Layer Seven Security

Whitepaper: Securing SAP Solutions from Log4Shell

Log4JShell is one of the most dangerous security vulnerabilities in decades. It can be exploited remotely with minimal complexity and without authentication to execute arbitrary code that could lead to the complete compromise of vulnerable applications.

Log4Shell impacts Log4J, a widely installed open-source Java logging utility. A dangerous zero-day remote code execution vulnerability in Log4J was reported in November last year. The vulnerability was patched in December and published in the National Vulnerability Database on December 12 as CVE-2021-44228.

Log4Shell was added to the Known Exploited Vulnerabilities (KEV) Catalog by the Cybersecurity and Infrastructure Security Agency (CISA) due to evidence of widespread active exploitation of the vulnerability by multiple threat actors. This includes nation state groups originating from China, Iran, Russia and North Korea. According to some reports, threat actors are exploiting the vulnerability to deploy ransomware payloads or to gain access to target networks. The access is then brokered to other threat actors.

Log4J is bundled in multiple SAP solutions including products such as SAP HANA and SAP Process Orchestration. Download the new whitepaper from Layer Seven Security to learn to mitigate and detect Log4Shell in SAP applications. The whitepaper includes a detailed breakdown of the vulnerability, guidance for patching and securing SAP solutions, and recommendations for detecting Log4shell signatures and indicators of compromise.

DOWNLOAD

Securing SAP Systems from Log4J Exploits

The Cybersecurity and Infrastructure Security Agency (CISA) has designated the recent Log4J vulnerability as one of the most serious in decades and urged organizations to immediately address the vulnerability in applications.  

Log4j is an open-source logging framework maintained by the Apache Foundation. The framework includes the API Java Naming and Directory Interface (JNDI). Strings passed through JNDI can force Log4J to query remote LDAP or other servers, download serialized Java code from the malicious servers, and execute the code during deserialization if message lookup substitution is enabled. This can lead to the complete compromise of impacted applications and systems. The remote code execution vulnerability impacts all versions of Log4J2 up to and including 2.14.1 in Java 8 or higher.

Message lookup substitution is disabled by default in Log4j 2.15.0. It has been removed altogether from 2.16.0. Therefore, customers should upgrade to the latest version of Log4J. The vulnerability is addressed by CVE-2021-44228 which has a base CVSS score of 10.0.

CISA has added CVE-2021-44228 to the Known Exploited Vulnerabilities Catalog due to evidence of widespread active exploitation of the vulnerability by multiple threat actors. This includes nation state groups originating from China, Russia, Iran, and North Korea. According to some reports, threat actors are exploiting the vulnerability to deploy ransomware payloads or to gain access to target networks. The access is then brokered to other threat actors.

Log4J is included in multiple SAP applications including SAP HANA XSA. The central note 3131047 includes available patches for impacted solutions. Refer to the SAP’s official response for details of all impacted products. Note 3129883 includes manual procedures for a workaround that will disable the loading of external code in Log4J using the J2EE Config Tool.

The Cybersecurity Extension for SAP identifies vulnerable SAP systems that have not been patched for the Log4J vulnerability. It also detects and alerts for suspected exploits targeted against SAP Java and Web Dispatcher installations based on exploit signatures. This includes known obfuscations and bypass methods.

CISA Issues Directive for Actively Exploited SAP Vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 22-01 on November 3 to compel government departments and agencies to remediate specific vulnerabilities with known exploits. According to CISA, the vulnerabilities pose a significant risk to information systems. This includes several vulnerabilities for SAP applications that must be remediated by May 3, 2022. Agencies have 60 days to review and update their vulnerability management policies in accordance with the Directive.

The Directive addresses weaknesses with the Common Vulnerability Scoring System (CVSS) used for rating Common Vulnerabilities and Exposures (CVE) in the National Vulnerability Database (NVD). CVSS does not take into account active exploitations for vulnerabilities. Most critical CVEs are highly complex and have no known exploits. The Directive shifts the focus to CVEs with active threats. These vulnerabilities are prioritized for remediation and are classified in the CISA catalog for Known Exploited Vulnerabilities (KEV).

