JVM Vulnerabilities and SAP Systems

In January, Oracle published a Critical Patch Update (CPU) with 19 vulnerabilities affecting Java SE (among other products): http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixJAVA

SAP has its own Java virtual machine implementation, the SAP JVM, which according to SAP documentation: “…is derived from Sun’s HotSpot VM and JDK implementation … the SAP JVM is only targeting server-side applications. Certain features related to client environments are intentionally omitted or are not supported for general use.”[1]

This distinction matters when assessing whether the vulnerabilities affect the SAP JVM, because only 4 of the 19 affect server-side functionality of the Oracle JVM: CVE-2015-0383, CVE-2015-0410, CVE-2014-3566 and CVE-2014-6593. On its own, however, that information is not conclusive.

Dealing with Authorization Groups: Part 1

Authorization groups are a difficult topic in SAP, and something of a double-edged sword. Properly implemented, they take security to the next level; poorly implemented, they cause usability problems and create a false sense of security. The problems usually come from one of these points:

  • Not understanding what an authorization group is used for.
  • Not knowing where the authorization group is set for each function.
  • Not linking it to the proper authorization object.
  • Not assigning the correct values to the right users.

In this post, we will go through some of the most critical and technical authorization groups:

  • For RFC Destinations.
  • For Tables.
  • For Programs.
  • For ICF services.

Authorization Groups For RFC Destinations

RFC destinations are very sensitive, since they can be used to jump from one system to another. With this type of authorization group we can restrict each user to only the destinations they actually require.

An authorization group is assigned to an RFC destination in transaction SM59, by entering a value in the field “Authorization for Destination”.

There are two objectives for assigning an authorization to an RFC destination:

  • Limit the users who can maintain the RFC destination: this is checked through authorization object S_RFC_ADM, field ICF_VALUE.
  • Limit the users who can use the RFC destination: this is checked through authorization object S_ICF, field ICF_VALUE (with ICF_FIELD = DEST). Note that if the field in SM59 is left empty, no S_ICF check is performed when the destination is used.

In this case, we need to identify, for each system, who is responsible for maintaining the RFC destinations and who actually needs to use them. Then we group the destinations in a way that suits both, and assign the corresponding values in their roles.

Analyzing SAP Security Notes February 2015 Edition

SAP is a complex and ever-changing system, whether because of changes introduced to the SAP implementation to better suit the business, or through the application of Security Notes (patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases the major part of their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at the very least.

At Onapsis, we are very concerned about our clients’ SAP system security and the state of SAP security in general. To assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to give SAP clients detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide the testing of those systems within their organization.

On this Patch Day (the second Tuesday of the month) SAP published 16 Security Notes (2 Support Packages and 14 Patch Day Notes). Among the notes credited to external security researchers, SAP Security Note 2109818 was reported by Onapsis Research Labs, discovered by security researchers Nahuel D. Sánchez and Fernando Russ.

The box plot illustrates the distribution of CVSS scores across the Security Notes released. Only the notes for which SAP assigned a CVSS score were taken into account (12 of the 16). As the graph shows, the scores range from 3.5 to 7.5, with a median of 5.25.

SAP and GHOST vulnerability (CVE-2015-0235)

UPDATE (02-04-2015): It is important to note that all SAP HANA appliances ship by default with operating systems containing vulnerable versions of the library, so the base OS of the appliance must be updated. One example is SAP HANA One hosted in Amazon AWS, as this image is delivered with the vulnerable library.

Last week a new vulnerability was reported in the GNU C library (glibc): a buffer overflow in the gethostbyname() family of functions, known as GHOST (CVE-2015-0235). It affects a wide range of Linux distributions, among them some supported by SAP products, as stated in SAP Note 171356.

It’s important to understand that even though this vulnerability is not in any SAP application, it sits in a lower layer, the operating system’s C library, so any application that calls the vulnerable function, SAP components included, could potentially be exposed.

The following list details the operating systems that were reported as vulnerable and are supported by SAP; SAP applications could therefore be running on top of any of them:

Profile parameters… the never ending story

The world of profile parameters in SAP is vast and complicated, as a user can change the entire behavior of the SAP system by modifying some of these parameters.

But just when we thought we knew everything about profile parameters, we recently discovered something very interesting.

SAP Security Note 1979454 addresses a vulnerability in transaction SHDB (a very sensitive transaction, since it is used to create batch input recordings) and introduces a new profile parameter called “bdc/shdb/auth_check”.

The problem with SHDB was that it checked no authorization object other than S_TCODE, so a user with access to nothing but the transaction could view any recording made by any user. If a recording captured a user creation, the password entered would be shown in plain text. To mitigate this risk an authority check on authorization object S_BDC_MONI was introduced in the programs; however, that check is only enforced when the parameter bdc/shdb/auth_check is set to TRUE.

While going through the correction instructions for this note, we noticed that there was no update for the SAP kernel (normally, when a new profile parameter is introduced, the kernel is updated to know about it), so we decided to apply the correction instructions and test how this parameter actually worked.

Analyzing SAP Security Notes January 2015 Edition

NEW NOTE (January 21, 2015): Note 2120370 was released after the official SAP post of January 12th. It extends Security Note 2001109, covering further affected releases (BI 4.1 SP04 & BI 3.1 Patch 6.5).
UPDATE (January 19, 2015): Note 1951171 has been re-released in English, since it was originally published in German.
NEW NOTE (January 14, 2015): Note 1964201 was released after the official SAP post of January 12th. It fixes a directory traversal in the INTRASTAT module.

SAP is a complex and ever-changing system, whether because of changes introduced to the SAP implementation to better suit the business, or through the application of Security Notes (patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases the major part of their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at the very least.

At Onapsis we are very concerned about our clients’ SAP system security and the state of SAP security in general. To assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to give SAP clients detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide the testing of those systems within their organization.

Box-Plot image - January 2015

Between the last SAP Security Tuesday and the notes published in January, there were 19 SAP Security Notes (7 Support Packages and 12 Patch Day Notes). Among the notes credited to external security researchers, SAP Security Note 2109565 was reported by Onapsis Research Labs researchers Sergio Abraham, Nahuel D. Sánchez and Fernando Russ.

The box plot illustrates the distribution of CVSS scores across the Security Notes released. Only the notes for which SAP assigned a CVSS score were taken into account (6 of the 19). As the graph shows, the scores range from 4.9 to 8.5, with a median of 6.0.

Analyzing SAP Security Notes December 2014 Edition

High-profile risks identified by Onapsis Research Labs experts reveal that unauthorized users could access business-critical applications by leveraging SAP BusinessObjects

SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases the major part of their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at least.

At Onapsis we are very concerned about our clients’ SAP system security and the state of SAP security in general, so to assist our customers we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to give SAP clients detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide the testing of those systems within their organization.

Between the last SAP Security Tuesday and today, SAP published 28 Security Notes (3 Support Packages and 25 Patch Day Notes).

The box plot illustrates the distribution of CVSS scores across the Security Notes released in December. Only the notes for which SAP assigned a CVSS score were taken into account (14 of the 28). As the graph shows, the scores this month range from 1.5 to 7.5, with a median of 3.9.

A Closer Look at SAPGUI History

As most SAPGUI users know, the application keeps a record of the values entered in each input field. When the same entries have to be repeated many times this is of course a great feature… or maybe not?

Let’s analyze this from a security viewpoint. There are two main questions to ask:

  1. What is being recorded in the history?
  2. Is the history safely guarded, so that nothing but SAPGUI can access it?

For the first question, we clearly don’t want sensitive data lying around on our computers, and in an ERP environment there is a lot of sensitive data. Information such as passwords (keep calm: hidden fields, where you only see ‘***’ instead of letters, are not recorded), monetary amounts, bank account numbers and so on may well be recorded in the history.

Now let’s dive into the second question. Is this information safely guarded? Here the answer is simply “no”. The storage mechanism differs between SAPGUI on Unix and on Windows, but in both cases the history is very easy to access and read once you know which files to look at.

Understanding SAP CODVN H Algorithm

Today’s post will focus on analyzing the inner workings of the SAP CODVN H algorithm.

Before jumping into the algorithm’s details, I will highlight its most important features. For more information you can refer to SAP Security Note 991968. The algorithm provides the following capabilities:

  • Support for multiple hashing algorithms (for the time being, only salted SHA-1).
  • Passwords up to 40 characters long.
  • Case-sensitive passwords (upper and lower case are preserved).
  • UTF-8 support.
  • Random salt, with configurable length.
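As an added example (not code from this post, nor SAP's own implementation), the following Python reproduces the salted, iterated SHA-1 construction behind a CODVN H hash in its stored "{x-issha, N}…" form and verifies a password against it. The iteration scheme (first round SHA-1(password || salt), then SHA-1(digest || password) for the remaining rounds, output base64(digest || salt)), the 1024-round default and the 96-bit default salt are taken from public descriptions of the format and from password-cracker implementations, not from the excerpt above; treat them as assumptions when comparing against a real USR02 entry.

```python
"""CODVN H ({x-issha, N}) password hashing and verification.

Added example; not code from the post or from SAP. The construction is
assumed from public descriptions of the iSSHA-1 scheme:
    digest = SHA1(password_utf8 || salt)
    repeat (iterations - 1) times: digest = SHA1(digest || password_utf8)
    stored = "{x-issha, <iterations>}" + base64(digest || salt)
The defaults of 1024 iterations and a 96-bit salt are likewise assumed.
"""
import base64
import hashlib
import hmac
import os
import re

DEFAULT_ITERATIONS = 1024   # assumed SAP default
DEFAULT_SALT_LEN = 12       # 96 bits; assumed SAP default, configurable
MAX_PASSWORD_LEN = 40       # CODVN H limit mentioned in the post

_STORED_RE = re.compile(r"^\{x-issha,\s*(\d+)\}([A-Za-z0-9+/=]+)$")


def _issha1(password: str, salt: bytes, iterations: int) -> bytes:
    """Iterated salted SHA-1 over the UTF-8 password (case preserved)."""
    if not 1 <= len(password) <= MAX_PASSWORD_LEN:
        raise ValueError("password must be 1..%d characters" % MAX_PASSWORD_LEN)
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    pw = password.encode("utf-8")
    digest = hashlib.sha1(pw + salt).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha1(digest + pw).digest()
    return digest


def codvn_h_hash(password: str, salt: bytes = None,
                 iterations: int = DEFAULT_ITERATIONS,
                 salt_len: int = DEFAULT_SALT_LEN) -> str:
    """Return a stored-form hash; a random salt is drawn if none is given."""
    if salt is None:
        salt = os.urandom(salt_len)
    digest = _issha1(password, salt, iterations)
    payload = base64.b64encode(digest + salt).decode("ascii")
    return "{x-issha, %d}%s" % (iterations, payload)


def parse_codvn_h(stored: str):
    """Split a stored hash into (iterations, digest, salt).

    Everything after the 20-byte SHA-1 digest is the salt, so the parser
    also reveals the salt size the system was configured with.
    """
    m = _STORED_RE.match(stored)
    if not m:
        raise ValueError("not a CODVN H hash")
    raw = base64.b64decode(m.group(2))
    if len(raw) <= 20:
        raise ValueError("payload too short for a SHA-1 digest plus salt")
    return int(m.group(1)), raw[:20], raw[20:]


def codvn_h_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count; constant-time compare."""
    iterations, digest, salt = parse_codvn_h(stored)
    try:
        candidate = _issha1(password, salt, iterations)
    except ValueError:          # e.g. over-length password: cannot match
        return False
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample: a mixed-case, non-ASCII password with a fixed salt
    # so that the printed hash is reproducible.
    sample_salt = bytes(range(DEFAULT_SALT_LEN))
    stored = codvn_h_hash("Sample-Pässw0rd", salt=sample_salt)
    print(stored)
    print("correct password:", codvn_h_verify("Sample-Pässw0rd", stored))
    print("wrong case:      ", codvn_h_verify("sample-pässw0rd", stored))
```

Two things worth noticing when running it: changing the case of a single letter produces a completely different digest, which is the case-sensitivity the post lists, and the salt length never appears in the prefix, so an auditor reading USR02 can only recover it by decoding the payload and subtracting the 20-byte digest.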

SAP Security and the Risk to the Value Chain

There is a lot of discussion in risk management circles on how risks within the value chain can often be ignored. Paul Proctor, Vice President of Research at Gartner, recently presented a webcast titled “Digital Business and the CIO’s Relationship with Risk.” He indicates:

“If businesses start to address risks within the value chain, they will become more competitive, grow faster and add value to the business decision makers.”

Take a moment and think about how SAP supports an organization’s value chain. Organizations use SAP to track and manage, in real-time, sales, production, finance accounting and human resources in an enterprise.

Specific examples include:

  • Finance: General Ledger (GL), Accounts Payable (AP), Accounts Receivable (AR) and Asset Accounting.
  • Controlling: Cost Center Accounting, Profit Center Accounting (PCA), Product Costing, Profitability Analysis and Internal Orders (IO).
  • Sales and Distribution: customer master data, sales, plants, sales organizations and sales conditions.
  • Human Resources: hiring, salaries, employee benefits, etc. Highly integrated with the Finance and Controlling (FICO) modules.
  • Project Systems: budgeting, planning, forecasting.

Industrial Value Chain via http://practicalanalytics.wordpress.com/

Other key systems, such as email, web front-end applications and Microsoft applications, also support the value chain and are the focus of many traditional perimeter and archaic security technologies. These systems are important, but are they as critical to the value chain as SAP?
