The SAP NetWeaver ABAP Platform Vulnerability Assessment Guide

Enterprise Resource Planning (ERP) systems such as SAP bring real improvements to information processing within an organization. However, while ERP applications solve some fundamental problems, they also introduce new risks. That is why security is the most important aspect of any enterprise application and ERP system implementation.

“The Enterprise Application System Implementation Assessment Guide” describes the 9 best-known business application security issues related to implementation and operation (the Top 9 implementation issues). The authors compiled this list during vulnerability assessments of multiple business applications, and it applies to any of them. These issues are major contributing factors to many emerging threats and the attacks built on them, so preventing them means being prepared to prevent numerous attacks targeted at business application security.

This document contains a detailed analysis of the most widespread business application platform – SAP NetWeaver ABAP. During this analysis, 33 key settings were identified and distributed among the 9 issues mentioned above (the Top 9 implementation issues). This guide shows how to protect against the most widespread vulnerabilities in this area and provides further steps for securing all 9 areas.

The 33 steps to securely configure the SAP NetWeaver ABAP platform are distributed among the 9 issues mentioned above.

The authors’ aim was to keep this list as brief as possible while still covering the most critical threats for each issue. This is the main objective of the Guide: despite the existing best practices from SAP, ISACA and DSAG, our intention was not to create yet another list of issues with no explanation of why a particular issue was (or was not) included, but to prepare a document that can be easily used by people other than SAP security experts. At the same time, the report should provide comprehensive coverage of all critical areas of SAP security.

At the same time, developing the most complete guide would be a never-ending story: at the time of writing there were more than 7000 security configuration checks for the SAP platform as such, not counting those for specific role-based access and in-house applications. As a result, each of the 9 issues includes the major checks that must be implemented first and that can be applied to any system regardless of its settings and custom parameters. It is also important that these checks apply equally to production systems and to test and development systems.

In addition to the major all-purpose checks, each item contains a subsection called “Further steps”. This subsection gives the main guidelines and instructions on what should be done second and third, and then how to further securely configure each particular item. The recommended guidelines are not always mandatory and sometimes depend on the specific SAP solution. With this approach, the authors were able, on the one hand, to highlight the key security parameters for a quick assessment of any SAP solution (from ERP to Solution Manager or an Industry Solution) based on the NetWeaver ABAP platform and, on the other hand, to cover all issues and give complete recommendations on them.

The full text of the report can be found here

SAP Security in Figures – a global survey 2013

The purpose of this annual report is to give a high-level overview of SAP security in figures, so that the problem area is not only theoretically comprehensible but also grounded in actual numbers and metrics – from the number of discovered issues and their popularity to the number of vulnerable systems, all obtained from a global scan.

Old issues are being patched, but many new systems have vulnerabilities. The number of vulnerabilities per year is going down compared to 2010, but they are more critical. The number of companies searching for issues in SAP is growing, so we can conclude that interest in SAP platform security has been growing exponentially. There are positive sides to that – for example, the latest SAP products are more secure by default.

Taking into account the growing number of vulnerabilities and the wide availability of SAP systems on the Internet, we predict that SAP systems can become a target not only for direct attacks (for example, APT) but also for mass exploitation by worms targeting one or more vulnerabilities. And while many issues have already been closed, there are many more areas still not covered by researchers, where a lot of vulnerabilities can be discovered. We are working closely with the SAP Security Response Team on discovering and patching security issues, and SAP AG publishes security recommendations and guidelines showing administrators how to protect their systems from the most popular threats. This area has changed a lot during the last year, and SAP now invests far more resources in internal SDLC processes and internal security conferences.

Unfortunately, as a year ago, most of the work still falls on administrators, who must enforce the security of their SAP systems through guidelines, secure configuration, patch management, code review, and continuous monitoring. Furthermore, we think that SAP forensics can become a new research area, because with a logging system as complex as SAP’s it is not easy to find evidence, even when it exists. The more attacks are conducted against SAP systems, the greater the need will be for forensic investigation and continuous monitoring of SAP security.

Link to the complete report: SAP Security in Figures – A Global Survey 2013

“Practical Pentesting ERP Systems And Business Applications”

Today, the whole business of a company depends on enterprise business applications. They are large systems that store and process all of a company’s critical data. Any information an attacker might want, be it a cybercriminal, an industrial spy or a competitor, is stored here. This information can include financial, customer or public relations data, intellectual property, personally identifiable information, and more. Industrial espionage, sabotage, fraud or insider embezzlement can be very effective when targeted at the victim’s business application and can cause significant damage to the business. There are many types of these applications: ERPs, CRMs, SRMs, ESBs. Unfortunately, there is still very little information about the security of these systems, and especially about how to pentest them.

Practical pentesting ERP systems and business applications (EASSEC)

SSRF vs Business Critical Applications: XXE Tunneling in SAP

Typical business-critical applications have many vulnerabilities because of their complexity, their customizable options and a lack of awareness. Most countermeasures are designed to secure systems using firewalls and DMZs, so that, for example, to reach the technology network from the Internet an attacker has to bypass 3 or more lines of defense. This looks fine until somebody finds a way to attack the secured system through trusted sources. With the help of SSRF and one of its implementations – XXE Tunneling – it is possible to root a system within one request, which comes from a trusted source and bypasses all those restrictions.

SSRF stands for Server Side Request Forgery. It is a powerful attack concept that was discussed in 2008, but with very little information about the theory and few practical examples. We decided to change that and conducted deep research in this area. As we deal with ERP security, we took SAP as the example for practicing SSRF attacks. The idea is to find interfaces on the victim server that let packets initiated by the victim server be sent to its own localhost interface, or to another server that is shielded from the outside by a firewall. Ideally this interface must allow sending any packet to any host and any port, and it must be reachable remotely without authentication or at least with minimal rights. It sounds like a dream, but it is possible. Why is this attack especially dangerous for SAP? Because many of the restrictions that prevent exploitation of previously found vulnerabilities, for example in RFC, the Message Server or Oracle authentication, block only attacks from external sources, not those from localhost!