The catalog includes six CVEs for SAP applications.

CVE-2010-5326 is for the invoker servlet implemented in the InvokerServletclass within the Web Container of the J2EE for SAP NetWeaver Application Java (AS Java). The invoker servlet is vulnerable to authentication bypass, enabling remote attackers to execute arbitrary code via HTTP or HTTPS requests. The servlet is disabled by default in higher versions of AS Java. Refer to SAP note 1445998 for disabling the relevant property of the servlet_jsp service on server nodes. SAP also recommends scanning or reviewing application code to identify the usage of servlets with the prefix “/servlet/”. Applications should use local servlets only that are defined in web.xml files. Auth constraints in web xml files are recommended to restrict the invoking of the servlet to users with an administrative role.  

CVE-2016-3976 relates to a directory traversal vulnerability in AS Java that could be exploited to read arbitrary files from servers remotely and without authentication using CrashFileDownloadServlet. Note 2234971 provides a patch for the LM-CORE to address the CVE.

CVE-2020-6287 is for the RECON vulnerability in the LM Configuration Wizard of AS Java. Attackers can exploit a missing authentication check in the CTCWebService to perform administrative functions such as creating privileged users. Note 2934135 includes a patch to validate user input for log paths and block arbitrary log file locations and extensions.

CVE-2018-2380 relates to a directory traversal vulnerability in SAP CRM.  There is a publicly-available exploit for the CVE that could be deployed to perform remote code execution through log file injection. Note 2547431 includes a patch to validate user input for log paths and block arbitrary log file locations and extensions.

CVE-2016-9563 is for a Denial of Service vulnerability in a BPM service within AS Java. This CVE also has a publicly-available exploit. Note 2296909 disables the resolving of external entities during XML parsing to address the CVE.

CVE-2020-6207​ relates to a missing authentication check for the SAP EEM servlet in SAP Solution Manager. A module for the Metasploit penetration framework automates the exploitation of the CVE. This could be exploited to execute OS commands on connected SMDAgents via the /EemAdminService/EemAdmin page for User Experience Monitoring. Note 2890213 includes a patch for the impacted LM-SERVICE software component and instructions for a temporary workaround involving enabling authentication for the EemAdmin service in the Java stack of Solution Manager.

The Cybersecurity Extension for SAP is an SAP-certified solution that automates the discovery of applications vulnerable to the CVEs for SAP applications in the KEV catalog. It also monitors SAP logs to detect the signature of exploits targeting the CVEs and provides mechanisms to investigate and respond to the exploits.  

Securing the SYSTEM User in SAP HANA

The SYSTEM user is the most powerful database user in SAP HANA with system-wide privileges including permissions to create and maintain other users, perform system changes, stop and start services, and create and drop databases and tables. The user is created during the initial setup of SAP HANA. Once the system is setup, the SYSTEM user should be deactivated and other users should be created for administrative tasks. The user is not required for HANA updates but should be reactivated for system upgrades, installations and migrations. This includes support stack and enhancement pack upgrades.

Since the SYSTEM user is a well-known administrative user with full system privileges, it is often targeted by threat actors. This article outlines measures to secure the user against attacks and detect and alert for actions performed by the user.

1. Reset Initial Password

Initial passwords for the SYSTEM user for both the system database and the first tenant database are set by hardware partners or administrators. The password should be reset immediately after the handover. The reset can be performed using SQL statements or the SAP HANA cockpit by a user with the USER ADMIN or DATABASE ADMIN privilege. Password resets can also be performed by the <sid>adm user from the system database.

