Earlier this month, Layer Seven Security released the new whitepaper Securing the Journey to SAP S/4HANA: A Security Framework for S/4HANA Migrations. The whitepaper provides a comprehensive guide to S/4HANA security to support the transition from SAP ERP to S/4HANA.
Mainstream maintenance for ERP will end in December 2027. Therefore, organizations must migrate to S/4HANA by the beginning of 2028. To date, only one third of organizations have migrated to S/4HANA. Therefore, the majority of SAP customers will be migrating over the next five years.
Security is one of the largest roadblocks to successful migrations. This is due to significant differences between ERP and S/4HANA that require the restructuring of access and technical controls. It is also due to concerns related to cloud security since almost 70% of organizations are electing to migrate to cloud-based S/4HANA installations. Other security concerns arise from the migration of custom SAP programs from ERP to S/4HANA. These programs often contain hidden and unresolved security vulnerabilities since they were never subject to in depth code vulnerability analysis.
The whitepaper includes detailed recommendations across twelve domains to deal with these and other security concerns and facilitate the smooth transition to S/4HANA. The recommendations are aligned to best practices in the SAP S/4HANA Security Guide. The whitepaper also includes guidance for automating pre and post go-live security checks for S/4HANA migrations using SAP Solution Manager and the Cybersecurity Extension for SAP.
Maintaining an accurate and complete inventory of SAP systems is an important requirement for cybersecurity. It enables organizations to assess and prioritize risk management, ensure systems are not accidentally overlooked and exposed to threats, plan and track maintenance activities such as upgrades to apply security patches, and recover rapidly from security incidents including data breaches and successful ransomware attacks. For this reason, compliance frameworks such as CIS, NIST and PCI-DSS include requirements for asset management. The requirement is also the subject of the new bill Strengthening Agency Management and Oversight of Software Assets Act approved by the U.S Senate Homeland Security and Governmental Affairs Committee in September.
In many organizations, SAP asset inventories are maintained in spreadsheets or asset management tools that require manual updating. This can lead to inaccuracies if these approaches fail to keep pace with changes in complex and evolving SAP landscapes. Landscape Management in SAP Solution Manager provides an automated solution for managing system inventories by discovering and mapping SAP assets and automatically updating system information. Landscape Management is included in the standard usage rights for Solution Manager.
System information is sourced by Landscape Management from the System Landscape Directory (SLD). The SLD is the central repository of system information required for SAP lifecycle management. SAP landscapes may have multiple SLDs for backup or to support different environments, but the supplier for Landscape Management is the central SLD. The SLD includes a software catalog for each system known as CR Content. It also includes a Common Information Model (CIM) for sharing hardware and software information. CR and CIM data is automatically synched from the SLD with Landscape Management via SAP agents. The data can also be automatically or manually imported into Solution Manager in landscapes that do not have an SLD. The data is then synched from Landscape Management with the Maintenance Planner in the SAP Support Portal. This is one of the primary reasons why SAP Solution Manager is required in SAP landscapes even if customers are not actively using any SolMan scenarios.
Landscape Management is accessed from the SAP Solution Manager Administration workgroup in the Fiori Launchpad.
System information is categorized by application server, database, host and component areas. For technical systems, you can select a system from the selection screen and click on Display to display the full system information.
The initial screen summarizes the key attributes for the system such as the SID, database, installation number, release information and SAP products installed in the system. This section also includes the environment, location and lifecycle status. The priority of the system can be used to classify systems based on their business importance using a low to very high rating scale.
The tabs for Technical Scenarios, SAP Support Portal, Business Partners, and Installed Licenses detail the active SolMan scenarios for the system, the system number, key personnel including system owners, business contacts, architects, and technical support with email addresses and telephone numbers, and license information.
The Software section lists the installed software components including version and support pack level. This information is used by SAP Solution Manager during the calculation of relevant notes including security notes.
The Database, Instances and Clients section include information such as the database type, release and host name, instance names, numbers and directories, and active clients and roles.
The Hosts section will include host-level information such as the host name, FQDN, IP address, OS type and version, CPU, and details of whether the host is physical, logical or virtual.
The Destinations section lists the active RFC destinations in the system by client.
Finally, the Component Groups section details the logical component groups for the system. This is often used to group systems based on their role. The system roles below are predefined by SAP. However, users can create and maintain custom component groups to cluster systems by business group, function, location, or other areas.
