2014 has been an incredible year for SAP security. Advanced threats targeting the SAP systems that run business-critical applications are rising at an alarming rate. This year alone SAP has published 391 security notes to date, 46% of which rank as 'high priority' vulnerabilities. Of these, our Research Labs reported 44 new vulnerabilities and 35 advisories affecting SAP platforms and related products such as SAP HANA, BusinessObjects, and the SAP Business Suite applications CRM and ERP. The two most recent advisories from our research labs (fixed by notes 2039905 and 1979454) describe high-risk issues through which unauthorized users could reach business-critical applications built on SAP BusinessObjects and SAP BASIS. This is a clear reminder that key systems are constantly exposed to attack, and of the importance of having a proactive plan in place before an attack occurs.
This week, SAP AG published a hot news item titled "SAP Security Note 2067859 (Potential Exposure to Digital Signature Spoofing)", which alerts customers to a potential weakness in certain cryptographic libraries used by SAP NetWeaver Application Server ABAP and SAP HANA. By abusing these libraries, an attacker could forge digital signatures produced on a vulnerable system, i.e. successfully masquerade as a legitimate signer.
To ensure your SAP systems are not vulnerable, you should check that your crypto libraries versions are equal or higher than:
- SAPCRYPTOLIB version 5.555.38
- CommonCryptoLib version 8.4.30
SAPSECULIB has been deprecated and must be replaced by the latest SAPCRYPTOLIB version.
Stack kernel 720 PL#700 already ships with the fixed CommonCryptoLib.
Note: as stated in SAP Security Note 2067859, you should also replace the DSA PSEs (Personal Security Environments) on all affected SAP NetWeaver Application Server ABAP and SAP HANA systems, and then import the new system public keys into every system that trusts their signatures, since the old public keys will no longer match the new signing keys.
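A small checker for the version requirements above, added here as an example and not part of the original post or of any SAP tool. It takes an inventory of installed crypto libraries (the inventory format and the host names are constructed for the example; SAP gives no such file) and flags every host that is below the fixed version, runs the deprecated SAPSECULIB, or uses a library the note does not cover. Versions are compared numerically: a plain string comparison would wrongly rank "8.4.100" below "8.4.30".

```python
import re

# Minimum fixed versions named in SAP Security Note 2067859 (as quoted in the post).
FIXED_VERSIONS = {
    "SAPCRYPTOLIB": "5.555.38",
    "CommonCryptoLib": "8.4.30",
}
# SAPSECULIB is deprecated: there is no fixed version, it has to be replaced.
DEPRECATED = {"SAPSECULIB"}

# Constructed inventory, "<host> <library> <version>" per line. Host names are
# fictitious; the layout is an assumption of this example, not an SAP format.
SAMPLE_INVENTORY = """\
erpprd01 SAPCRYPTOLIB 5.555.38
erpprd02 SAPCRYPTOLIB 5.555.37
hanadb01 CommonCryptoLib 8.4.100
hanadb02 CommonCryptoLib 8.4.29
bwdev01  SAPSECULIB 5.4.0
crmqa01  OtherCryptoLib 1.0.0
"""


def parse_version(text):
    """Turn '5.555.38' into (5, 555, 38) so comparisons are numeric, not lexicographic."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError("no dotted version found in %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def check_crypto_lib(name, version):
    """Return (ok, reason) for one installed library/version pair."""
    if name in DEPRECATED:
        return False, "%s is deprecated; replace it with SAPCRYPTOLIB %s or later" % (
            name, FIXED_VERSIONS["SAPCRYPTOLIB"])
    if name not in FIXED_VERSIONS:
        return False, "%s is not covered by the note; verify manually" % name
    wanted = FIXED_VERSIONS[name]
    if parse_version(version) >= parse_version(wanted):
        return True, "%s %s is at or above %s" % (name, version, wanted)
    return False, "%s %s is below the fixed version %s" % (name, version, wanted)


def parse_inventory(text):
    """Yield (host, library, version) tuples from the inventory layout above."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            yield fields[0], fields[1], fields[2]


def hosts_needing_action(inventory_text):
    """Return [(host, reason)] for every host that is not demonstrably fixed."""
    result = []
    for host, lib, version in parse_inventory(inventory_text):
        ok, reason = check_crypto_lib(lib, version)
        if not ok:
            result.append((host, reason))
    return result


if __name__ == "__main__":
    for host, reason in hosts_needing_action(SAMPLE_INVENTORY):
        print("%-10s %s" % (host, reason))
```

Feed it the library name and version as reported by each system (for example from the kernel information of the instance), one host per line, and treat every listed host as unpatched until it has been upgraded and its DSA PSE replaced.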
An SAP landscape is complex and constantly changing, whether through changes introduced to better serve the business or through newly disclosed vulnerabilities in SAP products. To provide a predictable, scheduled flow of security, vulnerability and mitigation information, SAP releases its latest Security Notes on the second Tuesday of every month. Because each release can disclose new issues that weaken an organization's security, SAP security assessments should be carried out on a regular basis. To ensure our customers are testing for every published vulnerability in their SAP implementations, we analyze each month's SAP Security Notes in detail as soon as they are published.
To date this has been a service we have carried out quietly on behalf of our customers. In response to wider requests for a better understanding of the information SAP publishes, this is the first in a monthly series of posts summarizing and explaining the analysis we perform in order to promptly update our products with the latest security checks.
In previous posts we have presented a variety of approaches to SAP security assessment. Today we address a more complex path an attacker might follow. To understand what is going on we must first dive deeper into some SAP concepts and components.
The SAP Gateway is a component present in every SAP instance. As discussed in a previous post, it manages RFC connections between the SAP instance where it runs and other instances or external servers (such as government regulation agencies, payment processors, SWIFT connectors, etc.). All RFC calls go through the SAP Gateway.
In order to receive connections and potentially communicate with an SAP Instance, an external server must register itself with the SAP Gateway (becoming what we will call an external registered server). Once registered, communication between the SAP instance and the external server will flow smoothly over the SAP RFC protocol.
The SAP Management Console (SAP MC) is the centralized system management component. It allows you to monitor and control each SAP instance, display log and trace files, profiles and other parameters. You can also monitor system alerts and detailed information about memory usage and processes in the system (e.g. Java VM garbage collection and heap memory).
In this post we will be running bizploit modules; if you are not familiar with the bizploit framework, consider reading this introductory post first.
MC Assessment #1: Getting Password Policies
As seen in the figure below, it is possible to run the mcParameterValue exploit in order to retrieve all profile parameters. Keep in mind that, to figure out the vulnerability id, you should list all the exploits under the exploit option and check the Exploitable Vulnerabilities column for the mcParameterValue row. We'll use this module to discover the SAP password policy in effect.
To find the password policy parameters among the roughly 1600 profile parameters, we look for those whose names start with login/. We open the file saved by Bizploit and filter the parameters there. Below we list some of the retrieved password policy parameters: