Layer Seven Security

CISA Issues Directive for Actively Exploited SAP Vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 22-01 on November 3 to compel government departments and agencies to remediate specific vulnerabilities with known exploits. According to CISA, the vulnerabilities pose a significant risk to information systems. This includes several vulnerabilities for SAP applications that must be remediated by May 3, 2022. Agencies have 60 days to review and update their vulnerability management policies in accordance with the Directive.

The Directive addresses weaknesses with the Common Vulnerability Scoring System (CVSS) used for rating Common Vulnerabilities and Exposures (CVE) in the National Vulnerability Database (NVD). CVSS does not take into account active exploitations for vulnerabilities. Most critical CVEs are highly complex and have no known exploits. The Directive shifts the focus to CVEs with active threats. These vulnerabilities are prioritized for remediation and are classified in the CISA catalog for Known Exploited Vulnerabilities (KEV).

The catalog includes six CVEs for SAP applications.

CVE-2010-5326 is for the invoker servlet implemented in the InvokerServletclass within the Web Container of the J2EE for SAP NetWeaver Application Java (AS Java). The invoker servlet is vulnerable to authentication bypass, enabling remote attackers to execute arbitrary code via HTTP or HTTPS requests. The servlet is disabled by default in higher versions of AS Java. Refer to SAP note 1445998 for disabling the relevant property of the servlet_jsp service on server nodes. SAP also recommends scanning or reviewing application code to identify the usage of servlets with the prefix “/servlet/”. Applications should use local servlets only that are defined in web.xml files. Auth constraints in web xml files are recommended to restrict the invoking of the servlet to users with an administrative role.  

CVE-2016-3976 relates to a directory traversal vulnerability in AS Java that could be exploited to read arbitrary files from servers remotely and without authentication using CrashFileDownloadServlet. Note 2234971 provides a patch for the LM-CORE to address the CVE.

CVE-2020-6287 is for the RECON vulnerability in the LM Configuration Wizard of AS Java. Attackers can exploit a missing authentication check in the CTCWebService to perform administrative functions such as creating privileged users. Note 2934135 includes a patch to validate user input for log paths and block arbitrary log file locations and extensions.

CVE-2018-2380 relates to a directory traversal vulnerability in SAP CRM.  There is a publicly-available exploit for the CVE that could be deployed to perform remote code execution through log file injection. Note 2547431 includes a patch to validate user input for log paths and block arbitrary log file locations and extensions.

CVE-2016-9563 is for a Denial of Service vulnerability in a BPM service within AS Java. This CVE also has a publicly-available exploit. Note 2296909 disables the resolving of external entities during XML parsing to address the CVE.

CVE-2020-6207​ relates to a missing authentication check for the SAP EEM servlet in SAP Solution Manager. A module for the Metasploit penetration framework automates the exploitation of the CVE. This could be exploited to execute OS commands on connected SMDAgents via the /EemAdminService/EemAdmin page for User Experience Monitoring. Note 2890213 includes a patch for the impacted LM-SERVICE software component and instructions for a temporary workaround involving enabling authentication for the EemAdmin service in the Java stack of Solution Manager.

The Cybersecurity Extension for SAP is an SAP-certified solution that automates the discovery of applications vulnerable to the CVEs for SAP applications in the KEV catalog. It also monitors SAP logs to detect the signature of exploits targeting the CVEs and provides mechanisms to investigate and respond to the exploits.  

Securing Software Supply Chains for SAP Systems

Software supply chain attacks are advanced cyberattacks that target information systems through third party software. Threat actors compromise systems and data by exploiting software builds or interfaces for trusted software. This enables attackers to introduce malware without detection including backdoors.

The recent software supply chain attack experienced by SolarWinds is widely regarded as one of the most devastating cyber attacks in history.  It impacted as many as 425 of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US Military, the Pentagon, the State Department, the world’s largest cybersecurity firm, as well as thousands of organizations worldwide. The attack cost affected companies an average of $12M.

Download the whitepaper from Layer Seven Security for guidance on securing software supply chains in SAP landscapes. The whitepaper outlines the threat vectors that could be exploited by attackers to compromise third party software that support SAP applications. It provides practical steps for minimizing third party software and external connections in SAP landscapes, avoiding the use of open source components, and monitoring third party software. The steps are aligned to the Cyber Supply Chain Risk Management (C-SCRM) practices recommended by the National Institute of Standards and Technology (NIST).