We found various SSRF vulnerabilities that allow internal network port scanning, sending arbitrary HTTP requests from the server, brute-forcing the backend and more, but the most powerful technique was XXE Tunneling. We did deep research on the XXE vulnerability and most of the popular XML parsers and found that it can be used not only for file reading and hash stealing but even for getting a shell or sending any packet to any host (0-day). What does this mean for business-critical systems? XML interfaces are normally used for data transfer between Portal, ERP, BI, DCS, SCADA and other systems, so an XXE vulnerability lets you bypass firewalls and other security restrictions. What about practice? To show a real threat, we took the most popular business application platform – SAP NetWeaver – and its various XML parsers. We found that it is possible to bypass almost all security restrictions in SAP systems. Using XXE Tunneling it is possible to reopen many old attacks and conduct new ones that were impossible before.

SSRF vs Business Critical Applications – whitepaper

SAP Security in figures – a global survey 2007-2011

The purpose of this report is to give a high-level view of SAP security in figures, so that the problem area is not only theoretically comprehensible but also grounded in actual numbers and metrics – from the number of discovered issues and their popularity to the number of vulnerable systems, all obtained from a global scan.

One of the goals of the research was to dispel the myth that SAP systems are protected from hackers and are only reachable from the internal network. While all recommendations from SAP and consulting companies say that even internal access to unnecessary administrative services should be restricted, it was found that many companies configure their landscape improperly and expose critical services to the Internet. In some cases the reason is lack of knowledge; in others, companies want easy remote control, which is insecure.

For example, 212 SAP Routers were found in Germany, created mainly to route access to internal SAP systems. SAP Routers themselves can have security misconfigurations, but the real problem is that 8% of those companies also expose, for example, the SAP Dispatcher service directly to the Internet, circumventing the SAP Router. This service can be easily exploited by logging in with default credentials or by exploiting some of the vulnerabilities that SAP patched in May 2012.

We can conclude that interest in SAP platform security has been growing exponentially. Taking into account the growing number of vulnerabilities and the wide availability of SAP systems on the Internet, we predict that SAP systems can become a target not only for direct attacks (for example, APT) but also for mass exploitation by worms targeting one or more vulnerabilities.

The original report with detailed information can be found here: SAP Security in figures: a global survey 2007-2011.

Architecture and program vulnerabilities in SAP’s J2EE engine

This is the whitepaper on which the presentation “A crushing blow at the heart of SAP J2EE Engine” at BlackHat USA 2011 was based.

Today, SAP NetWeaver is the most widespread platform for developing enterprise business applications. This whitepaper focuses on one of its least-examined components, the SAP J2EE engine.

Some critical SAP products, such as SAP Portal, SAP Mobile, SAP XI and many other applications, run on the J2EE engine, which, unlike the ABAP engine, is rarely discussed but is just as critical. The paper explains the architecture of SAP’s J2EE engine and its internals. It also discusses a number of previously unknown architectural and program vulnerabilities in the J2EE platform, from authentication bypasses, SMB relays, internal scans and information disclosures to invoker servlet bypasses, insecure encryption algorithms and cross-system vulnerabilities.

A crushing blow at the heart of SAP J2EE engine – whitepaper

Forgotten World – Security of Enterprise Business Application Systems

Agenda: «Do you know where all the critical company data is stored? Do you know how easily you can be attacked by cybercriminals targeting this data? How can an attacker sabotage or commit espionage against your company having access just to one system? This paper will describe some basic and advanced threats and attacks on Enterprise Business Applications — the core of many companies».

The whitepaper is about enterprise business applications such as SAP and the ways attackers can gain access to critical business data, steal money or disable technological corporate networks such as SCADA by using vulnerabilities and misconfigurations in the architecture of business applications. We show examples from various business applications, both custom ones and the more popular ones such as SAP and JD Edwards, along with previously unknown vulnerabilities and attack methods that can be exploited not just to pop a shell but to gain unauthorized access to business-critical data. These attack methods can also be useful in penetration tests against ERP systems. Many of the problems shown cannot be easily patched, because they are design flaws or business logic problems that require a redesign of the system.

Forgotten World – Security of Enterprise Business Application Systems (PDF): /wp-content/uploads/2011/01/Forgotten-World-Security-of-Enterprise-Business-Application-Systems.pdf

SAP Security: attacking SAP clients

In this whitepaper I will be talking about the basic problems in SAP client security. It describes the basic attacks on SAP clients that can be carried out from the corporate network, and even from a public network by first gaining access to the corporate network and a user’s workstation, which is one step closer to the SAP servers and critical business data.

Author: Alexander Polyakov

Business application security is one of the most important tasks in a complex information security process. Nowadays the SAP platform is the most widespread platform for managing enterprise systems and stores the most critical data. Nonetheless, people still pay little attention to the technical side of SAP security. There are some well-known problems around access control, the SoD matrix and perhaps SAP Router security. But there are also many problems at all levels of an SAP system: the network level, the operating system level, the database level, the application level and the presentation level, i.e. SAP clients. For SAP server security you can get some information from the Cybsec presentations at BlackHat 2007 and BlackHat 2009, where you can see how insecure SAP servers and the RFC protocol are. But there is still very little information about SAP client security, which can be the weak point in your company even if it has a secure SAP server environment.

SAP Security – attacking SAP clients (PDF): /wp-content/uploads/2009/09/SAP-Security-Attacking-SAP-clients.pdf