System Recommendations (SysRec) in SAP Solution Manager automatically calculates relevant security notes for SAP systems based on the available software and application components in each system. It provides a cross-system view for required notes using a customizable, user-friendly interface.
The use of SysRec is recommended by SAP for the lifecycle management of notes. It connects directly to SAP Support to perform a daily or weekly check for new notes. It identifies prerequisite and side-effect notes. It also identifies support packages for notes. Corrections can be downloaded directly through SysRec and staged automatically in systems. SysRec integrates with Change Request Management (ChaRM) for applying notes. It also supports change impact analysis for test planning through integration with the Business Process Change Analyzer (BPCA). Usage statistics for impacted objects are included in SysRec through integration with Usage and Procedure Logging (UPL) and the ABAP Call Monitor (SCMON).
Despite these benefits, there is one major drawback for SysRec. Based on an analysis performed by Layer Seven Security, an average of 30 percent of security notes reported in SysRec are false positives. The notes are irrelevant since the impacted application components are not installed in the relevant SAP systems. The process of manually reviewing notes in SysRec in order to identify and remove false positives is time-consuming, especially for large SAP landscapes. It can also lead to delays in the implementation of corrections to address security vulnerabilities in SAP solutions.
SysRec calculates notes for systems based on software information sourced from the Landscape Managed Database (LMDB) in SAP Solution Manager. The LMDB includes details of software components and versions for each system. This information supports not only SysRec, but Root Cause Analysis and System Monitoring in Solution Manager, and the Maintenance Planner in the SAP Support Portal. The data is synched from the System Landscape Directory (SLD). Therefore, one of the root causes of false positives in SysRec is the incomplete registration of systems in the SLD and synchronization issues between between the SLD and LMDB. Other root causes are job or connection errors during the runtime for the SysRec calculation. The LMDB can be kept in sync with the SLD by using the resynchronization option in the LMDB. Job and connection errors can be identified and alerted for using Job Monitoring and Interface Connection Monitoring in SolMan.
However, system maintenance, synchronization, and monitoring does not remove all false positives in SysRec. This is often a major source of frustration for SAP customers. The Cybersecurity Extension for SAP automatically identifies and removes false positives in SysRec by validating if the application components for notes are installed in SAP systems. Security notes for components that are not installed are marked as ‘Irrelevant’. Irrelevant notes can be removed using filters to improve the quality and reliability of results in System Recommendations.
The Cybersecurity Extension for SAP also enriches SysRec results by including information such as the CVE, CVSS and Vector for each note. This information supports the analysis and prioritizing of security notes based on risk and impact.
Regularly patching SAP systems is the single most important action you can take to secure business-critical SAP applications from cyber threats. Despite the concern surrounding zero-day vulnerabilities, every known SAP exploit targets existing vulnerabilities patched by SAP through security notes. In other words, there is no evidence of the exploitation of zero-day vulnerabilities for SAP applications. However, there is a multitude of evidence for the exploitation of known vulnerabilities that have been fully patched by SAP.
This includes well-known SAP vulnerabilities such as ICMAD, RECON and 10KBLAZE. Notes 3123396 and 3123427 patch SAP for ICMAD. Note 2934135 secures SAP against RECON exploits. Protection against 10KBLAZE can be applied through notes 1408081, 821875, and 1421005. Some the notes for 10KBLAZE have been available since 2006. This is 13 years before CISA released an alert for the exploits.
Organizations take an average of three months to implement hot news notes for critical SAP vulnerabilities. Yet threat actors can weaponize SAP vulnerabilities within 72 hours of a patch release. Therefore, it is important to minimize the window of opportunity for attackers by rapidly discovering, analyzing and implementing SAP security notes.
Most software tools for SAP patch management automate the discovery of SAP security notes but do not support notes analysis and implementation. System Recommendations (SysRec) is the only solution that supports the full lifecycle of SAP security notes. SysRec is a standard application in SAP Solution Manager, recommended by SAP for patch management. It is automatically enabled during the installation and setup of Solution Manager.
Discovery
For notes discovery, SysRec performs a daily check for the latest security notes. Therefore, customers are notified immediately as soon as new notes are released by SAP. SysRec connects directly to the SAP Support Portal to identify new notes. It calculates relevant notes based on software information for SAP systems stored in the Landscape Management Database (LMDB). The LMDB is synced to the SAP NetWeaver System Landscape Directory (SLD). The SLD is the source of system information in SAP landscapes including installed software components, databases and operating systems and the versions of components and platforms. Notes calculation takes into account the implementation status of notes. Therefore, fully implemented notes are automatically excluded by SysRec.
