Layer Seven Security

FBI and CISA Issue Alert for Threat Actors Actively Exploiting SQL Injection Vulnerabilities

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert this week urging organizations to address SQL injection vulnerabilities in their software without delay. The alert follows recent exploitation by the CL0P cybercrime group, also known as TA505. The Russian group has exploited SQL injection vulnerabilities to deploy ransomware and has extorted an estimated $100M from organizations.

TA505 provides Ransomware-as-a-Service (RaaS) to other threat actors, sells access to compromised corporate networks as an initial access broker, and operates botnets specializing in financial fraud. The group is actively exploiting SQL injection vulnerabilities to install web shells on compromised servers. The web shells are used to execute operating system commands, deploy ransomware, and exfiltrate data. TA505 is believed to have breached 130 organizations in just 10 days.

SQL injection vulnerabilities arise when untrusted input, such as a URL parameter, a form field or a value received from another system, is concatenated into the text of a SQL statement, so that the input can change the structure of the statement instead of being treated purely as data. Database queries that carry injected commands can enable threat actors to read and modify sensitive data, change programs and system configurations, and install and execute programs such as ransomware.

The root cause is removed by parameterized queries (prepared statements), which bind user-supplied values as data that can never alter the structure of the statement; this is the primary defense the alert calls for. Where part of a statement must be assembled at runtime, the residual risk is mitigated with a combination of input validation and output encoding, escaping and quoting. Input validation inspects user-provided data before it is included in a database query and rejects data that does not conform to the expected specification, such as permitted character types, length and syntax. Output encoding, escaping and quoting can be more effective than input validation alone, since programs often need to accept free-form text containing arbitrary characters: a surname such as O'Brien is legitimate input and contains the same quote character an attacker relies on.
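The following ABAP report is an added example, not code from this page, from SAP or from Layer Seven Security. It shows the injection pattern in a custom program (a dynamic WHERE clause built from input) next to three fixes: a static condition with a host variable, a dynamic clause quoted with CL_ABAP_DYN_PRG, and native SQL through ADBC with bound parameters. It assumes a hypothetical custom table ZCUSTOMERS whose fields are MANDT, NAME and CITY, in that order.

```abap
REPORT zdemo_sql_injection.
" Added example; not code from the page, from SAP or from Layer Seven Security.
" Assumes a hypothetical custom table ZCUSTOMERS with the fields MANDT, NAME and CITY.

CLASS lcl_customer_query DEFINITION FINAL.
  PUBLIC SECTION.
    TYPES tt_customers TYPE STANDARD TABLE OF zcustomers WITH EMPTY KEY.

    METHODS select_vulnerable IMPORTING iv_city TYPE string
                              RETURNING VALUE(rt_rows) TYPE tt_customers.
    METHODS select_static     IMPORTING iv_city TYPE string
                              RETURNING VALUE(rt_rows) TYPE tt_customers.
    METHODS select_dynamic    IMPORTING iv_city TYPE string
                              RETURNING VALUE(rt_rows) TYPE tt_customers.
    METHODS select_adbc       IMPORTING iv_city TYPE string
                              RETURNING VALUE(rt_rows) TYPE tt_customers
                              RAISING   cx_sql_exception.
ENDCLASS.

CLASS lcl_customer_query IMPLEMENTATION.
  METHOD select_vulnerable.
    " VULNERABLE: the caller's value is spliced into a dynamic WHERE clause unchanged.
    " iv_city = `X' OR CITY <> 'X` yields CITY = 'X' OR CITY <> 'X' and returns every row;
    " iv_city = `X' OR NAME LIKE 'A%` filters on a column the caller was never meant to query.
    " This is the pattern a static scanner flags: untrusted input reaching WHERE ( ... ).
    DATA(lv_where) = |CITY = '{ iv_city }'|.
    SELECT * FROM zcustomers WHERE (lv_where) INTO TABLE @rt_rows.
  ENDMETHOD.

  METHOD select_static.
    " Preferred fix: a static condition with a host variable. The value is passed to the
    " database as data, so it cannot change the structure of the statement.
    SELECT * FROM zcustomers WHERE city = @iv_city INTO TABLE @rt_rows.
  ENDMETHOD.

  METHOD select_dynamic.
    " If the clause really must be built at runtime, quote the value with CL_ABAP_DYN_PRG.
    " QUOTE wraps it in single quotes and doubles any embedded quote, so the payload above
    " becomes the single literal 'X'' OR CITY <> ''X' and matches nothing.
    DATA(lv_where) = |CITY = { cl_abap_dyn_prg=>quote( iv_city ) }|.
    SELECT * FROM zcustomers WHERE (lv_where) INTO TABLE @rt_rows.
  ENDMETHOD.

  METHOD select_adbc.
    " Native SQL through ADBC: the statement text contains only ? placeholders and the
    " values are bound with SET_PARAM. Native SQL bypasses automatic client handling,
    " so the client is bound explicitly as well.
    DATA(lv_client) = sy-mandt.
    DATA(lv_city)   = CONV zcustomers-city( iv_city ).
    DATA(lo_stmt)   = NEW cl_sql_statement( ).
    lo_stmt->set_param( REF #( lv_client ) ).
    lo_stmt->set_param( REF #( lv_city ) ).
    DATA(lo_result) = lo_stmt->execute_query(
      `SELECT mandt, name, city FROM zcustomers WHERE mandt = ? AND city = ?` ).
    lo_result->set_param_table( REF #( rt_rows ) ).
    lo_result->next_package( ).
    lo_result->close( ).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA(lo_query)   = NEW lcl_customer_query( ).
  DATA(lv_payload) = `X' OR CITY <> 'X`.
  DATA(lv_vuln)    = lines( lo_query->select_vulnerable( lv_payload ) ).
  DATA(lv_static)  = lines( lo_query->select_static( lv_payload ) ).
  DATA(lv_quoted)  = lines( lo_query->select_dynamic( lv_payload ) ).
  TRY.
      DATA(lv_adbc) = lines( lo_query->select_adbc( lv_payload ) ).
    CATCH cx_sql_exception.
      lv_adbc = -1.
  ENDTRY.
  " The vulnerable variant returns the whole table; the others return 0 rows
  " (no city is literally named after the payload).
  WRITE: / 'vulnerable rows:', lv_vuln,
         / 'static rows:    ', lv_static,
         / 'quoted rows:    ', lv_quoted,
         / 'adbc rows:      ', lv_adbc.
```

Two caveats apply to the quoted variant. QUOTE only protects a value used as a literal; a table name, column name or ORDER BY field supplied by the caller cannot be quoted and has to be checked against an allowlist instead (CL_ABAP_DYN_PRG provides CHECK_TABLE_NAME_STR and CHECK_COLUMN_NAME for that). And while ABAP SQL does not permit stacked statements, an injected condition is still enough to dump a whole table or read columns the program never intended to expose, which is why the static host-variable form should be the default.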

SAP software is subjected to static code analysis and other forms of security testing to detect and remove potential SQL injection vulnerabilities. However, SAP is not responsible for securing custom programs and applications deployed to SAP systems; securing custom code is the responsibility of each SAP customer. The Cybersecurity Extension for SAP is an SAP-certified add-on that automatically detects SQL injection vulnerabilities in custom ABAP programs and SAPUI5 applications. This includes SQL injection in SELECT, INSERT, UPDATE, MODIFY, DELETE and other statements, as well as in dynamically specified GROUP BY, JOIN, SET, WHERE and other clauses and conditions. It also detects SQL injection in native SQL executed through ADBC and in DDL, DML and other statements executed via APIs in SAP systems.

The Cybersecurity Extension for SAP integrates with the ABAP Test Cockpit (ATC) and SAP Code Inspector (SCI). It also integrates with the Transport Management System (TMS) to scan transport requests automatically and block those that contain SQL injection and other security vulnerabilities.

Securing Custom SAPUI5 Applications using the Cybersecurity Extension for SAP

SAPUI5 is the foundation of Fiori applications in SAP solutions such as SAP HANA and S/4HANA. It provides an HTML5 framework for developing flexible and user-friendly applications that behave consistently across browsers, platforms and devices, and that integrate with ABAP programs through APIs such as OData services.

SAPUI5 is a JavaScript library built on jQuery, so although SAP recommends SAP Web IDE, UI5 applications can be developed in any environment that supports JavaScript development. Unlike Web Dynpro, where the framework generates the client from an abstract programming model, a SAPUI5 application consists of developer-written JavaScript (controllers, formatters, custom controls) that runs in the browser and drives the HTML rendering. Consequently such applications are more exposed to code-level vulnerabilities, such as cross-site scripting, than Web Dynpro applications. Application developers should ensure that custom SAPUI5 applications meet stringent security standards during all phases of the development lifecycle. Custom applications are part of the attack surface of SAP systems, and vulnerable applications are often targeted by threat actors to compromise SAP solutions. Since custom applications are not maintained by SAP and are not patched by SAP security notes, customers are directly responsible for ensuring that custom applications are secure and protected against misuse.

Automated static source code scanning is a proven method for detecting software vulnerabilities in custom applications effectively and efficiently, both during and after development. In addition to static code checks for over 100 types of vulnerability in custom ABAP programs, the Cybersecurity Extension for SAP (CES) automatically detects more than 900 types of vulnerability in custom SAPUI5 applications, including code injection, SQL injection, cross-site scripting, directory traversal, and missing or insufficient authentication or authorization checks. CES enables SAP customers to develop and deploy custom SAPUI5 applications securely, in accordance with secure coding best practices.

CES provides detailed information for each vulnerability detected in custom SAPUI5 applications, including a risk analysis, remediation guidance, and the impacted lines of code, objects, packages and owners. Findings are also mapped to the Common Weakness Enumeration (CWE) to monitor compliance with coding best practices. CWE is a community-developed catalogue of software and hardware weakness types maintained by MITRE and sponsored by the U.S. Department of Homeland Security (originally through US-CERT and the National Cyber Security Division, today through CISA). Static code scan results for custom SAPUI5 applications can be reviewed and managed in SAP Code Inspector (SCI) and exported as Excel or PDF reports. The results are also integrated with the Vulnerability Report in CES, accessed from the Fiori launchpad for SAP Solution Manager.

Secure Your Custom Code with the Cybersecurity Extension for SAP

The Cybersecurity Extension for SAP Solution Manager now supports static code analysis for custom SAP programs. Released in September, version 3.3 detects hard-coded users, passwords, hosts, systems and clients; SQL injection; cross-site scripting; missing or insufficient authorization checks; directory traversal; reads and writes of sensitive tables; OS command injection; and insecure communication methods and passwords.

The ABAP checks are integrated with SAP Code Inspector (SCI) and the ABAP Test Cockpit (ATC). They can be applied to new developments and to existing custom programs. For existing programs, periodic scans are scheduled in the ATC, and scan results are also reviewed in the ATC. The results can be displayed in the ABAP Development Tools (ADT) for Eclipse as well.

The details of each vulnerability, including the impacted lines of code in the relevant objects, can be viewed by clicking on the finding.

Findings are integrated with the Vulnerability Report in SAP Solution Manager. Remediation plans can be recorded and tracked using action plans in Solution Manager. Alternatively, exemptions can be requested for vulnerabilities in the ATC.

Automatic blocking of transport requests that contain security-related errors can be enforced in the Change and Transport System (CTS): the ATC can be configured to run its checks when a request is released and to reject the release when findings of a given priority exist. Alternatively, the SAP BAdI CTS_REQUEST_CHECK can be implemented directly; its CHECK_BEFORE_RELEASE method is called during the release of a task or request, and the release is cancelled if the method raises its CANCEL exception.
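The following is an added illustration of the BAdI route, not code from this page, from SAP or from the Cybersecurity Extension for SAP. A hypothetical global class ZCL_SQLI_RELEASE_GATE reads the ABAP source of every program and include in the request (R3TR PROG and LIMU REPS entries of the OBJECTS table) and reports the first dynamic WHERE clause it finds; the CHECK_BEFORE_RELEASE method of the implementation class that SE19 generates for CTS_REQUEST_CHECK then cancels the release on a finding. The regular expression is deliberately crude (it cannot tell a quoted dynamic clause from an unquoted one and ignores inline comments); a production gate would run the ATC or Code Inspector check variant from the same hook instead.

```abap
" Added example; not code from the page, from SAP or from Layer Seven Security.
" Hypothetical global class that scans the ABAP objects of a transport request.
CLASS zcl_sqli_release_gate DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    TYPES tt_lines TYPE STANDARD TABLE OF i WITH EMPTY KEY.

    " Line numbers at which a source table contains WHERE (dobj), the dynamic
    " condition syntax of ABAP SQL. Full-line comments (* in column 1) are skipped.
    CLASS-METHODS find_dynamic_where
      IMPORTING it_source       TYPE string_table
      RETURNING VALUE(rt_lines) TYPE tt_lines.

    " First finding across the programs and includes of a request as text,
    " or an initial string when nothing suspicious was found.
    CLASS-METHODS check_request
      IMPORTING it_objects        TYPE trwbo_t_e071
      RETURNING VALUE(rv_finding) TYPE string.
ENDCLASS.

CLASS zcl_sqli_release_gate IMPLEMENTATION.
  METHOD find_dynamic_where.
    LOOP AT it_source INTO DATA(lv_line).
      DATA(lv_tabix) = sy-tabix.
      IF strlen( lv_line ) > 0 AND lv_line(1) = '*'.
        CONTINUE.
      ENDIF.
      " Deliberately crude pattern: any WHERE followed by a parenthesised name.
      IF find( val = lv_line regex = `\bWHERE\s*\(\s*\w+\s*\)` case = abap_false ) >= 0.
        APPEND lv_tabix TO rt_lines.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.

  METHOD check_request.
    DATA lt_source TYPE string_table.
    LOOP AT it_objects INTO DATA(ls_obj)
         WHERE ( pgmid = 'R3TR' AND object = 'PROG' )
            OR ( pgmid = 'LIMU' AND object = 'REPS' ).
      CLEAR lt_source.
      DATA(lv_prog) = CONV progname( ls_obj-obj_name ).
      READ REPORT lv_prog INTO lt_source.
      IF sy-subrc <> 0.
        CONTINUE.          " object not present in this system, nothing to scan
      ENDIF.
      DATA(lt_hits) = find_dynamic_where( lt_source ).
      IF lt_hits IS NOT INITIAL.
        rv_finding = |dynamic WHERE clause in { lv_prog } line { lt_hits[ 1 ] }|.
        RETURN.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.

" Body of IF_EX_CTS_REQUEST_CHECK~CHECK_BEFORE_RELEASE in the BAdI implementation
" class generated by SE19 for CTS_REQUEST_CHECK. The method receives the request
" number (REQUEST) and its object list (OBJECTS); raising CANCEL aborts the release.
METHOD if_ex_cts_request_check~check_before_release.
  DATA(lv_finding) = zcl_sqli_release_gate=>check_request( objects ).
  IF lv_finding IS NOT INITIAL.
    DATA(lv_msg) = |Release of { request } blocked: { lv_finding }|.
    MESSAGE lv_msg TYPE 'I'.
    RAISE cancel.
  ENDIF.
ENDMETHOD.
```

The hook fires for tasks as well as requests, so developers see the message when they release their own task rather than only at the final request release; whichever check is run here should be fast enough for that, which is one reason to delegate to an existing ATC variant rather than re-reading every source table in the BAdI itself.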

Checks can be run from a central check system against remote systems. The procedure is described in SAP Note 2364916 and in a technical article in the SAP Community.