Layer Seven Security

10KBLAZE: Secure Your Systems with SAP Solution Manager

On May 2, the Department of Homeland Security issued an alert for SAP customers in response to the disclosure of new exploits targeting vulnerable SAP components. According to some reports, the so-called 10KBLAZE exploits could impact 90% of SAP installations worldwide. The exploits target misconfigurations in the gateway server and message server installed in most SAP systems including S/4HANA, ERP and CRM. The successful execution of the exploits could enable attackers to exfiltrate or modify data and provoke a denial of service without authentication. In other words, attackers can completely compromise target SAP systems without any user credentials.

The new exploits target known vulnerabilities addressed by notes and advisories released by SAP since 2005.  Note 821875 details measures to secure the message server, including restricting external access, separating internal and external communications, and maintaining secure access control lists. The profile parameter ms/monitor should be set to 0 to prevent external programs such as msmon from administering the message server at the operating system level. Access to transaction SMMS should also be restricted since the setting can be changed dynamically using the Message Server Monitor within the application server. A separate port for internal communication between application servers should be defined using parameter rdisp/msserv_internal. This will prevent external clients from intercepting or rerouting internal message server communications.  The port should not be exposed to clients or intranets. Finally, the parameter ms/acl_info should specify the file containing a restrictive access control list of hosts, domains, IP addresses or subnets for application servers permitted to log on with the message server.

ACLs should also be defined for the gateway server to control access to starting external programs.  This can be performed using the gateway security file sec_info. The correct syntax for the file depends on the kernel level. For kernel 7.20 and higher, the setting USER-HOST=LOCAL is recommended to protect against 10KBLAZE exploits. This will allow connections from the same server instance. The setting USER-HOST=INTERNAL could be vulnerable but is required for SID clusters. For detailed guidance, refer to Note 1408081. The ACLs should be supported by the setting gw/acl_mode to 1. This parameter defines the behavior of the gateway server if sec_info does not exist.

Since some 10KBLAZE exploits are targeted at modifying or redirecting data packets, enabling SNC to authenticate and encrypt client-server communications is recommended.

SAP systems vulnerable to 10KBLAZE exploits can be discovered using SAP Solution Manager. The Cybersecurity Extension for SAP Solution Manager automatically monitors security settings for the message server and gateway server including profile parameter settings, access control lists and users with critical transactions such as SMMS. The extension also monitors message and gateway logs for external monitor commands, successful and unsuccessful program starts, and other events. Alerts are triggered by the extension for suspected exploits.

The example below illustrates how you can discover insecure sec_info entries that could expose systems to 10KBLAZE exploits.

Click on Vulnerability Report in the Fiori Launchpad.

SAP Cybersecurity Extension for Solution Manager 10

Filter by ABAP systems, select the check-box for the target system and click on Display.

SAP Cybersecurity Extension for Solution Manager 09

Filter for vulnerabilities in open status within the area of RFC Security. Click on the check for starting of external programs.

SAP Cybersecurity Extension for Solution Manager 08

Review the details and recommendation. Click on the linked SAP Notes and SAP Help.

SAP Cybersecurity Extension for Solution Manager 07

Click on Additional Information to review the insecure entries in the sec_info ACL.

SAP Cybersecurity Extension for Solution Manager 03

Focus on entries with the setting USER-HOST=internal.

Click on the download icon to export the current settings.

If required, add comments in the Comment section.

SAP Cybersecurity Extension for Solution Manager 04

The finding for the system will be automatically removed from the report once the sec_info entries are updated. However, you can manually change the status using the Change Status option. Note that status changes are tracked in the extension.

SAP Cybersecurity Extension for Solution Manager 05

You can also assign responsibility for remediating the finding to specific groups using the Change Owner option.

SAP Cybersecurity Extension for Solution Manager 06

Webinar: 10KBLAZE – Secure Your SAP Systems with CVA and SolMan

According to a recent report, thousands of SAP installations may be vulnerable to 10KBLAZE exploits targeting SAP applications.

Join SAP and Layer Seven Security to learn how to secure your SAP systems against the exploits with SAP Code Vulnerability Analyzer (CVA) and SAP Solution Manager. CVA performs static code analysis to detect vulnerabilities in custom code. SAP Solution Manager detects vulnerabilities and threats in SAP systems including components such as the gateway server, message server and SAProuter, targeted by 10KBLAZE.

Together, CVA and Solution Manager provide an integrated platform to secure your business-critical SAP systems against 10KBLAZE and other exploits.

