Layer Seven Security

Securing the Web Dispatcher with SAP Solution Manager

The SAP Web Dispatcher is an application gateway that filters Internet based traffic to SAP systems including HTTP requests. As an entry point for Web-based communications in SAP landscapes, the Web Dispatcher can help to secure remote access to SAP systems by enforcing security standards for external connections and filtering connection requests.

However, the Web Dispatcher can also be the focal point for attackers looking for an externally reachable pathway to SAP systems. Therefore, it is critical to secure the Web Dispatcher against misuse and prevent attackers from compromising SAP landscapes through poorly configured gateways.

The Web Dispatcher should be regularly patched and updated to prevent attackers from exploiting known program-level vulnerabilities. You should monitor composite note 538405 to stay up-to-date with the latest Web Dispatcher versions.  

Default error messages that disclose sensitive information to attackers should be blocked and replaced with custom messages.

The admin port for the Web Dispatcher should not be accessible from external networks. Administration should be restricted to internal hosts. Public monitoring information in the Web admin interface should be blocked.

SSL should be enforced for connections including communications between the Web Dispatcher and back-end systems and metadata exchange with message servers and application servers.

Finally, filtering should be enabled to enforce positive or negative lists for access requests. The Web Dispatcher supports multiple filtering mechanisms including ACL files and authentication handlers.  ACL files can be used if access should be filtered based on client IP address or IP range. Authentication handlers should be used if requests need to be filtered for specific URLs. Both approaches support logging of successful and unsuccessful requests.  Access to the following URLs should be blocked or restricted:

/sap/public/icman/*
/sap/public/ping
/sap/public/icf_info/*
/sap/wdisp/info

The Cybersecurity Extension for SAP monitors the security of the Web Dispatcher using the SAP Solution Manager platform. The SAP-certified addon detects vulnerable Web Dispatcher versions and patch levels, improper error handling that could lead to information disclosure, the use of insecure Web Dispatcher settings, protocols, and filters, and calls to critical URLs captured in Web Dispatcher logs.

SolarWinds Attack: Lessons Learned for SAP Cyber Security

The software supply chain attack suffered by SolarWinds may have impacted as many as 425 of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US Military, the Pentagon, the State Department, the world’s largest cybersecurity firm, as well as hundreds of organizations worldwide.

The attack targeted the Orion Platform used for SolarWinds products including tools for automated patch management and security & compliance. According to SolarWinds, the initial breach is suspected to have occurred in September 2019. The attackers subsequently modified an Orion plug-in that was distributed as trojanized updates to SolarWinds customers from February 2020. The attack remained undetected until December 2020.

The trojanized component was detected and labeled as SUNBURST by FireEye. According to FireEye, “After an initial dormant period of up to two weeks, (SUNBURST) retrieves and executes commands, called ‘Jobs,’ that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services….The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”

SUNBURST was used by attackers to move laterally within networks and target other servers and components. Backdoors were often created in compromised systems to install the malware dropper known as TEARDROP. This was used to deploy a version of the Cobalt Strike BEACON payload, a commercial penetration testing and post-exploitation agent.

SUNBURST is a highly sophisticated software supply-chain attack. Such attacks are difficult to detect since they exploit trust relationships between software vendors and customers that are the basis for server-to-server communications used to deliver software updates.

The attack has significant implications for SAP cyber security by dramatically increasing the risk associated with the use of third-party security platforms. Such platforms provide a direct channel to business-critical SAP applications and infrastructure. The agents, consoles and sensors installed in SAP landscapes for third party solutions could be exploited to compromise connected SAP systems. The risk is heightened when such solutions connect directly to external servers for software updates. Transport layer encryption and digitally signed certificates for delivering updates do not protect against software supply chain attacks if the updates are trojanized at source.

Open-source software packaged in third party security solutions also provide vulnerable targets for threat attackers targeting supply chain attacks. Certain cyber security solution providers include the open-source Ubuntu operating system in images powering their consoles or sensors. Ubuntu has approximately 1200 vulnerabilities disclosed in the National Vulnerability Database. SAP customers that rely on third party software are completely dependent on external vendors to ensure open-source platforms and components such as Ubuntu are hardened and patched regularly.

Finally, while third party solutions monitor the security of SAP applications, it is not clear if these solutions include capabilities to self-monitor and detect incidents and breaches that occur within the solutions.

SAP customers can avoid the risks of software supply chain attacks by using their SAP Solution Manager installations for security monitoring. Unlike third party security solutions, Solution Manager is updated through a direct connection to SAP Support. Updates for monitoring the patch level of SAP systems are therefore sourced directly from SAP rather than external sources.

