Security Geeks Introduction to SAP – RFC Destinations

As means of a background, I have been in the security field, specifically the pro-active testing (penetration testing) side of security for over a decade. As part of my role I would present at public and private conferences, helping to educate organizations about the benefits of pen testing or helping to educate pen testing teams about the latest techniques.

I say all of this in order to communicate that I would grade myself as having an above average knowledge of the security space and significant familiarity with commonly used terms in the industry. So when I recently took a product manager roles at Onapsis and was told I would have to learn about SAP and the security and risk implications around SAP in the enterprise I smiled and thought “well, I guess I know what I am doing the first couple of days”. As it turns out SAP is a world unto itself, with a lot of history and complexity.

This blog is the third in a series that documents the self-education that I have been undertaking as I learn about SAP, assessing the security of a SAP system and then implementing secure practices.

This blog builds on a webcast I was fortunate to take part in. My colleague Sergio Abraham has spent a considerable amount of time research RFC Destinations, the common ways they are configured and how various SAP components install RFC Destinations in order to function. I recommend in addition to this blog you view the webcast recording here and the corresponding question and answer session it generated here.

Continue reading

Share Button

Analyzing SAP Security Notes January 2014 Edition

SAP is a complex and ever evolving implementation; whether that is through changes introduced to your SAP implementation to better serve the business or the newly disclosed vulnerabilities targeting SAP products. In order to provide a predictable and scheduled flow of security, vulnerability and mitigation information SAP releases their latest Notes and security information regarding their products on the second Tuesday of every month. Because of this regular disclosure of new issues that could potentially weaken an organizations security SAP security assessments should be carried out on a regular basis. In order to ensure our customers are testing for all the published vulnerabilities in their SAP implementations we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published.

CVSS distribution for the Security Notes released in January 2014

In January SAP released a total of 34 Security Notes, of those Notes, six were the result of reports made to SAP by the Onapsis Research Labs.
Notes 1918333, 1917381 and 1894049 were reported by Nahuel D. Sánchez, 1922547 and 1910914 by Jordan Santarsieri and note 1931399 by Willis Vandevanter all from Onapsis Research Labs.

Continue reading

Share Button

Don’t be hoisted by your own petard

In the closing stages of Victor Hugo’s Les Misérables the chief character, Jean Valjean, while carrying another key character seeks to evade the authorities. He does so by traveling through the sewers of Paris, while the search for him and other rebels is focused on the streets above him. In this way Valjean is able to use a critical but commonly forgotten part of the maintenance infrastructure of the city against the city itself.

As I reviewed the research into the Transport Management System (TMS) carried out by the world renowned Research Labs here at Onapsis the parallels of how organizations ignore their Transport Management System when considering the risk and attack surface of their SAP systems and the method employed by Valjean to evade capture were very striking to me. In both cases we have a system that has equal access to all points on the network, from Dev to QA and Productive systems.

The research team has boiled all the relevant risk information and best practices to secure the Transport Management System in this SAP Security In-Depth (SSID) publication. Understanding how to secure your TMS becomes critical when you understand the interconnected nature of a Transport Domain, and the level of access an attacker could gain to the entire landscape if they are able to get a foothold to just one system within the Transport Domain.

This SSID publication is just one in an ongoing series of educational publications researched and produced by Onapsis; all with the goal of providing SAP customers with the information they need to both understand the risks inherent in certain components and the best practices by which to manage these risks.

 

Share Button

A Simple Method for Fingerprinting SAP BusinessObjects

The main component of a BusinessObjects installation is the Central Management Server (CMS). It’s rarely changed and default TCP port is 6400. A simple way to identify if you are communicating with a BusinessObjects installation is to make a socket connection to the remote server and send the string ‘aps’. If everything is running correctly you should receive the IOR of the CMS.

Note that the hostname of the server is given at the end of the response which is useful in further attacks. Furthermore, if you parse the IOR you will get the IP and port of the CMS’s dynamic listening port which can be added to your Reconnaissance data.

A note on Defense

The most critical point of prevention is firewalling the CMS from unauthorized connections.

