Layer Seven Security

SAP Discloses Critical Vulnerabilities in ASE Databases

SAP customers are urged to apply a series of recent patches released by SAP for the Adaptive Server Enterprise (ASE).  SAP ASE, previously known as Sybase SQL Server and Sybase ASE, is a widely deployed database platform used for both SAP and non-SAP applications. According to SAP, ASE is used by over 30,000 customers worldwide, including 90 percent of the top 50 banks.

Four of the patches released by SAP are for critical or high-risk vulnerabilities in multiple components of ASE. The vulnerabilities impact ASE versions 15.7 and 16.0 and carry CVSS scores ranging between 7.2 and 9.1.

Note 2917275 patches the most severe of the vulnerabilities by applying input validation for DUMP and LOAD commands that could be exploited to overwrite critical configuration files during database backup operations. Attackers can run DUMP commands to overwrite database configuration files with corrupted versions that will replace the default configuration. This can be exploited to install backdoors to ASE using credentials stored in the corrupted configuration files. It can also be exploited to execute arbitrary commands and executables using local system privileges by modifying the sybmultbuf_binary Backup Server setting.

Note 2917090 impacts Windows installations of the SAP ASE 16. Credentials for SQL Anywhere packaged in ASE can be read by any Windows user. SQL Anywhere supports database creation and version management. The credentials can be used to perform code execution with local privileges.

Notes 2916927 and 2917273 deal with high-risk SQL injection vulnerabilities in global temporary tables and ASE Web Services. Both vulnerabilities can be exploited to escalate privileges in ASE.

Database security notes including patches for ASE should be regularly monitored and applied using System Recommendations in SAP Solution Manager. Solution Manager connects directly to SAP Support for patch updates and monitor the patch status of SAP applications and databases. SAP Solution Manager also supports comprehensive vulnerability management for SAP ASE. Automated, daily security scans for ASE should be configured using Solution Manager to check for vulnerabilities related to the database configuration, administrative privileges, stored procedures, and other areas. The ASE audit log can be monitored by the Monitoring and Alerting Infrastructure (MAI) in Solution Manager to detect and alert for suspected malicious commands. To learn more, contact Layer Seven Security.

SAP Discloses Security Gaps in Cloud Solutions

SAP issued a statement last week to disclose security lapses in several cloud products including SAP Cloud Platform, SAP Analytics Cloud, SuccessFactors, and Concur. According to the statement, the disclosure was prompted by an internal security review. SAP does not believe customer data has been compromised as a result of the issues. The lapses impact 9% of the company’s 440,000 customers.

The announcement is expected to dampen customer support for digital transformation initiatives intended to shift the hosting of SAP applications from on-premise data centers to cloud providers.

SAP also announced that the organization is updating security-related terms and conditions for its cloud solutions.  In response to concerns that such changes may be intended to reduce SAP’s legal risk for security issues and shift more responsibility for security to customers, SAP declared that the terms and conditions will “remain in line with market peers”.

Furthermore, SAP denied any link between the announcement and security breaches attributed to the Cloud Hopper hacking campaign. Cloud Hopper successfully exfiltrated sensitive data from multiple organizations by penetrating HPE’s cloud computing service. The campaign is suspected to be sponsored by the Chinese Ministry of State Security.

Layer Seven Security Recognized as Top 25 Cyber Security Company

Layer Seven Security has been selected by a panel of experts and members of the CIO Applications editorial board for inclusion in the Top 25 Cyber Security Companies for 2020. The annual list is compiled by CIO Applications to recognize and promote organizations that provide cutting-edge cybersecurity solutions. CIO Applications is a Silicon Valley industry publication based in San Francisco, California. The recognition is based on an evaluation of Layer Seven Security’s innovative Cybersecurity Extension for SAP Solution Manager. The Extension is an add-on for the Solution Manager platform, delivering automated vulnerability management, threat detection and incident response for business-critical SAP systems. Read the full article at CIO Applications.

Securing the SAProuter from Remote Attacks

The surge in remote working has led to an increasing reliance on the SAProuter as a means to facilitate secure remote access to SAP applications. As a reverse proxy between external networks and SAP landscapes, the SAProuter enables organizations to apply more granular policies for filtering and securing connections to SAP systems than network firewalls. However, far from improving security, an improperly configured SAProuter can expose organizations to dangerous exploits that could lead to the compromise of SAP servers.

Since the SAProuter is an internet-facing proxy that provides a direct path to SAP systems, it is an accessible and high-value target for attackers. Port scans against exposed IP addresses will reveal SAProuters available on the standard port 3299. Attackers can send information requests to detected SAProuters to enumerate the scheme for internal IP addresses based on the details of connected hosts disclosed in the response. Once the internal IP address scheme is determined, attackers can then scan the internal network by sending connection requests from the SAProuter to connected hosts. The responses can enable attackers to discover open ports for not only SAP services but services such as HTTP, SMTP, FTP, and SSH if the SAProuter supports native connections.

