromise third party software that support SAP applications. It provides practical steps for minimizing third party software and external connections in SAP landscapes, avoiding the use of open source components, and monitoring third party software. The steps are aligned to the Cyber Supply Chain Risk Management (C-SCRM) practices recommended by the National Institute of Standards and Technology (NIST).

Webinar Playback: Protecting SAP Systems from Ransomware Attacks

Ransomware is headline news, and recent attacks have demonstrated the devastating impact of attacks that target critical infrastructure. According to the Department of Homeland Security ransomware attacks have increased by 300% over the past year, impacting all industries and sectors. The average downtime from an attack is 21 days, but full recovery takes an average of 287 days. 

Ransomware can impact SAP systems through vulnerable operating systems. However, securing host systems alone does not safeguard SAP systems from ransomware. Attackers can exploit trust relationships between SAP applications and underlying operating systems to execute privileged OS commands that avoid detection. This can include commands that enable threat actors to transfer, install, and execute ransomware tools. 

This webinar will discuss steps you can take to secure your business-critical SAP systems from ransomware. It will provide an integrated strategy for:

• Identifying and prioritizing critical SAP assets and infrastructure;

• Hardening SAP systems to reduce the attack surface;

• Activating and monitoring SAP logs to detect suspected attacks; and 

• Backing up and restoring SAP systems to minimize the downtime from successful attacks.

The webinar will also discuss how to use SAP Solution Manager to support your anti-ransomware program, from identifying and removing vulnerabilities that could be exploited to attack your systems to detecting and alerting for suspected security breaches.

You can view the webinar recording at SAPinsideronline.com.

Protecting SAP Systems from Ransomware

The recent attack at Colonial Pipeline has demonstrated the devastating impact of ransomware on critical infrastructure. According to the Department of Homeland Security, ransomware a­ttacks have increased by 300% over the past year, impacting all industries and sectors. The average downtime from an att­ack is 21 days. Full recovery takes an average of 287 days.

Ransomware can impact SAP systems through vulnerable operating systems. However, securing SAP hosts alone does not safeguard SAP systems from ransomware. Att­ackers can exploit trust relationships between SAP applications and underlying operating systems to execute privileged OS commands that avoid detection. This can include commands that enable threat actors to transfer, install and execute ransomware tools.

The newly released guide Protecting SAP Systems from Ransomware includes actions you can take to secure your business-critical SAP systems from ransomware. It provides an integrated strategy for:

  • Identifying and prioritizing critical SAP assets and infrastructure;
  • Hardening SAP systems to reduce the attack surface;
  • Activating and monitoring SAP logs to detect suspected attacks; and
  • Backing up and restoring SAP systems to minimize the downtime from successful attacks.

The guide also discusses how to use SAP Solution Manager to support your anti-ransomware program, from identifying and removing vulnerabilities that could be exploited to attack your systems to detecting and alerting for suspected security breaches.

DOWNLOAD

Cybersecurity Extension for SAP Identifies Signatures of Active SAP Cyberattacks

Earlier this month, SAP issued a joint report with a security research firm to highlight active cyber threats targeting SAP applications. According to the report, there is conclusive evidence that attackers are actively targeting and exploiting unsecured SAP applications. The report also reveals that some SAP vulnerabilities are being weaponized in less than 72 hours from the release of SAP patches.  Unprotected cloud installations of SAP are being discovered and compromised in less than 3 hours.

The investigation performed for the report identified over 300 successful exploitations of SAP systems. This included attempts to modify users and configurations and exfiltrate business information. Most of the exploits targeted the six CVEs below. Although the vulnerabilities have been patched by SAP, many organizations have not applied the recommended mitigations to protect SAP systems.

CVE-2010-5326 (SAP Security Note 1445998)
CVE-2018-2380 (SAP Security Note 2547431)
CVE-2016-3976 (SAP Security Note 2234971)
CVE-2016-9563 (SAP Security Note 2296909)
CVE-2020-6287 (SAP Security Note 2934135)
CVE-2020-6207 (SAP Security Note 2890213)

SAP recommends customers to immediately assess vulnerable systems to identify indicators of compromise such as unauthorized privileged users. The assessment should include systems within SAP landscapes that are connected to the vulnerable targets. The related SAP security notes and recommendations should also be applied in impacted systems.

SAP also urges customers to implement appropriate cybersecurity measures to protect SAP applications. The Cybersecurity Extension for SAP is an SAP-certified solution that performs automated vulnerability management, threat detection and incident response to secure SAP systems from cyber threats. This includes exploits that target the CVEs highlighted in the report. The Extension detects misconfigured and unpatched systems. It also detects the signatures of exploits that target the CVEs, triggers alerts and notifications for suspected breaches, and provides guided procedures for investigating incidents. To learn more, contact Layer Seven Security.