Share Button

Security Geeks Introduction to SAP – SAProuter and you

There has been a lot of attention in the news recently about vulnerabilities in SAProuter and how these vulnerabilities could be leveraged. The news spun out of a report that a piece of malware was actively learning about SAP systems known to any PC the malware infected. We wrote about this malware and the possible implications in a recent blog post; but the summary is it seems that the professional bad guy community is starting to take an interest in SAP.

So what is the SAProuter? It is a lot like the name suggests; an application produced by SAP which facilitates, logs (if enabled) and filters communications and network connections between different SAP systems, or between a SAP system and other networks or resources. However it is not a gateway/firewall technology; it only filters communications if the clients are configured to send their communication to the router; and not directly to the end point.

Because of this it should be used in conjunction with a firewall; or else a user who the SAProuter is configured to deny access to a specific backend SAP system could simply manually reconfigure their SAP client to attempt to connect directly with the sensitive SAP systems and start interacting with them directly; bypassing all the ACLs and controls in the SAProuter. A firewall is required to block those direct connections and only allow users to access SAP systems via SAProuter; thus allowing the SAProuter’s rules to be enforced (and connections to be logged).

Continue reading

Share Button

How Malware is evolving into the first step of attacks against SAP systems

When I talk to CISOs and other business leaders who are responsible for critical applications that rely on SAP a common question I get is how I would quantify the threat to their SAP systems. We talk about stories that have been shared with them by their colleagues, and the importance and value of following best practices. This morning I have been sharing with them an article showing some apparent reconnaissance activities being taken to discover deployed SAP systems.

The article describes a newly discovered Trojan that primarily targets gaining access to victims online banking accounts. What this malware does that is setting of alarm bells for everyone who is responsible for SAP systems is it analyses each machine the malware runs on to determine if that end user computer is used to communicate with SAP systems. This information is then passed back to the owners of the malware.

So what kind of information are we talking about? A PC with a SAP client installed will have configuration information for that client stored locally. This will contain at least the IP address of the SAP servers that the client connects to. If these clients are configured to login automatically those credentials are obtainable; if not then it is a simple matter to hook the application and capture the password the next time the user logs in.

Now, for those people who are itching to tell  me that they don’t care is an external attacker learns the IP address of their internal SAP systems because they cannot reach these systems I would refer you to this blog post; which debunks the myth of “internal” systems. I’d also point out the reason why the attacker is able to learn the IP addresses of your internal SAP systems if because they have taken control of an internal machine on your network already. Of course if you think I am wrong then you are gambling with the safety and soundness of your SAP systems; which is a high stakes game to play.

Continue reading

Share Button

SAP HANA Security: Do You Want a Basic or Secure Implementation?

Different software companies take different approaches to the security of their products after they have been sold to their customers. Some would prefer it if previously released software had no security research attention paid to it where as others take a more realistic and therefore positive (to their customers) attitude. This positive approach is not only to provide their customers with security guidance for each component but to also release vulnerability information to them along with patches or remediation information in a regular and predictable way that allows their customers to anticipate and plan for application of remediation.

SAP falls into the positive camp; as well as releasing vulnerability information for HANA and other SAP components on the second Tuesday of every month they also publish security guidance for best practices to securely install and maintain HANA deployments.

Now, you could try and argue that the ultimate best practice is for SAP to release completely perfect and secure code and products; and to not allow their customers to reconfigure it so it can run in an insecure manor. That and unicorn hamburgers would be fantastic; but I am not holding my breath for either to present itself to me any time soon…

Continue reading

Share Button

Complementing GRC – Testing the Forgotten Layer of SAP

For those of us old hands in the security industry we know that when security is done right processes flow smoothly, issues are rare, identified and mitigated before there is any real public perception of the potential for an issue; and businesses continue to achieve their goals of profitability and sustainability. In those circumstances security is often invisible; leading those not connected to the security team to speculate quietly or loudly about the value or worth of the security team to the business.

