Attacks based on security configurations

Transcription

1 SAP Security 2014 Protecting Your SAP Systems Against Attacks based on security configurations Juan Perez-Etchegoyen March 18 th, 2014 BIZEC Workshop

2 Disclaimer This publication is copyright 2014 Onapsis Inc. All rights reserved. This publication contains references to the products of SAP AG. SAP, R/3, xapps, xapp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials. 2

3 Agenda Introduction Configurations Attacks Recommendations Conclusions 3

4 Who is Onapsis Inc.? Company focused in protecting ERP systems from cyber-attacks (SAP, Siebel, Oracle E-Business Suite TM, PeopleSoft, JD Edwards ). Working with Global Fortune-100 and large governmental organizations. What does Onapsis do? Innovative ERP security software (Onapsis X1, Onapsis IPS, Onapsis Bizploit). ERP security professional services. Trainings on ERP security. Who are we? Juan Perez-Etchegoyen (JP), CTO at Onapsis. Discovered several vulnerabilities in SAP and Oracle ERPs... Speakers/Trainers at the most important Security Conferences 4

5 Introduction 5

6 A Cyber-criminal & SAP systems If an attacker is after an SAP system, he s probably looking forward to perform: ESPIONAGE: Obtain customers/vendors/human resources data, financial planning information, balances, profits, sales information, manufacturing recipes, etc. SABOTAGE: Paralyze the operation of the organization by shutting down the SAP system, disrupting interfaces with other systems and deleting critical information, etc. FRAUD: Modify financial information, tamper sales and purchase orders, create new vendors, modify vendor bank account numbers, etc. 6

7 What is his goal? The SAP Production System TREASURY PAYROLL FINANCIAL PLANNING SALES INVOICING PRODUCTION LOGISTICS BILLING HUMAN RESOURCES PROCUREMENT 7

8 Where an attacker would probably hit SAP systems are built upon several layers. Segregation of Duties (SoD) controls apply at the Business Logic layer. The SAP Application Layer (NetWeaver/BASIS) is common to most modern SAP solutions, serving as the base technological framework. SAP Solution Base Infrastructure SAP Business Logic SAP Application Layer Database Operating System 8

9 Where an attacker would probably hit SAP systems are built upon several layers. Segregation of Duties (SoD) controls apply at the Business Logic layer. Successful attacks to this layer would result in The SAP Application Layer (NetWeaver/BASIS) is common to most a complete compromise of the SAP system modern SAP solutions, serving as the base technological framework. (SAP_ALL or equivalent) usually even withouth requiring a username or password SAP Solution SAP Business Logic SAP Application Layer Base Infrastructure Database Operating System 9

10 Configurations and SAP systems 10

11 Netweaver framework can be tuned SAP Systems can be configured through different mechanisms: Customizing (IMG) UME Settings (JAVA only) ACL settings Profile Parameters Transport profile User parameters RFC Destinations reginfo secinfo Webdispatcher Management Console Message Server ICM ACL SAPGui ACL 11

12 Profile parameters Conceptually each parameter is a key-value pair Depending on the kernel version, there are close to 1500 parameters Around 10% of them are security-relevant Parameters are configured within profiles: Default Non dynamic Instance Start* No security-relevant Non dynamic Dynamic parameters do not require a system restart Security-relevant Non dynamic Some examples: rdisp/wp_no_dia = 10 rsau/enable = 1 login/min_password_lng = 8 login/password_downwards_compatibility = 1 Security-relevant Dynamic Security-relevant 12

13 Challenges? 13

14 Challenges Each profile parameter seems to be defining simple concepts but It could be challenging to understand Many times little documentation is available For some situations parameters are related so behavior depends on many values parameters take precedence profiles take precedence (kernel default.pfl instance profile dynamic configuration) parameters could change from App. Server to App. Server parameters configuration depend on files/tables contents parameters are created and destroyed within new kernel versions Default values? 14

15 Attack scenarios 15

16 Attack #1 Emergency mechanism 16

17 Attack #1 Emergency mechanism An emergency mechanism to connect to the SAP systems: Enabled by a profile parameter login/no_automatic_user_sapstar User SAP* does not exist in the database Connection with full authorizations Default credentials SAP*:PASS Cross-client issue (could be affecting only one client) Cross-App-Srv issue (could affect a single application server) The connection to the system will be successful based on a profile parameter and the user master record. Impact: Full SAP system compromise. 17

