
Security

139 Posts

Today we continue our series of articles describing the 33 steps of an SAP security assessment. In the previous articles we presented the list of the 9 most critical business application security issues [1], covered patch management flaws [2], described default passwords for access to the application [3] and discussed unnecessary functionality [4].


The subject matters not only to the small community of SAP infosec specialists but to everyone who works with ERP systems, as awareness of business data protection problems has grown in recent years. Without further ado, let us get to the topic.

The SAP NetWeaver platform includes not only the Dispatcher service, which handles SAP GUI user connections, but a whole range of other services. Each of them listens on a network port and accepts remote connections. Some of them grant administrative access and remote administration functions; others expose technical services, such as the load-balancing function of the SAP Message Server and the remote administration interface of the SAP Management Console.

 

These services can be reached from the corporate intranet or, if exposed, from the Internet. Worse, if they are configured insecurely, they can be managed remotely without any authentication.

 

This section therefore covers the most critical of these services. Access to them should be restricted even inside the corporate intranet, not only at the Internet perimeter.


Further steps


Besides the services discussed here, the system runs other, less critical and less widespread services (e.g. the Message Server HTTP port). Access to them should be restricted as well. For a full list of SAP services, see the “TCP/IP Ports Used by SAP Applications” paper [5]; which ports are actually open depends on the components installed on each particular system.

It is also advisable to check for third-party services that may be enabled on the same server, such as remote administration interfaces of the DBMS, remote monitoring agents, backup systems, etc. Access to them should be restricted by authentication at both the network and the application level wherever possible.


[EASAI-NA-11] Unauthorized access to the SAPControl (SAP MMC) service functions


Description


The SAP Start Service is started on each host together with the SAP instance. On Windows the process is sapstartsrv.exe, on UNIX sapstartsrv. The SAP Start Service provides the following functions for monitoring the SAP system, instance and processes:


  • start and stop;
  • monitoring the active state;
  • reading logs, trace files and configuration files;
  • technical information, for example, on network ports, active sessions, etc.


These functions are exposed through the SAPControl SOAP web service and are used by the SAP monitoring tools (SAP Management Console, NetWeaver Administrator and others). On startup the service listens on the following ports:


  • HTTP port 5<xx>13 (or sapctrl<xx> in /etc/services), where <xx> is the instance number;
  • HTTPS port 5<xx>14 (or sapctrls<xx> in /etc/services), where <xx> is the instance number.


For example, for instance 00 the service listens on HTTP port 50013 and HTTPS port 50014 [6]. The service allows reading various system data without any authentication, but requires user authentication for protected operations such as starting or stopping the SAP instance. sapstartsrv maintains an internal list of protected operations (the default list differs between releases); if necessary, the list can be changed with the service/protectedwebmethods parameter.


Threat


Through the many unprotected methods, an attacker can read system configuration data, request the system status and read log and trace files, which may contain user passwords or HTTP session identifiers. This data can then be used to mount more critical attacks.


Solution


In accordance with SAP Security Note 1600846 [7], the sapstartsrv configuration must be changed: set the parameter service/protectedwebmethods to DEFAULT in the default system profile (DEFAULT.PFL) and restart all sapstartsrv processes in the cluster to apply the change. The value DEFAULT protects the built-in list of critical methods. The value ALL (every method requires authentication) can be used instead, but is usually considered excessive, because it also breaks unauthenticated monitoring; the parameter and its values are described in detail in SAP Security Note 927637 [8].

Implementing SAP Security Note 1439348 [9] together with its related recommendations is an additional measure against this vulnerability.

It is also advisable to restrict access to this service by IP address. To do this, define an Access Control List (ACL) file and point the parameters service/http/acl_file and service/https/acl_file to it.


[EASAI-NA-12] Unauthorized access to the SAPHostControl service functions


Description


The SAP Host Agent is a component for managing, controlling and monitoring other components. It consists of the following services and programs:


  • SAPHostExec is a control program that runs under the root (UNIX) or LocalSystem (Windows) account. It controls all functions that require these privileges, such as the saposcol and sapacosprep OS collectors. It communicates with sapstartsrv in host mode over a local socket, which provides a fast and secure connection (see the picture). It is started together with the host.
  • DB4STATS and SAPILED are the programs that provide the SAP Database Performance Collector and the SAP ILE daemon on IBM i, respectively.
  • SAPHostControl (sapstartsrv in host mode) is the SAP NetWeaver management agent: an instance of the sapstartsrv executable running in host mode under the sapadm user. It listens on TCP port 1128. It is therefore responsible not for a particular SAP instance but for monitoring the whole host, which is controlled centrally.


The profile used when the executable is started determines whether sapstartsrv runs in instance mode (with the corresponding instance profile) or in host mode (with the host's own profile, which may contain the parameters SAPSystem = 99 and SAPSystemName = SAP). [10]

Data is transmitted over SOAP, encapsulated in SSL if encryption has been set up. The service allows reading some system information without authentication. It has also had vulnerabilities that allow remote OS command execution.


Threat


A remote adversary can execute arbitrary code through an input validation error in the SAPHostControl service of SAP NetWeaver: the service does not properly validate data received on its SOAP management interface. With the SOAP interface listening on TCP port 1128, an adversary can exploit this to inject and execute arbitrary commands on the system with administrative privileges.

Many unprotected methods allow requesting system configuration or status data. Log and trace files that may contain user passwords or HTTP session identifiers can also be read. In addition, an OS command injection vulnerability allowed remote execution of OS commands (see SAP Security Note 1341333 [11]). This data can be used to mount more critical attacks.


Solution


The remote code execution vulnerability was fixed in May 2012 with SAP Security Note 1341333 [12].

SAP Security Note 1816536 [13], released in April 2012, prevents the information disclosure. Applying both security updates is therefore sufficient to fix these vulnerabilities.

To further secure the service, restrict access to it by IP address using a host firewall or network equipment, allowing connections only from the servers that collect data from it.
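The profile settings recommended for [EASAI-NA-11] (the protected web method list and the ACL files) and the unauthenticated probe of the service port can be checked with a short script. The following is an added example written for this article, not SAP's code and not part of the original post. The 5<xx>13/5<xx>14 port formula, the parameter names and the SAPHostControl port 1128 from [EASAI-NA-12] come from the text; the SOAP namespaces urn:SAPControl and urn:SAPHostControl, the endpoint path "/" and reading an HTTP 401 as "method protected" are assumptions about the services, and the profiles and responses are constructed samples.

```python
"""Audit helpers for the sapstartsrv (SAPControl) and SAPHostControl web services.
Added example, not SAP code. Endpoint path and SOAP namespaces are assumptions."""
import http.client
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAPCONTROL_NS = "urn:SAPControl"          # assumption: namespace of the sapstartsrv web service
SAPHOSTCONTROL_NS = "urn:SAPHostControl"  # assumption: namespace of the host agent web service
SAPHOSTCONTROL_PORT = 1128                # from the article: SAPHostControl listens here
HARDENED_VALUES = {"SDEFAULT", "DEFAULT", "ALL"}  # keywords that protect the critical methods


def sapcontrol_ports(instance_number):
    """HTTP and HTTPS ports of an instance's sapstartsrv: 5<xx>13 and 5<xx>14."""
    if not 0 <= instance_number <= 99:
        raise ValueError("SAP instance numbers have two digits")
    base = 50000 + 100 * instance_number
    return base + 13, base + 14


def parse_profile(text):
    """Parse 'name = value' lines of an SAP profile such as DEFAULT.PFL ('#' starts a comment)."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def audit_profile(text):
    """Findings for the two sapstartsrv settings recommended above."""
    params = parse_profile(text)
    findings = []
    # only the leading keyword is evaluated; '+Method'/'-Method' adjustments are ignored here
    keyword = (params.get("service/protectedwebmethods") or "NONE").split()[0].upper()
    if keyword not in HARDENED_VALUES:
        findings.append(f"service/protectedwebmethods is {keyword}: critical methods callable without authentication")
    for name in ("service/http/acl_file", "service/https/acl_file"):
        if not params.get(name):
            findings.append(f"{name} not set: the service accepts connections from any address")
    return findings


def soap_request(method, ns=SAPCONTROL_NS, **args):
    """SOAP envelope calling one web method (e.g. ListLogFiles) with no credentials."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    call = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"), f"{{{ns}}}{method}")
    for name, value in args.items():
        ET.SubElement(call, f"{{{ns}}}{name}").text = str(value)
    return ET.tostring(env, encoding="unicode")


def classify_response(status, body):
    """What an unauthenticated call reveals: 'protected' (401), 'open' (data returned) or 'fault'."""
    if status == 401:
        return "protected"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "fault"
    if status == 200 and root.find(f".//{{{SOAP_NS}}}Fault") is None:
        return "open"
    return "fault"


def probe(host, port, method, path="/", ns=SAPCONTROL_NS, timeout=5, **args):
    """Network call (not exercised offline): POST one method without credentials and classify
    the answer. For SAPHostControl use port 1128 and ns=SAPHOSTCONTROL_NS."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    headers = {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'}
    conn.request("POST", path, soap_request(method, ns, **args), headers)
    resp = conn.getresponse()
    return classify_response(resp.status, resp.read().decode("utf-8", "replace"))


# Constructed sample profiles and responses for the offline check.
INSECURE_PROFILE = """SAPSYSTEMNAME = PRD
SAPSYSTEM = 00
# service/protectedwebmethods and the ACL files are not set
"""
HARDENED_PROFILE = """SAPSYSTEMNAME = PRD
SAPSYSTEM = 00
service/protectedwebmethods = DEFAULT
service/http/acl_file = /usr/sap/PRD/SYS/global/sapctrl_acl
service/https/acl_file = /usr/sap/PRD/SYS/global/sapctrl_acl
"""
OPEN_RESPONSE = ('<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
                 '<SOAP-ENV:Body><ListLogFilesResponse xmlns="urn:SAPControl"><file>'
                 '<filename>dev_w0</filename></file></ListLogFilesResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>')
FAULT_RESPONSE = ('<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
                  '<SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode>'
                  '<faultstring>Permission denied</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>')

if __name__ == "__main__":
    print(sapcontrol_ports(0), audit_profile(INSECURE_PROFILE), audit_profile(HARDENED_PROFILE))
    print(classify_response(200, OPEN_RESPONSE), classify_response(500, FAULT_RESPONSE))
```

Running probe() against a live system with a method such as ListLogFiles or ReadLogFile is the practical test of the note: an "open" result means the method is not in the protected list and the log files can be read without a password.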


[EASAI-NA-13] Unauthorized access to the Message Server service functions


Description


The SAP Message Server is a system component that, on the one hand, manages communication between the application servers (dialog instances) of one SAP system and, on the other hand, balances the load of clients such as SAP GUI.


In releases below 7.0 a single Message Server port is used by both clients and application servers. Starting with release 7.0, the Message Server port is by default split into an internal and an external port: the internal port is used for application server connections, the external port for end-user connections.

To control which addresses may connect to the Message Server as application servers, activate its Access Control List (ACL) with the ms/acl_info parameter. It points to the file that configures access to the Message Server; the file lists the host and domain names, IP addresses and/or subnets from which application servers may register with the Message Server. External clients that only retrieve data from the Message Server are not affected by this; that data remains accessible. The default parameter value is /usr/sap/<SID>/SYS/global/ms_acl_info.


Threat


If the ACL file is absent or misconfigured, malicious software or an adversary can connect to the Message Server, register a rogue application server and perform a man-in-the-middle attack: the Message Server directs legitimate users to the rogue server, where their credentials can be intercepted. This can result in unrestricted access to user accounts.


Solution


It is essential to configure the ms/acl_info parameter. It points to the ACL file that defines who is authorized to register with the Message Server (default value: /usr/sap/<SID>/SYS/global/ms_acl_info). This file should contain the host and domain names, IP addresses and/or subnet masks from which application servers are allowed to connect to the Message Server, using the following syntax:

    HOST = [*| ip | hostname | network mask | domain ] [, ...]


The configuration file accepts the "*" wildcard in access control entries (e.g. HOST = *.sap.com or HOST = 157.23.45.*). The wildcard should be avoided, especially in the form HOST = *, which allows access from any workstation.


Access control settings do not affect the retrieval of technical information from the Message Server; it remains accessible.
As an alternative to the ACL file, the following options apply to older releases:


  • In releases 4.5 and lower, the Message Server port defined by the rdisp/mshost and rdisp/msserv parameters should be blocked by a firewall; only the network segments containing SAP servers should be granted access to this port.
  • In releases 6.4 and lower, it is highly recommended to split the Message Server services between two ports: one for SAP GUI client access (rdisp/msserv) and the other for internal application server connections (rdisp/msserv_internal).

 

[EASAI-NA-14] Unauthorized access to the Oracle DBMS


Description


Currently, Oracle is the most widespread DBMS under SAP. Unfortunately, when installed together with SAP, the DBMS is configured with the insecure REMOTE_OS_AUTHENT setting, which allows trusted connections between the SAP components based on the operating system user rather than a database password.


The problem is that this bypasses security checks, in particular the DBMS password check. The only way to mitigate the risk is to restrict remote access to the Oracle DBMS port to the necessary servers by IP address.


This restriction is implemented in the sqlnet.ora configuration file, specifically with the tcp.validnode_checking parameter, which enables checking of the hosts that attempt to establish inbound connections. When it is set to yes, inbound connections are only allowed from the nodes listed in TCP.INVITED_NODES or, if that list is not set, from nodes not listed in TCP.EXCLUDED_NODES; if both lists are set, TCP.INVITED_NODES takes precedence.


TCP.INVITED_NODES must therefore list, on the server, every client host that is allowed to connect.


Threat


If client node restrictions are not set, an attacker can connect to the Oracle DBMS without a password using the trusted OS-authenticated login OPS$<SID>ADM and thereby gain almost unlimited access to the DBMS.
The next step is to read the encrypted password of the SAPR3 user from the SAPUSER table, decrypt it and connect to the DBMS with that user's privileges. This user has full access to the SAP data, so the adversary gains unlimited control over the system.


Solution


Set the tcp.validnode_checking parameter in the sqlnet.ora file to yes. Inbound connections are then only accepted from the permitted nodes listed in tcp.invited_nodes.


All necessary client hosts must be listed in tcp.invited_nodes on the server, and only trusted systems should remain in this list.
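Both allowlists discussed above, the Message Server ACL of [EASAI-NA-13] (HOST = ... entries with names, networks and wildcards) and the sqlnet.ora node lists of [EASAI-NA-14] (invited nodes taking precedence over excluded nodes), can be evaluated with the same matching logic. The script below is an added example for this article, not SAP or Oracle code; the two configuration files it reads are constructed samples, and the parsers cover the single-line forms shown in the text only.

```python
"""Host allowlist checks for the Message Server ACL (ms_acl_info) and the Oracle
listener (sqlnet.ora). Added example; the files below are constructed samples."""
import fnmatch
import ipaddress
import re


def host_matches(entry, client_ip, client_names=()):
    """Match one ACL entry against a client: '*', an IP, a network (CIDR or netmask),
    or a wildcard pattern such as '157.23.45.*' or '*.sap.com' (matched against the
    client's IP and any of its names, case-insensitively)."""
    entry = entry.strip()
    if entry == "*":
        return True
    if "/" in entry:
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False
    candidates = [client_ip, *client_names]
    return any(fnmatch.fnmatchcase(c.lower(), entry.lower()) for c in candidates)


def parse_ms_acl(text):
    """Entries of an ms_acl_info file: one or more 'HOST = a, b, c' lines; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"HOST\s*=\s*(.+)", line, re.IGNORECASE)
        if match:
            entries.extend(e.strip() for e in match.group(1).split(",") if e.strip())
    return entries


def ms_allows(entries, client_ip, client_names=()):
    """Would the Message Server accept an application server registration from this client?"""
    return any(host_matches(e, client_ip, client_names) for e in entries)


def ms_risky_entries(entries):
    """Entries that admit more than named servers: any wildcard, worst of all a bare '*'."""
    return [e for e in entries if "*" in e]


def parse_sqlnet(text):
    """'NAME = value' parameters of sqlnet.ora; list values like '(a, b)' lose their parentheses."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip().lower()] = value.strip().strip("()")
    return params


def oracle_allows(params, client_ip, client_names=()):
    """Listener decision: no check unless tcp.validnode_checking = yes; then invited_nodes
    (when present) is an allowlist that takes precedence over excluded_nodes."""
    if params.get("tcp.validnode_checking", "no").lower() != "yes":
        return True
    invited = [e for e in params.get("tcp.invited_nodes", "").split(",") if e.strip()]
    excluded = [e for e in params.get("tcp.excluded_nodes", "").split(",") if e.strip()]
    if invited:
        return any(host_matches(e, client_ip, client_names) for e in invited)
    return not any(host_matches(e, client_ip, client_names) for e in excluded)


# Constructed samples.
MS_ACL_GOOD = """# /usr/sap/PRD/SYS/global/ms_acl_info
HOST = app01.corp.example, app02.corp.example
HOST = 10.10.5.0/24
"""
MS_ACL_WEAK = "HOST = *\n"
SQLNET_GOOD = """tcp.validnode_checking = yes
tcp.invited_nodes = (10.10.5.11, 10.10.5.12, db-admin.corp.example)
"""
SQLNET_OFF = """tcp.validnode_checking = no
tcp.invited_nodes = (10.10.5.11)
"""

if __name__ == "__main__":
    acl = parse_ms_acl(MS_ACL_GOOD)
    print(ms_allows(acl, "10.10.5.20"), ms_allows(acl, "203.0.113.9"), ms_risky_entries(parse_ms_acl(MS_ACL_WEAK)))
    print(oracle_allows(parse_sqlnet(SQLNET_GOOD), "10.10.5.99"), oracle_allows(parse_sqlnet(SQLNET_OFF), "10.10.5.99"))
```

Note that with tcp.validnode_checking = no the invited list is silently ignored, which is why the check evaluates the switch before the lists: a listener with a perfect invited_nodes list and the switch unset still accepts the OPS$ login from anywhere.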

SAP has released the monthly critical patch update for May 2015. This patch update closes a lot of vulnerabilities in SAP products, some of them belong in the SAP HANA security area. This month, three critical vulnerabilities found by ERPScan researchers Dmitry Chastukhin and Vahagn Vardanyan were closed.

 

Issues that were patched with the help of ERPScan

The detailed list of corrected vulnerabilities that were found by ERPScan researchers is below.

  • A Buffer Overflow vulnerability in SAP Afaria Server (CVSS Base Score: 7.8). Update is available in SAP Security Note 2153690. An attacker can use Buffer Overflow to inject specially crafted code into working memory. The code will be executed by the vulnerable application under the same privileges that the application has. This can lead to the attacker taking complete control over the application, denial of service, command execution, and other attacks. In case of command execution, the attacker can obtain critical technical and business-related information stored in the vulnerable SAP system or escalate their privileges. As for denial of service, it can terminate the process of a vulnerable component. Nobody will be able to use this service, which has a negative impact on business processes, system downtime, and business reputation.


  • A Missing Authorization Check vulnerability in SAP Afaria (CVSS Base Score: 7.1). Update is available in SAP Security Note 2155690. An attacker can use Missing Authorization Checks to access a service without any authorization procedures and use the service functionality that has restricted access. This can lead to information disclosure, privilege escalation, and other attacks.


  • An XML eXternal Entity vulnerability in SAP System Landscape Directory (CVSS Base Score: 4.9). Update is available in SAP Security Note 2090851. An attacker can use XML eXternal Entities to send specially crafted unauthorized XML requests, which will be processed by the XML parser. The attacker will get unauthorized access to the OS file system.

 

The most critical issues found by other researchers


Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Audit, SAP Security Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:


  • 2152278: SAP ASE Database Platform has an SQL Injection vulnerability (CVSS Base Score: 8.5). An attacker can use SQL Injection with the help of specially crafted SQL queries. They can read and modify sensitive information from a database, execute administration operations on a database, destroy data or make it unavailable. In some cases, the attacker can access system data or execute OS commands. It is recommended to install this SAP Security Note to prevent risks.


  • 2121661: SAP ABAP & Java Server has a Running Process Remote Termination vulnerability (CVSS Base Score: 8.3). An attacker can use this vulnerability to terminate the process of a vulnerable component. Nobody will be able to use this service, which has a negative impact on business processes, system downtime, and business reputation. It is recommended to install this SAP Security Note to prevent risks.


  • 2127995: SAP Content Server has a Running Process Remote Termination vulnerability (CVSS Base Score: 8.3). An attacker can use this vulnerability to terminate SAP Content Server. Nobody will be able to use this service, which has a negative impact on business processes, system downtime, and business reputation. It is recommended to install this SAP Security Note to prevent risks.


  • 2153892: SAP HANA Web-based Development Workbench has an SQL Injection vulnerability (CVSS Base Score: 6.0). An attacker can use SQL Injections with the help of specially crafted SQL queries. They can read and modify sensitive information from a database, execute administration operations in a database, destroy data or make it unavailable. In some cases, the attacker can access system data or execute OS commands. It is recommended to install this SAP Security Note to prevent risks.

 

Remote code execution in SAP applications


Security researchers have found several vulnerabilities in SAP's implementation of the LZC/LZH compression algorithms that allow attackers to execute code remotely on client and server hosts. Many SAP server and client applications use the vulnerable LZC/LZH implementation:


  • SAP NetWeaver Application Server ABAP
  • SAP NetWeaver Application Server Java
  • SAP NetWeaver RFC SDK
  • SAP RFC SDK
  • SAP GUI
  • SAP MaxDB database
  • SAPCAR archive tool

 

They are also used in the following protocols:


  • Diag
  • RFC
  • MaxDB

 

Let’s look at the found vulnerabilities in detail.


1. Stack-based overflow vulnerability CVE-2015-2282 in compression algorithm LZC


Vulnerable application code:


    [..]
    int CsObjectInt::CsDecomprLZC (SAP_BYTE * inbuf,
                                   SAP_INT inlen,
                                   SAP_BYTE * outbuf,
                                   SAP_INT outlen,
                                   SAP_INT option,
                                   SAP_INT * bytes_read,
                                   SAP_INT * bytes_written)
    [..]
        /* Generate output characters in reverse order ...................*/
        while (code >= 256)
        {
            *stackp++ = TAB_SUFFIXOF(code);   /* overflow: stackp is never checked against the end of the stack */
            code = TAB_PREFIXOF(code);
        }
    [..]


Note that the variable "code" holds an attacker-controlled value. If it is 256 or greater and the prefix table entry it points to is also 256 or greater, the loop keeps pushing bytes onto the stack; since there is no check against the end of the stack buffer, a long (or cyclic) prefix chain overflows it. By controlling the values stored in the prefix and suffix tables, an attacker can fill the stack with arbitrary values.


2. Vulnerability CVE-2015-2278 in compression algorithm LZH


Using this vulnerability, an attacker can read data outside the buffer with specially crafted packet data. Vulnerable code:


    [..]
    int CsObjectInt::BuildHufTree (
            unsigned * b,   /* code lengths in bits (all assumed <= BMAX) */
            unsigned n,     /* number of codes (assumed <= N_MAX) */
            unsigned s,     /* number of simple-valued codes (0..s-1) */
            int * d,        /* list of base values for non-simple codes */
            int * e,        /* list of extra bits for non-simple codes */
            HUFTREE **t,    /* result: starting table */
            int * m)        /* maximum lookup bits, returns actual */
    [..]
        if (p >= v + n)
        {
            r.e = INVALIDCODE;                /* out of values--invalid code */
        }
        else if (*p < s)
        {                                     /* 256 is end-of-block code */
            r.e = (unsigned char)(*p < 256 ? LITCODE : EOBCODE);
            r.v.n = (unsigned short) *p;      /* simple code is just the value*/
            p++;
        }
        else
        {
            r.e = (unsigned char) e[*p - s];  /*non-simple,look up in lists*/
            r.v.n = (unsigned short) d[*p - s];
            p++;
        }
    [..]


As you can see, the arrays 'e' and 'd' are indexed with "*p - s". Since the values of 'p' and 's' are under the attacker's control, so is the index into 'e' and 'd', and an out-of-bounds read results.
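The fix for both loops is the same kind of check: validate an attacker-controlled table index against the size of the buffer before using it. The following is an added example for this article, written in Python as a model of the two checks, not SAP's code; the prefix/suffix tables and the base/extra-bits lists are constructed here. The LZC walk mirrors the "reverse order" loop of CsDecomprLZC with a fixed-size stack and refuses to run past it or past the tables (in C the same situations are the CVE-2015-2282 stack overflow and an out-of-bounds read); the Huffman helper mirrors the three branches of BuildHufTree with a range check on "*p - s" before reading d and e (CVE-2015-2278).

```python
"""Bounds-checked models of the two table walks in CsDecomprLZC and BuildHufTree.
Added example: a Python model of the checks the vulnerable loops lack, not SAP code.
All tables are constructed below."""

LITERALS = 256  # codes 0..255 stand for single bytes; larger codes index the tables


def expand_lzc_code(prefix, suffix, code, stack_size):
    """Rebuild the string for `code` by following the prefix chain, as the
    'generate output characters in reverse order' loop does, refusing to read
    past the tables or to write past the fixed-size output stack."""
    stack = bytearray(stack_size)
    sp = 0
    while code >= LITERALS:
        if code >= len(prefix):
            raise ValueError(f"code {code} lies outside the {len(prefix)}-entry tables")
        if sp >= stack_size:
            raise ValueError(f"prefix chain of code {code} exceeds the {stack_size}-byte stack")
        stack[sp] = suffix[code]
        sp += 1
        code = prefix[code]
    # the chain ends in a literal, which is the first byte of the decoded string
    return bytes([code]) + bytes(reversed(stack[:sp]))


def huffman_code_entry(value, s, d, e):
    """Classify one code value the way the branches of BuildHufTree do, but check
    that `value - s` indexes inside the d/e lists before reading them."""
    if value < s:
        return ("literal", value) if value < 256 else ("end-of-block", value)
    idx = value - s
    if idx >= len(d) or idx >= len(e):
        raise ValueError(f"code value {value} indexes past the base/extra-bits lists")
    return ("length", d[idx], e[idx])


def is_rejected(fn, *args):
    """True if the checked routine refuses the input instead of running past a buffer."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def build_tables(size=4096):
    """Constructed prefix/suffix tables: a benign chain for 'ABC' and a crafted cycle."""
    prefix = [0] * size
    suffix = [0] * size
    prefix[256], suffix[256] = ord("A"), ord("B")   # 256 -> "A" + "B"
    prefix[257], suffix[257] = 256, ord("C")        # 257 -> 256 + "C" = "ABC"
    prefix[300], suffix[300] = 301, ord("X")        # 300 -> 301 -> 300 -> ... never reaches a literal
    prefix[301], suffix[301] = 300, ord("Y")
    return prefix, suffix


PREFIX, SUFFIX = build_tables()
LENGTH_BASES = [3, 4, 5, 6]   # constructed 'd' list (base values of non-simple codes)
LENGTH_EXTRA = [0, 0, 0, 0]   # constructed 'e' list (extra bits of non-simple codes)

if __name__ == "__main__":
    print(expand_lzc_code(PREFIX, SUFFIX, 257, 16))                  # b'ABC'
    print(is_rejected(expand_lzc_code, PREFIX, SUFFIX, 300, 16))     # True: cyclic chain caught
    print(huffman_code_entry(258, 257, LENGTH_BASES, LENGTH_EXTRA))  # ('length', 4, 0)
```

In the unpatched C code the cyclic chain for code 300 never terminates and each iteration writes one more byte past the end of the stack, which is exactly the attacker-controlled stack fill described above; the unchecked "*p - s" lookup reads whatever lies after the d and e arrays.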


Attack scenarios


Since the vulnerability affects a large number of SAP products, there are multiple attack vectors, depending on how the vulnerable code is used in each SAP program. Example vectors:


  • Attack on a server component: the SAP NetWeaver Gateway and Dispatcher services process compressed data. An attacker can forge requests, craft a special packet and exploit a Remote Code Execution vulnerability on the server.


  • Attack on a client component: the attacker can create a special .CAR or .SAR archive and send it to a client; when the client tries to unpack it, the attacker's commands are executed on the client's host.


  • MitM attack. As most of the services affected by these issues are not encrypted by default, an attacker might be able to perform a man-in-the-middle attack and trigger the vulnerabilities by injecting malicious packets within the communication.

 

Remediation

SAP customers can implement security notes 2124806, 2121661, 2127995 and 2125316 from the SAP support portal.

SAP has traditionally issued acknowledgments to the security researchers on their website.

In our previous articles we have already presented the list of the 9 most critical business application security issues [1], covered patch management flaws [2] and described default passwords for access to the application [3].

What is the most common problem of any more or less complex application? It almost always has numerous unnecessary functions intended for a multitude of tasks. Obviously, that makes the whole system more vulnerable: the more functionality is available, the larger the attack surface and the higher the number of vulnerabilities. "Complexity kills security."

Worse, all those functions are enabled by default right after installation, which makes security threats inevitable. Fortunately, each new SAP release improves on this: more and more of the extra functionality is deactivated by default.

Besides, it is often not the functions themselves that expose the system to threats: it is the misconfigured additional functions that allow critical actions to be performed.

That is why it is crucial to check regularly for misconfigured unnecessary functions. This is the third critical area in our list, and it involves three security assessment steps:

  • [EASAI-NA-08] Access to RFC functions via the SOAP interface;
  • [EASAI-NA-09] Access to RFC functions via the form interface;
  • [EASAI-NA-10] Access to the Exchange Infrastructure (XI) via the SOAP interface.

 

But first, the basics. Web applications and internal system objects (programs, transactions, RFC function modules, etc.) are where most unnecessary functions are concentrated.


Since it is easy for low-privileged or even anonymous users to reach web applications over the Internet, this article describes only the checks related to web applications.


When it comes to accessing web applications, keep in mind that it is the Internet Communication Framework (ICF, a component of the SAP Web Application Server) that implements standard protocols such as HTTP, HTTPS and SMTP for communication between systems over the Internet.


Further steps


A standard system contains about 1500 web services that can be accessed remotely by any registered user; about 40 of them are accessible to anonymous users. Note that remote access is only possible if the service is activated (some services are active by default).


After completing the three checks in this article, first disable all services that anonymous users can reach. Second, analyze all installed services to find those the system does not need. Finally, restrict access to the necessary ones with additional authorizations.


Check out «Secure Configuration of the SAP NetWeaver Application Server Using ABAP» [4]. In this paper 13 critical services are indicated. As mentioned above, those are only the main, basic services.


Another step to be taken, after you have completed web-services configuration is disabling all unnecessary internal functions, such as unnecessary critical transactions, programs, profiles, roles, etc. This step requires a thorough analysis of each module in each particular case.


Nevertheless, several transactions should be disabled in productive systems (see the list at the end of this section). They are mentioned in the ISACA guides [5].


For the record: in this guideline we only recommend this step; it was not included in the main list because it applies to productive systems only.
Transactions recommended to be locked (disabled):


  • archive administration: KA10, KA12, KA16, KA18, SARA;
  • reset transaction data: OBR1;
  • structural authorization: OICP, OOSB;
  • user maintenance: OMDL, OMEH, OMWF, OOUS, OPF0, OTZ1, OY27, OY28, OY29, OY30;
  • profiles: OMEI, OMWG, OOPR, OP15, OPE9, OTZ2, OY21;
  • privilege and profile maintenance: OMG7, OMWK, OPF1, OTZ3, OY20;
  • structural authorization: OOSP;
  • maintenance of user profiles: OVZ6;
  • copy by transport request: SCC1;
  • deleting a client: SCC5;
  • transport organizer (extended): SE01;
  • workbench organizer: SE09, SE10;
  • table maintenance: SE16, SM30, SM31;
  • external OS commands: SM49, SM69;
  • deleting all users: SU12.

 

[EASAI-NA-08] Access to RFC-functions via the SOAP interface

Description

RFC stands for Remote Function Call. The /sap/bc/soap/rfc service is a SOAP interface that allows remote-enabled function modules (RFC functions) of the ABAP platform to be called over HTTP. Two conditions make this a finding: the /sap/bc/soap/rfc service is active, and a legitimate account or a default user with a default password is available in the system. In that case the RFC functions of the ABAP platform can be accessed and executed over the web.

Threat

RFC function execution can be started over HTTP with SOAP requests, sometimes even from the Internet.


An adversary can use default account credentials to gain access to the RFC service and then carry out various types of attacks. For example, any authenticated user, regardless of authorizations, can perform a DoS attack with a malformed SOAP request.

Solution

If the /sap/bc/soap/rfc service is active, make sure that the set of users allowed to call RFC functions through it is restricted. If there is no real need for it, deactivate the service using transaction SICF.

[EASAI-NA-09] Access to RFC functions via the form interface

Description

The /sap/bc/FormToRfc service is intended only for SAP-internal use and should never be active in a production system, because it lacks some authorization checks. Starting with release 6.20, its functions are provided by the SOAP interface (/sap/bc/soap/rfc). In current releases this ICF service is inactive by default.

Threat

It is risky to keep the /sap/bc/FormToRfc service active in a production system because it lacks some authorization checks. By calling RFC functions through it, an attacker can gain unauthorized access to any business data.

Solution

In case the /sap/bc/FormToRfc service is not used, it is highly recommended to deactivate it with the help of SICF transaction.

[EASAI-NA-10] Access to Exchange Infrastructure (XI) via SOAP interface

Description

The SOAP interface used to access the Exchange Infrastructure (XI) can be used to remotely call critical functions. Moreover, it allows sending requests to third-party systems integrated through XI.

Threat

If the service has been activated incorrectly or is insufficiently restricted, XI functions can be executed over HTTP with SOAP requests, sometimes even from the Internet.


An adversary can use default account credentials to gain access to this service and carry out various attacks, both on the target system and on the systems integrated with it, depending on the functions configured in the Enterprise Service Bus. In the worst case, an adversary gains unlimited access to this server and to the connected ones.

Solution

In case the service is not used, it is highly recommended to deactivate it with the help of SICF transaction. Otherwise, it is better to set up additional access restrictions. To do that, you should put into practice the use of appropriate authorizations or network access control procedure.

To sum up, let us remind you once again that no ERP system is immune to security threats. That is why solid information on how to raise the level of security control should be provided regularly.


Next time we'll come back with a description of new security assessments procedures concerning the fourth critical area from our list. Bye, and remember to keep a wary eye on business data.

For the past two weeks we have been discussing the top 9 critical areas [1] and the 33 steps of a security assessment [2]. We have covered patch management flaws, the first critical category in our list. As you have probably guessed, today it is time to take a closer look at the next item on the list of critical issues: default passwords.

This is a wide-reaching vulnerability with multiple attack vectors. Because it requires little skill, exploiting default passwords is among the most frequently used ways of getting access to company data. After installation, an SAP system has several standard clients: 000, 001 and 066. The standard users in them have high privileges by default (usually the SAP_ALL profile). When a new client is created, the SAP system automatically generates the default users and passwords in it.


The so-called master password [3] was introduced in version 6.10 of the SAP Web Application Server.
Users should be particularly careful, because the vendor's default accounts and their passwords are well known. The following table gathers the default passwords:

 

USER         PASSWORD             CLIENT
SAP*         06071992, PASS       001, 066, Custom
DDIC         19920706             000, 001, Custom
TMSADM       PASSWORD, $1Pawd2&   000
SAPCPIC      ADMIN                000, 001
EARLYWATCH   SUPPORT              066


Further steps

Some additional SAP components also have their unique default passwords. For example, old versions of such services as SAP SDM and SAP ITS have their own pre-installed default passwords.


After checking for default passwords, check user passwords for simple dictionary words. Efficient password bruteforcing utilities such as John the Ripper fit well here; alternatively, you can use the ERPScan Security Monitoring Suite.


Besides, default passwords should be checked in all associated systems.  Don’t forget to check your network equipment, operating systems and DBMS that store SAP system data. Oracle DBMS, for instance, contains a lot of default passwords, including those specific for SAP systems.
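The default-credential check described in this section and the RFC-over-SOAP service of [EASAI-NA-08] meet in one test: try the vendor defaults from the table above against /sap/bc/soap/rfc with a harmless function module and classify the answer. The script below is an added example for this article, not ERPScan or SAP code. The users, passwords and clients come from the table; the assumptions are that the service takes the client as the sap-client URL parameter, uses HTTP Basic authentication, wraps function calls in the namespace urn:sap-com:document:sap:rfc:functions, and answers a wrong password with HTTP 401. The successful response used offline is a constructed sample.

```python
"""Default-credential check through the /sap/bc/soap/rfc service. Added example,
not ERPScan or SAP code. Client parameter, Basic auth and the RFC SOAP namespace
are assumptions about the service."""
import base64
import http.client
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
RFC_NS = "urn:sap-com:document:sap:rfc:functions"  # assumption: namespace used by /sap/bc/soap/rfc

# Vendor defaults from the table above: user -> (passwords, standard clients, present in copied clients?)
DEFAULT_CREDENTIALS = {
    "SAP*":       (["06071992", "PASS"],     ["001", "066"], True),
    "DDIC":       (["19920706"],             ["000", "001"], True),
    "TMSADM":     (["PASSWORD", "$1Pawd2&"], ["000"],        False),
    "SAPCPIC":    (["ADMIN"],                ["000", "001"], False),
    "EARLYWATCH": (["SUPPORT"],              ["066"],        False),
}


def credential_attempts(custom_clients=()):
    """(user, password, client) triples to try; custom clients get the accounts marked 'Custom'."""
    attempts = []
    for user, (passwords, clients, in_custom) in DEFAULT_CREDENTIALS.items():
        for client in list(clients) + (list(custom_clients) if in_custom else []):
            attempts.extend((user, pw, client) for pw in passwords)
    return attempts


def basic_auth_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def rfc_system_info_request():
    """Call RFC_SYSTEM_INFO, a harmless function module that returns SID, host and DB host."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    ET.SubElement(body, f"{{{RFC_NS}}}RFC_SYSTEM_INFO")
    return ET.tostring(env, encoding="unicode")


SYSTEM_INFO_FIELDS = ("RFCSYSID", "RFCHOST", "RFCDBHOST", "RFCSAPRL", "RFCKERNRL")


def parse_system_info(body):
    """Fields of RFCSI_EXPORT from a successful response; None for a SOAP fault or junk."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        return None
    fields = {el.tag.split("}")[-1]: (el.text or "").strip() for el in root.iter()}
    return {k: fields[k] for k in SYSTEM_INFO_FIELDS if k in fields} or None


def classify(status, body):
    """'rejected' (401: wrong password or locked user), 'default-credentials-work' (data returned),
    or 'authenticated-fault' (login accepted but the call failed, e.g. missing RFC authorization)."""
    if status == 401:
        return "rejected"
    return "default-credentials-work" if parse_system_info(body) else "authenticated-fault"


def try_login(host, port, user, password, client, use_https=False, timeout=5):
    """Network call (not exercised offline): one attempt against /sap/bc/soap/rfc."""
    conn_cls = http.client.HTTPSConnection if use_https else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    headers = {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""',
               "Authorization": basic_auth_header(user, password)}
    conn.request("POST", f"/sap/bc/soap/rfc?sap-client={client}", rfc_system_info_request(), headers)
    resp = conn.getresponse()
    return classify(resp.status, resp.read().decode("utf-8", "replace"))


# Constructed responses for the offline check.
SAMPLE_RESPONSE = (
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>'
    '<rfc:RFC_SYSTEM_INFO.Response xmlns:rfc="urn:sap-com:document:sap:rfc:functions"><RFCSI_EXPORT>'
    '<RFCHOST>sapprd01</RFCHOST><RFCSYSID>PRD</RFCSYSID><RFCDBHOST>sapdb01</RFCDBHOST>'
    '<RFCSAPRL>731</RFCSAPRL></RFCSI_EXPORT></rfc:RFC_SYSTEM_INFO.Response></SOAP-ENV:Body></SOAP-ENV:Envelope>')
FAULT_RESPONSE = (
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>'
    '<SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring>Not authorized</faultstring>'
    '</SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>')

if __name__ == "__main__":
    print(len(credential_attempts(("100",))), "attempts;", classify(200, SAMPLE_RESPONSE))
```

Every account in the table is tried in every client listed for it, plus the productive clients you pass in for the accounts marked "Custom"; a locked user also yields "rejected", so a clean run does not prove the password was changed, only that the login no longer works.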


[EASAI-NA-03] Default password check for a SAP user


Description

The SAP* user is created in every client immediately after installation. It is a dialog user that works via SAP GUI (user type = dialog), performs all administrative tasks and usually has the SAP_ALL profile. If the SAP* user master record is deleted in a client, the kernel's built-in SAP* becomes usable after a restart: one can log on with the hard-coded password PASS and gets the full SAP_ALL privileges.


Threat

The default passwords of the SAP* user are well known (see the table above). With these passwords, an adversary can enter the system with the SAP_ALL profile and, consequently, gain unlimited access to any business data stored in the system.


Solution

  • First, lock the SAP* user in all clients (do not delete it!). To do that, select the SAP* user in transaction SU01 and click the Lock/Unlock icon (Ctrl+F5);
  • Set login/no_automatic_user_sapstar to 1 (transactions RZ10 and RZ11). Note that in versions 3.1G and lower the parameter login/noautomatic_user_sap* is used (for further information, see SAP Security Note 68048 [4]);
  • Change the SAP* default password (transaction SU01);
  • Make sure that the user now belongs to the SUPER group in all clients. In transaction SU01, select the SAP* user, click the Change icon (Shift+F6) and open the Logon Data tab.

 

[EASAI-NA-04] Default password check for the DDIC user


Description

The DDIC user is created in clients 000 and 001 upon installation (and when clients are copied). This default system user performs system installation, upgrade, configuration and operation. It is also used to import Support Packages, to run upgrades and to execute the background jobs triggered by the Transport Tool.
In client 000 this user is of the dialog type: it can log on via SAP GUI and perform any action.
In all other clients it is a system-type user that can perform background processing and interact with the system. The SAP_ALL and SAP_NEW profiles, which grant access to all SAP functions, are assigned to this user.


Threat

The DDIC user's default password is well known (see the table above). With this password, an adversary can enter the system with the SAP_ALL profile and, consequently, gain unlimited access to any business data stored in the system.


Solution


WARNING! Do not delete the DDIC user or its profile! The DDIC user is necessary for certain tasks, such as installation or updating, and it also interacts with the ABAP Dictionary. Deleting it results in a loss of functionality in these areas. However, it is acceptable (and highly recommended by some resources) to delete it in all clients except 000.

  • In client 000, change the user type to SYSTEM;
  • Remove the SAP_ALL profile;
  • Lock the DDIC user and unlock it only when needed. Note that the transport system executes certain programs on behalf of the DDIC user;
  • Change the default password of the DDIC user;
  • Make sure that the DDIC user belongs to the SUPER group in all clients, so that only authorized administrators can modify this account;
  • Regularly check the system's clients for illicit ones.

 

[EASAI-NA-05] Default password check for the SAPCPIC user


Description

The SAPCPIC user is used by the transport system of SAP solutions (in versions 4.5A and lower). It is a communication-type user, mostly used for EDI (Electronic Data Interchange). It can also execute RFC calls without dialog boxes.
So this user does not have dialog-user privileges, but it has the S_A.CPIC profile. As a result, the following authorization objects are critical:

  • S_CPIC (calling CPIC functions from ABAP/4 programs),
  • S_DATASET (privileges to access files from ABAP/4 programs), and
  • S_RFC (authorization check for RFC access to program modules, for example to a function group).

 

Threat

The default password of the SAPCPIC user is well known (see the table above). With this password, an adversary can remotely execute RFC requests (e.g. start OS programs), execute arbitrary OS commands through RFC vulnerabilities (e.g. TH_GREP), and create dialog users with any privileges in order to enter the system and gain unlimited access to the data.


Solution

Delete the SAPCPIC user if you do not need it. If the user is still necessary:

  • Change the default password of the SAPCPIC user;
  • Lock the SAPCPIC user and unlock it only when necessary;
  • If this user is required for EDI purposes (e.g. by a contractor), never transmit its password during a remote session; use a separate communication channel, e.g. e-mail. Change the password immediately after the remote session is over;
  • Make sure that this user belongs to the SUPER group in all clients, so that only authorized administrators can change this user's account;
  • Define a dedicated user for remote access. Do not use any default users;
  • Perform regular checks of your clients to eliminate the risk of illicit access.

 

[EASAI-NA-06] Default password check for TMSADM user


Description

The TMSADM user is used for transfers through the transport system. It is created automatically in client 000 when the Transport Management System (TMS) is configured or changed.
It is a communication user; in other words, it is used to execute external RFC calls without dialog boxes (and is often misused for this). It has the S_A.TMSADM authorization profile, which allows it to call RFC functions with GUI and to write to the file system. The SAP_ALL profile is also often assigned to this user.


Threat

The default password of the TMSADM user is well known. An adversary can remotely issue RFC requests to perform critical actions such as deleting and reading files (EPS_DELETE_FILE, EPS_OPEN_FILE2), executing arbitrary ABAP code (through vulnerabilities in the RFC_ABAP_INSTALL_AND_RUN or TTMS_CI_START_SERVICE functions) and, using the BAPI_USER_CREATE1 and SUSR_RFC_USER_INTERFACE requests, creating a dialog user in order to enter the system and gain unlimited access to business data.


Solution

  • Change the default password of the TMSADM user. To do so (according to Note 1414256 [5]):
    • Log on to client 000 as any user with administrative rights.
    • Start the program TMS_UPDATE_PWD_OF_TMSADM in the ABAP Editor (transaction SE38). There are three ways to change the TMSADM password:
      • enter your own password,
      • set the new standard password (Note 761637, $1Pawd2&), or
      • set the old standard password (PASSWORD);
    • Select the option "Enter your own password" in the dialog box and enter the new password;
    • Run the program.
  • Make sure that this user belongs to the SUPER group in all clients, so that only authorized administrators can change this user's account;
  • Define a dedicated user for remote access. Do not use any default users;
  • Perform regular checks of your clients to eliminate the risk of illicit access.

Additionally, apply the security notes for vulnerabilities in the programs that the TMSADM user can execute, such as:

  • SAP Security Note 1298160 for vulnerabilities in TTMS_CI_START_SERVICE;
  • SAP Security Note 1330776 for vulnerabilities in EPS_DELETE_FILE and EPS_OPEN_FILE2.

 

[EASAI-NA-07] Default password check for the EARLYWATCH user


Description

The EarlyWatch user is created in client 066 upon SAP installation and is of the dialog type. It can log on via SAP GUI and perform any action in the system. It is used for SAP remote management and for access to monitoring data; as a rule, SAP AG customer support uses it to enter customers' systems. Change the default password of the EarlyWatch user, but never delete the user.


Threats

The EarlyWatch user's default password is well known (see the table above). With this password, an adversary can enter the system with the S_TOOLS_EX_A profile and, consequently, perform various critical actions (for example, access any files, view sensitive tables or display external statistics records via the control tools). In old versions (6.4 and lower) the user could execute critical transactions such as SE37 (execution of function modules) and SE38 (running reports). In newer versions it has fewer privileges, but it can still exploit some vulnerabilities, such as the TH_GREP call from transaction SM51, and consequently execute arbitrary OS commands.


Solution


WARNING! Do not delete the EarlyWatch user or its profile!

  • Lock the EARLYWATCH user and unlock it only when necessary;
  • Change the default password of the EARLYWATCH user;
  • Make sure that this user belongs to the SUPER group in all clients, so that only authorized administrators can change this user's account;
  • Perform regular checks of your clients to eliminate the risk of illicit access to the system.
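The checks EASAI-NA-03 to EASAI-NA-07 above can be verified mechanically from an export of the user master data. The following Python script is an added example written for this article, not code from the guideline or from SAP: it runs over a constructed USR02-like export (the field names, the user-type letters A/B/C and the lock-flag bit 64 are assumptions) together with the login/no_automatic_user_sapstar parameter, and reports every deviation from the solutions listed above. Password hashes are not part of the export, so it cannot tell whether a default password is still set; that remains a job for the password audit described under "Further steps".

```python
"""Compliance checker for the default-user steps EASAI-NA-03 to EASAI-NA-07.

Added example, not part of the original guideline and not an SAP API: it runs
over a constructed, USR02-like export of user master records plus the relevant
profile parameter. Field names, user-type letters and the lock-flag encoding
are assumptions for this example. Password hashes are not in the export, so
whether a default password is still set has to be verified separately.
"""
from dataclasses import dataclass, field

# Assumed encoding: bit 64 of the lock flag means "locked by administrator".
LOCK_ADMIN = 64
DIALOG, SYSTEM, COMM = "A", "B", "C"   # assumed user-type letters


@dataclass
class SapUser:
    client: str
    name: str
    user_type: str                          # DIALOG, SYSTEM or COMM
    lock_flag: int = 0                      # 0 = unlocked
    group: str = ""                         # user group, expected "SUPER"
    profiles: list = field(default_factory=list)

    @property
    def locked(self) -> bool:
        return bool(self.lock_flag & LOCK_ADMIN)


def check_default_users(users, params):
    """Return (check, client, message) findings; an empty list means compliant."""
    by_client = {}
    for u in users:
        by_client.setdefault(u.client, {})[u.name] = u
    out = []

    # EASAI-NA-03: SAP* must exist in every client, be locked and be in group
    # SUPER; the profile parameter closes the "delete SAP*, log on with PASS" hole.
    if params.get("login/no_automatic_user_sapstar") != "1":
        out.append(("NA-03", "*", "login/no_automatic_user_sapstar is not set to 1"))
    for client, names in sorted(by_client.items()):
        u = names.get("SAP*")
        if u is None:
            out.append(("NA-03", client, "SAP* has been deleted; recreate and lock it"))
            continue
        if not u.locked:
            out.append(("NA-03", client, "SAP* is not locked"))
        if u.group != "SUPER":
            out.append(("NA-03", client, "SAP* is not in user group SUPER"))

    # EASAI-NA-04: DDIC in client 000 must be of type SYSTEM, without SAP_ALL,
    # locked and in SUPER; in other clients the guideline allows deleting it.
    for client, names in sorted(by_client.items()):
        u = names.get("DDIC")
        if u is None:
            continue
        if client == "000" and u.user_type != SYSTEM:
            out.append(("NA-04", client, "DDIC is not of user type SYSTEM"))
        if "SAP_ALL" in u.profiles:
            out.append(("NA-04", client, "DDIC still has profile SAP_ALL"))
        if not u.locked:
            out.append(("NA-04", client, "DDIC is not locked"))
        if u.group != "SUPER":
            out.append(("NA-04", client, "DDIC is not in user group SUPER"))

    # EASAI-NA-05/06/07: SAPCPIC and EARLYWATCH are locked when present; TMSADM
    # is only checked for the SUPER group, as the guideline asks; all three must
    # sit in SUPER so that only administrators can change them. EARLYWATCH must
    # not be deleted from client 066.
    for check, name, must_lock in (("NA-05", "SAPCPIC", True),
                                   ("NA-06", "TMSADM", False),
                                   ("NA-07", "EARLYWATCH", True)):
        for client, names in sorted(by_client.items()):
            u = names.get(name)
            if u is None:
                continue
            if must_lock and not u.locked:
                out.append((check, client, f"{name} is not locked"))
            if u.group != "SUPER":
                out.append((check, client, f"{name} is not in user group SUPER"))
    if "EARLYWATCH" not in by_client.get("066", {}):
        out.append(("NA-07", "066", "EARLYWATCH has been deleted; keep it locked instead"))
    return out


# Constructed sample export: clients 000 and 066 hardened, client 100 neglected.
SAMPLE_USERS = [
    SapUser("000", "SAP*", DIALOG, LOCK_ADMIN, "SUPER", ["SAP_ALL"]),
    SapUser("000", "DDIC", SYSTEM, LOCK_ADMIN, "SUPER", ["SAP_NEW"]),
    SapUser("000", "TMSADM", COMM, 0, "SUPER", ["S_A.TMSADM"]),
    SapUser("000", "SAPCPIC", COMM, LOCK_ADMIN, "SUPER", ["S_A.CPIC"]),
    SapUser("066", "SAP*", DIALOG, LOCK_ADMIN, "SUPER", ["SAP_ALL"]),
    SapUser("066", "EARLYWATCH", DIALOG, 0, "SUPER", ["S_TOOLS_EX_A"]),
    SapUser("100", "DDIC", DIALOG, 0, "", ["SAP_ALL", "SAP_NEW"]),
    SapUser("100", "SAPCPIC", COMM, 0, "", ["S_A.CPIC"]),
]
SAMPLE_PARAMS = {"login/no_automatic_user_sapstar": "0"}

if __name__ == "__main__":
    for check, client, msg in check_default_users(SAMPLE_USERS, SAMPLE_PARAMS):
        print(f"[{check}] client {client}: {msg}")
```

Run as-is, it lists eight findings for the constructed sample: the missing profile parameter, the deleted SAP* in client 100, the unlocked DDIC that still carries SAP_ALL, the unlocked SAPCPIC outside the SUPER group, and the unlocked EARLYWATCH in 066. Clients 000 produce no findings, which is the state every client should reach.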

 

By now you should have noticed the ease and clarity with which we tried to explain some technical subjects to you. You may also have wondered how we managed to keep the list of critical issues that brief, and perhaps marveled at how we point out what it all means, what it is good for and why you should care. It is completely up to you, but if you like our articles we strongly recommend that you stay with us: in two weeks we will come back with the description of the next critical issue.

Recently, HP published its yearly Cyber Risk Report 2015. Apart from the many typical things spotlighted in this report, such as the growing number of ATM and IoT security events, we found some parts that are relevant to business application security, which we are honored to share with our readers, customers and partners.

According to the report, HP's Zero Day Initiative (ZDI) was busy coordinating the disclosure and remediation of over 400 high-severity vulnerabilities in 2014, 24 of which were related to SAP products. The vendors with the most disclosures were: 1. Microsoft; 2. Hewlett-Packard; 3. Advantech; 4. SAP; 5. Apple.

ZDI has always published vulnerabilities in SAP, but this is the first year in which the number of SAP vulnerabilities has been so large.

According to the ZDI report:

"In 2013 there were a number of SCADA vulnerabilities, but 2014 marks the first year where a SCADA vendor is among the top vendors with vulnerabilities disclosed against its products. Advantech focuses on automation controllers, industrial control products, and single board computers. SAP is on the list due to an audit ZDI analysts conducted against one of its products, which yielded a large number of findings."

 

But the main point is that we are speaking not only about the number of vulnerabilities, which is quite large, but also about their criticality. The average CVSS score of the identified SAP vulnerabilities is 7.7 and the maximum is 9.5.

Affected SAP Products include:

 

  • SAP SQL Anywhere (4 vulnerabilities with average CVSS 9)
  • SAP Sybase ESP (18 vulnerabilities with average CVSS 7.5)
  • SAP Crystal Reports (2 vulnerabilities with average CVSS 6.8)

  

Detailed information about the identified vulnerabilities can be found in the table below:

| Product | Vulnerability | CVSS | Date |
|---|---|---|---|
| SAP SQL Anywhere | SAP SQL Anywhere .NET Data Provider Malformed Integer Stack Buffer Overflow Code Execution Vulnerability | 9.5 | 12.09.2014 |
| SAP SQL Anywhere | SAP SQL Anywhere .NET Data Provider REPLICATE Function Heap Overflow Code Execution Vulnerability | 8.5 | 12.09.2014 |
| SAP SQL Anywhere | SAP SQL Anywhere .NET Data Provider SPACE Function Heap Overflow Code Execution Vulnerability | 8.5 | 12.09.2014 |
| SAP SQL Anywhere | SAP SQL Anywhere .NET Data Provider Column Alias Stack Buffer Overflow Code Execution Vulnerability | 9.5 | 12.09.2014 |
| SAP Crystal Reports | SAP Crystal Reports Connection String Processing Double Free Remote Code Execution Vulnerability | 6.8 | 09.03.2014 |
| SAP Crystal Reports | SAP Crystal Reports Datasource Stack Buffer Overflow Remote Code Execution Vulnerability | 6.8 | 09.03.2014 |
| SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse ConnectionType.getConnection Remote Code Execution Vulnerability | 7.5 | 05.22.2014 |
| SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse ConnectionType.isInput Remote Code Execution Vulnerability | 7.5 | 05.22.2014 |
| SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.getSampleRow Remote Code Execution Vulnerability | 7.5 | 05.22.2014 |
| SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.getFieldTypes Remote Code Execution Vulnerability | 7.5 | 05.22.2014 |
| SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.getFieldNames Remote Code Execution Vulnerability | 7.5 | 05.22.2014 |
| SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.setParams Remote Code Execution Vulnerability | 7.5 | 05.22.2014 |
| SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.destroy Remote Code Execution Vulnerability | 7.5 | 05.22.2014 |
| SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.dispose Remote Code Execution Vulnerability | 7.5 | 05.22.2014 |
| SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.getTableNames Remote Code Execution Vulnerability | 7.5 | 05.22.2014 |
| SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.setScanDepth Remote Code Execution Vulnerability | 7.5 | 05.22.2014 |
| SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.canDiscover Remote Code Execution Vulnerability | 7.5 | 05.22.2014 |
| SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.getError Remote Code Execution Vulnerability | 7.5 | 05.22.2014 |
| SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.reset Remote Code Execution Vulnerability | 7.5 | 05.22.2014 |
| SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.getErrors Remote Code Execution Vulnerability | 7.5 | 05.22.2014 |
| SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse ConnectionType.getName Remote Code Execution Vulnerability | 7.5 | 05.22.2014 |
| SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse ConnectionType.getParamNames Remote Code Execution Vulnerability | 7.5 | 05.22.2014 |
| SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse ConnectionType.getXmlDescription Remote Code Execution Vulnerability | 7.5 | 05.22.2014 |
| SAP Sybase ESP | (0Day) SAP Sybase ESP esp_parse Connection.getType Remote Code Execution Vulnerability | 7.5 | 05.22.2014 |

Last year brought not only the many vulnerabilities disclosed by ZDI; other independent resources also recorded growth in the number of vulnerabilities in SAP applications.

Another resource published information about the total number of vulnerabilities in different vendors' products, where SAP, for the first time in its history, hit 10th place by the number of vulnerabilities in commercial products, with a total of 178 vulnerabilities (as of October 2014).

According to the latest statistics on SAP vulnerabilities, SAP takes 27th place in the list of all vendors (including open source) in the CVE database, with 236 vulnerabilities in total. The number of SAP vulnerabilities published in CVE in 2014 is 81, which is 4 times more than in the previous year and the highest number of any year, if you look at the figures.

By following the link you can find more details.

But in reality, the number of vulnerabilities closed in SAP products is even greater than listed in any of those resources.

As you may know, CVEs are assigned to vulnerabilities by the vendor or by a third-party organization; this process takes time, and not every organization does it consistently. According to information from the SAP Support Portal, in 2014 alone 388 so-called SAP Security Notes were released, 7% more than in 2013 (when there were 364). SAP Security Notes are, in effect, small patches that usually close one or more vulnerabilities in SAP applications found by third-party companies and SAP's internal security team. So yes, one or more! It means that the actual number of vulnerabilities is even greater than the number of SAP Security Notes and, of course, greater than the number of vulnerabilities that can be found in CVE, ZDI and other public resources.

However, it is not only about vulnerabilities in SAP products themselves. If such experienced people as SAP developers can still leave mistakes in their code, imagine what is happening in programs developed by the organizations that use SAP systems and customize them or, more importantly, outsource development to other companies. And, as you know, security has never been the strongest side of outsourcing, as the high competition between outsourcing companies drives them to minimize time and resources, which usually leaves its imprint on security.

We try to help our customers meet their security requirements, and as part of this process we usually publish detailed guidelines on how to secure their systems from different issues.

Our latest guideline, "Securing SAP Systems from XSS vulnerabilities", relates to the most popular vulnerability found in SAP Security Notes: XSS, or Cross-Site Scripting. There you can find our new SAP security guide for improving SAP NetWeaver ABAP, SAP NetWeaver J2EE and SAP HANA security.

To find this guide and other guides please follow the link.

Attack detection patterns are what powers the ability of SAP Enterprise Threat Detection to alert you to suspicious activity in your network. The patterns were created by our experts to uncover a variety of anomalous events. You have asked what patterns we deliver with our product. Here is an overview of the kinds of patterns you get with SAP Enterprise Threat Detection 1.0 SP01. Don't worry, there is more to come in our future releases.


| Category | Description |
|---|---|
| ABAP and HANA Authorization | These patterns look for escalation of privileges. An escalation of privileges is when you can exploit a weakness to gain access to resources you should not have access to. These patterns also watch for the assignment of critical roles or profiles. |
| ABAP Blacklists and Whitelists | A number of patterns function on blacklists and whitelists. We deliver blacklists for function modules, reports, transactions, and URL paths expected not to be used in productive systems. Customers can enhance these blacklists according to their needs. The same applies to several patterns which come with whitelists, which lead to an alert being created in case a certain user is active or function module called but not part of the whitelist. |
| ABAP Calls to Productive Systems | Your productive system runs your business. We have patterns that watch for calls from non-productive systems to productive systems. The patterns, like those in other categories, have configurations to eliminate false positives. |
| ABAP and HANA Configuration | The patterns for ABAP and HANA configuration make sure that no one is trying to disable security in the system by making configuration changes to the system. Such changes include deactivating logs or other security functions. |
| ABAP Debugging | These patterns attempt to find developers behaving badly, for example, debugging in a productive system. The patterns can find an infiltrator exploring code in an ABAP system. |
| ABAP Denial of Service | There are a number of indicators we can watch to identify if someone is trying to block access to the ABAP server. |
| ABAP Downloads | If a user downloads data too often or in too large a volume from an ABAP server, patterns raise alerts in SAP Enterprise Threat Detection. |
| ABAP Internet Communication Framework | SAP Enterprise Threat Detection also uses patterns to monitor access to the Internet Communication Framework (ICF). |
| ABAP and HANA Logon | Too many failed logon attempts might indicate someone trying to brute force their way into the system. Suspicious activity is also trying to log on with users, who otherwise should be locked, expired, or deleted. We also look for replay attacks or other attempted manipulation of our security session technology. |
| ABAP Password | Manipulation of passwords for critical users or by users not normally in an administrative role can warn of an intruder in your system. |
| HANA SQL Functions | We include patterns to detect suspicious calls to SQL functions on SAP HANA platform. |
| ABAP User Morphing | We also look for changes in users that indicate a manipulation of the user, such as the user type. |
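As an added illustration of the "Logon" and "User Morphing" categories, the Python below (an example for this post, not SAP Enterprise Threat Detection code) runs three simple patterns over constructed audit-log lines: a burst of failed logons from one source, a logon by a user that should be locked, and user creation by someone outside the administrator list. The line layout, the event codes (modelled on the Security Audit Log message IDs AU1, AU2 and AU7), the admin list, the lock state and the thresholds are all assumptions.

```python
"""Detection logic for the "ABAP and HANA Logon" and "ABAP User Morphing"
categories, run over constructed audit-log lines.

Added example, not SAP Enterprise Threat Detection code. The line layout
(timestamp|client|user|source address|event code|text), the event codes
(modelled on Security Audit Log message IDs: AU1 logon successful, AU2 logon
failed, AU7 user created), the admin list, the lock state and the thresholds
are all assumptions for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON_THRESHOLD = 5            # failures from one source within WINDOW
WINDOW = timedelta(minutes=5)
ADMIN_USERS = {"BASISADM"}            # constructed: users allowed to create users
LOCKED_USERS = {("000", "SAP*"), ("100", "OLDCONSULT")}   # constructed lock state


def parse_line(line):
    ts, client, user, src, code, text = line.split("|", 5)
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "client": client,
            "user": user, "src": src, "code": code, "text": text}


def detect(lines):
    """Return (alert, client, user, timestamp) tuples in log order."""
    alerts = []
    failures = defaultdict(deque)     # (client, user, source) -> failed-logon times
    fired = set()                     # sources that already raised a brute-force alert
    for ev in map(parse_line, lines):
        key = (ev["client"], ev["user"])
        src_key = key + (ev["src"],)
        when = ev["ts"].strftime("%Y-%m-%d %H:%M:%S")
        if ev["code"] == "AU2":
            q = failures[src_key]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > WINDOW:        # drop failures outside the sliding window
                q.popleft()
            if len(q) >= FAILED_LOGON_THRESHOLD and src_key not in fired:
                fired.add(src_key)
                alerts.append(("BRUTE_FORCE", ev["client"], ev["user"], when))
        elif ev["code"] == "AU1":
            if key in LOCKED_USERS:                # a locked user must never log on
                alerts.append(("LOGON_OF_LOCKED_USER", ev["client"], ev["user"], when))
            if src_key in fired:                   # a guessing burst that finally succeeded
                alerts.append(("LOGON_AFTER_BRUTE_FORCE", ev["client"], ev["user"], when))
        elif ev["code"] == "AU7" and ev["user"] not in ADMIN_USERS:
            alerts.append(("USER_CREATED_BY_NON_ADMIN", ev["client"], ev["user"], when))
    return alerts


# Constructed sample: a password-guessing burst against JDOE that finally succeeds,
# a logon by the locked SAP* account, and a user created by a non-administrator.
SAMPLE_LOG = """\
2015-03-02 09:00:00|100|BASISADM|10.0.0.2|AU1|Logon successful
2015-03-02 09:01:00|100|JDOE|10.0.0.9|AU2|Logon failed (wrong password)
2015-03-02 09:10:00|100|JDOE|10.0.0.5|AU2|Logon failed (wrong password)
2015-03-02 09:10:20|100|JDOE|10.0.0.5|AU2|Logon failed (wrong password)
2015-03-02 09:10:40|100|JDOE|10.0.0.5|AU2|Logon failed (wrong password)
2015-03-02 09:11:00|100|JDOE|10.0.0.5|AU2|Logon failed (wrong password)
2015-03-02 09:11:20|100|JDOE|10.0.0.5|AU2|Logon failed (wrong password)
2015-03-02 09:11:40|100|JDOE|10.0.0.5|AU2|Logon failed (wrong password)
2015-03-02 09:12:00|100|JDOE|10.0.0.5|AU1|Logon successful
2015-03-02 09:15:00|000|SAP*|10.0.0.5|AU1|Logon successful
2015-03-02 09:16:00|100|JDOE|10.0.0.5|AU7|User NEWUSER1 created
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single failure from 10.0.0.9 never reaches the threshold and stays silent; the burst from 10.0.0.5 raises one brute-force alert at the fifth failure, and the successful logon that follows is flagged separately because the source was already marked, which is the case an analyst most wants to see first.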

 

 

Want to know more?

You may have seen the wiki that I help manage, Home of TCP-IP Ports. I want to take the TCP/IP port documentation in a new direction and I am looking for you to give me feedback. Interested? Either send me a message through SCN or reply to this blog and we'll work out the details.


In our previous article [1] we introduced the list of the 9 most important business application security critical issues. We also presented the skeleton of our guideline with its 33 security assessment steps. As you have seen only the skeleton so far, it is now high time to pay attention to a more detailed explanation of each step.

To ensure full-scale system security it is crucial to regularly install security Support Packages. The number of Support Packages necessary for a system may be huge: the number of SAP Security Notes grew to more than 3000 by mid-2014. As some of you may know, each SAP Security Note fixes one or more vulnerabilities, and about 50 Security Notes are issued monthly. Sometimes an SAP Security Note is based on the results of a third-party researcher's work [2]. Also, when it comes to prompt vulnerability elimination, we should consider the consequences that an attacker using utilities such as Metasploit to gain free access to corporate information can lead to. Given the above, it is reasonable to conclude that developing and establishing a patch management process that ensures adequate preventive measures against potential threats is highly necessary at this stage. Let us now focus on the two major checks that must be in place to address the most critical problems.

Further steps

The same check applies to SAP components installed separately from the application server, such as SAP Router, SAP Web Dispatcher and SAP GUI, and to systems that are linked to the NetWeaver ABAP application server but run on the NetWeaver J2EE or SAP BusinessObjects application servers; their security is covered by a separate document included in EAS-SEC. It is also essential to check security patches for the operating systems on which SAP services are installed and for the DBMS that store SAP solution data.

[EASAI-NA-01] Check for components update (SAP Security Notes)

Description

The essence of the whole patching procedure is that a patch is designed to substitute outdated and vulnerable objects. There are two ways to fix a vulnerability: one can either implement the correction instructions from an SAP Security Note in the system, or have a Support Package installed. As a rule, initially a particular SAP Security Note (with appropriate correction instructions) is issued. After that, a Support Package is applied. The Support Package usually contains changed or new functionality with a set of correction instructions for a certain period of time.
As mentioned above, the number of support packages and SAP Security Notes required by the system may be huge. That's why the development of patch management process should also involve establishing a priority of patch installation. While determining the right priority one should consider the following factors:

  • Threat severity,
  • Threat probability,
  • Required system privileges,
  • Complexity of exploitation, and
  • Public exploit availability.
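To make the ranking concrete, here is an added Python example (not from the guideline and not an SAP tool) that scores a constructed backlog of pending notes on exactly these five factors and sorts it into an installation order. The note identifiers are placeholders, the weights are assumptions to be tuned to your own risk appetite, and the extra bonus for kernel notes follows the EASAI-NA-02 rule that kernel updates are installed first.

```python
"""Ranking pending SAP Security Notes by the five factors listed above.

Added example, not taken from the guideline or from SAP. The note records are
constructed and the identifiers are placeholders (NOTE-A to NOTE-D), not real
SAP notes; the weights are an assumption to be tuned to your own risk appetite.
The kernel bonus follows the guideline's EASAI-NA-02 rule that kernel updates
come first.
"""
from dataclasses import dataclass

# Lower required privilege and lower complexity mean higher risk, so they add more.
ACCESS_RISK = {"anonymous": 3.0, "user": 2.0, "administrator": 1.0}
COMPLEXITY_RISK = {"low": 3.0, "medium": 2.0, "high": 1.0}
EXPLOIT_BONUS = 3.0     # a public exploit exists
KERNEL_BONUS = 10.0     # kernel fixes are installed before anything else


@dataclass(frozen=True)
class SecurityNote:
    note_id: str          # placeholder, not a real SAP note number
    component: str        # e.g. "KERNEL" or "SAP_BASIS"
    severity: float       # threat severity as a CVSS base score, 0..10
    probability: float    # estimated threat probability, 0..1
    access: str           # privileges required: anonymous | user | administrator
    complexity: str       # complexity of exploitation: low | medium | high
    public_exploit: bool  # public exploit availability


def priority_score(note: SecurityNote) -> float:
    """Combine the five factors into one comparable number (higher = sooner)."""
    score = (note.severity
             + 4.0 * note.probability
             + ACCESS_RISK[note.access]
             + COMPLEXITY_RISK[note.complexity]
             + (EXPLOIT_BONUS if note.public_exploit else 0.0))
    if note.component == "KERNEL":
        score += KERNEL_BONUS
    return round(score, 2)


def rank_notes(notes):
    """Installation order: highest score first, note id as a stable tie-breaker."""
    return sorted(notes, key=lambda n: (-priority_score(n), n.note_id))


# Constructed backlog of four pending notes.
SAMPLE_NOTES = [
    SecurityNote("NOTE-A", "SAP_BASIS", 9.8, 0.9, "anonymous", "low", True),
    SecurityNote("NOTE-B", "KERNEL", 7.5, 0.5, "user", "medium", False),
    SecurityNote("NOTE-C", "SAP_BASIS", 4.3, 0.2, "administrator", "high", False),
    SecurityNote("NOTE-D", "SAP_BASIS", 6.5, 0.6, "user", "low", True),
]

if __name__ == "__main__":
    for n in rank_notes(SAMPLE_NOTES):
        print(f"{priority_score(n):5.1f}  {n.note_id:8} {n.component}")
```

With these weights the kernel note (NOTE-B) comes out first even though the anonymous, publicly exploitable NOTE-A has the higher CVSS score; without the kernel bonus the order would flip, which is exactly the trade-off the weights are there to make explicit.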

 

WARNING! Sometimes the vulnerability management processes get mixed up. That is to say, vulnerabilities may be fixed either with a Support Package or with the help of SAP Security Notes, but the two are not synchronized. For instance, a vulnerability fixed by a Support Package will not be shown as implemented in the SAP Security Notes list of the SNOTE transaction.

Threat

As soon as a new security patch appears, the newly fixed vulnerabilities quickly become publicly known; to put it another way, anyone can gain access to their description. Accordingly, if the security patch is implemented only after a long period of time, an adversary gets a chance to exploit those vulnerabilities and gain unauthorized access to sensitive business data.

Solution

It is imperative to perform regular checks for security patch updates. To do that, strictly follow the main patch management process steps (data collection, risk assessment, implementing the security patch, monitoring the result).
Using the SAP Patch Manager (SPAM) offered by SAP, one can download and implement the required Support Packages from the Online Service System (OSS). Note that this applies only to versions 3.0 and higher. To start SPAM, enter the command "SPAM" in the transaction code field.

It is also possible to use the multi-purpose SAP Software Update Manager (SUM) to implement various system updates. The good news is that a demo version of this product is publicly available at the moment [3].

To implement SAP Security Notes, use the SNOTE transaction to get the list of security notes required for a particular system. As mentioned above, these two mechanisms are not synchronized, so it may be necessary to reconcile them manually or with additional third-party tools.

Before proceeding to our next security check let us make a small digression. The thing is we’ve decided to be proactive in terms of information security, thus in addition to major all-purpose checks, each item of our guideline contains a subsection called "Further steps". This subsection gives major instructions on how to further securely configure each particular item.

[EASAI-NA-02] Check for kernel updates

Description

Keep in mind that the SAP system kernel consists of executable files containing SAP Dispatcher, SAP Gateway, SAP Message Server, SAP Router and some other SAP services. For that reason the kernel has its own update mechanism, different from that of other components: kernel updates are released as service packs for a specific kernel type.

To clarify, support packages are cumulative, so they include all previous updates, although sometimes a release contains updates for a certain support package only.

Threat

As soon as a new security patch appears, the newly fixed vulnerabilities quickly become publicly known; to put it another way, anyone can gain access to their description. Accordingly, if the security patch is implemented only after a long period of time, an adversary gets a chance to exploit those vulnerabilities and gain unauthorized access to sensitive business data.

Kernel updates mostly fix highly critical vulnerabilities, and every system has a kernel. So it is crucial that kernel updates have the highest priority and are installed before other components.

Solution

It is imperative to perform regular checks for security patch updates. To do that, strictly follow the main patch management process steps (data collection, risk assessment, implementing the security patch, monitoring the result).

To check the current version of the service pack using SAP GUI, open the Status window from the System menu and click the Other kernel info button (Shift+F5 by default). Information on the latest service pack version is always published on the SAP support portal [4].

The kernel patch referenced by an SAP Security Note is usually downloaded as a directory of system and executable files that replaces the previous files. The Software Update Manager (SUM) utility is also available and facilitates the manual process a lot (refer to the operating manual [5]).

That's it for today's article: we have checked the first critical issue, "patch management flaws", and the two steps relating to it. We hope you like our work and share our urge to promote information security to a higher level.

With this article we are starting a new series of guidelines describing some basic assessment procedures one can carry out on various business applications that would help security professionals to expand their ERP systems’ immunity to attacks.

 

As we all know, ERP systems such as SAP can improve the quality of management of all the information and resources involved in a company's operations.

 

However, while ERP applications improve the way business processes are organized, they may also undermine information security within organizations.


We should not forget how important it is to secure enterprise applications and various ERP systems.

 

Needless to say, the ERP system is at the core of any large company: it deals with all processes critical for the business, such as purchases, payments, logistics, HR, product management and financial planning. All information stored in ERP systems is sensitive, and any unauthorized access to it can cause huge damage, up to business interruption.

 

According to the report [1] by the Association of Certified Fraud Examiners (ACFE), in 2006-2010 organizations' losses caused by internal fraud (IT fraud) amounted to approximately 7% of annual revenue [2].

 

Over the last five years, the widespread myth that ERP security is only a matter of the SOD matrix has been dispelled, and today this belief seems to be history for many people. During that time, SAP security experts have presented many detailed reports on various attacks on internal SAP subsystems:

     — the RFC protocol,
     — the SAP Router access control system,
     — SAP web applications,
     — SAP GUI client workstations, and many others.

 

Interest in this area grows exponentially every year: compared to only 1 report on SAP security [3] in 2006, more than 30 such reports were presented in 2013 at specialized hacking and security conferences. Lately, a number of hacking utilities have been released, which confirms the possibility of attacks on SAP solutions.

 

According to the business application vulnerability statistics [4] and [5], more than one hundred vulnerabilities in SAP products were fixed in 2009, while this figure was more than 500 in 2010. In July 2014 there were more than 3000 SAP Security Notes, i.e. notifications about vulnerabilities in various SAP components.


This entry will give you an overview of what is going to come next, and why it is so important to know about it.


General information


"The Enterprise Application System Vulnerability Assessment Guide" describes the 9 most common business application security areas relating to implementation and operation. This top list was prepared by the authors during vulnerability assessments of multiple business applications and may be applied to any of them. These areas are weighty factors in many emerging threats and related attacks; securing them means being ready to prevent numerous attacks targeted at business applications.

 

This series of posts contains a detailed analysis of the most widespread business application platform, SAP NetWeaver ABAP. During this analysis, 33 key settings were identified and distributed among the 9 areas mentioned above. The posts will show how to protect against the most widespread vulnerabilities in each area and provide further steps for securing all 9 areas.


The top-9 critical areas for business applications

 

Below you can find the list of the Top-9 critical areas for the vulnerability assessment of business applications. They are ranked from 1 to 9 according to their severity and impact on the ERP system, business applications and related security. For this list, 3 main parameters were considered:

 

     1. initial access to exploit the vulnerability;
     2. severity of vulnerability (a potential impact if exploited);
     3. complexity of vulnerability exploitation.

 

This list is the same for all the business applications. In the next chapters, checks for each of these items (specific to the SAP NetWeaver ABAP platform) are described in detail. However, these descriptions are stated in a way to ensure understanding of the basic principles relating to vulnerability assessment for any enterprise application systems.

 

    Critical area                                      Access         Severity   Simplicity
    1. Patch management flaws                          Anonymous      High       High
    2. Default passwords for access to the application Anonymous      High       High
    3. Unnecessary functionality                       Anonymous      High       High
    4. Open remote management interfaces               Anonymous      High       Medium
    5. Insecure settings                               Anonymous      Medium     Medium
    6. Unencrypted connections                         Anonymous      Medium     Medium
    7. Access control and SOD conflicts                User           High       Medium
    8. Insecure trusted connections                    User           High       High
    9. Security events logging                         Administrator  High       Medium

 

The Guide description


Our approach contains 33 steps to securely configure the SAP NetWeaver ABAP platform, distributed among the 9 areas mentioned above.


The authors' aim was to keep this list as brief as possible while still covering the most critical threats in each area. That is the main objective of this Guide: despite the existing best practices from SAP, ISACA and DSAG, our intention was not to create yet another list of issues with no explanation of why a particular issue was or was not included, but to prepare a document that can be used easily, and not only by SAP security experts. The report should also provide comprehensive coverage of all critical areas of SAP security.

 

At the same time, developing the most complete guide would be a never-ending story, as at the time of writing there were more than 7000 security configuration checks for the SAP platform alone, not counting those for role-based access and in-house applications.

 

As a result, each of the 9 areas includes the major checks that must be implemented first and can be applied to any system regardless of its settings and custom parameters. It is also important that these checks are equally applicable to production systems and to test and development systems.

 

In addition to the major all-purpose checks, each item contains a subsection called "Further steps". This subsection gives the main guidelines and instructions on what should be done as the second and third steps, and then on how to further securely configure each particular item. The recommended guidelines are not always mandatory and sometimes depend on the specific SAP solution. With this approach the authors were able, on the one hand, to highlight the key security parameters for a quick assessment of any SAP solution (from the ERP to the Solution Manager or an Industry Solution) based on the NetWeaver ABAP platform and, on the other hand, to cover all issues and give complete recommendations on them.

 

In terms of quality, this makes the present Guide different from the SAP best practices, which also contain only a few items but do not cover the overall picture, as well as from the best practices by ISACA and DSAG, which have many items but unclear priorities and are too complicated for a first step (though these papers are highly valuable and necessary).

 

33 steps to security


So, here it is: our list of the most critical checks for SAP NetWeaver ABAP-based systems.


1. Patch management flaws
[EASAI-NA-01] Check for components update (SAP Security Notes)
[EASAI-NA-02] Check for kernel updates


2. Default passwords for access to the application
[EASAI-NA-03] Default password check for a SAP* user
[EASAI-NA-04] Default password check for the DDIC user
[EASAI-NA-05] Default password check for the SAPCPIC user
[EASAI-NA-06] Default password check for the TMSADM user
[EASAI-NA-07] Default password check for the EARLYWATCH user


3. Unnecessary functionality
[EASAI-NA-08] Access to the RFC-function via the SOAP interface
[EASAI-NA-09] Access to the RFC-function via the form interface
[EASAI-NA-10] Access to the Exchange Infrastructure (XI) via the SOAP interface


4. Open remote management interfaces
[EASAI-NA-11] Unauthorized access to the SAPControl (SAP MMC) service functions
[EASAI-NA-12] Unauthorized access to the SAPHostControl service functions
[EASAI-NA-13] Unauthorized access to the Message Server service functions
[EASAI-NA-14] Unauthorized access to the Oracle DBMS


5. Insecure settings
[EASAI-NA-15] Minimal password length
[EASAI-NA-16] Number of invalid logon attempts before the user account lock out
[EASAI-NA-17] Password compliance with the security policies in place
[EASAI-NA-18] Access control settings for RFC-service (reginfo.dat)
[EASAI-NA-19] Access control settings for RFC-service (secinfo.dat)


6. Access control and SOD conflicts
[EASAI-NA-20] The check for SAP_ALL profile accounts
[EASAI-NA-21] The check for accounts that may start any programs
[EASAI-NA-22] The check for accounts that may modify USH02 table
[EASAI-NA-23] The check for accounts that may execute OS commands
[EASAI-NA-24] Check for disabled authorizations


7. Unencrypted connections
[EASAI-NA-25] The SSL encryption to protect HTTP connections
[EASAI-NA-26] The SNC encryption to protect the SAP GUI client connections
[EASAI-NA-27] The SNC encryption to protect RFC connections between systems


8. Insecure trusted connections
[EASAI-NA-28] RFC connections that store user authentication data
[EASAI-NA-29] Trusted systems with low security level


9. Logging of security events
[EASAI-NA-30] Logging of security events
[EASAI-NA-31] Logging of HTTP requests
[EASAI-NA-32] Logging of table changes
[EASAI-NA-33] Logging of SAP Gateway activities
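As an added example (not code from the guide or from SAP), the following Python script shows what the "Insecure settings" checks EASAI-NA-15 to EASAI-NA-19 look like when automated: it parses a profile in the DEFAULT.PFL style and a gateway ACL in the secinfo/reginfo style, then compares them with a policy. The profile parameters used are the standard SAP login/* parameters; the thresholds, the sample profile and the sample ACL are constructed assumptions, not values taken from the guide.

```python
"""Evaluate a few 'Insecure settings' checks against an SAP profile and gateway ACL.

Added example, not part of the original post. It parses a DEFAULT.PFL-style
profile (param = value, '#' comments) and a secinfo/reginfo-style ACL, then
applies checks of the kind the post lists as EASAI-NA-15 to EASAI-NA-19.
The POLICY thresholds and both sample files are assumptions, not guide values.
"""
import re

# Assumed policy thresholds (not from the guide): (mode, expected value).
POLICY = {
    "login/min_password_lng": ("min", 8),
    "login/fails_to_user_lock": ("max", 5),
    "login/password_compliance_to_current_policy": ("eq", "1"),
}

# Constructed sample profile, deliberately weak on two parameters.
SAMPLE_PROFILE = """\
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = XYZ
login/min_password_lng = 6
login/fails_to_user_lock = 12
login/password_compliance_to_current_policy = 1
"""

# Constructed sample gateway ACL (secinfo/reginfo style): 'P' permits, 'D' denies.
# A permit line with HOST=* allows any host, which is what the ACL checks look for.
SAMPLE_ACL = """\
#VERSION=2
P TP=* HOST=internal
P TP=* HOST=*
D TP=* HOST=*
"""


def parse_profile(text):
    """Return {parameter: value} from 'param = value' lines, ignoring '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def check_profile(params):
    """Compare profile parameters against POLICY; return a list of findings."""
    findings = []
    for name, (mode, expected) in POLICY.items():
        actual = params.get(name)
        if actual is None:
            findings.append(f"{name}: not set (default applies)")
        elif mode == "min" and int(actual) < expected:
            findings.append(f"{name}={actual}: below minimum {expected}")
        elif mode == "max" and int(actual) > expected:
            findings.append(f"{name}={actual}: above maximum {expected}")
        elif mode == "eq" and actual != expected:
            findings.append(f"{name}={actual}: expected {expected}")
    return findings


def check_gateway_acl(text):
    """Flag permit ('P') ACL lines whose HOST value contains a wildcard."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.startswith("P "):
            continue
        host = dict(re.findall(r"(\w+)=(\S+)", line)).get("HOST", "")
        if "*" in host:
            findings.append(f"line {lineno}: permit rule with HOST={host}")
    return findings


if __name__ == "__main__":
    for finding in check_profile(parse_profile(SAMPLE_PROFILE)) + check_gateway_acl(SAMPLE_ACL):
        print(finding)
```

Run against the constructed sample it reports the short password length, the high lock-out threshold and the wildcard permit rule; point it at your own profile and ACL files instead of the embedded strings to use it for real.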

 

As you can see, the guide is not as enormous as it could have been, given the complexity of the topic. We tried to make the guide to security assessments as clear as possible for you.

 

Stay in touch with us: next week we'll come back with a new article where the guideline will reappear in all its glory, with a detailed explanation of each step.

SAP has released the monthly critical patch update for April 2015. This patch update closes a lot of vulnerabilities in SAP products. Most of them are potential information disclosure vulnerabilities.

 

The most critical issues found by other researchers

Some of our readers and clients asked us to categorize the most critical issues to patch them first. So, the most critical issues of this update can be patched by the following SAP Notes:

2067830: SAP Web Dynpro Java has an Implementation Flaw (CVSS Base Score: 5.8). An attacker can upload a malicious file to a system when the virus scanner is not configured correctly. It is recommended to install this SAP Security Note to prevent risks.

2094830: SAP Sybase Unwired Platform Online Data Proxy has an Information Disclosure vulnerability (CVSS Base Score: 4.7). An attacker can use Information Disclosure to learn additional information (system data, debugging information, etc.) which will help them plan other attacks. It is recommended to install this SAP Security Note to prevent risks.

2084037: SAP NetWeaver RFC SDK has an Information Disclosure vulnerability (CVSS Base Score: 4.3). An attacker can use Information Disclosure to learn additional information (system data, debugging information, etc.) which will help them plan other attacks. It is recommended to install this SAP Security Note to prevent risks.

Visit us in Orlando and learn about SAP's security offerings and strategy.

 

 

We'll be there with a booth as well as a number of lectures, demos, and discussion forums around various security features.

 

One of the focus topics this year is preventing cyber attacks: Come to one of our demos to see how our new SAP Enterprise Threat Detection product can help you safeguard your organization. Compliant identity and access management is on the agenda as well as an overview of our current security functionality, cloud security, best practices, and an outlook into planned enhancements in a roadmap session.

Presenters range from SAP experts to savvy customers and partners providing an insight into their implementations.

 

Sapphire Now and the ASUG Conference run from May 5-7 in the Orange County Convention Center in Orlando, Florida.

 

We look forward to seeing you there!


To register, stay informed, and build your agenda, visit http://events.sap.com/sapandasug/en/home

April 17, 2015 – As part of its monthly updates, Microsoft released security update MS15-034, which closes a vulnerability in the HTTP.sys driver that enables an attacker to execute arbitrary code on the OS remotely.

This update is rated critical, as almost every modern version of the Microsoft operating systems (Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2) is vulnerable.

We think it is necessary to report this kind of vulnerability because some SAP products use the IIS web server and are therefore also vulnerable to this issue.

At least the following SAP components and modules could be threatened:

  • SAP Afaria
  • SAP TREX
  • SAP Content Server
  • SAP DB Web Tools.

 

To compromise a system, an attacker only has to send a specially crafted HTTP request to a vulnerable server.

The vulnerability is improper processing of the HTTP "Range" header in the function HTTP!UlpParseRange; the resulting integer overflow allows an attacker to execute arbitrary code in the OS.

To secure your systems you must install the Microsoft security update.

To check whether your systems are vulnerable, you can use the following script.

As our mission is to close the gap between technical and business security, we constantly monitor important news about the security of business applications so that our customers are always warned about the latest developments in this sphere.

Mobile devices are actively integrated into business processes. Companies have more and more business applications and mobile devices. Employees increasingly bring their own equipment to the workplace (BYOD policy – Bring Your Own Device) and gain access to critical corporate information.

SAP Mobile Platform (or SMP, formerly called Sybase Unwired Platform, or SUP) is a MEAP (Mobile Enterprise Application Platform) solution. SMP is used for monitoring and controlling applications which are installed on mobile phones and have access to business data. The main goal of SMP is providing business data to mobile devices with enterprise security. Platform capabilities allow users to work with data from SAP business applications using mobile applications both online and offline. This data can be accessed through all modern mobile devices. Android, Blackberry, iPhone / iPad and Windows / Windows Mobile devices are used by end users. Installed client applications are connected to SMP. These programs can be found on Play Market, Apple Store, or Windows Store.

The SMP security service supports secure connections using SSL between app and server. Data on the device or in transit can be encrypted using a user-supplied key. It supports authentication, authorization, access control for various apps and roles, single sign-on, security audit logging etc. to provide end-to-end security from the device to the platform.

To further secure access, Mobile Device Management software should be used. All of the security functionality from device to SMP, such as SSL, authentication, authorization, and single sign-on, is provided along with device management, app configuration, and device data security. SMP works with any MDM provider besides Afaria/Mobile Secure for mobile device management.

SMP is also a platform for development. This platform includes tools for rapid development of client applications for various platforms and much more, but let’s focus on risks first.

Risks associated with attacks on SAP Mobile Technology

Risks related to business applications usually include espionage, sabotage, and fraud. Some of the potential risks for SAP Mobile Platform if somebody finds vulnerabilities in this platform and exploits them are provided below:

  • (ESPIONAGE/FRAUD). Unauthorized Access to business applications, such as ERP, CRM, BI, by hacking SAP Mobile platform. SMP can be considered a “proxy” for access to business systems. Usually, mobile devices and mobile applications, especially from 3rd parties, are for security reasons not allowed to connect directly to ERP but use SMP instead. If a cybercriminal is able to get access to SMP, they will be able to get almost direct access to mission-critical systems inside the company, such as ERP, SCM, BI, and others.
  • (ESPIONAGE). Access to critical data stored on mobile devices, such as personal data (SSN), personal healthcare data (PHI), credit card data (PCI). Unauthorized access to this data can turn into a data breach if somebody exploits this vulnerability against multiple mobile devices, or into a targeted attack against high-level executives from commerce, government, or military.
  • (SABOTAGE/FRAUD). Modification of critical data stored or presented on mobile devices. Some vulnerabilities may allow changing critical data stored on a mobile device, or show fake data by means of a Man-in-the-Middle attack. Imagine what will happen if a nurse sees the wrong results, executives get modified information about financial results from a BI system, warehouse logistics employees will be informed about the lack of goods in stock, and many other examples.
  • (SABOTAGE). Denial of Service attacks on SAP Mobile Infrastructure. Imagine that nobody will be able to connect to the latest business data via a mobile device. This risk is especially critical due to the reason that mobile access is mostly used by C-level executives to analyze the latest dashboards. Also, mobile devices can be used in a warehouse, so the entire supply chain can be deactivated with a simple DoS attack.

 

Vulnerabilities identified by ERPScan researchers

Now let’s see how real the listed risks are and if there are vulnerabilities which can be exploited to prove that those risks exist. We found multiple vulnerabilities in SAP Mobile Technology including SAP Mobile Platform, SAP Mobile Applications, and SAP Afaria MDM. We will now show 4 of them, which were recently patched by SAP. Each of them is associated with a particular risk described in the previous section. The first two vulnerabilities are server-side and the last two are client-side.

  • Sabotage attack example. SAP Mobile Platform uses Sybase SQL Anywhere as the database. An attacker can use a special request to crash the Sybase SQL Anywhere database server resulting in a denial of service.
    Advisory
    Vulnerability reported: 09.12.2014
    Vendor response: 10.12.2014
    Date of Public Advisory: 15.03.2015
    Defense: SAP Note 2108161
  • Vulnerability in SAP Mobile Platform Portal page. An XXE (XML External Entity) vulnerability allows multiple attack vectors. First of all, XXE can be used for a Denial of Service attack on Portal, which would make impossible all interactions between mobile devices and ERP system or any other mission-critical application. Secondly, it is possible to get access to the file system and potentially get full control over the server. Sometimes, access to business systems is provided to 3rd parties or subcontractors only via SAP Mobile, so they can use this XXE vulnerability to obtain broader and direct access to ERPs or other mission-critical systems. Then they may proceed to espionage, sabotage, and fraud attacks against SAP ERP using vulnerabilities in SAP ERP, and there are plenty of them there according to our report.
    Advisory
    Vulnerability reported: 29.12.2014
    Vendor response: 30.12.2014
    Date of Public Advisory: 15.03.2015
    Defense: SAP Note 2125513
  • Espionage attack example. Critical healthcare information disclosures in the SAP EMR Unwired application for Android. Google store indicates that the number of installations is 1000-5000. SAP EMR Unwired allows doctors and nurses to get up-to-date information of all patients, including findings and charts, view X-ray and CT images (non-diagnostic quality images), clinical orders, risk factors, demographics, lab results, patients’ latest vital signs, progress notes, DRG, diagnoses, procedure codes, etc. The app connects to clinical back-end systems, including hospital information and imaging systems (PACS), and displays the patient’s data in a clear and easy-to-read format on the Android device (information from the app description in Android store). An unauthorized access vulnerability in the mobile application allows attackers to get access to short-lived temporary documents. To exploit this kind of vulnerability, you need to upload a malicious app to the victim’s phone. Normally, you can’t get access to an application from another one without a local privilege escalation exploit.
    Advisory
    Vulnerability reported: 20.04.2013
    Vendor response: 21.04.2013
    Date of Public Advisory: 16.11.2013
    Defense: SAP Note 1864518
  • Sabotage/Espionage. Vulnerability in the SAP EMR Unwired application for Android. It is possible to reconfigure this application so that it will connect to a malicious server. The threat exists only if the user confirms the settings changes, but the attacker can show this confirmation window infinitely until they click OK. Thus, it will be possible to send fake medical data into the mobile application so nurses will receive wrong information about the patient’s health and assign the wrong course of treatment. This can lead to unpredictable damage for patients.
    Advisory
    Vulnerability reported: 20.04.2013
    Vendor response: 21.04.2013
    Date of Public Advisory: 15.02.2015
    Defense: SAP Note 2117079
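The XXE item above depends on an XML consumer that honours a DOCTYPE declaration. As an added example (not code from SAP or from the advisory), here is the defensive side: an XML endpoint that rejects any document declaring a DTD before the real parser sees it, using only Python's standard library. The sample documents are constructed; the entity in the rejected sample is a harmless internal one, because the point is that no DOCTYPE at all is accepted.

```python
"""Refuse XML that declares a DTD before handing it to a parser.

Added example, not code from SAP or from the advisory. The XXE class the post
describes needs a parser that processes a DOCTYPE with entity declarations;
rejecting every DOCTYPE up front removes that capability regardless of the
downstream parser's defaults. Sample documents below are constructed.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """Raised when the input declares a DTD (and therefore may declare entities)."""


def reject_dtd(xml_bytes):
    """Scan the document with expat and raise as soon as a DOCTYPE appears."""
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE '{name}' declared; DTDs are not accepted")

    scanner = xml.parsers.expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = on_doctype
    scanner.Parse(xml_bytes, True)   # handler exceptions propagate out of Parse


def parse_untrusted(xml_bytes):
    """Return the root element, or raise DtdNotAllowed / ET.ParseError."""
    reject_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


def classify(xml_bytes):
    """Summarise the outcome as 'ok', 'dtd-rejected' or 'malformed'."""
    try:
        parse_untrusted(xml_bytes)
        return "ok"
    except DtdNotAllowed:
        return "dtd-rejected"
    except (ET.ParseError, xml.parsers.expat.ExpatError):
        return "malformed"


# Constructed sample inputs.
BENIGN = b"<request><user>alice</user></request>"
WITH_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE request [ <!ENTITY greet "hello"> ]>
<request><user>&greet;</user></request>"""
MALFORMED = b"<request><user>alice</request>"

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("with DTD", WITH_DTD), ("malformed", MALFORMED)):
        print(f"{label}: {classify(doc)}")
```

The pre-scan costs a second pass over the input, which is acceptable for request-sized documents; the benefit is that the decision does not depend on which XML library, or which version of it, ends up parsing the payload.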

What's New?

 

We have just finished recording a number of video tutorials for the SAP HANA Academy on SAP Cloud Identity service, a cloud solution for identity lifecycle management for SAP HANA Cloud Platform applications and optionally for on-premise applications.


Complete playlist: SAP Cloud Identity - YouTube


SAP Cloud Identity provides a number of security related services:

  • authentication
  • single sign-on
  • on-premise integration
  • self-services such as registration or password reset


Target use-case scenarios for SAP Cloud Identity services are:

  • employees (B2E)
  • customer partners (B2B)
  • consumers (B2C)

 

For features and functions, see the SAP Cloud Identity service release note: SAP Cloud Identity Service.

 

For more information about SAP Cloud Identity service, see

 

Introduction

 

In the first video, we provide a brief introduction to the SAP Cloud Identity services.

 

 

Operations: Administration Console

 

The next video provides an overview of the Administration Console

 

 

Operations: SAML Trust

 

The next video shows how to configure SAML trust between service provider and identity provider.

 

 

Operations: Configure Forms

 

The next video shows how to configure forms for registration and upgrade.

 

 

Operations: Password Policy

 

The next video shows how to configure a password policy.

 

 

Operations: Terms of Use and Privacy Policy

 

The next video discusses how to configure a custom Terms of Use document and Privacy Policy document.

 

 

Operations: Branding

 

The next video shows how to configure application branding.

 

 

Operations: Social Sign-On

 

The next video shows how to configure social sign-on.

 

 

Thank you for watching

 

You can view more free online videos and hands-on use cases to help you answer the What, How and Why questions about SAP HANA and the SAP HANA Cloud Platform on the SAP HANA Academy at youtube.com/saphanaacademy, follow us on Twitter @saphanaacademy, or connect with us on LinkedIn.

With SAP NetWeaver Application Server ABAP 7.40 SP8 it is possible to activate encrypted and authenticated communication between the SAP NetWeaver AS ABAP server components. This security measure is very easy to configure and makes it possible to replace the ACLs that have been used so far to secure the communication between server components. (For the ACL configuration see for example the SAP Help documentation; it is not explained in this blog.)


IMPORTANT: The functionality is currently in a pilot phase. Interested customers should check SAP Note 2040644 for current limitations.


Use Cases

There are several options to secure the communication between the ABAP server components. One possibility is to secure the network segment where the server components reside, to ensure that they cannot be reached from outside the segment. It is still possible to use the ACLs.

The new option makes it possible to encrypt and authenticate the traffic between the system components with SSL.


How it works

During the first system restart after the activation of the secure server communication, the SAP Start Service sets up a certificate infrastructure (a system internal PKI). All instances of the SAP NetWeaver AS for ABAP server are integrated into the PKI and receive an instance specific certificate with private key that they can use to authenticate and to encrypt their system internal communication with other system instances.

  • The certificates are automatically renewed.
  • The root PSE file is stored in the secure store of the file system.
  • All other instance PSE files are encrypted with a PIN that is stored in the secure store of the file system as well.

After the setup of the PKI, all communication between system instances uses SSL for encryption and authentication.

 

Keep in mind: this encryption is only active for the system-internal communication. All external communication, for example RFC communication with external RFC servers, is NOT encrypted unless it is secured separately via SNC or SSL. The trust of the system PKI can only be used internally within the system.

 

Overview: Secured connections between application server components with activated Secure Server Communication

 

[Figure communications.jpg: connection diagram, colour-coded as in the list below]

  • The "red" connections are encrypted via Secure Server Communication and the internal PKI
  • The "green" connections are external HTTP communications that can be secured using SSL
  • The "blue" connections are external RFC communications that can be secured using SNC
  • The "black" connections are connections to the Message Server. They are used to gather the list of application servers.
  • The "violet" connections are local host-internal
  • The "yellow" internal ICM communication can be secured as described in the SAP Help Documentation.

  • The connections that are described with a circle (ICM and GW) are internal RFC or HTTP communications between these components.

 

Limitations and Possible Incompatibilities

  • The usage of SSL results in a higher CPU consumption and a modest performance impact (~1%)
  • For ABAP servers with a high load of internal RFC communication the performance impact can be higher.
  • If customer components address a server component via an internal port, this is no longer possible, as external components cannot be part of the internal PKI infrastructure. External components now necessarily need to communicate over the external ports. All external SAP components use the external ports as well, for example GWMON, MSMON, DPMON or LGTST.
  • For the SAP tool SAPEVT please check SAP Note 2000417


Configuration

  1. Stop all instances of the system (including e.g. ASCS, ERS), using e.g. SAP MMC ("Stop..." context menu on the system node) or the command line tool: "sapcontrol ... -function StopSystem".

  2. Add the following profile parameter to the default profile DEFAULT.PFL of the system: system/secure_communication = ON

    It is also possible to use the value "BEST" instead of "ON". If BEST is used and for some reason a server component is unable to communicate via SSL, unencrypted communication is possible as a fallback mechanism, without an error. All other communications remain encrypted via SSL.

  3. Restart the Start Services of all instances of the system, using e.g. SAP MMC ("All Tasks->Restart Service" context menu for each instance) or the command line tool: "sapcontrol ... -function RestartService".

  4. Start the system, using e.g. SAP MMC ("Start..." context menu on the system node) or the command line tool: "sapcontrol ... -function StartSystem ALL".

  5. Verify that all instances are displayed "green" in SAP MMC or in "sapcontrol ... -function GetSystemInstanceList".

 

In transaction SM51 you will see that SSL is now used:

 

[Figure sm51.jpg: transaction SM51 showing SSL in use for the server connections]

 

See also the SAP Help Documentation.

 

Troubleshooting

 

IMPORTANT: The parameter system/secure_communication can be safely switched back to the OFF position without harming the system.

 

Using the command line tool "sapcontrol"

 

Checking the system status with "sapcontrol"


It is possible to check the usability of the system PKI with "sapcontrol" without changing anything in the system. To do this, use:


      sapcontrol -nr <NR> -systempki <Profile> [-host <HOST>] [-debug] -function AccessCheck Stop

 

Remarks:

  • Result: you should get an "AccessCheck OK" if no error is found.
  • The parameter <Profile> needs to contain the profile of a local instance.
  • With the parameters "-nr" and "-host" the connection to every system instance using the system PKI can be tested.
  • The parameter "-debug" enables tracing of the SSL handshake.
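A way to verify the configuration steps (the DEFAULT.PFL parameter from step 2 and the all-GREEN instance list from step 5) together with the AccessCheck result from this section, as an added example that is not SAP's code: the script below reads the parameter from a profile and interprets saved "sapcontrol" output. The sapcontrol output layout it assumes (an optional timestamp line, the function name, "OK", then a comma-separated header and one row per instance) and all host names, ports and timestamps are constructed; adapt the parser if your release prints a different layout.

```python
"""Verify a Secure Server Communication rollout from the artefacts the post names.

Added example, not SAP's own code. It reads system/secure_communication from a
DEFAULT.PFL-style profile, parses 'sapcontrol -function GetSystemInstanceList'
output to confirm every instance is GREEN, and interprets the AccessCheck result.
The sapcontrol output layout assumed here (optional timestamp line, function
name, 'OK', then a comma-separated header and one row per instance) and all
host names, ports and timestamps are constructed sample data.
"""
import re

# Constructed DEFAULT.PFL fragment with the parameter from step 2 of the post.
SAMPLE_PROFILE = """\
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = XYZ
system/secure_communication = ON
"""

# Constructed GetSystemInstanceList output; one instance is deliberately not GREEN.
SAMPLE_INSTANCE_LIST = """\
19.04.2015 10:00:00
GetSystemInstanceList
OK
hostname, instanceNr, httpPort, httpsPort, startPriority, features, dispstatus
sapascs, 1, 50113, 50114, 1, MESSAGESERVER|ENQUE, GREEN
sapapp1, 0, 50013, 50014, 3, ABAP|GATEWAY|ICMAN|IGS, GREEN
sapapp2, 2, 50213, 50214, 3, ABAP|GATEWAY|ICMAN|IGS, YELLOW
"""


def secure_communication_mode(profile_text):
    """Return the value of system/secure_communication (ON/BEST/OFF) or None if unset."""
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0]          # strip trailing comments
        m = re.match(r"\s*system/secure_communication\s*=\s*(\w+)", line)
        if m:
            return m.group(1).upper()
    return None


def sapcontrol_payload(output, function):
    """Return the lines after '<function>' / 'OK'; raise ValueError if the call failed."""
    lines = [l.strip() for l in output.splitlines() if l.strip()]
    if function not in lines:
        raise ValueError(f"no '{function}' section in output")
    i = lines.index(function)
    if i + 1 >= len(lines) or lines[i + 1] != "OK":
        raise ValueError(f"{function} did not return OK")
    return lines[i + 2:]


def parse_instance_list(output):
    """Return [(hostname, instanceNr, dispstatus), ...] from GetSystemInstanceList output."""
    payload = sapcontrol_payload(output, "GetSystemInstanceList")
    header = [h.strip() for h in payload[0].split(",")]
    wanted = [header.index(c) for c in ("hostname", "instanceNr", "dispstatus")]
    rows = []
    for row in payload[1:]:
        cols = [c.strip() for c in row.split(",")]
        rows.append(tuple(cols[i] for i in wanted))
    return rows


def instances_not_green(output):
    """Step 5 of the post: every instance must be GREEN; return those that are not."""
    return [r for r in parse_instance_list(output) if r[2] != "GREEN"]


def access_check_ok(output):
    """True when 'sapcontrol ... -function AccessCheck Stop' reported OK."""
    try:
        sapcontrol_payload(output, "AccessCheck")
        return True
    except ValueError:
        return False


def rollout_report(profile_text, instance_list_output):
    """Combine the checks into a list of problems; an empty list means the rollout looks complete."""
    problems = []
    mode = secure_communication_mode(profile_text)
    if mode not in ("ON", "BEST"):
        problems.append(f"system/secure_communication is {mode or 'not set'}")
    elif mode == "BEST":
        problems.append("mode BEST allows silent fallback to unencrypted communication")
    for host, nr, status in instances_not_green(instance_list_output):
        problems.append(f"instance {host}/{nr} is {status}")
    return problems


if __name__ == "__main__":
    for problem in rollout_report(SAMPLE_PROFILE, SAMPLE_INSTANCE_LIST):
        print(problem)
    print("AccessCheck OK" if access_check_ok("AccessCheck\nOK\n") else "AccessCheck failed")
```

Reporting BEST as a finding is a deliberate choice: the post notes that BEST falls back to unencrypted communication without an error, so a system left in that mode can look fully configured while some connections are still in the clear.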

 

Reset the System PKI with "sapcontrol"

 

In general it should not be necessary to reset the PKI, as the whole certificate lifecycle is triggered automatically. If you ever want to enforce it, "sapcontrol" provides 2 web service methods that are also used by the system internally to maintain the PKI:

  • UpdateSystemPKI [<force>]       Updates the whole system PKI
  • UpdateInstancePSE [<force>]     Updates an instance PSE

With force=0 (the default value) the update is only performed when the system considers it necessary; with force=1 the update is enforced.

 

ABAP check reports

 

To check the internal PKI, some ABAP check reports exist that can be executed in SE38. They should not show any error messages:

  • SSFPKITEST1      Checks the system PKI (root and instance PSE)
  • SSFPKITEST2      Checks a remote application server of the system
  • SSFPKITEST3      Shows the certificate and the certificate list of the application server

 

Useful information for SAP Support

 

If you need help from SAP Support, the following information is helpful for analyzing problems with the system PKI:

  • Secure store files in $(rec/ssfs_datapath)
  • If available secure store key files in $(rec/ssfs_keypath)
  • The Instance PSEs of all instances: $(DIR_INSTANCE)/sec/sap_system_pki_instance.pse