SAP Solution Manager also does not include vulnerable open-source software such as Ubuntu. Solution Manager installations operate with closed-source, enterprise-level operating systems.

Finally, SAP Solution Manager performs self-monitoring. In a dual landscape, Solution Manager installations can monitor each other. Therefore, Solution Manager can detect vulnerabilities, missing patches, user anomalies, and security incidents occurring within the platform.

Overall, SAP Solution Manager provides a more robust, secure platform for protecting SAP landscapes from cyber threats than third-party solutions that are susceptible to software supply chain attacks.

Compliance Reporting for the SAP Security Baseline

The SAP Security Baseline is a widely used benchmark for securing SAP applications. The benchmark includes SAP recommendations for system hardening, authentication and authorization, logging and auditing, and other areas. The recommendations draw on SAP security notes, guides and whitepapers.  The SAP Security Baseline was updated by SAP earlier this year and provides an up-to-date framework for safeguarding SAP ABAP, HANA and Java systems against known vulnerabilities and threats. Note 2253549 includes a link to the latest version of the framework.

The Cybersecurity Extension for SAP Solution Manager performs automated gap assessments for SAP systems against the SAP Security Baseline. The extension identifies compliance gaps in SAP systems to highlight configuration, user and other issues that do not meet SAP requirements defined in the baseline. The extension eliminates the need for periodic, manual audits and supports on-demand compliance reporting.

Control gaps are automatically discovered via daily background jobs. The gaps are reported in the Compliance Report application, accessible from the Fiori launchpad for SAP Solution Manager.

The SAP Security Baseline template can be selected from the list of supported frameworks.

There are optional filters to select specific baseline requirements and systems based on environment or priority. Reports can also be filtered to include or exclude requirements based on risk rating and compliance result.  Once the framework and system is selected, users can select Go to view the results.

The overall compliance level for the system is displayed the report header. The results for each requirement of the SAP Security Baseline are displayed in the main body of the report.  

Users can drilldown into each requirement to review the results for specific controls. Control ratings and descriptions are included in the report to support analysis.

Reports can be exported to CSV or PDF. The Report Detail option specifies whether results are exported at the Requirement, Control or Description level.

Users can also save shortcuts for prefiltered reports to the Fiori launchpad.

Job Monitoring with SAP Solution Manager

Security monitoring using SAP Solution Manager is driven by a series of background jobs that automate data collection and analysis for system vulnerabilities, security notes, and event logs. Vulnerability data is extracted daily, notes information is collected weekly, and event data can be collected as frequently as every minute. Any interruption to the background jobs for these areas could impact the coverage of security monitoring.

SAP Solution Manager supports centralized monitoring for jobs in SAP systems with automated detection and alerting for job errors. Monitoring for scheduled jobs is setup using a guided procedure that includes steps for selecting relevant jobs, activating alerts, and enabling email/ SMS notifications for alerts.

You can access Job Monitoring from Application Operations in SAP Solution Manager Configuration.

Steps 1-3 of the guided procedure prepare the infrastructure for job monitoring including setup of the required users.  Steps 4-6 involve the selection of scheduled jobs for monitoring and configuring alerts and notifications. In the following example, we will create a monitoring scenario for the standard job SM:SYSTEM RECOMMENDATIONS. This job connects to SAP Support on a weekly schedule to calculate required security, correction, performance, legal, and other notes for systems. It also connects to managed systems to determine the implementation status of calculated notes.

In the first step of the scenario configuration, we define a name and description for the scenario.

During the second step, we select the systems for the scenario. Since SM:SYSTEM RECOMMENDATIONS  runs from Solution Manager, we will select a SolMan installation.

Next, we maintain the scope for the scenario in terms of the specific job.

Once the job is selected, we can adjust the metric settings including thresholds for job errors, processing times, terminations and warnings.

Finally, we activate the alerting and select the required language, severity and description for the alert.

Recipients for email notifications triggered for alerts can be maintained in the Incident and Notifications tab.

Once the scenario is activated in the final step, we will be immediately alerted and notified by Solution Manager for any issue that interrupts the successful execution of the system recommendations job. The steps can be repeated for other scheduled jobs in SAP Solution Manager and managed systems.

Securing OS Platforms with SAP Solution Manager

Securing SAP hosts is a critical component of SAP system hardening. Vulnerable operating systems can provide a pathway to SAP applications, databases and other components, bypassing security mechanisms applied in such layers. This can lead to the compromise of SAP systems including the corruption of critical files and tables. It can also support ransomware attacks that disrupt the availability of SAP services.

The Cybersecurity Extension for SAP Solution Manager performs daily automated scans to identify vulnerabilities in SAP hosts. For Linux operating systems, this includes authentication settings, firewall configurations, file and service permissions, root access, missing security patches, vulnerable packages and services, and misconfigured settings for logging and auditing. It also includes the detection of open TCP/ UDP ports that are targeted by attackers, including FTP, RPC, RDP, SSH, and Telnet.

OS findings are mapped to SAP systems, supporting holistic security across code, application, database and operating system layers.

The Extension also monitors OS logs to identify indicators of compromise in SAP hosts. Alerts and notifications are triggered for security incidents and channeled to SIEM and service desk systems. This includes the following scenarios:

  • Changes to operating system configuration, profile, and kernel parameters
  • Firewall and other network settings
  • File system mounts and unmounts
  • Group, user and password changes
  • Cron jobs
  • Daemon and service changes
  • OS scripts
  • External connections
  • Sudo users
  • Root and sudo commands
  • Failed logon and file access attempts
  • Critical file changes
  • File permission changes
  • OS code injection
  • User locks and unlocks
  • Changes to audit settings and records

Audit records from the Linux audit log are displayed in the alert details. The records include the audit event number and auid of the initial user that triggered the event.

The Cybersecurity Extension for SAP Solution Manager includes integrated incident response procedures to support forensic investigations. Users can select the Respond option from an alert to start an investigation and document the findings.

The Extension currently supports monitoring for Red Hat Enterprise Linux (RHEL) and SUSE Linux Enterprise Server (SLES). Support for IBM AIX and Microsoft Windows Server is expected in 2021.

Secure Your Custom Code with SAP Solution Manager

The Cybersecurity Extension for SAP Solution Manager now supports static code analysis for custom SAP programs. Released in September, version 3.3 performs code vulnerability detection for hard coded users, passwords, hosts, systems, and clients, SQL injection, cross-site scripting, missing or insufficient authorization checks, directory traversal, sensitive table reads and writes, OS command injection, and insecure communication methods and passwords.

The ABAP checks are integrated with SAP Code Inspector (SCI) and ABAP Test Cockpit (ATC). They can be applied for new developments and existing custom programs. For existing programs, periodic scans are scheduled in the ATC. Scan results are also viewed using ATC. The results below are displayed in SAP Eclipse.

The details of vulnerabilities including the impacted lines of code in the relevant objects can viewed by clicking on each error.

Findings are integrated with the Vulnerability Report in SAP Solution Manager. Remediation plans can be recorded and tracked using action plans in Solution Manager. Alternatively, exemptions can be requested for vulnerabilities in the ATC.

Automatic blocking for transport requests containing security-related errors can be enforced in the Change and Transport System (CTS). Furthermore, the SAP BAdI CTS_REQUEST_CHECK can be implemented to trigger security checks during the release of a transport request.

Checks can be applied from central systems for remote systems. The procedures are outlined in SAP Note 2364916 and a Technical Article in the SAP Community.

Prevent and Detect Ransomware Attacks with SAP Solution Manager

Ransomware attacks accounted for one third of malware-based cyber attacks in the first quarter of 2020. Successful attacks encrypt and block access to files in compromised systems. Decryption keys for recovery of the files are typically only released after ransom demands are paid, usually in the form of untraceable cryptocurrencies. The impact of ransomware includes not only ransoms but also recovery costs. The cost of the ransomware attack experienced by Demant in 2019 is estimated at $95M. Costs at Norsk Hydro are expected to reach $70M.

Based on an analysis of telemetry records, there are several early indicators of ransomware operations performed by threat actors. Attackers often use legitimate administrative tools to prepare ransomware attacks. This includes network scanners to identify vulnerable targets and software removal tools to disable antivirus software. Threat actors also often install tools for credential theft on compromised systems.

Ransomware is usually packaged in zip files distributed through emails, trojans, and infected web sites. The ransomware WastedLocker, for example, is often disguised as zip files for legitimate software updates. WastedLocker infected digital infrastructure at Garmin in July, leading to a $10M ransom. Ransomware payloads can also be delivered through compromised SAP systems. Attackers can target remote code execution vulnerabilities in SAP GUI for client-side attacks. Ransomware can be installed directly in SAP servers using external operating system commands. OS commands performed by SAP users are executed by the operating system user <SID>ADM. The user has full administrative privileges for local SAP resources.