Thu, Jun 6, 2019
11:00 AM – 12:00 PM EDT

REGISTER

Securing Administrative Access in SAP AS Java

The misuse of administrative privileges is a common method used by attackers to compromise applications and propagate attacks to connected systems. The elevated privileges granted to administrative accounts are a prized target for attackers and provide a fast path to accessing or modifying sensitive data, programs and system settings.

User privileges for Java applications are administered through the User Management Engine (UME) in the SAP NetWeaver Application Server for Java (AS Java). The UME is the default user store for AS Java and can be configured to use LDAP directories, AS ABAP, or the system database of AS Java as the data source for user-related data.

UME permissions granted to users can include administrative actions such as Manage_All, Manage_Roles, Manage_Users, Manage_User_Passwords, and other privileged functions. Administrative actions are bundled into roles and granted to users organized into user groups. Standard user groups include the Administrator group, as well as groups such as SAP_J2EE_ADMIN and SAP_SLD_ADMINISTRATOR. The latter includes users with administrative access to the System Landscape Directory.  Standard roles include Super Admin and, for Enterprise Portals running on AS Java, Portal System Admin, Portal User Admin and Portal Content Admin.

Access to administrative roles and rights in AS Java should be granted to required users only, based on the principle of least privilege. Users with administrative privileges in AS Java systems can be detected using the Cybersecurity Extension for SAP Solution Manager. The results are displayed in security reports and dashboards. Alerts are also triggered by the extension for new users granted privileged roles and actions for possible privilege escalations. The extension also detects users with administrative rights in ABAP and HANA platforms, as well as SAP-compatible databases including IBM, Microsoft, Oracle and Sybase.

 

Database Security with the Cybersecurity Extension for SAP

Protecting SAP systems against cyber threats requires integrated measures applied not just within the SAP layer but across the technology stack including network, operating system, and database components.  As repositories of business-critical and sensitive information, databases warrant specific attention for hardening and monitoring efforts. This includes identifying and addressing configuration weaknesses, excessive privileges, and weak audit policies, encrypting data in transit and at rest, removing vulnerable stored procedures, and detecting and responding to privilege abuse or escalations.

SAP Solution Manager is uniquely positioned to monitor the security of SAP databases given its deep connectivity into SAP platforms. This article outlines the architecture and data collection procedures for database monitoring with Solution Manager. Next month’s article will explore database-level security reporting and event monitoring with SolMan.

Establishing connectivity to databases supporting SAP systems is a standard step during the mandatory configuration procedures for Solution Manager. Connection information is entered into the DB Parameters section during the Enter System Parameters step of Managed System Configuration. This includes the database host, port, and user credentials.

The connection supports the DBA Cockpit for database administration and monitoring. It also supports database extractors used by the Extractor Framework. The Extractor Framework performs data collection and distribution for monitoring and alerting in Solution Manager. The framework operates regular extractors to snapshot configuration, user, system, change and event-related data from systems. The snapshots are stored in areas such as the SolMan Configuration and Change Database (CCDB) and queried by other applications in SolMan including Configuration Validation and the Monitoring and Alerting Infrastructure (MAI). The concept of running or scheduling security scans is foreign in Solution Manager. Periodic jobs run the extractors to refresh the data. Therefore, there is no need to schedule scans or connect directly to systems to compile data when reviewing security-related information. Job Monitoring in Solution Manager can be used to monitor the relevant jobs and alert for job errors or warnings.

Solution Manager automatically applies preconfigured templates for databases once they are successfully connected for monitoring. SolMan installations are packaged with templates for all platforms supported by SAP systems including SAP databases such as HANA, Sybase and MaxDB, and third-party databases from Oracle, IBM and Microsoft. Template contents can vary based on the specific version and release of databases.

Templates for HANA platforms including metrics and alerts for monitoring system availability, performance and security. They also include CCDB stores to extract current values for HANA parameters, and details of active users, audit policies and users with critical database and system privileges.

The extractor framework and SAP-delivered templates may not provide coverage for monitoring all the security-related areas for each database platform. Therefore, customers or partners can either define their own templates or create/ modify extractors, metrics, alerts and CCDB stores to extract additional data. In the example below, we’ve added several custom stores to extract and query data for Sybase ASE that is not available in a standard Solution Manager installation.  This includes runtime values for all Sybase parameters, active users, roles assigned to database users, enabled stored procedures, audit settings, and database event logs with event IDs, user IDs, and timestamps.