18 Demo 18

19 Attack #1 Client SAP* Record in Database Server 1 (Central Instance) Server 2 (Dialog Instance) Server 3 (Dialog Instance) login/no_automatic_user_sapstar Yes No No No No 001 Yes No No No No 066 Yes No No No No 200 Yes No No No No 230 No No No Yes No 300 Yes No No No No Server 4 (Dialog Instance) 19

20 Attack #1 Client SAP* Record in Database Server 1 (Central Instance) Server 2 (Dialog Instance) Server 3 (Dialog Instance) login/no_automatic_user_sapstar Protection Yes / Countermeasure No No No No Do not delete the user SAP* from any client 001 Yes No No No No 066 Yes No No No No 200 Yes No No No No 230 No No No Yes No 300 Yes No No No No Server 4 (Dialog Instance) Secure the user SAP* for all the clients in the SAP system (including standard) configure login/no_automatic_user_sapstar to 1. 20

21 Attack #2 Load Balancing 21

22 Attack #2 Load Balancing The load balance on SAP systems is driven by new application servers registering on the Message Server, which is restricted by: Parameter ms/acl_info Contents of ms_acl_info file. The registration of a new application server will be successful based mainly on the contents of the acl file. Impact: Full SAP system compromise. 22

23 Demo 23

24 Demo Protection / Countermeasure Create and maintain the acl to restrict which SAP Application Servers are allowed to register in the Message Server. 24

25 Attack #3 Password policies 25

26 Attack #3 Password policies The ability for a user to connect to the system if password policies are enhanced will depend on: Type of connection (DIAG/RFC) User Type (service,system,dialog ) Parameter rfc/reject_expired_passwd Parameter login/password_compliance_to_current_policy The connection to the system will be successful based on two profile parameters, the user and the protocol. Impact: Effectiveness on brute-force attacks 26

27 Attack #3 # Parameters Dialg Serv Systm Comm 1 Connection Type: GUI rfc/reject_expired_passwd=0 login/password_compliance_to_current_policy=0 2 Connection Type: RFC rfc/reject_expired_passwd=0 login/password_compliance_to_current_policy=0 3 Connection Type: GUI rfc/reject_expired_passwd=1 login/password_compliance_to_current_policy=0 4 Connection Type: RFC rfc/reject_expired_passwd=1 login/password_compliance_to_current_policy=0 Yes Yes No No Yes Yes Yes Yes Yes Yes No No Yes Yes Yes Yes 27

28 Attack #3 # Parameters Dialg Serv Systm Comm 5 Connection Type: GUI rfc/reject_expired_passwd=1 login/password_compliance_to_current_policy=1 6 Connection Type: RFC rfc/reject_expired_passwd=1 login/password_compliance_to_current_policy=1 7 Connection Type: GUI rfc/reject_expired_passwd=0 login/password_compliance_to_current_policy=1 8 Connection Type: RFC rfc/reject_expired_passwd=0 login/password_compliance_to_current_policy=1 Pwd Chg Yes No No No Yes Yes No Pwd Chg Yes No No Yes Yes Yes Yes 28

29 Attack #3 # Parameters Dialg Serv Systm Comm 5 Connection Type: GUI rfc/reject_expired_passwd=1 login/password_compliance_to_current_policy=1 6 Connection Protection Type: / RFC Countermeasure rfc/reject_expired_passwd=1 login/password_compliance_to_current_policy=1 7 Connection Type: GUI rfc/reject_expired_passwd=0 login/password_compliance_to_current_policy=1 Pwd Chg Yes No No No Yes Yes No Secure both profile parameters according to business requirements without disrupting any pre-established interface. 8 Connection Type: RFC rfc/reject_expired_passwd=0 login/password_compliance_to_current_policy=1 Pwd Chg Yes No No Yes Yes Yes Yes 29

30 Attack #4 Interfaces 30

31 Attack #4 Interfaces The ability for a user to register, start and connect to an interface on the SAP system will depend on: Parameters gw/reg_info, gw/sec_info, gw/acl_mode, gw/sim_mode, gw/reg_no_conn_info Contents of reginfo and secinfo files. The registration of an interface will be successful based on several profile parameters and the proper acl file. Impact: Potential full SAP system compromise. 31