2. Deactivate the User

The SYSTEM should not be used for data-to-day activities, especially in production systems. Create alternative dedicated users for each administrative scenario and then deactivate the SYSTEM user. The user can be temporarily reactivated for emergency tasks, when required. Deactivation can be performed using the SQL statement ALTER USER SYSTEM DEACTIVATE USER NOW and reactivation using the statement ALTER USER SYSTEM ACTIVATE USER NOW. The status of the user can be confirmed by reviewing the values in the columns USER_DEACTIVATED, DEACTIVATION_TIME, and LAST_SUCCESSFUL_CONNECT for the SYSTEM user in the USERS system view.

3. Create Audit Policies

Configure audit policies to log for all actions performed by the SYSTEM user and changes to the user such as password changes and user activation/ deactivation. Once activated, the policies will automatically log events to the audit trail. Audit policies can be created using SQL statements or the Auditing tab of the SAP HANA cockpit with the AUDIT ADMIN privilege. Actions should include both successful and unsuccessful events. Events can be written to one of the supported audit trail targets specified in each policy or the default audit trail if none is specified. Maximum retention periods can also be specified for each policy.

4. Monitor the Audit Trail

Monitor HANA audit logs using System Monitoring in SAP Solution Manager. Configure automated alerts and email/ SMS notifications for actions performed by the SYSTEM user or changes to the user. Integrate alerts with SIEM systems for SOC monitoring. Finally, investigate alerts using guided procedures in SAP Solution Manager.

Securing Software Supply Chains for SAP Systems

Software supply chain attacks are advanced cyberattacks that target information systems through third party software. Threat actors compromise systems and data by exploiting software builds or interfaces for trusted software. This enables attackers to introduce malware without detection including backdoors.

The recent software supply chain attack experienced by SolarWinds is widely regarded as one of the most devastating cyber attacks in history.  It impacted as many as 425 of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US Military, the Pentagon, the State Department, the world’s largest cybersecurity firm, as well as thousands of organizations worldwide. The attack cost affected companies an average of $12M.

Download the whitepaper from Layer Seven Security for guidance on securing software supply chains in SAP landscapes. The whitepaper outlines the threat vectors that could be exploited by attackers to compromise third party software that support SAP applications. It provides practical steps for minimizing third party software and external connections in SAP landscapes, avoiding the use of open source components, and monitoring third party software. The steps are aligned to the Cyber Supply Chain Risk Management (C-SCRM) practices recommended by the National Institute of Standards and Technology (NIST).

Protecting SAP Systems from Ransomware

The recent attack at Colonial Pipeline has demonstrated the devastating impact of ransomware on critical infrastructure. According to the Department of Homeland Security, ransomware a­ttacks have increased by 300% over the past year, impacting all industries and sectors. The average downtime from an att­ack is 21 days. Full recovery takes an average of 287 days.

Ransomware can impact SAP systems through vulnerable operating systems. However, securing SAP hosts alone does not safeguard SAP systems from ransomware. Att­ackers can exploit trust relationships between SAP applications and underlying operating systems to execute privileged OS commands that avoid detection. This can include commands that enable threat actors to transfer, install and execute ransomware tools.

The newly released guide Protecting SAP Systems from Ransomware includes actions you can take to secure your business-critical SAP systems from ransomware. It provides an integrated strategy for:

  • Identifying and prioritizing critical SAP assets and infrastructure;
  • Hardening SAP systems to reduce the attack surface;
  • Activating and monitoring SAP logs to detect suspected attacks; and
  • Backing up and restoring SAP systems to minimize the downtime from successful attacks.

The guide also discusses how to use SAP Solution Manager to support your anti-ransomware program, from identifying and removing vulnerabilities that could be exploited to attack your systems to detecting and alerting for suspected security breaches.

DOWNLOAD

Cybersecurity Extension for SAP Identifies Signatures of Active SAP Cyberattacks

Earlier this month, SAP issued a joint report with a security research firm to highlight active cyber threats targeting SAP applications. According to the report, there is conclusive evidence that attackers are actively targeting and exploiting unsecured SAP applications. The report also reveals that some SAP vulnerabilities are being weaponized in less than 72 hours from the release of SAP patches.  Unprotected cloud installations of SAP are being discovered and compromised in less than 3 hours.

