The bring your own device (BYOD) trend is changing the way IT is managed, delivered, and, most importantly, secured. BYOD lets a company’s employees work on the devices they prefer, so modern organizations and enterprises may either supply their employees with multi-function mobile devices or allow staff to bring their own handhelds of various types. BYOD sometimes covers more specific concepts such as bring your own computer (BYOC), bring your own laptop (BYOL), bring your own apps (BYOA), and bring your own PC (BYOPC).
The main aim of BYOD is to increase productivity and work pace. Despite all the benefits, BYOD poses cybersecurity risks to the organization because personal devices connect to the corporate network and access corporate data. To minimize the threats, businesses should adopt BYOD policies and manage the devices in some way.
There is a variety of turnkey solutions for administering and securing corporate devices. These products are called MDM (Mobile Device Management). SAP Afaria, an MDM solution from the German software vendor SAP, is considered the market leader, with about 6,300 enterprise customers using it to manage more than 130 million mobile devices.
SAP Afaria history
SAP Afaria’s history dates back to 1997, and several versions of the solution have been released since then. Here is the full list of them.
- Version 7.0 SP7: Released October 2015 (as SAP Afaria SP7)
- Version 7.0 SP6: Released September 2015 (as SAP Afaria SP6)
- Version 7.0 SP5: Released August 2014 (as SAP Afaria SP5)
- Version 7.0 SP4: Released December 2013 (as SAP Afaria SP4)
- Version 7.0 SP2: Released December 2012 (as SAP Afaria SP2)
- Version 7.0: Released April 2012 (as SAP Afaria)
- Version 6.6: Released September 2010
- Version 6.5: Released November 2009
- Version 6.0: Released December 2008
- Version 5.0: Released November 2003
- Version 4.0: Released June 2000 (as Afaria)
- Version 3.5: Released May 2000 (as Afaria for Handhelds)
- Version 3.0: Released October 1999
- Version 2.0: Released February 1999 (as CONNECT:Manage)
- Version 1.2: Released October 1997 (as RemoteWare Express)
- Version 1.0: Released February 1997 (as SessionXpress)
SAP Afaria 101
First, let’s define some essential terms.
Server — Afaria is a server-based solution that supports a single server or a server farm environment. The server communicates with the Afaria database, the Afaria Administrator, the Afaria Over-the-Air (OTA) Deployment Center, the relay server, and Afaria Clients. It is the central point for all Afaria activity.
Afaria Administrator — Afaria Administrator is a web application that provides an interface to the Afaria Server. It is used to define the server configuration and access policies for Afaria Administrator users, create and manage Afaria Clients, monitor system activity, and communicate with other Afaria Servers.
Clients — Afaria Clients are a wide range of user devices, such as laptops, handhelds, phablets, and phones, that run the Afaria Client software. Clients initiate connections with the Afaria Server to run sessions. Servers use these sessions to manage the Clients, deliver Client updates, and collect data from the Client. Depending on your licence, several Client types are available, so you can choose the one that best suits the users’ requirements.
Relay server — a secure, load-balancing proxy server that relays communication between mobile devices and one or more Sybase server-based products.
OTA Deployment Center — Afaria supports the use of an optional OTA Deployment Center, a web server set up to provide software deployment services for the Afaria solution. An administrator pushes Afaria Client installation packages out to the deployment center and then sends notices to device holders, who can download the Client directly onto their device to install it.
Package server — a dedicated server that delivers Afaria application packages to devices.
Self-Service Portal Server (EUSSP or SSP) — lets end users enroll their devices in Afaria management, view their device information, and issue commands.
Enrollment Server — required for handheld device enrollment.
Relay Server Outbound Enabler (RSOE) — its primary function is to initiate an outbound connection to all relay servers in the relay server farm on behalf of the backend server.
Afaria DB server — a database server that hosts the Afaria database.
Afaria server farm — a group of Afaria servers operating together in a single Afaria installation.
SAP Afaria Architecture
As an MDM solution, SAP Afaria requires a client program to be installed on the mobile device so that it can be synced with the Afaria system. To connect a client to the server, you need to set up a connection. This can be done in several ways:
- Touch tuning
- Using special codes
- Via the Self-Service Portal
SAP Afaria Services: Have you checked your ports?
By default, two protocols, HTTP and XNET, are in place. The first is used by the enrollment server and the package server; the second is used to connect devices directly to the Afaria server. These connections go through open ports 3005 and 3007 on the servers, which are the most vulnerable.
XCListener listens on port 3005. The Windows Mobile and Windows clients may be vulnerable to a buffer overflow in certain landscape configurations. XcListener does not perform proper authorization checks, which can result in undesired behavior. To be vulnerable, XcListener must be an active process. The Windows client enrollment policy allows administrators to enable or disable XcListener with the advanced option “Outbound listener and firewall”. If port 3005 is not exposed externally, the vulnerability is only reachable locally on the machine.
XCListener plays a vital role in SAP Afaria security, as it is a management interface that accepts many critical commands and has several vulnerabilities. We recommend installing SAP Notes 2134905 and 2153690 to fix the issue.
There is also a Stored XSS vulnerability associated with open port 3007.
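As an added example (not from the original post or from SAP), the following Python script parses a constructed Windows `netstat -an` listing and reports whether ports 3005 and 3007 are listening on all interfaces, on loopback only, or not at all, which is the check an administrator would run before trusting that XcListener is "not exposed externally". Treating any non-loopback bind address as network-reachable is this example's own assumption.

```python
import re

# Afaria ports named in the text: 3005 (XCListener) and 3007.
AFARIA_PORTS = {3005: "XCListener", 3007: "Afaria service port"}

# Constructed sample of 'netstat -an' output from a Windows host (not real data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3005           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3007         0.0.0.0:0              LISTENING
  TCP    [::]:443               [::]:0                 LISTENING
  TCP    10.0.0.5:3005          10.0.0.77:51234        ESTABLISHED
  UDP    0.0.0.0:3005           *:*
"""

# proto, local address, local port, foreign address, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")
LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(netstat_text):
    """Return (port, bind_address) for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == "TCP" and m.group(5) == "LISTENING":
            listeners.append((int(m.group(3)), m.group(2)))
    return listeners


def audit_afaria_exposure(netstat_text):
    """Classify each Afaria port as 'exposed' (bound to a non-loopback
    address), 'local' (loopback only) or 'closed' (no listener).
    Assumption: any non-loopback bind address is reachable from the network."""
    status = {port: "closed" for port in AFARIA_PORTS}
    for port, addr in parse_listeners(netstat_text):
        if port not in AFARIA_PORTS:
            continue
        if addr not in LOOPBACK:
            status[port] = "exposed"
        elif status[port] == "closed":
            status[port] = "local"
    return status


if __name__ == "__main__":
    for port, state in audit_afaria_exposure(SAMPLE_NETSTAT).items():
        print(f"{port} ({AFARIA_PORTS[port]}): {state}")
```

On a real host, pipe the output of `netstat -an` into `audit_afaria_exposure` instead of the constructed sample; an "exposed" result for 3005 means XcListener is reachable beyond the local machine and the enrollment-policy option above, or a host firewall rule, should be reviewed.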
SAP Afaria vulnerabilities
The graph shows that DoS, Buffer Overflow, and Gain Privileges are the most common attack vectors against SAP Afaria.
The average CVSS score for SAP Afaria vulnerabilities is 7.2; three issues have the highest CVSS score of 7.5.
Securing SAP Afaria from remote Cyber Attacks
It’s worth mentioning that SAP Afaria can be configured so that its critical services accept connections remotely from the Internet. To illustrate this, we found about 140 Afaria servers accessible from the Internet.
As you can see from the graph, the largest number of Afaria services is deployed in the US and China. Exposed to the Internet, Afaria opens a door for attackers. The most critical point is that SAP Afaria servers are very easy to find on the Internet, and cyber criminals can use this to conduct attacks on SAP Afaria via the vulnerabilities that we have recently disclosed:
This was a brief overview of SAP Afaria to cover the basics. Next time we will discuss SAP Afaria vulnerabilities in detail and how they are exploited.