32 Attack #4 Simplified version of the configuration options acl file gw/acl_mode start/register File exists and is empty 0 or 1 No servers allowed File does not exists 0 Unrestricted File does not exists 1 Only local and internal File properly defined 0 or 1 Only servers defined in ACL If gw/sim_mode is enabled and no explicit denial is included in the ACL, everything is accepted. 32

33 Demo 33

34 Attack #4 Evil Twin: MITM Attacks ` SAP FE RESPONSE RCF Call External RFC Server SAP R/3 SAP GW RCF Modified Call Modified RESPONSE - So Here This we we time, have go again, the every same RFC blocking scenario, call received valid legitimate connections is Logged/Modified, client to and the and External innocent forwarded RFC External to Server, the original RCF the Server SAP external R/3 Server server. and the SAP Gateway - Now, the same malicious client/server connects with the SAP R/3 Gateway, and register itself with the same ID as the original external server. External RFC Malicius Server 34

35 Attack #4 Attacking the R/3 with a Registered Server ` SAP FE RESPONSE RCF Call External RFC Server SAP GW SAP R/3 Poisoned RCF Callback - Yes, Here Again, But now, again we the are when the same again, a same malicious RFC blocking scenario: call is client/server valid received, the valid connections we client, connects perform to the with a valid the External innocent SAP callback R/3 server, RFC External Server, and RCF register the Server. SAP R/3 itself Server with and the the ID SAP of the Gateway - SAP R/3 Application Server OWNED!! original external server. External RFC Malicius Server 35

36 Attack #4 Attacking the R/3 with a Registered Server ` SAP FE Protection / Countermeasure RCF Call SAP GW RESPONSE External RFC Server Create and maintain the proper acl files to restrict which servers can be registered and started and who can connect to those servers. Maintain profile parameters according to your security policies. SAP R/3 Poisoned RCF Callback - Yes, Here Again, But now, again we the are when the same again, a same malicious RFC blocking scenario: call is client/server valid received, the valid connections we client, connects perform to the with a valid the External innocent SAP callback R/3 server, RFC External Server, and RCF register the Server. SAP R/3 itself Server with and the the ID SAP of the Gateway - SAP R/3 Application Server OWNED!! original external server. External RFC Malicius Server 36

37 Wrapping up... 37

38 Bizec The BIZEC TEC/11, lists the most common and critical issues affecting the business runtime. BIZEC TEC-01: Vulnerable Software in Use BIZEC TEC-02: Standard Users with Default Passwords BIZEC TEC-03: Unsecured SAP Gateway BIZEC TEC-04: Unsecured SAP/Oracle authentication BIZEC TEC-05: Insecure RFC interfaces BIZEC TEC-06: Insufficient Security Audit Logging BIZEC TEC-07: Unsecured SAP Message Server BIZEC TEC-08: Dangerous SAP Web Applications Attack #4 Attack #1 Attack #2 BIZEC TEC-09: Unprotected Access to Administration Services BIZEC TEC-10: Insecure Network Environment BIZEC TEC-11: Unencrypted Communications 38

39 General recommendations Use RZ10 and keep track of profiles and parameter values through the database. Specify values in the default profile whenever possible, to define a value for all App. Servers. Pay attention to the values defined on the Instance profiles, as those will override the default profile. Keep special attention on the dynamic parameters, as the modification of those could remain unnoticed. Keep track of the profile parameters that are security-relevant, as those could have a big impact on the security. 39

40 Conclusions Configurations are complex on SAP systems and can have a huge impact on its security. Complex situations could expose the system. Proper controls in place and monitoring of all SAP configurations can help reducing the risk. Holistic security at the SAP Application Layer involves every landscape, every system, every instance and every client. 40

41 References SAP Runs SAP Remote Function Call: Gateway Hacking and Defense (Björn Brencher, SAP) Secure Configuration of SAP NetWeaver Application Server Using ABAP a114084/content.htm Special Thanks to the Onapsis Team ( Sergio Abraham, Pablo Muller, Jordan Santarsieri ) 41

42 Questions? 42

43 Thank you! Follow 43