The stores are assigned to the custom /L7S/ namespace to avoid any conflict with SAP and other namespaces.

The extractor framework regularly refreshes the data through background jobs. Database security policies are then applied by Solution Manager against the CCDB to identify vulnerabilities and security-related events in the platform. The data is also monitored by the MAI which triggers alerts and notifications for critical risks. The results are replicated to an internal Business Warehouse (BW) in Solution Manager.

In next month’s article, we will discuss how you can use Service Level Reporting and BusinessObjects to create detailed and user-freindly reports to convey the results of database security monitoring with SAP Solution Manager.

Secure, Patch & Respond: Security Analytics with SAP Web Intelligence

SAP Web Intelligence enables users to visualize and manage security risks in SAP systems using interactive reports delivered through an intuitive web interface. Powered by the BusinessObjects platform, Web Intelligence connects directly to data sources in SAP Solution Manager to convey system vulnerabilities, missing security notes and open alerts using dynamic charts and graphs and detailed tables.

Animated charts summarize risks by system, location, priority and other dimensions. Results can be filtered and sorted to focus on specific areas. Users can comment on report elements for collaboration, decision-making and tracking remediation efforts. Reports can be exported to Excel, HTML and PDF. Reports can also be accessed remotely using the mobile app for SAP BusinessObjects.

The security reports are comprised of five distinct sections. The first section includes a series of charts that summarize risks across three dimensions: vulnerabilities, security notes, and alerts. The results can be filtered to focus on single or multiple systems.

The second section includes trend charts, bar graphs, geo-maps and bubble charts that break down the results for each dimension.

The remaining sections convey detailed findings and empower users to secure SAP systems against cyber threats by discovering and removing vulnerabilities, applying patches, and responding to alerts for suspected security breaches.

To learn more, contact Layer Seven Security. You can also request a free trial for security reporting with SAP Web Intelligence using Layer Seven’s cloud platform.

 

How to Comply with the DHS Recommendations for Securing SAP Systems from Cyber Attacks

In response to the dramatic rise of cyber attacks targeting ERP applications, the United States Department of Homeland Security (DHS) issued a warning earlier this year that encouraged organizations to respond to the risks targeted at their business applications by implementing specific measures to secure, patch and monitor SAP systems. The measures included scanning for vulnerabilities and missing security patches, managing SAP interfaces, and monitoring user behaviour, indicators of compromise, and compliance against security baselines for systems.

This article discusses how you can leverage SAP Solution Manager to comply with the DHS recommendations. Solution Manager is installed and available in most SAP landscapes and includes diagnostics and monitoring applications to support cybersecurity. The specific applications are outlined below against each of the DHS recommendations.

1. Scan systems for all known vulnerabilities, such as missing security patches and dangerous system configurations.

Configuration Validation in Solution Manager can perform automatic daily scans of SAP systems against security benchmarks to identify misconfigurations that could expose systems to cyber threats. The scans are performed against snapshots of systems stored in the Configuration and Change Database (CCDB). The results of the scans are stored in an internal Business Warehouse (BW). Service Level Reports and Security Dashboards connect to BW using BEx queries to read the results of the security scans and report the findings.

System Recommendations (SysRec) in Solution Manager connects directly to SAP Support to discover missing security patches.  SysRec also connects to each system in an SAP landscape to determine the current patch level. It reads the system information in the Landscape and Management Database (LMDB) to identify installed software components and versions. SysRec also integrates with the ABAP Call Monitor, Usage Procedure Logging, and Solution Documentation to perform change impact analysis for security patches.

2. Identify and analyze the security settings of SAP interfaces between systems and applications to understand risks posed by these trust relationships.

Interface and Connection Monitoring (ICMon) in Solution Manager automatically maps cross-system interfaces including RFC, HTTP, IDOC and Web Services. This includes internal and external connections. It also monitors real-time traffic patterns to detect and alert for malicious actions including dangerous RFM and URL executions.

3. Analyze systems for malicious or excessive user authorizations.

Solution Manager can detect users with administrative privileges in SAP systems. It flags users with privileged authorizations, profiles, roles, transactions, Java permissions, and HANA system and table privileges. Privileges can include standard and custom objects.

4. Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities.