It is important to note that the results returned by SysRec are based on installed components, regardless of usage. All installed components must be maintained and patched even if they are not actively used since they are part of the attack surface.
System Recommendations is widely used by SAP administrators to manage not only SAP security notes but also correction, legal, performance and other notes. SAP security teams that rely on third party solutions for notes discovery often clash with SAP administrators since security notes returned by their tools do not align with the results of SysRec. SAP administrators are inclined to trust the results of SAP applications such as SysRec over third party solutions. This can lead to disputes and delays within organizations as SAP administration and security teams fail to align on the notes that should be implemented. The risk is avoided when both teams use System Recommendations and are therefore aligned on the required security notes.
Analysis
SysRec supports detailed notes analysis through integration with Usage and Procedure Logging (UPL) and the ABAP Call Monitor (SCMON). UPL and SCMON support change impact analysis by revealing function modules, methods, programs and other objects impacted by security notes before they are applied. It includes usage statistics for impacted objects. This information enables SAP administrators to determine the scope and extent of testing for security notes. Notes impacting many objects with high usage counts may require detailed integration or regression testing. Conversely, notes impacting few objects with low usage counts indicates that customers may be able to employ less complex and more rapid test approaches such as smoke tests. Change impact analysis in SysRec provides the insights required by SAP customers to pinpoint the effect of security notes in SAP systems. This addresses the root cause of long patch cycles that increase the period of vulnerability for SAP systems.
Implementation
System Recommendations enables users to download corrections from the SAP Support Portal directly to the target SAP system. This is performed using the option for Integrated Desktop Actions. The user is prompted to select the target system before the download and can therefore select non-productive SIDs when analyzing notes for productive SIDs. SysRec automatically calls SNOTE in the target system after the download to apply the note.
Integrated Desktop Actions also enables users to create a Request for Change (RfC) in Change and Request Management (ChaRM) for security notes. ChaRM is commonly used by SAP customers to manage the lifecycle of SAP changes and includes workflows to control requests including phases for requirements, approval, testing, and promotion to production.
If you would like to learn more about patching SAP systems using System Recommendations, request a pre-release of Layer Seven Security’s new whitepaper for SAP Security Patching, scheduled for Q3 2022.
Log4JShell is one of the most dangerous security vulnerabilities in decades. It can be exploited remotely with minimal complexity and without authentication to execute arbitrary code that could lead to the complete compromise of vulnerable applications.
Log4Shell impacts Log4J, a widely installed open-source Java logging utility. A dangerous zero-day remote code execution vulnerability in Log4J was reported in November last year. The vulnerability was patched in December and published in the National Vulnerability Database on December 12 as CVE-2021-44228.
Log4Shell was added to the Known Exploited Vulnerabilities (KEV) Catalog by the Cybersecurity and Infrastructure Security Agency (CISA) due to evidence of widespread active exploitation of the vulnerability by multiple threat actors. This includes nation state groups originating from China, Iran, Russia and North Korea. According to some reports, threat actors are exploiting the vulnerability to deploy ransomware payloads or to gain access to target networks. The access is then brokered to other threat actors.
Log4J is bundled in multiple SAP solutions including products such as SAP HANA and SAP Process Orchestration. Download the new whitepaper from Layer Seven Security to learn to mitigate and detect Log4Shell in SAP applications. The whitepaper includes a detailed breakdown of the vulnerability, guidance for patching and securing SAP solutions, and recommendations for detecting Log4shell signatures and indicators of compromise.
The Cybersecurity and Infrastructure Security Agency (CISA) has designated the recent Log4J vulnerability as one of the most serious in decades and urged organizations to immediately address the vulnerability in applications.
Log4j is an open-source logging framework maintained by the Apache Foundation. The framework includes the API Java Naming and Directory Interface (JNDI). Strings passed through JNDI can force Log4J to query remote LDAP or other servers, download serialized Java code from the malicious servers, and execute the code during deserialization if message lookup substitution is enabled. This can lead to the complete compromise of impacted applications and systems. The remote code execution vulnerability impacts all versions of Log4J2 up to and including 2.14.1 in Java 8 or higher.
Message lookup substitution is disabled by default in Log4j 2.15.0. It has been removed altogether from 2.16.0. Therefore, customers should upgrade to the latest version of Log4J. The vulnerability is addressed by CVE-2021-44228 which has a base CVSS score of 10.0.