The wget command can be used to download ransomware from remote hosts to a target directory in the SAP host. Ransomware payloads can also be loaded directly in servers using transactions CG3Z or CACS_FILE_COPY. Once loaded, the payloads can be extracted and then executed using bash commands in Linux systems. This method for delivering, installing and executing ransomware will encrypt files in folders accessible by the <SID>ADM user and crash SAP applications and services. It may also impact other files and services in the host if the ransomware successfully elevates privileges.

Such exploits can be mitigated or detected in several ways. Access to perform OS commands should be restricted. This includes authorization object S_LOG_COM, transactions SM49 and SM69, program RSBDCOS0, and function modules such as SXPG_COMMAND_EXECUTE. Successful execution of the transactions, programs and function modules should also be monitored, as well as OS commands and changes to custom commands. Refer to SAP Note 1612730 for enabling detailed logging for external commands.

The Cybersecurity Extension for SAP Solution Manager performs automated scans to detect users with OS command privileges. It also monitors SAP logs to alert for the execution of OS commands, new custom commands, and changes to existing commands. The extension also detects and alerts for the execution of transactions SM49, SM69, CG3Z and CACS_FILE_COPY, program RSBDCOS0, and relevant function modules. Alerts are automatically forwarded to SIEM systems with event details. To learn more, contact Layer Seven Security

RECON: Secure Your Systems with SAP Solution Manager

US-CERT issued Alert AA20-195A on Monday for the so-called RECON (Remotely Exploitable Code On NetWeaver) vulnerability in SAP NetWeaver Application Server Java (AS Java). RECON impacts versions 7.3 and higher of AS Java including an estimated 40,000 SAP systems. Based on a BinaryEdge search, 4,000 of the impacted systems are internet-facing. The vulnerability is rated 10/10 using the Common Vulnerability Scoring System and can be exploited remotely by unauthenticated attackers to fully compromise SAP systems.

RECON targets a missing authentication flaw in the LM Configuration Wizard of AS Java to execute malicious code that creates administrative users in compromised systems. Attackers can exploit RECON to compromise not only AS Java systems but also connected systems including SAP ERP, CRM, SCM, and BW.

CISA strongly recommends SAP customers to apply SAP Note 2934135 to mitigate RECON. The note introduces authentication and authorization for the LM Configuration Wizard and therefore secures against RECON attacks. As a workaround, the application tc~lm~ctc~cul~startup_app can be disabled if the note cannot be applied. The LM Configuration Wizard is required by SAP Landscape Management. According to SAP, “This application is used by a few SAP Lifecycle procedures only, such as the initial technical setup. It is not needed for a day-to-day operations. You can temporarily activate or enable this application for executing the SAP lifecycle procedures.” Procedures for disabling the LM Configuration Wizard are detailed in SAP Note 2939665.

The implementation status of Notes 2934135 and 2939665 for impacted systems should be tracked using System Recommendations (SysRec) in SAP Solution Manager. SysRec connects directly to SAP Support to discover relevant notes for SAP applications, databases and components.

Users can create custom tiles in SysRec to track the implementation status of RECON notes in their SAP landscape from the Fiori launchpad.

The Cybersecurity Extension for SAP Solution Manager monitors Java application logs to detect the signature of RECON exploits. This includes enabling and executing the vulnerable application. The Extension also detects the creation of new administrative users and connections by new users or source IP addresses using anomaly detection. RECON alerts can be investigated using the incident response procedures Preventing RECON Attacks and Investigating Suspected RECON Attacks.

Email and SMS notifications are triggered for RECON alerts. The alerts can also be monitored in Solution Manager using the Alert Inbox, System Monitoring, and other applications. They can also be integrated with SIEM solutions for cross-platform monitoring. Custom alarms can be added to the Fiori launchpad to notify users of suspected RECON exploits.

Anomaly Detection with SAP Solution Manager

Threat detection is commonly performed through rules or signature-based pattern matching. Detection engines compare actual events with patterns of malicious events to discover indicators of compromise (IOCs).  IOCs discovered by detection engines typically trigger an alarm or alert for a suspected security breach.

Pattern matching is a tried and tested method to identify known exploits in systems including SAP applications. However, there are several drawbacks with the approach. Attackers can obfuscate their actions to bypass attack detection patterns. Also, since pattern matching detects IOCs based on known signatures, new or emerging IOCs that have not yet been registered are not detected.

Anomaly-based threat detection provides an alternative to pattern matching with greater protection against anti-forensics and the capability to detect previously unknown attacks. Anomaly-based systems rely on profiles of expected or normal user and system behavior.  Actions by users or events in systems that deviate from the profiles generate an alarm or alert.   

Unlike rules and signatures for patten matching, profiles for anomaly detection cannot be created and maintained manually. Anomaly detection is usually applied through machine learning platforms that automate profile building and analysis for large pools of data.  

