SAP Products and OpenSSL Heartbleed

There has been a lot of discussion last week about CVE-2014-0160, also known as the Heartbleed vulnerability. For those unfamiliar with the vulnerability I recommend heartbleed.com and, for a light hearted explanation, XKCD. Along with impacting a good chunk of the Internet it has also taken a toll on a number of products including those from Cisco, VMWare, and Oracle to name just a few. As you can imagine we have been watching the issue pretty closely and performing testing in our lab in order to better understand the impact, if any to SAP and its customers.  Here is our current understanding on the status of some of SAP’s products:

Vulnerable

Continue reading

Share Button

Analyzing SAP Security Notes April 2014 Edition

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at least.

At Onapsis we are very concerned about our client’s SAP system security and also the state of SAP security in general, so to assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.

This month 23 Security Notes were published by SAP (taking into account the 5 Support Package Notes and the 18 Patch Day Notes). Onapsis Research Labs reported 4 of the 18  Patch Day Notes:CVSS distribution for the Security Notes released in April 2014

  • 1778940 by Nahuel D. Sánchez
  • 1974016 by Nahuel D. Sánchez
  • 1993349 by Will Vandevanter
  • 1929473 by Sergio Abraham

We have generated a plot graph illustrating the distribution of CVSS scores across the Security Notes released in April. 15 out of the 23 SAP Security Notes were assigned a CVSS number by SAP. As you may observe in the graph, the SAP Security Notes this month have a range of values from 2.6 to 6.0 with a median of 4.9.

Continue reading

Share Button

Hiding Breadcrumbs – Antiforensics on SAP BusinessObjects

At Troopers 14, JP and I gave a talk called “Anti-Forensics on SAP Systems”. The talk focused on the methods attackers could use to hide their tracks on an SAP system. This blog post highlights one of the attacks we discussed.

SAP BusinessObjects has long supported Auditing and it has been enabled within the product by default for a number of years. By design all Audit events are written to the Auditing Data Store (ADS) on a schedule. However, as BO is designed to be a distributed platform, there is a delay between the moment when an event occurs and the time that event reaches the ADS. As discussed in the Administrator Guide, the steps before an event reaches the ADS are as follows:

  1. After an event occurs (e.g. Logon, Report Generation) the Auditee writes the event to a temporary file.
  2. The Auditor polls all auditees for new events on a set schedule. In BO4, the polling interval is dependent on the utilization of the Auditor. Higher utilization means that the Auditees are polled less often. In one of the lab system’s the delay is typically 3 minutes with 1% utilization.
  3. If an auditee has new events, it takes them from the temporary file and sends them to the auditor in a batch.
  4. The auditee waits to receive confirmation from the auditor that the events have been received.
  5. After confirmation, the auditee deletes the events from the temporary file.

Continue reading

Share Button

Leveraging the Security Audit Log (SAL)

Hi! Today I was reviewing some events generated for the Security Audit Log and noticed an interesting behavior.

For those who are not familiar with it, the Security Audit Log (SAL) allows SAP security administrators to keep track (via a log) of the activities performed in their SAP systems. In a future post we will discuss how to enable and configure this logging.

By default the SAL facility logs the “Terminal Name” which is either the Terminal Name (defined by the computer which performed the logged action) or the IP address of the computer that is the source of events. The IP address is only logged if the source computer does not transmit a Terminal Name with its communications.

This behavior can be abused by an attacker since filling the terminal name value in an RFC call is a task performed by the caller (the user’s machine). Having the ability to manipulate the “Terminal Name” means the attacker could try different attacks such as bruteforce attempts but have each transaction appear to come from a different terminal. Taken even further; the attacker could set an IP address (or cycle through a set of IP addresses) as the Terminal Name; meaning each request would appear to have originated from these IP addresses (as in the logs it is not possible to distinguish between an IP address that has been logged because no Terminal Name value was transmitted vs an IP addressed that has been logged as the Terminal Name).

Continue reading

Share Button

Analyzing SAP Security Notes March 2014 Edition

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or applying Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation and security patches, SAP releases their latest Security Notes information the second Tuesday of  every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it is highly recommended
to carry out periodic assessments on a monthly basis in the least.

At Onapsis we are very concerned about not only our client’s SAP system security but the state of SAP security in general, so to assist SAP’s customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and
vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.

This month 9 Security Notes were published by SAP. Onapsis Research Labs reported 2 of the issues that have been addressed by SAP:

  • 1963932 by Sergio Abraham and Manuel Muradas
  • 1964428 by Sergio Abraham

Continue reading

Share Button

SAP Application Users: You can finally sleep at night!

Guest post from: Pete Nicoletti, CISO, Virtustream

As an SAP user, you’re well aware of and are enjoying the benefits of the world best ERP system. The information that you create and use contributes to your companies competitive advantage. Using SAP to make business decisions and report on all facets of your business is among the most critical functions in your company.

In addition to your internal users using this critical function, there is a very large community of… let’s call them “non-authorized users” to be PC. They would love to have access to your critical company data. Protecting your SAP systems and crown jewels information in “Internet time” from these unauthorized users (ok… hackers!) is extremely challenging. Think of all the SAP notes, patches, changes to your versions and landscapes, new mobile related threats, OS patching, network changes, acquisitions… all of these changes are occurring hundreds and thousands times a day! Each change to a system contributes to and increases risk.

Since you are smart security professional at RSA, you don’t use one of the risk mitigation strategies we have to delicately talk our executives out of called: “Ignore the Risk.” So, you are aware that your SAP system is undergoing constant change, and there are hackers working 24/7/365 to gain access to your data.