The information can be used to connect to open and vulnerable services in SAP servers by pivoting through the SAProuter. Once connected, attackers can execute targeted exploits against the servers. For example, an unauthenticated SOAP request to the SAP Host Agent on port 1128 can disclose operating system users that can be targeted using brute force and other attacks. Attackers can also route malicious payloads to SAP servers through the SAProuter.

The secure configuration of the SAProuter can prevent or mitigate such attacks. The route permission table defined in the saprouttab file should specify the source hosts permitted to connect to specific services and target hosts. The use of wildcards in route strings should be avoided. Native connections should be blocked using S entries for the saprouttab rather than P entries. KT and KP entries are recommended to enforce SNC for connections. Information disclosure via the SAProuter should be prevented using the option -Z for info requests. Switching to a non-standard port for the SAProuter is advisable. SAProuter binaries should be updated to the latest available version to apply patches for program vulnerabilities. This includes critical vulnerabilities addressed by notes 1820666 and 1663732. Finally, the SAProuter should be installed in a Demilitarized Zone (DMZ) on a host with a hardened operating system. SAP recommends a C2 class compliant operating system.

Logging for the SAProuter should be enabled using option -G. Once enabled, the SAProuter log can be monitored using SAP Solution Manager to alert for suspected attacks against including accepted or rejected information requests, connection requests, port scans, and native connections.

Dramatic Growth in Cyber Attacks Increases Enterprise Risk

Cyber attacks have risen by six-times the usual levels over the past four weeks as the COVID-19 pandemic provides a new catalyst for attackers. Hacking and phishing attempts increased by an unprecedented 37% in a single month between February and March.

Remote working has led to an equally dramatic rise in the number of servers using Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services. The number of devices exposing RDP to the internet on standard ports grew by 41.5% in March. The number of devices exposing RDP to the internet on non-standard but often used alternate ports grew by 36.8%. The number of servers running VPN protocols increased by 33% from 7.5M to 10M over the same period.

RDP has several known security weaknesses and should not be publicly accessible without network gateways, firewalls, and two or multi-factor authentication. Recent ransomware attacks have demonstrated how RDP can be used by attackers as an effective entry point to corporate networks. RDP is the most dominant attack vector for ransomware attacks and is used in over 60% of ransomware campaigns. Compromised servers provide anonymity for attackers which impedes the detection of malicious activity. Furthermore, RDP vulnerabilities such as Bluekeep (CVE-2019-0708) are wormable and therefore can enable attackers to propagate to connected hosts.

VPNs are vulnerable to both client and server side vulnerabilities. The National Security Agency (NSA) issued an advisory in October for vulnerabilities in several VPN products that were actively targeted by state-sponsored and other threat actors. The products include Pulse Secure, Palo Alto GlobalProtect, and Fortinet Fortigate. The vulnerabilities could be exploited to perform remote code execution and intercept or hijack encrypted sessions. VPN-related vulnerabilities were identified as the root cause of the devastating cyber attack suffered by Travelex in January.

The increase in cyber attacks and remote working underscores the need to secure enterprise systems including business-critical SAP applications and infrastructure. The Cybersecurity Extension for SAP Solution Manager performs automated vulnerability scans to support effective hardening of SAP systems. It also continuously monitors SAP event logs to alert for indicators of compromise. Contact Layer Seven Security to learn how to leverage your Solution Manager installations to secure SAP systems from cyber attack.

Security Forensics with SAP Solution Manager

Security Forensics in SAP Solution Manager supports centralized log monitoring for SAP landscapes. The Fiori application from Layer Seven Security enables users to analyze incidents across multiple logs and systems directly from Solution Manager, helping organizations to detect and respond to security breaches. It also protects against anti-forensics.  Since event logs are replicated to a central log, attackers can not remove all traces of their actions to avoid detection.

Security Forensics is accessed from the Fiori launchpad for SAP Solution Manager.

The application currently supports the Security Audit Log, Gateway Server log, HTTP log, Transaction log, Read Access Log, System Log, User Change logs, and the HANA Audit log. Support for the Java Security Log and SAProuter log is scheduled for Q3 2020.

Advanced Search supports complex queries based on system, log source, date, time, user, source terminal/ IP address, and event ID.

Log Source:

Source terminal/ IP address:

Date/Time:

The query below filters log events to isolate actions performed by the SAP* user. The query results reveal that the SAP* user was locked due to failed logon attempts in system AS2 at 10:30:00 on 23.03.2020.

The results can be exported to a csv file to support offline analysis and collaboration. Event details can also be appended directly to an email by selecting the Notify option from the drilldown.