The Monitoring and Alerting Infrastructure (MAI) in SAP Solution Manager uses a pattern matching approach for threat detection in SAP systems. IOCs detected by the Event Calculation Engine in Solution Manger using pattern matching are displayed and managed in applications such as Security Forensics, System Monitoring, and the Alert Inbox. For anomaly detection, event logs collected, filtered, and normalized by Solution Manager are forwarded to the Predictive Analysis Library (PAL) in SAP HANA.

PAL includes functions for applying complex analytic algorithms using SQLScript database procedures. The functions include procedures for clustering, regression, time series, and other algorithms that are used to detect outliers in security logs. Anomalies discovered by PAL are transmitted back from SAP HANA to SAP Solution Manager for analysis using the Anomaly Detection application in the Cybersecurity Extension for SAP. The application is accessed from the Fiori launchpad in SAP Solution Manager.

Anomaly results are summarized by period. Results can be analyzed by the week, day or hour.

Results are filtered using Advanced Search. This supports filtering by anomaly, date, time, system, user, and source IP/ terminal. Results can also be filtered by anomaly type to view anomalies based on either event data or alert data. Event anomalies include outliers such as high volume of transaction starts, report starts, or data downloads, or a user request from a new IP address or terminal. Alert anomalies include areas such as high volume of alerts for a specific system, user or source, or a new alert for a user or system.

Anomalies calculated using standard deviation are scored based on distances from statistical averages. The further the distance from the mean, the higher the confidence level for the anomaly. The results displayed in Anomaly Detection are prefiltered for medium and high confidence anomalies. Anomaly-based threat detection can have a higher incidence of false positives than pattern-based detection. It can generate alarms for every deviation from expected norms. Therefore, an effective scoring mechanism is essential to enable security administrators to identify and focus on high-confidence anomalies.

Results can be sorted and exported to CSV/ PDF with the applied filters. The layout can be personalized by users to add, remove, and rearrange columns.

The details for each anomaly can be viewed by clicking on an anomaly in the summary. Anomaly times are in UTC. Timestamps for events are based on system time.

The Notify option can be used to append the anomaly details to an email for sharing.

SAP Solution Manager enables advanced threat detection for SAP systems by combining the benefits of both signature and pattern-based detection with anomaly detection using SAP HANA. Licensing for SAP HANA is included with the usage rights for SAP Solution Manager 7.2.

SAP Discloses Critical Vulnerabilities in ASE Databases

SAP customers are urged to apply a series of recent patches released by SAP for the Adaptive Server Enterprise (ASE).  SAP ASE, previously known as Sybase SQL Server and Sybase ASE, is a widely deployed database platform used for both SAP and non-SAP applications. According to SAP, ASE is used by over 30,000 customers worldwide, including 90 percent of the top 50 banks.

Four of the patches released by SAP are for critical or high-risk vulnerabilities in multiple components of ASE. The vulnerabilities impact ASE versions 15.7 and 16.0 and carry CVSS scores ranging between 7.2 and 9.1.

Note 2917275 patches the most severe of the vulnerabilities by applying input validation for DUMP and LOAD commands that could be exploited to overwrite critical configuration files during database backup operations. Attackers can run DUMP commands to overwrite database configuration files with corrupted versions that will replace the default configuration. This can be exploited to install backdoors to ASE using credentials stored in the corrupted configuration files. It can also be exploited to execute arbitrary commands and executables using local system privileges by modifying the sybmultbuf_binary Backup Server setting.

Note 2917090 impacts Windows installations of the SAP ASE 16. Credentials for SQL Anywhere packaged in ASE can be read by any Windows user. SQL Anywhere supports database creation and version management. The credentials can be used to perform code execution with local privileges.

Notes 2916927 and 2917273 deal with high-risk SQL injection vulnerabilities in global temporary tables and ASE Web Services. Both vulnerabilities can be exploited to escalate privileges in ASE.

Database security notes including patches for ASE should be regularly monitored and applied using System Recommendations in SAP Solution Manager. Solution Manager connects directly to SAP Support for patch updates and monitor the patch status of SAP applications and databases. SAP Solution Manager also supports comprehensive vulnerability management for SAP ASE. Automated, daily security scans for ASE should be configured using Solution Manager to check for vulnerabilities related to the database configuration, administrative privileges, stored procedures, and other areas. The ASE audit log can be monitored by the Monitoring and Alerting Infrastructure (MAI) in Solution Manager to detect and alert for suspected malicious commands. To learn more, contact Layer Seven Security.