Those two nightmares should be keeping you up at night. So, let’s do a quick sleep study… you’re tossing and turning all night long… the recurring nightmare you have is that some bad actors are selling your information to your competition. What is the prescription to get a good night’s sleep? Onapsis.

Onapsis is the vulnerability scanner for SAP that identifies every security issue that your SAP system has. Before this tool, there was no way to know just how bad your nightmare is. Trust me… It’s bad. You should be having nightmares. As the world’s largest SAP hosting company we strive to reduce those above listed risks to our clients. How do we sleep at night hosting hundreds of the world’s largest SAP environments? Onapsis. It is the prescription for a restful night’s sleep. Know what your risks are, classify them, assign them to owners for remediation… and then validate they have been fixed. Standard security stuff right?

Before Onapsis there was just no way to do it. Come by booth 2109 here at RSA and let’s talk about we can secure your SAP world… and you can sleep better at night!

 

Guest post from:

Pete Nicoletti CISO
CISSP, CISA, CCSK, FCSE, CCSE
Virtustream Inc – www.virtustream.com

 

Share Button

Securing Your SAP Through Research

In the latest Notes Tuesday Onapsis was credited with discovering and reporting almost half (10 out of 23) of the vulnerabilities addressed by SAP (or alternatively three quarters or one third, depending on how you do the math: there were only 13 Notes that were attributed to third party security researchers of which Onapsis discovered 10. And SAP released 23 security notes on Notes Tuesday; but had also released an additional 10 notes since the last patch Tuesday; bringing the total released during that period to 33).

Having received a number of messages of appreciation and additional questions about the work done by Onapsis Labs to find so many of the vulnerabilities remediated by SAP this month, I thought people should know about the effort and work done to discover and responsibly report these risks every month.

So how do we find these issues in the first place? There are a number of possible ways. It could be a result of a number of activities that the Onapsis Research Labs team or Professional Services team perform. It might be we discover the vulnerability during a services engagement for a client; or as the output from a dedicated bug hunting activity (where our labs team will take a deep dive with SAP technology and attempt to find previously unknown issues in SAP modules and applications) or they are born out of ideas that lead to “What if” and other brain storming conversations that take place internally.

Continue reading

Share Button

Analyzing SAP Security Notes February 2014 Edition

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or applying Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation and security patches, SAP releases their latest Security Notes information the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it is highly recommended to carry out periodic assessments on a monthly basis in the least.

At Onapsis we are very concerned about not only our client’s SAP system security but the state of SAP security in general, so to assist SAP’s customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal of this is to provide SAP clients with detailed information about the newly released notes and vulnerabilities affecting their SAP systems and help guide their testing of these systems within their organization.

This month 33 Security Notes were published by SAP. Of these 33 notes, Onapsis Research Labs reported 10 of the underlying issues that have been addressed by SAP:

  • 1791081 by Sergio Abraham
  • 1768049 by Sergio Abraham
  • 1920323 by Sergio Abraham
  • 1915873 by Sergio Abraham
  • 1914777 by Sergio Abraham
  • 1911174 by Sergio Abraham
  • 1795463 by Sergio Abraham
  • 1789569 by Sergio Abraham
  • 1738965 by Sergio Abraham
  • 1939334 by Juan Pablo Perez Etchegoyen, Jordan Santarsieri and Pablo Muller.

Continue reading

Share Button

Security Geeks Introduction to SAP – RFC Destinations

As means of a background, I have been in the security field, specifically the pro-active testing (penetration testing) side of security for over a decade. As part of my role I would present at public and private conferences, helping to educate organizations about the benefits of pen testing or helping to educate pen testing teams about the latest techniques.

I say all of this in order to communicate that I would grade myself as having an above average knowledge of the security space and significant familiarity with commonly used terms in the industry. So when I recently took a product manager roles at Onapsis and was told I would have to learn about SAP and the security and risk implications around SAP in the enterprise I smiled and thought “well, I guess I know what I am doing the first couple of days”. As it turns out SAP is a world unto itself, with a lot of history and complexity.

This blog is the third in a series that documents the self-education that I have been undertaking as I learn about SAP, assessing the security of a SAP system and then implementing secure practices.

This blog builds on a webcast I was fortunate to take part in. My colleague Sergio Abraham has spent a considerable amount of time research RFC Destinations, the common ways they are configured and how various SAP components install RFC Destinations in order to function. I recommend in addition to this blog you view the webcast recording here and the corresponding question and answer session it generated here.

Continue reading

Share Button

Analyzing SAP Security Notes January 2014 Edition

SAP is a complex and ever evolving implementation; whether that is through changes introduced to your SAP implementation to better serve the business or the newly disclosed vulnerabilities targeting SAP products. In order to provide a predictable and scheduled flow of security, vulnerability and mitigation information SAP releases their latest Notes and security information regarding their products on the second Tuesday of every month. Because of this regular disclosure of new issues that could potentially weaken an organizations security SAP security assessments should be carried out on a regular basis. In order to ensure our customers are testing for all the published vulnerabilities in their SAP implementations we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published.

CVSS distribution for the Security Notes released in January 2014

In January SAP released a total of 34 Security Notes, of those Notes, six were the result of reports made to SAP by the Onapsis Research Labs.
Notes 1918333, 1917381 and 1894049 were reported by Nahuel D. Sánchez, 1922547 and 1910914 by Jordan Santarsieri and note 1931399 by Willis Vandevanter all from Onapsis Research Labs.

Continue reading

Share Button