The Monitoring and Alerting Infrastructure (MAI) in Solution Manager can monitor event logs in SAP systems to detect and alert for indicators of compromise (IOCs). This includes log files and tables such as the Security Audit Log, HTTP Log, System Log, Gateway Server Log, Change Document Log, Read Access Log, Java Security Log, HANA Audit Log, and the SAProuter Log. The MAI triggers alerts and email and text notifications for IOCs. Guided procedures provide a framework for incident response and tracking.

5. Monitor systems for suspicious user behavior, including both privileged and non-privileged users.

MAI monitors user logs to detect and alert for suspicious behavior covering both privileged and non-privileged users. This includes unauthorized access, escalation of privileges and actions that could lead to data leakage.

6. Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.

SAP Partners periodically update content for Solution Manager to address new vulnerabilities and attack vectors.

7. Define comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.

Solution Manager continuously monitors for policy violations against security baselines and compliance frameworks such as GDPR, IT-SOX, NIST and PCI-DSS. Service Level Reports and Dashboards provide directions for implementing and tracking remedial actions taken to patch and secure systems. Guided procedures document incident investigation steps performed by responders. The results are archived in Solution Manager.

To learn more about how Solution Manager can help you comply with the DHS recommendations for securing SAP systems, contact Layer Seven Security.

Monitor Dangerous Function Module Calls with SAP Solution Manager

SAP systems operate in highly interconnected landscapes integrated by numerous interfacing technologies.  The most common interface technology is the RFC protocol. The RFC protocol enables remote-enabled function modules (RFMs) to be called in remote systems. Some RFMs can be exploited to perform dangerous, administrative commands in target systems. For example, the function module BAPI_USER_CREATE can be used to create or maintain users. RFC_ABAP_INSTALL_AND_RUN can be used to register and execute arbitrary code. External commands including operating system commands can be executed using SXPG_CALL_SYSTEM and SXPG_COMMAND_EXECUTE. Therefore, monitoring for the execution of dangerous RFMs is critical for detecting potential attacks against SAP systems.

This article discusses how SAP Solution Manager detects and triggers alerts for dangerous RFM calls using Interface and Connection Monitoring (ICMon) and the Monitoring and Alerting Infrastructure (MAI). The article also discusses how the Guided Procedure Framework in Solution Manager can be used to create automated workflows for alert handling and forensic investigations.

ICMon provides a centralized platform for monitoring communications between systems within and across SAP landscapes. The application is accessed from the System and Application Monitoring group in the Fiori Launchpad.

Monitoring scenarios must be configured before using ICMon. The scenarios define the target systems and interface channels for monitoring. They also define the direction of the communications traffic. ICMon supports monitoring for both internal and external systems. It also supports several communication protocols including not just synchronous, transactional, queued, and background RFCs but Web Services, Gateway (OData) connections, HTTP, IDoc, CRM, PI and Cloud services.

Once configured, Solution Manager starts to collect usage data for each scenario at regular intervals through background jobs. It also generates dynamic topologies for each scenario to visualize connections. Channels are color coded based on performance, availability, and configuration issues or exceptions detected by Solution Manager.

Monitoring for specific function modules can be performed by maintaining blacklisted RFMs for RFC interface channels in each scenario. The Number of RFC Executions metric should then be enabled to automatically trigger alerts for the execution of any of the RFMs.

The channel will be colored red in the topology if a dangerous RFC function module call is performed.

The Alert Ticker displays open alerts in the Overview screen.

 

Alerts can be managed from the Alert Inbox of the MAI.

The Alert Details specify the function module and the RFC destination used to call the RFM, as well as details of the calling system, called system, and the timestamp of the event.

The details are also included in attachments appended to email notifications sent by Solution Manager.

 

The Guided Procedure Framework (GPF) in Solution Manager can be used to create standard operating procedures for investigating dangerous RFM executions. The procedures can be started by selecting the option to Start Guided Procedure in each alert. Once initiated, the guided procedure will provide investigators with detailed instructions for performing forensic investigations and log the progress of each step in the procedure.

 

SAP Solution Manager is ITIL-Certified for Information Security Management

The SAP Integration and Certification Center (ICC) has been validating and certifying solutions from partners and software vendors for over twenty years. The certifications provided by the ICC are based on rigorous testing and enable customers to invest with confidence in technologies that integrate with SAP solutions. This includes technologies that support security scenarios such as automated vulnerability management, code scanning and threat detection.

The ICC cannot certify SAP’s own product offerings since self-certification does not provide the same level of assurance as independent certification. However, SAP platforms are often certified by recognized certification authorities. SAP Solution Manager, for example, is certified by organizations such as SERVIEW. In fact, Solution Manager is one of the most awarded service management platforms in the market and certified for all 18 certifiable processes of the ITIL framework, including Information Security Management.

