SAP NetWeaver ABAP security configuration. Part 2: Patch management
In our previous articles , we’ve already introduced you to the list of the 9 most important business application security issues. We’ve also had a chance to present to you the skeleton of our guideline with its 33 security assessment steps. As you’ve seen only the roadmap of it, now it’s high time to pay attention to a more detailed explanation of each step to be taken.
In order to ensure full-scale system security it is crucial to install security support packages regularly. The number of nesessary support packages may be huge. In fact the the number of SAP Security Notes grew up to more than 3000 by the mid-2014. As some of you may know, each SAP Security Note serves to fix one or more vulnerabilities. About 50 Security Notes are issued monthly. Sometimes one can even find an SAP Security Note that was based on the results of a third-party researcher’s work . Also, when it comes to prompt vulnerability elimination we should take into consideration all the possible consequences of the implementation of such projects as Metasploit which may provide getting free access to the corporate information. According to the arguments given above, the development and the establishment of a patch management process that would ensure the implementation of adequate preventive measures against potential threats, is highly necessary at this stage. Now, let us now focus on the two major checks that must be in place to address the most critical problems.
To verify security of SAP components, particularly those of them that are installed separately from the application server you can use such services as SAProuter, SAP Web Dispatcher, SAP GUI. Also, it’s convenient to use systems that are linked to the NetWeaver ABAP application server, but operate on the basis of the NetWeaver J2EE or SAP BusinessObjects application servers. Their security is regulated by a separate document included in the EAS-SEC. It’s substantial that a security patch should be checked for operating systems where SAP services are installed, as well as for DBMS that stores SAP solution data.
[EASAI-NA-01] Check for components update (SAP Security Notes)
The essence of the whole patching procedure is that a patch is designed to substitute outdated and vulnerable objects. There are two ways to fix a vulnerability: one can either implement the correction instructions from an SAP Security Note in the system or have a Support Package installed. Normally a particular SAP Security Note (with appropriate correction instructions) is issued first. After that, a Support Package is applied. It usually contains changed or new functionality with a set of correction instructions for a certain period of time.
As mentioned above, the number of support packages and SAP Security Notes required by the system may be huge. That’s why the development of patch management process should also involve the establishment of a priority of patch installation. While determining the right priority one should consider the following factors:
- Threat severity,
- Threat probability,
- Required system privileges,
- Complexity of exploitation, and
- Public exploit availability.
WARNING! Sometimes vulnerability management processes can mix up. It means that vulnerabilities may be fixed with either a support package or with the help of the SAP Security Notes. The matter is they won’t synchronize. For instance, a vulnerability fixed with a support package would not be implemented as fixed via the SNOTE transaction to the SAP Security Notes list.
As soon as there appears a new security patch, newly identified vulnerabilities quickly become publicly available and anyone can gain access to their description. Accordingly, in case a security patch was implemented after a long period of time it gives an adversary a chance to exploit those vulnerabilities, to get an unauthorized access to sensitive business data.
It is imperative to perform regular checks for security patches updates. To do that, one should strictly follow the main patch management process steps (data collection, risk assessment, implementing security patch software, result monitoring). Using SAP Patch Manager (SPAM) offered by the SAP one can download and implement required support packages from the Online Server System (OSS). Note that this is only related to versions 3.0 and higher. In order to start the SPAM, you should enter the command “SPAM” in the transaction code field.
Also, it’s possible to use the multi-purpose SAP Software Update Manager (SUM) to implement various system updates. The good news is that a demo version of this product is publicly available at the time 
To implement SAP Security Notes, use the SNOTE transaction to get a list of Security Notes required for a particular system. As mentioned above, these two mechanisms are not synchronized, so it is preferable to make some changes manually or with some additional third-party tools.
Before proceeding to our next security check let’s make a small digression. We’ve decided to be proactive in terms of information security so that each item of our guideline contains a subsection called “Further steps”. This subsection gives major instructions on how to further securely configure each particular item.
[EASAI-NA-02] Check for kernel updates
We should keep in mind that in SAP System Kernel there are executable files containing SAP Dispatcher, SAP Gateway, SAP Message Server, SAProuter and some other SAP services. For that reason, SAP System Kernel has its own update mechanism that differs from other components. Kernel updates are released as service packs for a specific kernel type.
So as to clarify, support packages are cumulative. Therefore, they include all the previous updates, even though sometimes releases contain updates for a certain support package only.
As soon as the new security patch appears, newly identified vulnerabilities also become publicly available rather quickly. It means that anyone can gain access to their description. Accordingly, in case security patch was implemented after a long period of time it gives an adversary a chance to exploit those vulnerabilities, to get an unauthorized access to sensitive business data.
Kernel updates mostly fix highly critical vulnerabilities, as any system has a kernel. So, it’s crucial that kernel update should have the highest priority and should be installed before other components.
It is imperative to perform regular checks for security patches updates. To do that one should strictly follow main patch management process steps (data collection, risk assessment, implementing security patch software, result monitoring).
In case you want to check out the current version of a service pack using SAP GUI you need to open the Status window in System tab and click on the Other kernel info button (Shift+F5 by default). There is always some information on the latest service pack version published on the SAP support portal
The SAP Security Note is usually downloaded as a system and executable files directory that replaces the previous files. Software Update Manager (SUM) utility is also available to facilitate the manual process a lot (ref. to the operating manual ).
That’s it for today. We’ve checked out the first critical issue “patch management flow” and two steps relating to it. We hope you like’d our work and share our urge to promote information security to a higher level.