Webinar Playback: Protecting SAP Systems from Ransomware Attacks

Ransomware is headline news, and recent attacks have demonstrated the devastating impact of attacks that target critical infrastructure. According to the Department of Homeland Security ransomware attacks have increased by 300% over the past year, impacting all industries and sectors. The average downtime from an attack is 21 days, but full recovery takes an average of 287 days. 

Ransomware can impact SAP systems through vulnerable operating systems. However, securing host systems alone does not safeguard SAP systems from ransomware. Attackers can exploit trust relationships between SAP applications and underlying operating systems to execute privileged OS commands that avoid detection. This can include commands that enable threat actors to transfer, install, and execute ransomware tools. 

This webinar will discuss steps you can take to secure your business-critical SAP systems from ransomware. It will provide an integrated strategy for:

• Identifying and prioritizing critical SAP assets and infrastructure;

• Hardening SAP systems to reduce the attack surface;

• Activating and monitoring SAP logs to detect suspected attacks; and 

• Backing up and restoring SAP systems to minimize the downtime from successful attacks.

The webinar will also discuss how to use SAP Solution Manager to support your anti-ransomware program, from identifying and removing vulnerabilities that could be exploited to attack your systems to detecting and alerting for suspected security breaches.

You can view the webinar recording at SAPinsideronline.com.

Protecting SAP Systems from Ransomware

The recent attack at Colonial Pipeline has demonstrated the devastating impact of ransomware on critical infrastructure. According to the Department of Homeland Security, ransomware a­ttacks have increased by 300% over the past year, impacting all industries and sectors. The average downtime from an att­ack is 21 days. Full recovery takes an average of 287 days.

Ransomware can impact SAP systems through vulnerable operating systems. However, securing SAP hosts alone does not safeguard SAP systems from ransomware. Att­ackers can exploit trust relationships between SAP applications and underlying operating systems to execute privileged OS commands that avoid detection. This can include commands that enable threat actors to transfer, install and execute ransomware tools.

The newly released guide Protecting SAP Systems from Ransomware includes actions you can take to secure your business-critical SAP systems from ransomware. It provides an integrated strategy for:

  • Identifying and prioritizing critical SAP assets and infrastructure;
  • Hardening SAP systems to reduce the attack surface;
  • Activating and monitoring SAP logs to detect suspected attacks; and
  • Backing up and restoring SAP systems to minimize the downtime from successful attacks.

The guide also discusses how to use SAP Solution Manager to support your anti-ransomware program, from identifying and removing vulnerabilities that could be exploited to attack your systems to detecting and alerting for suspected security breaches.

DOWNLOAD

Cybersecurity Extension for SAP Identifies Signatures of Active SAP Cyberattacks

Earlier this month, SAP issued a joint report with a security research firm to highlight active cyber threats targeting SAP applications. According to the report, there is conclusive evidence that attackers are actively targeting and exploiting unsecured SAP applications. The report also reveals that some SAP vulnerabilities are being weaponized in less than 72 hours from the release of SAP patches.  Unprotected cloud installations of SAP are being discovered and compromised in less than 3 hours.

The investigation performed for the report identified over 300 successful exploitations of SAP systems. This included attempts to modify users and configurations and exfiltrate business information. Most of the exploits targeted the six CVEs below. Although the vulnerabilities have been patched by SAP, many organizations have not applied the recommended mitigations to protect SAP systems.

CVE-2010-5326 (SAP Security Note 1445998)
CVE-2018-2380 (SAP Security Note 2547431)
CVE-2016-3976 (SAP Security Note 2234971)
CVE-2016-9563 (SAP Security Note 2296909)
CVE-2020-6287 (SAP Security Note 2934135)
CVE-2020-6207 (SAP Security Note 2890213)

SAP recommends customers to immediately assess vulnerable systems to identify indicators of compromise such as unauthorized privileged users. The assessment should include systems within SAP landscapes that are connected to the vulnerable targets. The related SAP security notes and recommendations should also be applied in impacted systems.