Personalized alarms for events can be configured using the Save As Tile option for filter selections.

Alarms are displayed as custom tiles in the launchpad. Below we have added an alarm for log events related to the SAP* user in production systems. The tile will automatically update to display the number of matching records. Users can click on the alarm to view the details of the events.

Security Forensics is available for SAP Solution Manager 7.2 SP07 or higher. The application is available for both HANA and conventional database platforms.  For the latter, customizing options are provided to activate log monitoring for only specific managed systems and adjust the log retention period.

Webinar Playback: SIEM Integration for SAP

Security Information and Event Management (SIEM) systems support centralized security monitoring across networks. They ingest and analyze data from hosts, routers, switches, firewalls and other components to identify and respond to security threats.

SIEM systems can ingest data directly from SAP application logs. However, direct integration is complex and laborious. It also requires high maintenance and may substantially increase costs if SIEM licensing is tied to log size or events per second.

This challenge can be overcome by integrating SAP logs with SIEM systems using SAP Solution Manager, a management server in SAP landscapes. Solution Manager filters, structures and enriches security event data in SAP logs to support fast, seamless integration with SIEM systems.

This webinar recording discusses the challenges of direct ingestion of SAP logs and the benefits of integration using Solution Manager. It also provides recommendations for configuring audit settings and policies for the following data sources in SAP:

Security Audit Log
System Log
ICM Log
Business Transaction Analysis
Gateway Log
Change Documents
Read Access Log
Java Security Log
HANA Audit Log
SAProuter Log

The webinar is a digest of the whitepaper SIEM Integration for SAP.

You can download the whitepaper here.

Prevent Configuration Drift with SAP Solution Manager

Maintaining system security in dynamic SAP environments is a constant challenge. New users are added every day. Permissions for existing users are constantly updated to keep up with changing requirements. Software updates, transports and other changes introduce new components or developments and often necessitate changes to system settings. With each change, even hardened systems can become less secure and more vulnerable to intrusion.  

To some extent, the risk of configuration drift can be managed through regular vulnerability scanning. However, scan results only identify the consequences of changes, not the root cause. Periodic audits of system and user changes can also help to address the risk. Audits can uncover compliance gaps against change management protocols, but are limited in scope since they are usually performed manually.

Change Analysis in SAP Solution Manager provides an automated response to the risk of configuration drift in SAP systems. The application tracks changes in systems including ABAP, HANA, Java parameters, database and operating system settings, user privileges, notes, software updates, and transport requests. The tool maintains a history of changes performed in each system for two years.

Change Analysis is accessed from the Root Cause Analysis work center in the Fiori launchpad for SAP Solution Manager.

Scope selection supports filtering of changes by system, type or environment.

Results can be filtered further to focus on changes within a specific time frame.

The filtered results are summarized in the dashboard below.

The dashboard supports drilldown from summarized results by system and category into detailed changes. In the example below, the results reveal that the value of parameter gw/accept_timeout was modified in system AS2 at 3.00PM on February 11, 2020.

In another example, the results reveal that the profile SAP_ALL was assigned to the user ATTACKER9 on the same day in the identical system.

Notifications for changes to critical areas can be configured using the monitoring and alerting framework within Solution Manager. The notification below is an alert for changes to RFC destinations. Email and SMS notifications for changes are also supported. Alerts can be integrated with SIEM systems or incident management systems for automated ticketing.

Change Reporting can be used to compare the configuration of different systems.

It can also be used to compare the configuration of the same system using different timestamps. In the example below, we are comparing the configuration of system ECP on February 6 with January 22 to identify changes that occurred in the system during the interval.

The comparison tool is useful for identifying not only changes that may lead to configuration drift within systems but also differences between settings in production environments and other environments such as quality or development. The comparison results are displayed in the Result Details and can be exported for analysis. According to the results below, the SAP_UI component was upgraded in ECP from version 751 to 753 during the interval.

Whitepaper: SIEM Integration for SAP

Download the new whitepaper for SAP-SIEM integration from Layer Seven Security. The whitepaper outlines recommended settings for the Security Audit Log, HANA audit log, and other logs to support advanced threat detection. It discusses the challenges of direct integration of SAP logs with SIEM systems in terms of complexity, log volume, maintenance, and event correlation.

The whitepaper advocates SIEM integration using SAP Solution Manager based on benefits such as lower complexity, rapid deployment, reduced costs, ease of maintenance, and the enrichment of event data to support cross-platform correlation.

The SIEM Integrator for SAP is a software add-on for SAP Solution Manager that delivers automated threat detection for SAP systems. The add-on supports integration with SIEM platforms including Splunk, QRadar, ArcSight, LogRhythm and SolarWinds. The Integrator includes 300+ attack detection patterns for SAP platforms and logs.