When security is done poorly the results are obvious and painful. Publicly announced loss of customer information or intellectual property; inefficient processes and costly internal remediation to shore up holes that are identified. Worse still is the effect on the relationship between security and the business; because security isn’t seen for the enablement function it can be the security team may have to force itself into projects – trying to force consistency and security where it didn’t previously exist. Because those (unfortunate) security teams are playing catchup the recommendations delivered for projects often come at the end of the project, causing delays in go-live dates and increased project costs. As a result the security team is seen as the “no-team”, gaining a negative imagine within the organization. So teams with projects try to hide them from security, only disclosing them to security at the last possible minute – causing the cycle of “security team generated delays” to continue.

When I am at conferences a common theme from my peers is to discuss how we can better show the business the positive results that a healthy relationship with security can bring. From more efficient processes, decreased risk and a healthier bottom line; consistently and intelligently applied security has numerous benefits any intelligent business would want to reap.

SAP is a company that understand the importance of security to its customers. It has introduced a regular monthly cycle of releasing patches, notes and other information about new vulnerabilities that effect their software components. Also, SAP proactively publishes security guidance for SAP software; providing customers with the information they need to ensure they are doing all they can to secure their SAP installations.

And for good reason, I am not sure it is possible to calculate the value of the business processed and enabled by SAP systems every day; but given the range of companies that run SAP I am sure it is a more than respectable percentage of the world’s GDP.

Continue reading

Share Button

Security Geeks Introduction to SAP – Vulnerabilities

As means of a background, I have been in the security field, specifically the pro-active testing (penetration testing) side of security for over a decade. As part of my role I would present at public and private conferences, helping to educate organizations about the benefits of pen testing or helping to educate pen testing teams about the latest techniques.

I say all of this in order to communicate that I would grade myself as having an above average knowledge of the security space and significant familiarity with commonly used terms in the industry. So when I recently took a product manager roles at Onapsis and was told I would have to learn about SAP and the security and risk implications around SAP in the enterprise I smiled and thought “well, I guess I know what I am doing the first couple of days”. As it turns out SAP is a world unto itself, with a lot of history and complexity.

This blog is the second in a series that documents the self-education that I have been undertaking as I learn about SAP, assessing the security of a SAP system and then implementing secure practices.

As I mentioned in my first post in this series, the typical reaction of a business when asked about the security of their SAP systems is to refer to the SoD checks they do. That is the testing they do to ensure proper Segregation of Duties is enforced; which is, the system has the logic in place to prevent fraud – so the person who submits an expense report cannot approve it as well, for example.

Given 10 years of dealing with buffer overflows, ClientSide attacks, SQLi and numerous other ways to exploit weaknesses in how systems have been coded and implemented, I was more than a little surprised to learn that the testing of the underlying SAP applications and their configuration was not common practice.

There are numerous presentations and articles online that talk about the day SAP released 500 notes; and those that talk about the current rate at which SAP releases their notes. Suffice it to say that SAP is a large and mature technology that has the typical amount of issues of any large and mature technology.

Continue reading

Share Button

Security Geeks Introduction to SAP

As means of a background, I have been in the security field, specifically the pro-active testing (penetration testing) side of security for over a decade. As part of my past role, I would present at public and private conferences, helping to educate organizations about the benefits of pen testing or helping to educate pen testing teams about the latest techniques.

I say all of this in order to communicate that I would grade myself as having an above average knowledge of the security space and significant familiarity with commonly used terms in the industry. So when I recently took a product manager role at Onapsis and was told I would have to learn about SAP and the security and risk implications around SAP in the enterprise I smiled and thought “well, I guess I know what I am doing the first couple of days”. As it turns out SAP is a world unto itself, with a lot of history and complexity.

I know that more and more ‘traditional’ security professionals are being asked to evaluate the security posture and risk of a business’s SAP system; which makes sense as SAP typically runs the most critical processes and workflows for an organization, as well as housing the most important data. Given the amount of time and effort it is taking me to learn SAP I thought it would be beneficial to publish a little resource for other professionals making the same jump.

So, SAP? For those like me who need to know what an acronym stands for it is Systems, Applications and Products in data processing, also it is never said as a single word, but spelled out S-A-P. It started in and is still based in Germany and according to Wikipedia has a revenue of over 16 billion Euro in 2012 – so not a small company by any stretch of the imagination.

Continue reading

Share Button