SAP also urges customers to implement appropriate cybersecurity measures to protect SAP applications. The Cybersecurity Extension for SAP is an SAP-certified solution that performs automated vulnerability management, threat detection and incident response to secure SAP systems from cyber threats. This includes exploits that target the CVEs highlighted in the report. The Extension detects misconfigured and unpatched systems. It also detects the signatures of exploits that target the CVEs, triggers alerts and notifications for suspected breaches, and provides guided procedures for investigating incidents. To learn more, contact Layer Seven Security.

Securing Linux Platforms for SAP HANA and S/4HANA

SUSE Linux Enterprise Server (SLES) is the leading operating system for SAP HANA and SAP S/4HANA solutions, supporting 85 percent of HANA deployments worldwide. SLES for SAP Applications is optimized to support high availability and persistent memory and endorsed by SAP.

Securing operating systems is a critical component of SAP system hardening. Vulnerable hosts can provide a pathway to SAP applications, databases and other components, bypassing security mechanisms applied in those layers. This can lead to the compromise of SAP systems including the corruption of critical files and tables. It can also support ransomware attacks that disrupt the availability of SAP services.

The Cybersecurity Extension for SAP performs daily automated scans to identify vulnerabilities in SAP hosts. For SLES, this includes authentication settings, firewall configurations, file and service permissions, root access, missing security patches, vulnerable packages and services, and misconfigured settings for logging and auditing. It also includes the detection of open TCP/ UDP ports that are targeted by attackers, including FTP, RPC, RDP, SSH, and Telnet.

SLES vulnerabilities are mapped to SAP systems, supporting holistic security across code, application, database and operating system layers.

The SAP-Certified extension also monitors SLES logs to identify indicators of compromise in SAP hosts. Alerts and notifications are triggered for security incidents and channeled to SIEM and service desk systems. This includes the following scenarios:

  • Changes to operating system configuration, profile, and kernel parameters
  • Firewall and other network settings
  • File system mounts and unmounts
  • Group, user and password changes
  • Cron jobs
  • Daemon and service changes
  • OS scripts
  • External connections
  • Sudo users
  • Root and sudo commands
  • Failed logon and file access attempts
  • Critical file changes
  • File permission changes
  • OS code injection
  • User locks and unlocks

Audit records from the SLES audit log are displayed in the alert details. The records include the audit event number and auid of the initial user that triggered the event.

The Cybersecurity Extension for SAP includes integrated incident response procedures to support forensic investigations. Users can select the Respond option from an alert to start an investigation and document the findings.

Securing the Web Dispatcher with the Cybersecurity Extension for SAP

The SAP Web Dispatcher is an application gateway that filters Internet based traffic to SAP systems including HTTP requests. As an entry point for Web-based communications in SAP landscapes, the Web Dispatcher can help to secure remote access to SAP systems by enforcing security standards for external connections and filtering connection requests.

However, the Web Dispatcher can also be the focal point for attackers looking for an externally reachable pathway to SAP systems. Therefore, it is critical to secure the Web Dispatcher against misuse and prevent attackers from compromising SAP landscapes through poorly configured gateways.

The Web Dispatcher should be regularly patched and updated to prevent attackers from exploiting known program-level vulnerabilities. You should monitor composite note 538405 to stay up-to-date with the latest Web Dispatcher versions.  

Default error messages that disclose sensitive information to attackers should be blocked and replaced with custom messages.

The admin port for the Web Dispatcher should not be accessible from external networks. Administration should be restricted to internal hosts. Public monitoring information in the Web admin interface should be blocked.

SSL should be enforced for connections including communications between the Web Dispatcher and back-end systems and metadata exchange with message servers and application servers.

Finally, filtering should be enabled to enforce positive or negative lists for access requests. The Web Dispatcher supports multiple filtering mechanisms including ACL files and authentication handlers.  ACL files can be used if access should be filtered based on client IP address or IP range. Authentication handlers should be used if requests need to be filtered for specific URLs. Both approaches support logging of successful and unsuccessful requests.  Access to the following URLs should be blocked or restricted:

/sap/public/icman/*
/sap/public/ping
/sap/public/icf_info/*
/sap/wdisp/info

The Cybersecurity Extension for SAP monitors the security of the Web Dispatcher using the SAP Solution Manager platform. The SAP-certified addon detects vulnerable Web Dispatcher versions and patch levels, improper error handling that could lead to information disclosure, the use of insecure Web Dispatcher settings, protocols, and filters, and calls to critical URLs captured in Web Dispatcher logs.