CISA has added CVE-2021-44228 to the Known Exploited Vulnerabilities Catalog due to evidence of widespread active exploitation of the vulnerability by multiple threat actors. This includes nation state groups originating from China, Russia, Iran, and North Korea. According to some reports, threat actors are exploiting the vulnerability to deploy ransomware payloads or to gain access to target networks. The access is then brokered to other threat actors.
Log4J is included in multiple SAP applications including SAP HANA XSA. The central note 3131047 includes available patches for impacted solutions. Refer to the SAP’s official response for details of all impacted products. Note 3129883 includes manual procedures for a workaround that will disable the loading of external code in Log4J using the J2EE Config Tool.
The Cybersecurity Extension for SAP identifies vulnerable SAP systems that have not been patched for the Log4J vulnerability. It also detects and alerts for suspected exploits targeted against SAP Java and Web Dispatcher installations based on exploit signatures. This includes known obfuscations and bypass methods.
The US Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 22-01 on November 3 to compel government departments and agencies to remediate specific vulnerabilities with known exploits. According to CISA, the vulnerabilities pose a significant risk to information systems. This includes several vulnerabilities for SAP applications that must be remediated by May 3, 2022. Agencies have 60 days to review and update their vulnerability management policies in accordance with the Directive.
The Directive addresses weaknesses with the Common Vulnerability Scoring System (CVSS) used for rating Common Vulnerabilities and Exposures (CVE) in the National Vulnerability Database (NVD). CVSS does not take into account active exploitations for vulnerabilities. Most critical CVEs are highly complex and have no known exploits. The Directive shifts the focus to CVEs with active threats. These vulnerabilities are prioritized for remediation and are classified in the CISA catalog for Known Exploited Vulnerabilities (KEV).
The catalog includes six CVEs for SAP applications.
CVE-2010-5326 is for the invoker servlet implemented in the InvokerServletclass within the Web Container of the J2EE for SAP NetWeaver Application Java (AS Java). The invoker servlet is vulnerable to authentication bypass, enabling remote attackers to execute arbitrary code via HTTP or HTTPS requests. The servlet is disabled by default in higher versions of AS Java. Refer to SAP note 1445998 for disabling the relevant property of the servlet_jsp service on server nodes. SAP also recommends scanning or reviewing application code to identify the usage of servlets with the prefix “/servlet/”. Applications should use local servlets only that are defined in web.xml files. Auth constraints in web xml files are recommended to restrict the invoking of the servlet to users with an administrative role.
CVE-2016-3976 relates to a directory traversal vulnerability in AS Java that could be exploited to read arbitrary files from servers remotely and without authentication using CrashFileDownloadServlet. Note 2234971 provides a patch for the LM-CORE to address the CVE.
CVE-2020-6287 is for the RECON vulnerability in the LM Configuration Wizard of AS Java. Attackers can exploit a missing authentication check in the CTCWebService to perform administrative functions such as creating privileged users. Note 2934135 includes a patch to validate user input for log paths and block arbitrary log file locations and extensions.
CVE-2018-2380 relates to a directory traversal vulnerability in SAP CRM. There is a publicly-available exploit for the CVE that could be deployed to perform remote code execution through log file injection. Note 2547431 includes a patch to validate user input for log paths and block arbitrary log file locations and extensions.
CVE-2016-9563 is for a Denial of Service vulnerability in a BPM service within AS Java. This CVE also has a publicly-available exploit. Note 2296909 disables the resolving of external entities during XML parsing to address the CVE.
CVE-2020-6207 relates to a missing authentication check for the SAP EEM servlet in SAP Solution Manager. A module for the Metasploit penetration framework automates the exploitation of the CVE. This could be exploited to execute OS commands on connected SMDAgents via the /EemAdminService/EemAdmin page for User Experience Monitoring. Note 2890213 includes a patch for the impacted LM-SERVICE software component and instructions for a temporary workaround involving enabling authentication for the EemAdmin service in the Java stack of Solution Manager.
The Cybersecurity Extension for SAP is an SAP-certified solution that automates the discovery of applications vulnerable to the CVEs for SAP applications in the KEV catalog. It also monitors SAP logs to detect the signature of exploits targeting the CVEs and provides mechanisms to investigate and respond to the exploits.