The investigation performed for the report identified over 300 successful exploitations of SAP systems. This included attempts to modify users and configurations and exfiltrate business information. Most of the exploits targeted the six CVEs below. Although the vulnerabilities have been patched by SAP, many organizations have not applied the recommended mitigations to protect SAP systems.

CVE-2010-5326 (SAP Security Note 1445998)
CVE-2018-2380 (SAP Security Note 2547431)
CVE-2016-3976 (SAP Security Note 2234971)
CVE-2016-9563 (SAP Security Note 2296909)
CVE-2020-6287 (SAP Security Note 2934135)
CVE-2020-6207 (SAP Security Note 2890213)

SAP recommends customers to immediately assess vulnerable systems to identify indicators of compromise such as unauthorized privileged users. The assessment should include systems within SAP landscapes that are connected to the vulnerable targets. The related SAP security notes and recommendations should also be applied in impacted systems.

SAP also urges customers to implement appropriate cybersecurity measures to protect SAP applications. The Cybersecurity Extension for SAP is an SAP-certified solution that performs automated vulnerability management, threat detection and incident response to secure SAP systems from cyber threats. This includes exploits that target the CVEs highlighted in the report. The Extension detects misconfigured and unpatched systems. It also detects the signatures of exploits that target the CVEs, triggers alerts and notifications for suspected breaches, and provides guided procedures for investigating incidents. To learn more, contact Layer Seven Security.

Layer Seven Security’s Cybersecurity Extension for SAP® Solutions Achieves SAP® Certification as Integrated with SAP NetWeaver®

Toronto, Canada – March 8, 2021 – Layer Seven Security today announced its Cybersecurity Extension v3.4 for SAP® Solutions has achieved SAP®-certified integration with the SAP NetWeaver® technology platform.  The solution has been proven to integrate with SAP solutions, providing automated vulnerability management, threat detection and incident response for SAP applications and infrastructure.

“We are delighted to announce that our Cybersecurity Extension v3.4 for SAP Solutions has achieved SAP-certified integration with SAP NetWeaver,” said Ian Thomson, Chief Operating Officer at Layer Seven Security.  “The certification will support the successful integration of the extension in SAP landscapes, helping customers to protect business-critical SAP systems against the threat of cyber attacks.”

The SAP® Integration and Certification Center (SAP ICC) has certified that Cybersecurity Extension v3.4 for SAP Solutions integrates with SAP NetWeaver. Technology or infrastructure products that have SAP-certified integration with SAP NetWeaver have proven to interoperate with the technology platform.

The Cybersecurity Extension for SAP Solutions is now listed in the SAP Certified Solutions Directory.

Layer Seven Security is a partner in the SAP PartnerEdge® program. As such, it is empowered to build, market and sell software applications on top of market-leading technology platforms from SAP. The SAP PartnerEdge program provides the enablement tools, benefits, and support to facilitate building high-quality, disruptive applications focused on specific business needs – quickly and cost-effectively. The program provides access to all relevant SAP technologies in one simple framework under a single, global contract.

About Layer Seven Security

Layer Seven Security is an SAP partner, headquartered in Toronto, Canada. The company’s Cybersecurity Extension for SAP® Solutions performs advanced security diagnostics and monitoring for SAP systems. The Extension delivers real-time security intelligence for cloud and on-premise SAP systems including SAP HANA®, ABAP® and J2EE platforms. It supports security monitoring across the SAP system stack including application, database, operating system, and program layers, as well as components such as the SAProuter and SAP Web Dispatcher. 

###

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries. Please see https://www.sap.com/copyright for additional trademark information and notices. All other product and service names mentioned are the trademarks of their respective companies.