SolarWinds Attack: Lessons Learned for SAP Cyber Security

The software supply chain attack suffered by SolarWinds may have impacted as many as 425 of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US Military, the Pentagon, the State Department, the world’s largest cybersecurity firm, as well as hundreds of organizations worldwide.

The attack targeted the Orion Platform used for SolarWinds products including tools for automated patch management and security & compliance. According to SolarWinds, the initial breach is suspected to have occurred in September 2019. The attackers subsequently modified an Orion plug-in that was distributed as trojanized updates to SolarWinds customers from February 2020. The attack remained undetected until December 2020.

The trojanized component was detected and labeled as SUNBURST by FireEye. According to FireEye, “After an initial dormant period of up to two weeks, (SUNBURST) retrieves and executes commands, called ‘Jobs,’ that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services….The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”

SUNBURST was used by attackers to move laterally within networks and target other servers and components. Backdoors were often created in compromised systems to install the malware dropper known as TEARDROP. This was used to deploy a version of the Cobalt Strike BEACON payload, a commercial penetration testing and post-exploitation agent.

SUNBURST is a highly sophisticated software supply-chain attack. Such attacks are difficult to detect since they exploit trust relationships between software vendors and customers that are the basis for server-to-server communications used to deliver software updates.

The attack has significant implications for SAP cyber security by dramatically increasing the risk associated with the use of third-party security platforms. Such platforms provide a direct channel to business-critical SAP applications and infrastructure. The agents, consoles and sensors installed in SAP landscapes for third party solutions could be exploited to compromise connected SAP systems. The risk is heightened when such solutions connect directly to external servers for software updates. Transport layer encryption and digitally signed certificates for delivering updates do not protect against software supply chain attacks if the updates are trojanized at source.

Open-source software packaged in third party security solutions also provide vulnerable targets for threat attackers targeting supply chain attacks. Certain cyber security solution providers include the open-source Ubuntu operating system in images powering their consoles or sensors. Ubuntu has approximately 1200 vulnerabilities disclosed in the National Vulnerability Database. SAP customers that rely on third party software are completely dependent on external vendors to ensure open-source platforms and components such as Ubuntu are hardened and patched regularly.

Finally, while third party solutions monitor the security of SAP applications, it is not clear if these solutions include capabilities to self-monitor and detect incidents and breaches that occur within the solutions.

SAP customers can avoid the risks of software supply chain attacks by using their SAP Solution Manager installations for security monitoring. Unlike third party security solutions, Solution Manager is updated through a direct connection to SAP Support. Updates for monitoring the patch level of SAP systems are therefore sourced directly from SAP rather than external sources.

SAP Solution Manager also does not include vulnerable open-source software such as Ubuntu. Solution Manager installations operate with closed-source, enterprise-level operating systems.

Finally, SAP Solution Manager performs self-monitoring. In a dual landscape, Solution Manager installations can monitor each other. Therefore, Solution Manager can detect vulnerabilities, missing patches, user anomalies, and security incidents occurring within the platform.

Overall, SAP Solution Manager provides a more robust, secure platform for protecting SAP landscapes from cyber threats than third-party solutions that are susceptible to software supply chain attacks.

Prevent and Detect Ransomware Attacks with SAP Solution Manager

Ransomware attacks accounted for one third of malware-based cyber attacks in the first quarter of 2020. Successful attacks encrypt and block access to files in compromised systems. Decryption keys for recovery of the files are typically only released after ransom demands are paid, usually in the form of untraceable cryptocurrencies. The impact of ransomware includes not only ransoms but also recovery costs. The cost of the ransomware attack experienced by Demant in 2019 is estimated at $95M. Costs at Norsk Hydro are expected to reach $70M.

Based on an analysis of telemetry records, there are several early indicators of ransomware operations performed by threat actors. Attackers often use legitimate administrative tools to prepare ransomware attacks. This includes network scanners to identify vulnerable targets and software removal tools to disable antivirus software. Threat actors also often install tools for credential theft on compromised systems.