The SYSTEM user is the most powerful database user in SAP HANA with system-wide privileges including permissions to create and maintain other users, perform system changes, stop and start services, and create and drop databases and tables. The user is created during the initial setup of SAP HANA. Once the system is setup, the SYSTEM user should be deactivated and other users should be created for administrative tasks. The user is not required for HANA updates but should be reactivated for system upgrades, installations and migrations. This includes support stack and enhancement pack upgrades.
Since the SYSTEM user is a well-known administrative user with full system privileges, it is often targeted by threat actors. This article outlines measures to secure the user against attacks and detect and alert for actions performed by the user.
1. Reset Initial Password
Initial passwords for the SYSTEM user for both the system database and the first tenant database are set by hardware partners or administrators. The password should be reset immediately after the handover. The reset can be performed using SQL statements or the SAP HANA cockpit by a user with the USER ADMIN or DATABASE ADMIN privilege. Password resets can also be performed by the <sid>adm user from the system database.
2. Deactivate the User
The SYSTEM should not be used for data-to-day activities, especially in production systems. Create alternative dedicated users for each administrative scenario and then deactivate the SYSTEM user. The user can be temporarily reactivated for emergency tasks, when required. Deactivation can be performed using the SQL statement ALTER USER SYSTEM DEACTIVATE USER NOW and reactivation using the statement ALTER USER SYSTEM ACTIVATE USER NOW. The status of the user can be confirmed by reviewing the values in the columns USER_DEACTIVATED, DEACTIVATION_TIME, and LAST_SUCCESSFUL_CONNECT for the SYSTEM user in the USERS system view.
3. Create Audit Policies
Configure audit policies to log for all actions performed by the SYSTEM user and changes to the user such as password changes and user activation/ deactivation. Once activated, the policies will automatically log events to the audit trail. Audit policies can be created using SQL statements or the Auditing tab of the SAP HANA cockpit with the AUDIT ADMIN privilege. Actions should include both successful and unsuccessful events. Events can be written to one of the supported audit trail targets specified in each policy or the default audit trail if none is specified. Maximum retention periods can also be specified for each policy.
4. Monitor the Audit Trail
Monitor HANA audit logs using System Monitoring in SAP Solution Manager. Configure automated alerts and email/ SMS notifications for actions performed by the SYSTEM user or changes to the user. Integrate alerts with SIEM systems for SOC monitoring. Finally, investigate alerts using guided procedures in SAP Solution Manager.
Software supply chain attacks are advanced cyberattacks that target information systems through third party software. Threat actors compromise systems and data by exploiting software builds or interfaces for trusted software. This enables attackers to introduce malware without detection including backdoors.
The recent software supply chain attack experienced by SolarWinds is widely regarded as one of the most devastating cyber attacks in history. It impacted as many as 425 of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US Military, the Pentagon, the State Department, the world’s largest cybersecurity firm, as well as thousands of organizations worldwide. The attack cost affected companies an average of $12M.
Download the whitepaper from Layer Seven Security for guidance on securing software supply chains in SAP landscapes. The whitepaper outlines the threat vectors that could be exploited by attackers to compromise third party software that support SAP applications. It provides practical steps for minimizing third party software and external connections in SAP landscapes, avoiding the use of open source components, and monitoring third party software. The steps are aligned to the Cyber Supply Chain Risk Management (C-SCRM) practices recommended by the National Institute of Standards and Technology (NIST).
The recent attack at Colonial Pipeline has demonstrated the devastating impact of ransomware on critical infrastructure. According to the Department of Homeland Security, ransomware attacks have increased by 300% over the past year, impacting all industries and sectors. The average downtime from an attack is 21 days. Full recovery takes an average of 287 days.
Ransomware can impact SAP systems through vulnerable operating systems. However, securing SAP hosts alone does not safeguard SAP systems from ransomware. Attackers can exploit trust relationships between SAP applications and underlying operating systems to execute privileged OS commands that avoid detection. This can include commands that enable threat actors to transfer, install and execute ransomware tools.
The newly released guide Protecting SAP Systems from Ransomware includes actions you can take to secure your business-critical SAP systems from ransomware. It provides an integrated strategy for:
Identifying and prioritizing critical SAP assets and infrastructure;
Hardening SAP systems to reduce the attack surface;
Activating and monitoring SAP logs to detect suspected attacks; and
Backing up and restoring SAP systems to minimize the downtime from successful attacks.
The guide also discusses how to use SAP Solution Manager to support your anti-ransomware program, from identifying and removing vulnerabilities that could be exploited to attack your systems to detecting and alerting for suspected security breaches.