Any statements in this release that are not historical facts are forward-looking statements as defined in the U.S. Private Securities Litigation Reform Act of 1995. All forward-looking statements are subject to various risks and uncertainties described in SAP’s filings with the U.S. Securities and Exchange Commission, including its most recent annual report on Form 20-F, that could cause actual results to differ materially from expectations. SAP cautions readers not to place undue reliance on these forward-looking statements which SAP has no obligation to update and which speak only as of their dates.

Securing the Web Dispatcher with the Cybersecurity Extension for SAP

The SAP Web Dispatcher is an application gateway that filters Internet based traffic to SAP systems including HTTP requests. As an entry point for Web-based communications in SAP landscapes, the Web Dispatcher can help to secure remote access to SAP systems by enforcing security standards for external connections and filtering connection requests.

However, the Web Dispatcher can also be the focal point for attackers looking for an externally reachable pathway to SAP systems. Therefore, it is critical to secure the Web Dispatcher against misuse and prevent attackers from compromising SAP landscapes through poorly configured gateways.

The Web Dispatcher should be regularly patched and updated to prevent attackers from exploiting known program-level vulnerabilities. You should monitor composite note 538405 to stay up-to-date with the latest Web Dispatcher versions.  

Default error messages that disclose sensitive information to attackers should be blocked and replaced with custom messages.

The admin port for the Web Dispatcher should not be accessible from external networks. Administration should be restricted to internal hosts. Public monitoring information in the Web admin interface should be blocked.

SSL should be enforced for connections including communications between the Web Dispatcher and back-end systems and metadata exchange with message servers and application servers.

Finally, filtering should be enabled to enforce positive or negative lists for access requests. The Web Dispatcher supports multiple filtering mechanisms including ACL files and authentication handlers.  ACL files can be used if access should be filtered based on client IP address or IP range. Authentication handlers should be used if requests need to be filtered for specific URLs. Both approaches support logging of successful and unsuccessful requests.  Access to the following URLs should be blocked or restricted:

/sap/public/icman/*
/sap/public/ping
/sap/public/icf_info/*
/sap/wdisp/info

The Cybersecurity Extension for SAP monitors the security of the Web Dispatcher using the SAP Solution Manager platform. The SAP-certified addon detects vulnerable Web Dispatcher versions and patch levels, improper error handling that could lead to information disclosure, the use of insecure Web Dispatcher settings, protocols, and filters, and calls to critical URLs captured in Web Dispatcher logs.

Compliance Reporting for the SAP Security Baseline

The SAP Security Baseline is a widely used benchmark for securing SAP applications. The benchmark includes SAP recommendations for system hardening, authentication and authorization, logging and auditing, and other areas. The recommendations draw on SAP security notes, guides and whitepapers.  The SAP Security Baseline was updated by SAP earlier this year and provides an up-to-date framework for safeguarding SAP ABAP, HANA and Java systems against known vulnerabilities and threats. Note 2253549 includes a link to the latest version of the framework.

The Cybersecurity Extension for SAP Solution Manager performs automated gap assessments for SAP systems against the SAP Security Baseline. The extension identifies compliance gaps in SAP systems to highlight configuration, user and other issues that do not meet SAP requirements defined in the baseline. The extension eliminates the need for periodic, manual audits and supports on-demand compliance reporting.

Control gaps are automatically discovered via daily background jobs. The gaps are reported in the Compliance Report application, accessible from the Fiori launchpad for SAP Solution Manager.

The SAP Security Baseline template can be selected from the list of supported frameworks.

There are optional filters to select specific baseline requirements and systems based on environment or priority. Reports can also be filtered to include or exclude requirements based on risk rating and compliance result.  Once the framework and system is selected, users can select Go to view the results.

The overall compliance level for the system is displayed the report header. The results for each requirement of the SAP Security Baseline are displayed in the main body of the report.  

Users can drilldown into each requirement to review the results for specific controls. Control ratings and descriptions are included in the report to support analysis.

Reports can be exported to CSV or PDF. The Report Detail option specifies whether results are exported at the Requirement, Control or Description level.

Users can also save shortcuts for prefiltered reports to the Fiori launchpad.