Ransomware is usually packaged in zip files distributed through emails, trojans, and infected web sites. The ransomware WastedLocker, for example, is often disguised as zip files for legitimate software updates. WastedLocker infected digital infrastructure at Garmin in July, leading to a $10M ransom. Ransomware payloads can also be delivered through compromised SAP systems. Attackers can target remote code execution vulnerabilities in SAP GUI for client-side attacks. Ransomware can be installed directly in SAP servers using external operating system commands. OS commands performed by SAP users are executed by the operating system user <SID>ADM. The user has full administrative privileges for local SAP resources.

The wget command can be used to download ransomware from remote hosts to a target directory in the SAP host. Ransomware payloads can also be loaded directly in servers using transactions CG3Z or CACS_FILE_COPY. Once loaded, the payloads can be extracted and then executed using bash commands in Linux systems. This method for delivering, installing and executing ransomware will encrypt files in folders accessible by the <SID>ADM user and crash SAP applications and services. It may also impact other files and services in the host if the ransomware successfully elevates privileges.

Such exploits can be mitigated or detected in several ways. Access to perform OS commands should be restricted. This includes authorization object S_LOG_COM, transactions SM49 and SM69, program RSBDCOS0, and function modules such as SXPG_COMMAND_EXECUTE. Successful execution of the transactions, programs and function modules should also be monitored, as well as OS commands and changes to custom commands. Refer to SAP Note 1612730 for enabling detailed logging for external commands.

The Cybersecurity Extension for SAP Solution Manager performs automated scans to detect users with OS command privileges. It also monitors SAP logs to alert for the execution of OS commands, new custom commands, and changes to existing commands. The extension also detects and alerts for the execution of transactions SM49, SM69, CG3Z and CACS_FILE_COPY, program RSBDCOS0, and relevant function modules. Alerts are automatically forwarded to SIEM systems with event details. To learn more, contact Layer Seven Security

RECON: Secure Your Systems with SAP Solution Manager

US-CERT issued Alert AA20-195A on Monday for the so-called RECON (Remotely Exploitable Code On NetWeaver) vulnerability in SAP NetWeaver Application Server Java (AS Java). RECON impacts versions 7.3 and higher of AS Java including an estimated 40,000 SAP systems. Based on a BinaryEdge search, 4,000 of the impacted systems are internet-facing. The vulnerability is rated 10/10 using the Common Vulnerability Scoring System and can be exploited remotely by unauthenticated attackers to fully compromise SAP systems.

RECON targets a missing authentication flaw in the LM Configuration Wizard of AS Java to execute malicious code that creates administrative users in compromised systems. Attackers can exploit RECON to compromise not only AS Java systems but also connected systems including SAP ERP, CRM, SCM, and BW.

CISA strongly recommends SAP customers to apply SAP Note 2934135 to mitigate RECON. The note introduces authentication and authorization for the LM Configuration Wizard and therefore secures against RECON attacks. As a workaround, the application tc~lm~ctc~cul~startup_app can be disabled if the note cannot be applied. The LM Configuration Wizard is required by SAP Landscape Management. According to SAP, “This application is used by a few SAP Lifecycle procedures only, such as the initial technical setup. It is not needed for a day-to-day operations. You can temporarily activate or enable this application for executing the SAP lifecycle procedures.” Procedures for disabling the LM Configuration Wizard are detailed in SAP Note 2939665.

The implementation status of Notes 2934135 and 2939665 for impacted systems should be tracked using System Recommendations (SysRec) in SAP Solution Manager. SysRec connects directly to SAP Support to discover relevant notes for SAP applications, databases and components.

Users can create custom tiles in SysRec to track the implementation status of RECON notes in their SAP landscape from the Fiori launchpad.

The Cybersecurity Extension for SAP Solution Manager monitors Java application logs to detect the signature of RECON exploits. This includes enabling and executing the vulnerable application. The Extension also detects the creation of new administrative users and connections by new users or source IP addresses using anomaly detection. RECON alerts can be investigated using the incident response procedures Preventing RECON Attacks and Investigating Suspected RECON Attacks.

Email and SMS notifications are triggered for RECON alerts. The alerts can also be monitored in Solution Manager using the Alert Inbox, System Monitoring, and other applications. They can also be integrated with SIEM solutions for cross-platform monitoring. Custom alarms can be added to the Fiori launchpad to notify users of suspected RECON exploits.