ITIL is the Information Technology Infrastructure Library and provides best practices to support the design, management and monitoring of IT infrastructure and optimization of service levels for end users. The framework consists of five distinct lifecycle phases for service strategy, design, transition, operations, and continuous improvement. It includes key performance indicators to identify problems, measure performance, and track progress.

IT Security Management is a process within the Service Design lifecycle of the most recent version of the ITIL framework. It includes four sub-processes for the design of security controls, the performance of regular security reviews, and the management of security incidents. The sub-processes are targeted at preventing, detecting and containing security intrusions and breaches. The chart below maps each sub-process to relevant applications available in SAP Solution Manager.

ITIL v3 – IT Security Management

Applications such as Configuration Validation, Service Level Reporting and the Dashboard Builder enable customers to enforce security baselines for SAP landscapes and monitor compliance against security KPIs. System Recommendations automatically detects missing security patches through a direct connection to SAP support. Interface Monitoring detects potential breaches of cross-system connections. Finally, the Monitoring and Alerting Infrastructure and Guided Procedures provide an advanced framework for detecting and responding to security incidents and suspected breaches. Overall, Solution Manager provides a powerful ITIL-compliant platform for defining, implementing and sustaining secure SAP system landscapes.

 

Featured in SAPinsider: Secure Your SAP Landscapes with SAP Solution Manager 7.2

Firewalls, intrusion detection systems, and antivirus solutions may not protect SAP systems against advanced cyberattacks. However, this does not necessarily mean that SAP customers have to license third-party vulnerability scanning or threat detection solutions to deal with the risk. The answer to their security questions may be closer than they realize. Bundled with standard and enterprise SAP support agreements, SAP Solution Manager 7.2 includes five integrated applications to safeguard SAP systems against cyber threats:

Service Level Reporting (SLR)
Dashboard Builder
System Recommendations
Interface and Connection Monitoring (ICMon)
and the Monitoring and Alerting Infrastructure (MAI)

Read the full article

Discover Vulnerable System Connections with Interface Monitoring

Interface Monitoring provides the answer to one of the most vexing questions in SAP security: where are our vulnerable cross-system connections and how do we monitor them to ensure they’re not abused by attackers?

Although Interface Monitoring, also known as Interface Channel Monitoring or ICMon, has been available in SAP Solution Manager since version 7.10 SP05, the application has been completely overhauled in version 7.2, especially in SP05, which has been in general availability since June.

ICMon in SolMan 7.2 includes an SAPUI5 graphical display that automatically maps the entire landscape topology in a single screen (see below). Topologies are generated by ICMon based on so-called monitoring scenarios configured in Integration Monitoring within SolMan configuration.

During scenario creation, you specify the systems and channels to monitor in each scenario. Multiple scenarios can be created to monitor different channels, systems, environments or other variables. Scenarios can also be landscape-wide to include all available systems and even cross-landscape to monitor systems located in different SAP landscapes.

Unlike some third party security tools that focus exclusively on RFC communications, ICMon can support monitoring for any SAP-supported protocol. This includes not only RFC, but HTTP, HTTPS, IDoc and Web Services.

Once the scenarios are configured, you can select from the list of available scenarios from Scope Selection in ICMon to monitor the scenario.

ICMon’s ability to automatically generate a graphical topology of cross-system connections enables users to discover vulnerable interfaces between systems including trust RFC relationships between systems in different environments. Trust relationships and stored credentials in RFC destinations could be exploited by attackers to, for example, pivot from vulnerable development or test systems to productive systems.

However, ICMon doesn’t just generate a static topology of system interfaces. It also continuously collects metrics and usage data for each channel to monitor availability, configuration and performance errors. Errors and warnings are displayed in both the ICMon dashboard (see below) and the topology.  Connections with errors or warnings are displayed in red in the topology. Successful connections are displayed in green.

Usage data includes destinations and function modules called through each RFC channel with timestamps.

Alerts configured for metrics and thresholds including security-related scenarios can be viewed in the Alert Ticker from the ICMon home screen. The alerts can also be viewed in the Alert Inbox of SAP Solution Manager. In common with alerts for other application areas, ICMon uses the Monitoring and Alerting Infrastructure (MAI). Therefore, the Guided Procedure Framework can be used to apply standard operating procedures and best practices for incident management and alert handing.