SIEM Integration with SAP Solution Manager

Security Information and Event Management (SIEM) platforms combine the ability to collect log data from applications, hosts, routers, switches, firewalls and other endpoints with the ability to analyze events in real time. They support threat detection, event correlation and incident response with alerting and reporting capabilities.

SIEM platforms require complete coverage for maximum yield. In other words, organizations reap the full benefits of SIEM platforms when monitoring logs throughout the technological infrastructure. This includes SAP application logs for organizations with SAP systems.

However, there are several challenges with integrating SAP application logs with SIEM systems. The first is complexity. SAP systems typically contain multiple logs that capture security-relevant events. The SAP NetWeaver Application Server ABAP (AS ABAP) alone has at least seven such logs including the Security Audit Log, Gateway Server Log, HTTP Log, System Log, Transaction Log, Change Document Log, and the Read Access Log. The logs do not have a standardized format or structure. Some are captured at the file level and others are stored in SAP tables. The complexities involved in integrating multiple and distinct logs from each SAP system should not be underestimated, especially for large SAP landscapes.

The second is log volume. Raw event logs can grow to gigabytes and even terabytes within a relatively short period of time in SAP systems that often support thousands of end users and hundreds of cross-system connections. Transmitting large volumes of log data from SAP systems to SIEM platforms could consume high levels of network bandwidth. The need to store such data for analysis could also increase resource requirements and licensing costs for SIEM systems.

The third challenge with directly integrating SAP logs is maintenance. Monitoring and supporting the numerous integration points between SAP systems and SIEM platforms, as well as regular archiving to deal with the accumulation of log data, could lead to high maintenance costs.  

Finally, many SAP logs do not natively include information to support cross-platform correlation using SIEM tools. This includes source and destination IPs for security events. Values for sources and destinations in SAP logs are often terminal names and SAP Systems IDs (SIDs) rather than IP addresses. Therefore, Security Operation Centers (SOCs) are not able to easily correlate SAP events with non-SAP events in SIEM platforms.

The Cybersecurity Extension for SAP Solution Manager overcomes such obstacles by filtering, normalizing and enriching security event data from SAP logs. The Monitoring and Alerting Infrastructure (MAI) in Solution Manager can be used to monitor logs at source without extracting and replicating event logs to external repositories. This reduces both bandwidth and storage requirements. MAI data providers support monitoring for all SAP logs including file and table logs in ABAP, HANA, and Java systems, and standalone components such as the SAProuter. MAI periodically parses event logs using attack detection patterns configured in metrics. The frequency of metric checks is customizable and can range from every 60 seconds to several minutes apart. Intervals can be adjusted at the metric level which means metrics can have different monitoring intervals.

A pattern match triggers the MAI to generate alerts and email or SMS notifications for security events. Security alerts generated by Solution Manager are managed using applications such as Monitor Systems, System Monitoring and the Alert Inbox. Alerts can also be written to an external file by Solution Manager. Solution Manager enriches event data by including source and IP addresses for each alert written to the file. This is intended to support correlation once the data is ingested by SIEM platforms. Event data is also normalized using a standardized structure for all log sources. The fields and separators for event details within each file are customizable and include values for alert name, description, date, time, system, system type, and event details. The event details can include information such as the event ID, username, source and destination IP addresses, and objects accessed by the user such as transactions, reports, function modules or URLs.  The example below includes <DATE>::<TIME>::<SYSTEM>::<MANAGED OBJECT TYPE>::<ALERT TYPE>::<PRIORITY>::<ALERT NAME>::<ALERT DESCRIPTION>::<ALERT DETAILS>. Each value is separated by ::

Since event details are written to and stored within alerts in Solution Manager, attackers will not be able to remove all traces of their malicious actions by modifying event logs alone.  They will also need to delete alerts and stop the triggering of email/ SMS notifications of alerts in Solution Manager. This would be challenging since alerts cannot be deleted in Solution Manager. They can only be confirmed. All alerts are retained and only removed by periodic housekeeping jobs designed to delete aged alerts.

Event files can be stored on the Solution Manager host or an external host or file server. A new event file is created by Solution Manager for each day. The contents of the newest file can be periodically pushed to SIEM platforms or pulled by SIEM systems directly from relevant directories. Since there is a single point of integration for event data between SAP and SIEM systems, maintenance efforts are relatively low.

This article outlines the benefits of integrating security event data from SAP applications with SIEM platforms using the Cybersecurity Extension for Solution Manager. The benefits include lower costs, rapid deployment, ease of maintenance, and the enrichment of event data to support cross-platform correlation. The example below is for SIEM integration with Solution Manager for Splunk Enterprise. However, the approach can also be used to integrate security event data with other SIEM systems including QRadar, ArcSight and Log Rhythm.