SAP Products and OpenSSL Heartbleed

There has been a lot of discussion over the last week about CVE-2014-0160, also known as the Heartbleed vulnerability. For those unfamiliar with it, I recommend heartbleed.com and, for a light-hearted explanation, XKCD. Along with affecting a good chunk of the Internet, it has also taken a toll on a number of products, including those from Cisco, VMware, and Oracle, to name just a few. As you can imagine, we have been watching the issue closely and performing testing in our lab in order to better understand the impact, if any, on SAP and its customers. Here is our current understanding of the status of some of SAP’s products:

Vulnerable


Analyzing SAP Security Notes April 2014 Edition

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it’s highly recommended to carry out periodic assessments on a monthly basis at least.

At Onapsis we are very concerned about our clients’ SAP system security and the state of SAP security in general, so to assist our customers we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to provide SAP clients with detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide their testing of these systems within their organization.

This month 23 Security Notes were published by SAP (5 Support Package Notes and 18 Patch Day Notes). Onapsis Research Labs reported 4 of the 18 Patch Day Notes:

  • 1778940 by Nahuel D. Sánchez
  • 1974016 by Nahuel D. Sánchez
  • 1993349 by Will Vandevanter
  • 1929473 by Sergio Abraham

CVSS distribution for the Security Notes released in April 2014

We have generated a plot illustrating the distribution of CVSS scores across the Security Notes released in April. 15 of the 23 SAP Security Notes were assigned a CVSS score by SAP. As the graph shows, this month’s scores range from 2.6 to 6.0, with a median of 4.9.


Leveraging the Security Audit Log (SAL)

Hi! Today I was reviewing some events generated by the Security Audit Log and noticed an interesting behavior.

For those who are not familiar with it, the Security Audit Log (SAL) allows SAP security administrators to keep track (via a log) of the activities performed in their SAP systems. In a future post we will discuss how to enable and configure this logging.

By default the SAL records a “Terminal Name” field, which holds either the Terminal Name supplied by the computer that performed the logged action or, only if that computer does not transmit a Terminal Name with its communications, the IP address of the computer that is the source of the events.

This behavior can be abused by an attacker, because filling in the terminal name value in an RFC call is done by the caller (the user’s machine). Being able to manipulate the “Terminal Name” means an attacker could, for example, run brute-force attempts while making each transaction appear to come from a different terminal. Taken further, the attacker could set an IP address (or cycle through a set of IP addresses) as the Terminal Name, so that each request appears to have originated from those addresses: in the log it is not possible to distinguish an IP address recorded because no Terminal Name was transmitted from an IP address recorded because it was sent as the Terminal Name.
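The detection angle that follows from this, as an added example that is not part of the original post: since the log cannot tell a spoofed terminal value from a genuine one, the useful signal is the pattern, many failed logons for one user in a short window spread across many distinct terminal values, plus a flag on terminal values that are IP-shaped so they can be correlated with an independent source (gateway or network logs) rather than trusted. The pipe-delimited record layout and the sample lines below are constructed simplifications, not real SAL output (real SAL data is read via SM20 or RSAU_READ_LOG); the AU1/AU2 message IDs are SAL's "logon successful" and "logon failed" events.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, NOT real SAL output. The "timestamp|user|terminal|msgid"
# shape is an assumed simplification of what SM20 displays.
# AU1 = logon successful, AU2 = logon failed.
SAMPLE_SAL = """\
2014-04-15 10:00:01|JDOE|WS-JDOE|AU2
2014-04-15 10:00:05|JDOE|WS-JDOE|AU1
2014-04-15 10:05:00|ADMIN|10.0.0.11|AU2
2014-04-15 10:05:02|ADMIN|10.0.0.12|AU2
2014-04-15 10:05:04|ADMIN|10.0.0.13|AU2
2014-04-15 10:05:06|ADMIN|10.0.0.14|AU2
2014-04-15 10:05:08|ADMIN|10.0.0.15|AU2
2014-04-15 10:05:10|ADMIN|WS-FINANCE|AU1
2014-04-15 11:30:00|MSMITH|192.168.1.50|AU2
2014-04-15 11:30:30|MSMITH|192.168.1.50|AU1
"""


def parse_sal(text):
    """Parse the simplified records into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, terminal, msg_id = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "user": user,
            "terminal": terminal,
            "event": msg_id,
        })
    return events


def looks_like_ip(terminal):
    """True if the logged terminal field is syntactically an IP address.

    SAL stores the caller's IP here only when no Terminal Name was sent, but a
    caller can also *send* an IP-shaped string as its Terminal Name, so this is
    a hint for correlation with other data sources, not proof of origin.
    """
    try:
        ipaddress.ip_address(terminal)
        return True
    except ValueError:
        return False


def find_terminal_cycling(events, window=timedelta(minutes=5),
                          min_failures=5, min_terminals=3):
    """Flag users whose failed logons (AU2) inside one time window are spread
    over several distinct terminal values. One attacker cycling the Terminal
    Name looks like this; a user mistyping a password from one workstation
    does not. Returns {user: {failures, terminals, ip_shaped}}."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "AU2":
            failures[e["user"]].append(e)

    findings = {}
    for user, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):          # sliding window over failures
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            terminals = {e["terminal"] for e in span}
            if len(span) >= min_failures and len(terminals) >= min_terminals:
                prev = findings.get(user)
                if prev is None or len(span) > prev["failures"]:
                    findings[user] = {
                        "failures": len(span),
                        "terminals": sorted(terminals),
                        "ip_shaped": sorted(t for t in terminals
                                            if looks_like_ip(t)),
                    }
    return findings


if __name__ == "__main__":
    for user, f in find_terminal_cycling(parse_sal(SAMPLE_SAL)).items():
        print(f"{user}: {f['failures']} failed logons from "
              f"{len(f['terminals'])} terminal values, "
              f"{len(f['ip_shaped'])} of them IP-shaped")
```

The thresholds (five failures across at least three terminal values within five minutes) are assumptions to tune per landscape; the point is that distinct-terminal count per user, not the terminal value itself, is what the attacker cannot cheaply suppress without also abandoning the spoofing trick.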


Analyzing SAP Security Notes March 2014 Edition

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or applying Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it is highly recommended to carry out periodic assessments on a monthly basis at least.

At Onapsis we are very concerned about not only our clients’ SAP system security but the state of SAP security in general, so to assist SAP’s customers we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to provide SAP clients with detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide their testing of these systems within their organization.

This month 9 Security Notes were published by SAP. Onapsis Research Labs reported 2 of the issues that have been addressed by SAP:

  • 1963932 by Sergio Abraham and Manuel Muradas
  • 1964428 by Sergio Abraham


SAP Application Users: You can finally sleep at night!

Guest post from: Pete Nicoletti, CISO, Virtustream

As an SAP user, you’re well aware of and are enjoying the benefits of the world’s best ERP system. The information that you create and use contributes to your company’s competitive advantage. Using SAP to make business decisions and report on all facets of your business is among the most critical functions in your company.

In addition to your internal users using this critical function, there is a very large community of… let’s call them “non-authorized users” to be PC. They would love to have access to your critical company data. Protecting your SAP systems and crown jewels information in “Internet time” from these unauthorized users (ok… hackers!) is extremely challenging. Think of all the SAP notes, patches, changes to your versions and landscapes, new mobile related threats, OS patching, network changes, acquisitions… all of these changes are occurring hundreds and thousands of times a day! Each change to a system contributes to and increases risk.

Since you are a smart security professional at RSA, you don’t use one of the risk mitigation strategies we have to delicately talk our executives out of called: “Ignore the Risk.” So, you are aware that your SAP system is undergoing constant change, and there are hackers working 24/7/365 to gain access to your data.

Those two nightmares should be keeping you up at night. So, let’s do a quick sleep study… you’re tossing and turning all night long… the recurring nightmare you have is that some bad actors are selling your information to your competition. What is the prescription to get a good night’s sleep? Onapsis.

Onapsis is the vulnerability scanner for SAP that identifies every security issue that your SAP system has. Before this tool, there was no way to know just how bad your nightmare is. Trust me… It’s bad. You should be having nightmares. As the world’s largest SAP hosting company we strive to reduce those above listed risks to our clients. How do we sleep at night hosting hundreds of the world’s largest SAP environments? Onapsis. It is the prescription for a restful night’s sleep. Know what your risks are, classify them, assign them to owners for remediation… and then validate they have been fixed. Standard security stuff, right?

Before Onapsis there was just no way to do it. Come by booth 2109 here at RSA and let’s talk about how we can secure your SAP world… and you can sleep better at night!


Guest post from:

Pete Nicoletti CISO
CISSP, CISA, CCSK, FCSE, CCSE
Virtustream Inc – www.virtustream.com


Securing Your SAP Through Research

In the latest Notes Tuesday Onapsis was credited with discovering and reporting almost half (10 out of 23) of the vulnerabilities addressed by SAP. The fraction depends on how you count: of the 13 Notes attributed to third-party security researchers, Onapsis discovered 10, so roughly three quarters; and SAP released 23 Security Notes on Notes Tuesday but had also released an additional 10 Notes since the previous Notes Tuesday, bringing the total for the period to 33, of which 10 is roughly one third.

Having received a number of messages of appreciation and additional questions about the work done by Onapsis Labs to find so many of the vulnerabilities remediated by SAP this month, I thought people should know about the effort and work done to discover and responsibly report these risks every month.

So how do we find these issues in the first place? There are a number of possible ways, each the result of activities that the Onapsis Research Labs team or Professional Services team perform. We might discover the vulnerability during a services engagement for a client; it might be the output of a dedicated bug hunting activity, where our labs team takes a deep dive into SAP technology and attempts to find previously unknown issues in SAP modules and applications; or it might be born out of the “what if” and other brainstorming conversations that take place internally.


Analyzing SAP Security Notes February 2014 Edition

SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or applying Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.

In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases their latest Security Notes information on the second Tuesday of every month. Due to this regular disclosure of new security issues that could potentially weaken the security of SAP systems within an organization, it is highly recommended to carry out periodic assessments on a monthly basis at least.

At Onapsis we are very concerned about not only our clients’ SAP system security but the state of SAP security in general, so to assist SAP’s customers we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to provide SAP clients with detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide their testing of these systems within their organization.

This month 33 Security Notes were published by SAP. Of these 33 notes, Onapsis Research Labs reported 10 of the underlying issues that have been addressed by SAP:

  • 1791081 by Sergio Abraham
  • 1768049 by Sergio Abraham
  • 1920323 by Sergio Abraham
  • 1915873 by Sergio Abraham
  • 1914777 by Sergio Abraham
  • 1911174 by Sergio Abraham
  • 1795463 by Sergio Abraham
  • 1789569 by Sergio Abraham
  • 1738965 by Sergio Abraham
  • 1939334 by Juan Pablo Perez Etchegoyen, Jordan Santarsieri and Pablo Muller.


Security Geeks Introduction to SAP – RFC Destinations

By way of background, I have been in the security field, specifically the proactive testing (penetration testing) side of security, for over a decade. As part of my role I would present at public and private conferences, helping to educate organizations about the benefits of pen testing or helping to educate pen testing teams about the latest techniques.

I say all of this in order to communicate that I would grade myself as having an above average knowledge of the security space and significant familiarity with commonly used terms in the industry. So when I recently took a product manager role at Onapsis and was told I would have to learn about SAP and the security and risk implications around SAP in the enterprise, I smiled and thought “well, I guess I know what I am doing the first couple of days”. As it turns out, SAP is a world unto itself, with a lot of history and complexity.

This blog is the third in a series that documents the self-education I have been undertaking as I learn about SAP, assessing the security of an SAP system and then implementing secure practices.

This blog builds on a webcast I was fortunate to take part in. My colleague Sergio Abraham has spent a considerable amount of time researching RFC Destinations, the common ways they are configured and how various SAP components install RFC Destinations in order to function. In addition to this blog, I recommend you view the webcast recording here and the corresponding question and answer session it generated here.


Analyzing SAP Security Notes January 2014 Edition

SAP is a complex and ever evolving implementation, whether through changes introduced to your SAP implementation to better serve the business or through newly disclosed vulnerabilities targeting SAP products. In order to provide a predictable and scheduled flow of security, vulnerability and mitigation information, SAP releases their latest Notes and security information regarding their products on the second Tuesday of every month. Because of this regular disclosure of new issues that could potentially weaken an organization’s security, SAP security assessments should be carried out on a regular basis. In order to ensure our customers are testing for all the published vulnerabilities in their SAP implementations, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published.

CVSS distribution for the Security Notes released in January 2014

In January SAP released a total of 34 Security Notes; of those, six were the result of reports made to SAP by the Onapsis Research Labs. Notes 1918333, 1917381 and 1894049 were reported by Nahuel D. Sánchez, 1922547 and 1910914 by Jordan Santarsieri, and note 1931399 by Willis Vandevanter, all from Onapsis Research Labs.


The Ignored World of SAP Cyber Security: How organizations are waking up to attacks targeting their SAP cyber-layer

By now I am sure you have seen the public posting with details and a how-to guide regarding an exploitable SAP vulnerability in a major organization’s internet-facing website. It is always disheartening to see a company exposed in this way. It is a cliché (though, truth be told, I tend to think clichés have an element of truth to them), but when I read about this type of event and the recent Target breach I look for the teachable moment or lessons I can learn. Good security is an ounce of prevention and a dash of luck, and the more you can learn about appropriate preventions the less luck you will need.

When thinking about this event I actually thought of five teachable elements I can use to support my security approach and philosophy. I wanted to start a discussion about SAP and security, something which has only recently been discussed, and review the salient points from what has occurred thanks to the Full Disclosure posting and WooYun report from the Chinese hacker known as Finger.

This event touches on a couple important areas:

  1. Responsible disclosure

In the posting they cite 2013-11-21 as the date they submitted a report to the vendor and 2014-01-05 as the date they published the details of the vulnerability and how to exploit it on NVIDIA’s servers, despite the vulnerability not having been addressed, due to a lack of a response. This is less than two months (during a busy holiday season), and it is unclear how many times they attempted to contact the security team. While I agree that it is important to get vulnerability information public so issues can be addressed, I think it is more important to do so responsibly. Attackers and cyber criminals typically have fewer change control processes to go through and can weaponize and take advantage of this information long before organizations have been able to test and apply the remediation across their environment. In fact Mariano Nunez, Onapsis CEO, has said “It is critical when you have information that could cause harm to companies affected that you make best efforts to ensure that information is communicated to those companies along with the information needed to remediate those issues before making that information publicly known.”
