Four Reasons to Look Closer at Business-Critical Application Security

As cyber-threats become more advanced, organizations face a constant dilemma: how best to implement a comprehensive security strategy that covers all areas of the business, including critical infrastructure and applications. We hear from many security professionals that their SAP applications and systems are “covered” because they have a firewall and the SAP systems sit inside the perimeter. After all, anything inside the firewall is safe from attack, right?

Wrong.

Security professionals who are true thought leaders have long abandoned this notion. In fact, most of them have been able to connect the dots on why SAP applications must be included in their security strategy. This type of thought leadership can be summed up in a quote from one of our newly appointed Board of Advisors, Renee Guttmann, Office of the CISO at Accuvant:

“There is a profound transformation taking place in application security right now … Enterprises across the globe are committing to invest in, and protect, mission-critical applications, and this commitment needs to go beyond technology alone.”



SAP Security Advisories – A Preview of a Year in Review and Future Trends

2014 has been an incredible year for SAP security. Advanced threats targeting SAP systems that run business-critical applications are rising at an alarming rate. This year alone there have been 391 security notes to date, 46% of them ranked as ‘high priority’. Out of these, our Research Labs reported 44 new vulnerabilities and 35 advisories affecting SAP platforms and related products such as SAP HANA, BusinessObjects, and SAP Business Suite running CRM and ERP. The latest two security advisories from our research labs (fixed by notes 2039905 and 1979454) cover high-risk issues in SAP BusinessObjects and SAP BASIS through which unauthorized users could access business-critical applications. This is a clear reminder that key systems are constantly exposed to attack, and shows the importance of having a proactive plan in place before an attack occurs.



Analyzing SAP Security Notes December 2014 Edition

High-profile risk threats identified by Onapsis Research Labs experts reveal that unauthorized users could access business-critical applications leveraging SAP BusinessObjects

SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases most of its Security Notes on the second Tuesday of every month. Because each of these regular disclosures describes new issues that could weaken the security of the SAP systems in an organization, it is highly recommended to carry out periodic assessments at least monthly.

At Onapsis we are very concerned about our clients’ SAP system security and about the state of SAP security in general, so to assist our customers we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to give SAP clients detailed information about the newly released notes and the vulnerabilities affecting their systems, and to help guide their testing of these systems within their organization.

Between the last published SAP Security Tuesday and today, there were 28 SAP Security notes published by SAP (taking into account 3 Support Packages and 25 Patch Day Notes).

The box plot illustrates the distribution of CVSS scores across the Security Notes released in December. Only the notes to which SAP assigned a CVSS score (14 out of the 28) were taken into account when building it. As the graph shows, this month’s notes range from 1.5 to 7.5, with a median of 3.9.



A Closer Look at SAPGUI History

As most users of SAPGUI know, the application keeps a record of the values that are entered in each field. In the case of having to repeat the same entries multiple times, this is of course a great feature… or maybe not?

Let’s analyze this from a security viewpoint. There are two main questions to ask:

  1. What is being recorded in the history?
  2. Is the history record safeguarded so that nothing but SAPGUI can access it?

For the first question, we clearly don’t want sensitive data lying around on our computers, and in an ERP environment there is a lot of sensitive data. For example, information such as passwords (keep calm: hidden fields, where you only see ‘***’ instead of characters, are not recorded), monetary amounts, bank account numbers, etc. may be recorded in the history.

Now let’s dive into the second question. Is this information safeguarded? Here the answer is simply “no”. The recording mechanism differs between SAPGUI on Unix and on Windows, but in both cases it is very easy to access and read your history if you know which files to look at.


Understanding SAP CODVN H Algorithm

Today’s post will be focused on analyzing the inner workings of the SAP CODVN H algorithm.

Before jumping into the algorithm’s details I will highlight the most important features. For more information you can refer to the SAP security note 991968. The algorithm provides the following capabilities:

  • Support for multiple hashing algorithms (for the time being only salted SHA-1).
  • Supported password length up to 40 characters.
  • Upper and lower case passwords supported.
  • UTF-8 support.
  • Random salt, length can be configured.
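The scheme summarized above, as an added Python example that is not code from the original post: it generates and verifies a CODVN H hash in the stored {x-issha, N}base64(digest||salt) form. The construction (SHA-1 over password||salt, then iterations-1 further rounds of SHA-1 over digest||password) and the defaults iterations=1024 and saltsize=96 bits are assumptions taken from the open-source implementations of this format (hashcat mode 10300, John the Ripper’s saph format) and from the documented default of the profile parameter login/password_hash_algorithm, not from the post itself; check the output against a PWDSALTEDHASH value from your own system before relying on it.

```python
"""
SAP CODVN H (iSSHA-1) password hash: generate and verify.

Added example, not code from the post above. The construction and the
defaults are assumptions taken from the open-source implementations of
this format (hashcat mode 10300, John the Ripper "saph") and from the
documented default of login/password_hash_algorithm
(encoding=RFC2307, algorithm=iSSHA-1, iterations=1024, saltsize=96).
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

MAX_PASSWORD_LEN = 40          # CODVN H limit stated in the post
DEFAULT_ITERATIONS = 1024      # assumed default (login/password_hash_algorithm)
DEFAULT_SALT_BYTES = 96 // 8   # saltsize=96 bits; the salt length is configurable

# Stored form: "{x-issha, <iterations>}" followed by base64(digest || salt)
STORED_RE = re.compile(r"^\{x-issha, (\d+)\}([A-Za-z0-9+/]+={0,2})$")


def issha1_digest(password: str, salt: bytes, iterations: int) -> bytes:
    """Iterated salted SHA-1 as used by CODVN H (assumed construction):
    h0 = SHA1(password || salt); h_i = SHA1(h_{i-1} || password)."""
    if not 1 <= len(password) <= MAX_PASSWORD_LEN:
        raise ValueError("CODVN H passwords are 1 to 40 characters")
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    pw = password.encode("utf-8")  # UTF-8, upper/lower case preserved
    digest = hashlib.sha1(pw + salt).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha1(digest + pw).digest()
    return digest


def codvn_h_hash(password: str, salt: Optional[bytes] = None,
                 iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return the PWDSALTEDHASH-style string {x-issha, N}base64(digest || salt)."""
    if salt is None:
        salt = os.urandom(DEFAULT_SALT_BYTES)   # random per-user salt
    digest = issha1_digest(password, salt, iterations)
    encoded = base64.b64encode(digest + salt).decode("ascii")
    return "{x-issha, %d}%s" % (iterations, encoded)


def parse_codvn_h(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a stored hash into (iterations, 20-byte digest, salt).
    The salt is whatever follows the digest, so any configured salt length works."""
    m = STORED_RE.match(stored)
    if not m:
        raise ValueError("not a CODVN H hash string")
    raw = base64.b64decode(m.group(2), validate=True)
    if len(raw) <= hashlib.sha1().digest_size:
        raise ValueError("decoded value too short to hold a SHA-1 digest plus salt")
    return int(m.group(1)), raw[:20], raw[20:]


def codvn_h_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare.
    Malformed input or an out-of-range password simply fails verification."""
    try:
        iterations, digest, salt = parse_codvn_h(stored)
        candidate = issha1_digest(password, salt, iterations)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = codvn_h_hash("Hunter2!")          # constructed sample password
    print(stored)
    print("correct password:", codvn_h_verify("Hunter2!", stored))
    print("wrong case:      ", codvn_h_verify("hunter2!", stored))
```

Two points worth checking on a real system: 1024 rounds of SHA-1 is cheap on a GPU, so the strength of a CODVN H hash comes mainly from password length and case sensitivity (the gain over the older, upper-cased and truncated CODVN B/D/E/F hashes), and those weaker legacy hashes keep being stored in USR02 alongside PWDSALTEDHASH as long as the profile parameter login/password_downwards_compatibility is greater than 0.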



Bypassing SAP HANA XSS Filter

Last week we were doing some tests on the HANA XS engine trying to understand how an attacker could bypass the XSS filter provided by the ICM.

For what purpose?

As discussed in a previous post, a Cross-Site Scripting attack could be more effective than a SQL injection due to SAP HANA’s inherent design.


SAP Security and the Risk to the Value Chain

There is a lot of discussion in risk management circles on how risks within the value chain can often be ignored. Paul Proctor, Vice President of Research at Gartner, recently presented a webcast titled “Digital Business and the CIO’s Relationship with Risk.” He indicates:

“If businesses start to address risks within the value chain, they will become more competitive, grow faster and add value to the business decision makers.”

Take a moment and think about how SAP supports an organization’s value chain. Organizations use SAP to track and manage, in real time, sales, production, finance and accounting, and human resources across the enterprise.

Specific examples include:

  • Finance: General Ledger (GL), Accounts Payable (AP), Accounts Receivable (AR) and Asset Accounting.
  • Controlling: includes Cost Center Accounting, Profit Center Accounting (PCA), Product Costing, Profitability Analysis and Internal Orders (IO).
  • Sales and Distribution: customer master data, sales, plants, sales organizations and sales conditions.
  • Human Resources: hiring, salary, employee benefits, etc. It is highly integrated with the Finance and Controlling (FICO) modules.
  • Project Systems: budgeting, planning, forecasting.

Industrial Value Chain via http://practicalanalytics.wordpress.com/

Other key systems such as email, web front-end applications and Microsoft applications also support the value chain, and they are the focus of many traditional perimeter-centric security technologies. But, important as these systems are, are they as critical to the value chain as SAP?



Analyzing SAP Security Notes November 2014 Edition

SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases most of its Security Notes on the second Tuesday of every month. Because each of these regular disclosures describes new issues that could weaken the security of the SAP systems in an organization, it is highly recommended to carry out periodic assessments at least monthly.

At Onapsis we are very concerned about our clients’ SAP system security and about the state of SAP security in general, so to assist our customers we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to give SAP clients detailed information about the newly released notes and the vulnerabilities affecting their systems, and to help guide their testing of these systems within their organization.

This month SAP published an unusually large number of Security Notes: 86 in total (65 Support Package notes and 21 Patch Day notes). This was mostly due to a new feature that enhances the security management of RFC function modules, and to fixes for missing authority check vulnerabilities.

The box plot illustrates the distribution of CVSS scores across the Security Notes released in November. Only the notes to which SAP assigned a CVSS score (14 out of the 86) were taken into account when building it. As the graph shows, this month’s notes range from 3.5 to 10.0, with a median of 6.



Switchable authorization checks and callback whitelists: A note on RFC security

This week SAP published, alongside the monthly SAP Security Notes, a paper titled Securing Remote Function Calls (RFC) that outlines best practices for configuring the different RFC security features. In this post we will focus on two of the newest features in the paper:

  • Switchable Authorization Checks
  • RFC Callback White-lists

Switchable Authorization Checks

This new concept addresses a common problem when implementing SAP Notes or Support Packages, as stated on page 19 of the document:

Authorization checks that are newly introduced in existing RFC function modules through SAP Notes or through support packages can interrupt business-critical system communication if legitimate users do not have the newly introduced authorization.


To enable a nondisruptive evolution of authorization checks, SAP introduced switchable authorization checks in all software systems based on SAP NetWeaver AS for ABAP 7.0 and higher.

When an action is executed, say through a transaction, the system first checks authorization object S_TCODE for that transaction code; then, inside the transaction, the system should check the specific authorization objects related to the action being executed.

Likewise, when an action is executed through an RFC function module something similar must happen. In this case the system checks authorization object S_RFC instead of S_TCODE (this check can be configured with the profile parameter auth/rfc_authority_check), and the function module should then check the specific authorization objects related to the action being executed.

For example:



5 Questions CISOs Should Ask About SAP Security

Over the last few weeks, Adrian Lane, CTO & Analyst from Securosis, a leading cyber-security analyst firm, published two blog posts from his ongoing series called “Building an Enterprise Application Security Program.” In his current posts, Adrian describes how key business applications running on SAP and Oracle have security and compliance gaps that are not covered by traditional security measures.

This is a problem that tends to be overlooked by many organizations. In the second post Adrian outlines the critical need for enterprise application security by presenting analysis of key use cases. These include compliance, transaction verification, usage of sensitive information, potential security threats from both inside and outside an organization, and the changes needed for management and policy enforcement.

In the post Adrian states:

“None of these drivers are likely to surprise you. But skimming the top-line does not do the requirements justice – you also need to understand why enterprise applications offer different challenges for data collection and analysis, to fully appreciate why off-the-shelf security tools leave coverage gaps.”

This statement had me thinking… a majority of the current problem around SAP security stems from a lack of understanding around why it’s critical to implement new, more adaptive security solutions. Since joining Onapsis I’ve engaged with many of my friends in the cyber-security industry and have found that most CISOs and their teams do not have visibility into their SAP infrastructure, nor do they understand how connections are set-up between their SAP systems. There is truly a lack of insight into what SAP teams are doing to solve security issues. I have also found that when leaders in security ask their SAP counterparts in IT, they receive “old school” security answers like – “We have it covered as we use SAP GRC for access controls and separation of duties measures.”

