A Security Gap Causes a Cyberattack

For the first time in history, the US Department of Homeland Security has published report on security threats to SAP systems (US-CERT Alert for cybersecurity of SAP business applications). The report describes what a security gap had an impact on taking control over SAP systems.

36 organizations were attacked by a vulnerability

At least 36 organizations (with SAP system in their infrastructure) were attacked using a security vulnerability known for about 6 years. The attack was aimed primarily at systems that were not updated in accordance with the patches provided as part of SAP Security Notes. The described vulnerabilities certainly affected SAP NetWeaver Server Java - Invoker Servlet adons.

What systems are most at risk?

As a result, the DHS report indicates that SAP systems having outdated software are vulnerable. This applies to systems running on the SAP Java platform. Due to the fact that the discussed SAP Java platform is the basic technology for many systems, including SAP:

Enterprise Resource Planning (ERP),
Product Lifecycle Management (PLM),
Customer Relationship Management (CRM),
Supply Chain Management (SCM),
Supplier Relationship Management (SRM),
NetWeaver Business Warehouse (BW),
Business Intelligence (BI),
NetWeaver Mobile Infrastructure (MI),
Enterprise Portal (EP),
Process Integration (PI),
Exchange Infrastructure (XI),
Solution Manager (SolMan),
NetWeaver Development Infrastructure (NWDI),
Central Process Scheduling (CPS),
NetWeaver Composition Environment (CE),
NetWeaver Enterprise Search,
NetWeaver Identity Management (IdM),
Governance, Risk & Control 5.x (GRC).

the security gap is located on the application layer of the SAP system, so its occurrence is independent of the operating system and the database supporting the SAP system.

What are the effects of exploiting the vulnerability?

The use of the discussed Invoker Servlet vulnerability certainly allows remote, unauthenticated, full control over the compromised systems. Therefore, it allows full access to data and business processes on the systems (or even access to other systems connected with SAP).

How to protect yourself?

The surest solution is to use and use SAP Security Note 1445998 and disable the Invoker Servlet.

Comment from our expert

As this vulnerability has been known for at least 6 years, it seems unlikely that this vulnerability was exploited by burglars. It is also worrying that the situation affects so many global systems. What does it mean? Due to the fact that the subject of data security is not approached systematically it causes such omissions at the level of securit The main difficulty lies in convincing decision-makers about the need to invest in solutions that automate SAP security processes.

Daniel Sikorski / SAP Security / BASIS

GOOD TO READ ABOUT SAP SECURITY:

SAP Security

Security requirements are constantly increasing, and securing critical data in an organization is one of the basic issues that ensure the continuity of basic business processes.
System environments are becoming more and more complex (communication with external systems, data exchange and continuous development of existing systems).

During a possible attack on the SAP system (no matter if the attack comes from inside or outside the organization) an attacker might gain access to valuable system information
therefore, it can use this information for further attacks to other SAP systems as well as obtain important company data (customer data, product information, e.g. recipes and drawings ttechnical data, salary data, etc.) unnoticed.

Managing security comes down to managing risk

First, to do it properly, all risks should be recorded and grouped according to prioritize so that the organization with the SAP system can learn and correct any possible threats to the SAP system (e.g. with the help of external support).
The research SAP security and compliance includes checking the network, operating system, database, parameters, and conflicts SoD in the SAP system based on the provided risk and conflict matrices.

6 basic risk areas

We have listed 6 basic risk areas that should be looked at first.
We divided the areas into two parts: technical and users.

Technical part

1. Setting up the SAP configuration

Layer of configuration parameters that should correspond to the organization's security policy. These parameters should be monitored regularly.

Example:

login/password_expiration_time (default 0, our recommendation is 30)
The user has to change the password after a certain number of days (for parameter 0, enforcement is not enabled).

login/min_password_lng (default value 3, our recommendation is 8+)
Setting the minimum password length.

login/fails_to_user_lock (default value 12, our recommendation is 5)
Number of incorrect entered password to lock the user account.

2. Verification of events and settings "on" and "outside" the SAP layer

SAP Level

SAP Security Audit Log:

main security log,
some information is difficult to read from the security perspective,
SAP user login * does not constitute a risk according to the log, while the risk is a wrong login password.

SAP Change Documents and Table Loggin:

logging of document changes and changes to tables,
low quality in the absence of archiving documents in time.

SAP System Log:

główny log systemu SAP,
logs written over after 14 days.

Levels beyond SAP

Operating system log Windows/UNIX -the problem is, for example, the fact that the administrator must have root privileges to read logs only

Database log – no possibility to analyze database settings from the SAP level (e.g. information about accounts and their authorizations)

Web Logs SAP Router/HTTP - the problem is the lack of standard solutions to redirect logs to syslog

3. Updating system patches

Every system is vulnerable to hacking, SAP is no exception, so it's important to regularly install system patches.
Thanks to them, information about break-ins with the use of known vulnerabilities appears.

Example 1 - a report by the US Department of Security pointing to intrusions into at least 36 global SAP systems using a known (and fixed) vulnerability since 2010. More at https://bit.ly/28Kpk5r

Example 2 - the annual meeting of the security community, the PWNIE Awards in 2015 awarded the first prize in the Best Server-Side Bug category for detecting a vulnerability in SAP, allowing for unauthorized access to the system https://bit.ly/29Se5hB

Username

4. Default accounts

During the implementation of the SAP system default user accounts are created. They are used for the initial installation of the system, they are commonly known both by their name and password.
It is extremely important to properly protect these accounts.
The most critical account is SAP * (it allows for virtually unlimited access to and changes in the system)

Default account passwords should be changed and highly privileged profiles (such as SAP_ALL) should be removed.
The important thing is that if you delete the default account - it will be recreated automatically (with the default password).
The SAP account * should therefore have the password changed and the login / no_automatic_user_sapstar parameter set to 1 (no possibility to restore the automatic SAP account *).

5. Default profiles

As in the case of default accounts, SAP has (delivered with the installation) sets of authorization profiles allowing for wide access to the system. The use of these profiles should be very strictly managed, and their use should be limited to emergencies only.

The most important broad access profile is SAP_ALL - it allows you to perform any transaction, access to any object, function or action (there is a reason in the jargon of SAP administrators it is commonly referred to as "God on the system"). It is important that this profile is not assigned anywhere. The same applies to the SAP_NEW profile

6. Conflicts of Permissions

Inadequately providing users with access rights to different parts of the system increases the risk of fraud.

Example: if one person has both the option to change the bank account number and the ability to make a transfer - it is possible to bypass the organization's policies in order to transfer money outside.

To sum up: it is important to properly manage the privilege conflict matrix. Such a matrix allows, first of all, to identify existing conflicts, and verification of individual users' access will allow for risk assessment. The implementation of an effective data access policy in SAP is one of the most important elements of sealing the SAP environment in terms of risks, the main factor of which is user activity.

GOOD TO READ ABOUT SAP SECURITY: