SAP Security and the Risk to the Value Chain

There is a lot of discussion in risk management circles on how risks within the value chain can often be ignored. Paul Proctor, Vice President of Research at Gartner, recently presented a webcast titled “Digital Business and the CIO’s Relationship with Risk.” He indicates:

“If businesses start to address risks within the value chain, they will become more competitive, grow faster and add value to the business decision makers.”

Take a moment and think about how SAP supports an organization’s value chain. Organizations use SAP to track and manage, in real time, sales, production, financial accounting and human resources across the enterprise.

Specific examples include:

  • Finance: General Ledger (GL), Accounts Payable (AP), Accounts Receivable (AR) and Asset Accounting.
  • Controlling: Cost Center Accounting, Profit Center Accounting (PCA), Product Costing, Profitability Analysis and Internal Orders (IO).
  • Sales and Distribution: Customer master data, sales, plants, sales organizations and sales conditions.
  • Human Resources: Hiring, salary, employee benefits etc. It is highly integrated with the finance and controlling (FICO) modules.
  • Project Systems: Budgeting, planning, forecasting.

Industrial Value Chain via http://practicalanalytics.wordpress.com/

Other key systems such as email, web front-end apps and Microsoft applications also support the value chain, and they are the focus of many traditional perimeter and archaic security technologies. However, though these systems are important, are they as critical to the value chain as SAP?

Analyzing SAP Security Notes November 2014

SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases most of its new Security Notes on the second Tuesday of every month. Because this regular disclosure of new security issues could weaken the security of SAP systems within an organization, it is highly recommended to carry out periodic assessments at least monthly.

At Onapsis we are very concerned about our clients’ SAP system security and the state of SAP security in general, so to assist our customers we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to provide SAP clients with detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide their testing of these systems within their organization.

This month SAP published an unusually large number of Security Notes: 86 in total (65 Support Package Notes and 21 Patch Day Notes). This was mostly due to a new feature that enhances the security management of RFC functions, and to fixes for missing authority check vulnerabilities.

The plot illustrates the distribution of CVSS scores across the Security Notes released in November. Only the notes for which SAP assigned a CVSS score were taken into account (14 out of the 86 SAP Security Notes). As you can observe in the graph, this month’s SAP Security Notes range from 3.5 to 10.0, with a median of 6.

Switchable authorization checks and callback whitelists: A note on RFC security

This week SAP published, alongside the monthly SAP Notes, a paper titled Securing Remote Function Calls (RFC), which outlines best practices for configuring the different RFC security features. In this post we will focus on two of the newest features in the paper:

  • Switchable Authorization Checks
  • RFC Callback White-lists

Switchable Authorization Checks

This new concept addresses a common problem when implementing SAP Notes or Support Packages, as stated on page 19 of the document:

Authorization checks that are newly introduced in existing RFC function modules through SAP Notes or through support packages can interrupt business-critical system communication if legitimate users do not have the newly introduced authorization.

To enable a nondisruptive evolution of authorization checks, SAP introduced switchable authorization checks in all software systems based on SAP NetWeaver AS for ABAP 7.0 and higher.

When an action is executed, let’s say through a transaction, the system first checks that the user is authorized for the transaction code via the authorization object S_TCODE; then, inside the transaction, the code should check the specific authorization objects related to the action being executed.

Likewise, when an action is executed through an RFC function, something similar happens. In this case the system checks the authorization object S_RFC instead of S_TCODE (this behaviour is controlled by the profile parameter auth/rfc_authority_check), and the function module should additionally check the specific authorization objects related to the action being executed.

For example:

5 Questions CISOs Should Ask About SAP Security

Over the last few weeks, Adrian Lane, CTO & Analyst from Securosis, a leading cyber-security analyst firm, published two blog posts from his ongoing series called “Building an Enterprise Application Security Program.” In his current posts, Adrian describes how key business applications running on SAP and Oracle have security and compliance gaps that are not covered by traditional security measures.

This is a problem that tends to be overlooked by many organizations. In the second blog post Adrian outlines the critical need for enterprise application security by presenting analysis of key use cases. These include compliance, transaction verification, usage of sensitive information, potential security threats from both inside and outside an organization, and the necessary changes to management and policy enforcement.

In the blog Adrian states:

“None of these drivers are likely to surprise you. But skimming the top-line does not do the requirements justice – you also need to understand why enterprise applications offer different challenges for data collection and analysis, to fully appreciate why off-the-shelf security tools leave coverage gaps.”

This statement had me thinking… a majority of the current problem around SAP security stems from a lack of understanding around why it’s critical to implement new, more adaptive security solutions. Since joining Onapsis I’ve engaged with many of my friends in the cyber-security industry and have found that most CISOs and their teams do not have visibility into their SAP infrastructure, nor do they understand how connections are set up between their SAP systems. There is truly a lack of insight into what SAP teams are doing to solve security issues. I have also found that when leaders in security ask their SAP counterparts in IT, they receive “old school” security answers like – “We have it covered as we use SAP GRC for access controls and separation of duties measures.”

Logging IP addresses in the Security Audit Log

Hi! I was reviewing some events coming from the Security Audit Log and noticed an interesting behavior.

For those who have never heard of it, the Security Audit Log (a.k.a. SAL) allows SAP security administrators to keep track of the activities performed in their systems. In a future post we will discuss how to enable and configure it.

By default the SAL facility records a “Terminal Name” as the source of each event. This is the terminal name reported by the computer that performed the logged action; if no terminal name value is sent, the IP address of the computer performing the action is recorded instead.
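Because that one field can hold either a client-reported name or an IP address, it helps to normalise it before analysing events. The script below is an added example that is not part of the post: it classifies the field and groups events per user by source. The record layout, user ids and addresses are constructed for illustration and are not the real SAL file format.

```python
# Added example: normalise the SAL "Terminal Name" field, which holds either
# a client-reported terminal name or, when none was sent, the client's IP.
# The record layout below is a constructed simplification, not SAP's format.
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample records: (timestamp, user, terminal field, event text)
SAMPLE_RECORDS = [
    ("2014-11-12 09:01:05", "JDOE", "WS-FINANCE-07", "Logon successful"),
    ("2014-11-12 09:02:44", "JDOE", "10.0.5.23", "RFC logon successful"),
    ("2014-11-12 09:03:10", "BATCH", "", "Report started"),
    ("2014-11-12 09:05:31", "ADMIN", "2001:db8::10", "Logon successful"),
    ("2014-11-12 09:06:02", "JDOE", "ws-finance-07", "Transaction started"),
]


def classify_terminal(field: str) -> Tuple[str, str]:
    """Return ('ip', addr) when the field is an IP literal (the fallback used
    when the client sent no terminal name), ('name', NAME) for a client-supplied
    terminal name, or ('empty', '') when nothing was recorded."""
    value = field.strip()
    if not value:
        return ("empty", "")
    try:
        return ("ip", str(ipaddress.ip_address(value)))
    except ValueError:
        # Terminal names are chosen by the client, so fold case for grouping
        # and treat them as a hint about the source, not as a verified identity.
        return ("name", value.upper())


def sources_per_user(records: List[Tuple[str, str, str, str]]) -> Dict[str, Counter]:
    """Group events by user and by normalised source, so the same user showing
    up under both a terminal name and an IP address becomes visible."""
    per_user: Dict[str, Counter] = {}
    for _ts, user, terminal, _event in records:
        kind, value = classify_terminal(terminal)
        per_user.setdefault(user, Counter())[(kind, value)] += 1
    return per_user


if __name__ == "__main__":
    for user, sources in sources_per_user(SAMPLE_RECORDS).items():
        print(user, dict(sources))
```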

Analyzing SAP Security Notes October 2014 Edition

UPDATE (November 4, 2014): Note 2043404 has been re-released with an updated priority. The priority was increased from medium to very high. The new CVSS score for this Note is 9.3 (AV:N/AC:M/AU:N/C:C/I:C/A:C).

SAP is a complex and ever-changing system. Between changes introduced to your SAP implementation to improve your business and the application of Security Notes (patches) to mitigate newly disclosed vulnerabilities, SAP is constantly evolving.

In order to provide a scheduled flow of vulnerability mitigation information and security patches, SAP releases the majority of new Security Notes on the second Tuesday of each month. Because of this regular disclosure of security alerts warning against potentially harmful issues, it is highly recommended to carry out periodic assessments at least monthly, to ensure that the existing security of your SAP systems does not become weakened.

At Onapsis, we’re very concerned about our clients’ SAP system security, as well as the state of SAP security in general. In order to best assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to provide SAP clients with comprehensive information about the newly released notes and the vulnerabilities affecting SAP systems, and to help guide testing of these systems within their organization.

This month 34 SAP Security Notes were published by SAP (11 Support Package Notes and 23 Patch Day Notes). Additionally, there were changes in how SAP communicates vulnerabilities reported by external security researchers, as it previously wasn’t clear which notes were externally reported.

Five of the vulnerabilities fixed this month were discovered by members of the Onapsis Research Labs:

Here you have a plot illustrating the distribution of CVSS scores of the Security Notes released in October. Only the notes for which SAP assigned a CVSS score were taken into account (19 out of the 34 SAP Security Notes). As you can observe in the graph, this month’s SAP Security Notes range from 4.3 to 7.5, with a median of 6.4.

SAP Security Note 2067859 Potential Exposure to Digital Signature Spoofing

OVERVIEW

This week, SAP AG published a hot news item titled: “SAP Security Note 2067859 (Potential Exposure to Digital Signature Spoofing)”, which alerts users about a potential vulnerability in certain cryptographic libraries used in SAP NetWeaver Application Server ABAP and SAP HANA. By abusing these libraries, an attacker could potentially spoof (i.e., successfully masquerade as a legitimate user) Digital Signatures produced in vulnerable systems.

To ensure your SAP systems are not vulnerable, you should check that your cryptographic library versions are equal to or higher than:

  • SAPCRYPTOLIB version 5.555.38
  • CommonCryptoLib version 8.4.30

Furthermore:

  • SAPSECULIB has been deprecated and must be replaced by the latest SAPCRYPTOLIB version.
  • Stack kernel 720 PL#700 already ships with the fixed CommonCryptoLib.

Note: As stated in the SAP Security Note 2067859, you should replace the DSA PSEs on all the involved SAP NetWeaver Application Server ABAP and SAP HANA systems. Also, remember to replace the system public keys in their signature trusting systems as an additional security measure.
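As an added example (not from the SAP note or from Onapsis), the following script checks a library inventory against the minimum fixed versions listed above and flags SAPSECULIB as deprecated. The inventory layout, system ids and sample versions are constructed assumptions; the version thresholds are the ones from the note.

```python
# Added example: compare installed SAP crypto library versions against the
# minimum fixed versions from SAP Security Note 2067859.
from typing import List, Tuple

MIN_FIXED = {
    "SAPCRYPTOLIB": (5, 555, 38),
    "COMMONCRYPTOLIB": (8, 4, 30),
}
DEPRECATED = {"SAPSECULIB"}  # must be replaced by the latest SAPCRYPTOLIB


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.555.38' -> (5, 555, 38). Compare as integer tuples, never as strings:
    '5.555.38' sorts above '5.1000.1' lexically but below it numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def assess(library: str, version: str) -> str:
    """Return 'ok', 'vulnerable', 'deprecated' or 'unknown' for one library."""
    name = library.strip().upper()
    if name in DEPRECATED:
        return "deprecated"
    if name not in MIN_FIXED:
        return "unknown"
    return "ok" if parse_version(version) >= MIN_FIXED[name] else "vulnerable"


def find_affected(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Inventory rows are (system_id, library, version); returns rows needing action."""
    findings = []
    for system_id, library, version in inventory:
        status = assess(library, version)
        if status != "ok":
            findings.append((system_id, library, version, status))
    return findings


# Constructed sample inventory: system ids and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("PRD", "SAPCRYPTOLIB", "5.555.38"),
    ("QAS", "SAPCRYPTOLIB", "5.555.21"),
    ("DEV", "CommonCryptoLib", "8.4.31"),
    ("HDB", "CommonCryptoLib", "8.4.9"),
    ("OLD", "SAPSECULIB", "5.4.0"),
]

if __name__ == "__main__":
    for row in find_affected(SAMPLE_INVENTORY):
        print(row)
```

Remember that a fixed library version alone is not enough: the note also requires replacing the DSA PSEs and the public keys held by trusting systems.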

SAP HANA post exploitation vectors

This week the Onapsis Research Labs released an advisory for a server-side code injection vulnerability in SAP HANA integrated IDE. For more information about the SAP Note that fixes this issue, please refer to the Onapsis Research Labs advisory.

To define a reasonable exploitation scenario, we will assume the following conditions are met by our testing landscape:

  • There’s a vulnerable application running in our HANA instance.
  • The attacker has access to the vulnerable application.
  • The application is using a standard database user (created by default).

With this kind of vulnerability an attacker would be able to inject arbitrary XSJS code that runs with the same privileges as the user running the application on the HANA server. This attack vector brings two powerful post-exploitation primitives:

  1. Run arbitrary XSJS code.
  2. Perform an arbitrary SQL query.

By leveraging this vulnerability an attacker could execute SQL statements. For example he could execute something similar to:

var conn = $.db.getConnection();                         // connection opened as the application's database user
var st = conn.prepareStatement("SELECT * FROM USERS");  // prepareStatement is a method of the connection object

Welcome to the New Onapsis

I’m pleased to announce that today we’ve launched a new product, a redesign of our website and, ultimately, a new brand. This is a very exciting day for Onapsis!

Detection Dashboard

After having great success with the Onapsis X1 product, we worked closely with our customers and partners over the last several years to produce this next-generation platform. Combining the unique knowledge and outstanding dedication of our researchers and engineers with the expertise of our product management team, we are confident that we’re delivering not only exactly what our customers and partners require, but the most advanced business-critical application security solution on the market.

Our new product, Onapsis Security Platform, is the first SAP-certified solution that combines a preventative, behavioral-based and context-aware detective approach for identifying and mitigating security risks, compliance gaps and cyber-attacks on business-critical applications. These applications include ERP, CRM, HCM, SCM, SRM and BI solutions.

Our new Platform is able to deliver continuous monitoring, real-time visibility and protection for SAP applications, providing coverage across SAP NetWeaver ABAP, J2EE, HANA, Mobile and BusinessObjects platforms. It also provides compliance gap analysis, automates the security audit process for SAP applications and is able to generate alarms to close windows of vulnerability, as detection and response actions are automatically triggered, including both alerting and real-time mitigation capabilities.

One thing we’ve heard from our customers is that they want our capabilities integrated with their existing network security, security management and SIEM solutions and workflows. And we always listened. The new platform is not intended to give CISOs, compliance and SAP teams “yet another platform to manage”, but to serve as the vehicle for seamlessly incorporating the security of business-critical applications running on SAP into their existing risk management, audit and incident response initiatives.

We are very happy to see the launch of this product and look forward to continuing to develop solutions that ensure our customers’ success by solving their existing and upcoming challenges.

I welcome you to read more about our new platform and look forward to hearing from all of you with continued feedback that will help guide our technology roadmap:

Best regards,

Mariano

Analyzing SAP Security Notes September 2014 Edition

SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases most of its new Security Notes on the second Tuesday of every month. Because this regular disclosure of new security issues could weaken the security of SAP systems within an organization, it is highly recommended to carry out periodic assessments at least monthly.

At Onapsis we are very concerned about our clients’ SAP system security and the state of SAP security in general, so to assist our customers we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to provide SAP clients with detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide their testing of these systems within their organization.

This month, 29 SAP Security Notes were published by SAP (3 Support Package Notes and 26 Patch Day Notes). Ten notes were reported by external researchers; two of those ten were reported by the Onapsis Research Labs:

  • 2039905 by Juan Pablo Perez Etchegoyen and Will Vandevanter
  • 1979454 by Pablo Muller

Here you have a plot graph illustrating the distribution of CVSS scores across the Security Notes released in September. The only notes taken into account were the ones for which SAP calculated a CVSS score (19 out of the 29 SAP Security Notes). As you may observe in the graph, the SAP Security Notes this month had a range of values from 2.1 to 6.5 with a median of 5.0.
