Attacks based on security configurations


SAP Security 2014: Protecting Your SAP Systems Against Attacks Based on Security Configurations. Juan Perez-Etchegoyen, jppereze@onapsis.com. March 18th, 2014, BIZEC Workshop

Disclaimer This publication is copyright 2014 Onapsis Inc. All rights reserved. This publication contains references to the products of SAP AG. SAP, R/3, xapps, xapp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials. 2

Agenda: Introduction; Configurations; Attacks; Recommendations; Conclusions. 3

Who is Onapsis Inc.? A company focused on protecting ERP systems from cyber-attacks (SAP, Siebel, Oracle E-Business Suite TM, PeopleSoft, JD Edwards), working with Global Fortune-100 and large governmental organizations. What does Onapsis do? Innovative ERP security software (Onapsis X1, Onapsis IPS, Onapsis Bizploit), ERP security professional services and training on ERP security. Who are we? Juan Perez-Etchegoyen (JP), CTO at Onapsis, has discovered several vulnerabilities in SAP and Oracle ERPs and speaks and trains at the most important security conferences. 4

Introduction 5

A Cyber-criminal & SAP systems. If an attacker is after an SAP system, he is probably looking to perform: ESPIONAGE: obtain customer/vendor/human resources data, financial planning information, balances, profits, sales information, manufacturing recipes, etc. SABOTAGE: paralyze the operation of the organization by shutting down the SAP system, disrupting interfaces with other systems, deleting critical information, etc. FRAUD: modify financial information, tamper with sales and purchase orders, create new vendors, modify vendor bank account numbers, etc. 6

What is his goal? The SAP Production System: Treasury, Payroll, Financial Planning, Sales, Invoicing, Production, Logistics, Billing, Human Resources, Procurement. 7

Where an attacker would probably hit. SAP systems are built upon several layers. Segregation of Duties (SoD) controls apply at the Business Logic layer. The SAP Application Layer (NetWeaver/BASIS) is common to most modern SAP solutions, serving as the base technological framework. (Diagram: SAP Solution = SAP Business Logic on top of the SAP Application Layer; Base Infrastructure = Database on top of the Operating System.) 8

Where an attacker would probably hit. SAP systems are built upon several layers. Segregation of Duties (SoD) controls apply at the Business Logic layer. The SAP Application Layer (NetWeaver/BASIS) is common to most modern SAP solutions, serving as the base technological framework. Successful attacks on this layer result in a complete compromise of the SAP system (SAP_ALL or equivalent), usually even without requiring a username or password. (Diagram: SAP Solution = SAP Business Logic on top of the SAP Application Layer; Base Infrastructure = Database on top of the Operating System.) 9

Configurations and SAP systems 10

The NetWeaver framework can be tuned. SAP systems can be configured through different mechanisms: Customizing (IMG); UME settings (Java only); ACL settings (reginfo, secinfo, Web Dispatcher, Management Console, Message Server, ICM ACL, SAP GUI ACL); profile parameters; transport profile; user parameters; RFC destinations. 11

Profile parameters. Conceptually each parameter is a key-value pair. Depending on the kernel version there are close to 1500 parameters, and around 10% of them are security-relevant. Parameters are configured within profiles: the Default profile and the Instance profile (both non-dynamic, both containing security-relevant parameters) and the Start profile (non-dynamic, no security-relevant parameters). Dynamic parameters do not require a system restart. Some examples: rdisp/wp_no_dia = 10, rsau/enable = 1, login/min_password_lng = 8, login/password_downwards_compatibility = 1 (the rsau/* and login/* examples are security-relevant; rdisp/wp_no_dia, the number of dialog work processes, is not). 12

Challenges? 13

Challenges. Each profile parameter seems to define a simple concept, but it can be challenging to understand: many times little documentation is available; in some situations parameters are related, so the behavior depends on many values; parameters take precedence over one another and profiles take precedence over one another (kernel default, then DEFAULT.PFL, then the instance profile, then the dynamic configuration); parameters can differ from application server to application server; a parameter's effect can depend on the contents of files or tables; parameters are created and destroyed with new kernel versions; and what are the default values? 14

Attack scenarios 15

Attack #1 Emergency mechanism 16

Attack #1 Emergency mechanism. An emergency mechanism to connect to SAP systems: it is enabled by the profile parameter login/no_automatic_user_sapstar when the user SAP* does not exist in the database; the connection has full authorizations and uses the default credentials SAP*:PASS. It is a client-level issue (it could affect only one client) and an application-server-level issue (it could affect a single application server). Whether the connection succeeds depends on a profile parameter and the user master record. Impact: full SAP system compromise. 17

Demo 18

Attack #1. Value of login/no_automatic_user_sapstar per application server: Server 1 (Central Instance) = 1, Server 2 (Dialog Instance) = 1, Server 3 (Dialog Instance) = 0, Server 4 (Dialog Instance) = 1. Per client: does the SAP* record exist in the database, and does the emergency login succeed on Server 1 / Server 2 / Server 3 / Server 4?
Client 000: record Yes; No / No / No / No
Client 001: record Yes; No / No / No / No
Client 066: record Yes; No / No / No / No
Client 200: record Yes; No / No / No / No
Client 230: record No; No / No / Yes / No
Client 300: record Yes; No / No / No / No 19

Attack #1 Protection / Countermeasure (same table as before): do not delete the user SAP* from any client. Secure the user SAP* for all the clients in the SAP system (including the standard clients) and configure login/no_automatic_user_sapstar to 1. 20
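As an added example that is not part of the deck, the check below resolves login/no_automatic_user_sapstar per application server with the precedence described under Challenges (kernel default, DEFAULT.PFL, instance profile, dynamic change) and then derives the Attack #1 exposure matrix; the profile contents, server names, clients and the assumed kernel default of 0 are constructed for illustration.

```python
# Added example (not the deck's code); all profile text and names are constructed.

# Assumed kernel default used for illustration: the parameter is "0" unless set.
KERNEL_DEFAULTS = {"login/no_automatic_user_sapstar": "0"}

def parse_profile(text):
    """Parse 'key = value' lines of a profile file; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def effective_value(param, default_profile, instance_profile, dynamic=None):
    """Later layers override earlier ones: kernel < DEFAULT.PFL < instance < dynamic."""
    value = KERNEL_DEFAULTS.get(param)
    for layer in (default_profile, instance_profile, dynamic or {}):
        value = layer.get(param, value)
    return value

def sapstar_exposure(default_pfl, instance_profiles, dynamic_changes, sapstar_record):
    """{(client, server): True} where the SAP* emergency login would succeed:
    effective parameter 0 on that server AND no SAP* master record in that client."""
    default_params = parse_profile(default_pfl)
    matrix = {}
    for server, text in instance_profiles.items():
        value = effective_value("login/no_automatic_user_sapstar", default_params,
                                parse_profile(text), dynamic_changes.get(server))
        for client, record_exists in sapstar_record.items():
            matrix[(client, server)] = (value == "0") and not record_exists
    return matrix

# Constructed landscape mirroring the slide: parameter set to 1 in DEFAULT.PFL,
# overridden to 0 in the instance profile of Server 3; SAP* deleted in client 230.
DEFAULT_PFL = "SAPSYSTEMNAME = PRD\nlogin/no_automatic_user_sapstar = 1\n"
INSTANCE_PROFILES = {
    "Server 1": "rdisp/wp_no_dia = 10\n",
    "Server 2": "rdisp/wp_no_dia = 10\n",
    "Server 3": "rdisp/wp_no_dia = 10\nlogin/no_automatic_user_sapstar = 0  # emergency\n",
    "Server 4": "rdisp/wp_no_dia = 10\n",
}
SAPSTAR_RECORD = {"000": True, "001": True, "066": True, "200": True, "230": False, "300": True}

def exposed_pairs(dynamic_changes=None):
    """List the (client, server) pairs where the emergency login is possible."""
    matrix = sapstar_exposure(DEFAULT_PFL, INSTANCE_PROFILES, dynamic_changes or {}, SAPSTAR_RECORD)
    return sorted(pair for pair, exposed in matrix.items() if exposed)

if __name__ == "__main__":
    print(exposed_pairs())   # [('230', 'Server 3')]
    # A dynamic change on Server 3 closes the hole without a restart (and without a trace in the profile file).
    print(exposed_pairs({"Server 3": {"login/no_automatic_user_sapstar": "1"}}))  # []
```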

Attack #2 Load Balancing 21

Attack #2 Load Balancing. Load balancing on SAP systems is driven by new application servers registering on the Message Server, which is restricted by the parameter ms/acl_info and the contents of the ms_acl_info file. Whether the registration of a new application server succeeds depends mainly on the contents of the acl file. Impact: full SAP system compromise. 22

Demo 23

Attack #2 Protection / Countermeasure: create and maintain the acl to restrict which SAP Application Servers are allowed to register on the Message Server. 24

Attack #3 Password policies 25

Attack #3 Password policies. Whether a user can still connect to the system after the password policies are tightened depends on: the type of connection (DIAG/RFC); the user type (service, system, dialog, communication); the parameter rfc/reject_expired_passwd; and the parameter login/password_compliance_to_current_policy. Whether the connection succeeds depends on two profile parameters, the user and the protocol. Impact: effectiveness of brute-force attacks. 26

Attack #3. Can a user whose password does not meet the current policy still connect? Columns: Dialog / Service / System / Communication user.
1. Connection type GUI, rfc/reject_expired_passwd=0, login/password_compliance_to_current_policy=0: Yes / Yes / No / No
2. Connection type RFC, rfc/reject_expired_passwd=0, login/password_compliance_to_current_policy=0: Yes / Yes / Yes / Yes
3. Connection type GUI, rfc/reject_expired_passwd=1, login/password_compliance_to_current_policy=0: Yes / Yes / No / No
4. Connection type RFC, rfc/reject_expired_passwd=1, login/password_compliance_to_current_policy=0: Yes / Yes / Yes / Yes 27

Attack #3 (continued). Columns: Dialog / Service / System / Communication user.
5. Connection type GUI, rfc/reject_expired_passwd=1, login/password_compliance_to_current_policy=1: Pwd Chg / Yes / No / No
6. Connection type RFC, rfc/reject_expired_passwd=1, login/password_compliance_to_current_policy=1: No / Yes / Yes / No
7. Connection type GUI, rfc/reject_expired_passwd=0, login/password_compliance_to_current_policy=1: Pwd Chg / Yes / No / No
8. Connection type RFC, rfc/reject_expired_passwd=0, login/password_compliance_to_current_policy=1: Yes / Yes / Yes / Yes 28

Attack #3 Protection / Countermeasure (same table as before): secure both profile parameters according to business requirements without disrupting any pre-established interface. 29
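As an added example that is not part of the deck, the function below encodes the logon decision behind the eight Attack #3 rows and reports, for a given pair of parameter values, which connection paths still accept a non-compliant password; it assumes that policy compliance is enforced only for Dialog and Communication users and that System and Communication users cannot log on through SAP GUI.

```python
# Added example (not the deck's code). Assumptions: policy compliance applies to
# Dialog and Communication users only; System and Communication users have no GUI logon.

USER_TYPES = ("Dialog", "Service", "System", "Communication")
CONNECTIONS = ("GUI", "RFC")

def logon_result(connection, user_type, reject_expired_passwd, compliance_to_current_policy):
    """Outcome for a user whose password does not meet the tightened policy.

    Returns 'Yes' (logon succeeds), 'No' (rejected) or 'Pwd Chg' (logon only
    after an interactive password change), matching the cells on the slides.
    """
    if connection == "GUI" and user_type in ("System", "Communication"):
        return "No"                      # these user types never get a DIAG logon
    policy_applies = user_type in ("Dialog", "Communication")
    if not (compliance_to_current_policy and policy_applies):
        return "Yes"                     # password is not treated as expired
    if connection == "GUI":
        return "Pwd Chg"                 # interactive logon forces a change
    return "No" if reject_expired_passwd else "Yes"   # rfc/reject_expired_passwd decides

def decision_table(reject_expired_passwd, compliance_to_current_policy):
    """One slide row per connection type: {connection: [Dialog, Service, System, Comm]}."""
    return {conn: [logon_result(conn, ut, reject_expired_passwd, compliance_to_current_policy)
                   for ut in USER_TYPES] for conn in CONNECTIONS}

def noncompliant_logon_paths(reject_expired_passwd, compliance_to_current_policy):
    """Defender's view: (connection, user type) pairs where a user subject to the
    policy still logs on with a non-compliant password, i.e. where the tightened
    policy does nothing against password guessing on that path."""
    return [(conn, ut) for conn in CONNECTIONS for ut in ("Dialog", "Communication")
            if logon_result(conn, ut, reject_expired_passwd, compliance_to_current_policy) == "Yes"]

if __name__ == "__main__":
    for reject in (0, 1):
        for comply in (0, 1):
            print(f"reject_expired_passwd={reject} compliance={comply}:",
                  decision_table(reject, comply), noncompliant_logon_paths(reject, comply))
```

Only rfc/reject_expired_passwd=1 together with login/password_compliance_to_current_policy=1 leaves no path open, which is why the countermeasure asks for both parameters to be secured together.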

Attack #4 Interfaces 30

Attack #4 Interfaces. Whether a user can register, start and connect to an interface on the SAP system depends on: the parameters gw/reg_info, gw/sec_info, gw/acl_mode, gw/sim_mode and gw/reg_no_conn_info; and the contents of the reginfo and secinfo files. Whether the registration of an interface succeeds depends on several profile parameters and the proper acl file. Impact: potential full SAP system compromise. 31

Attack #4. Simplified version of the configuration options (acl file state; gw/acl_mode; effect on start/register):
File exists and is empty; 0 or 1; no servers allowed.
File does not exist; 0; unrestricted.
File does not exist; 1; only local and internal.
File properly defined; 0 or 1; only servers defined in the ACL.
If gw/sim_mode is enabled and no explicit denial is included in the ACL, everything is accepted. 32

Demo 33

Attack #4 Evil Twin: MITM attacks. (Diagram: SAP FE, SAP GW, SAP R/3, External RFC Server and External RFC Malicious Server, with the RFC Call, Modified Call, Modified Response and Response flows.) So we have the same scenario: a valid legitimate client, the innocent External RFC Server, the SAP R/3 Server and the SAP Gateway. Here we go again, blocking connections to the External RFC Server. Now the same malicious client/server connects to the SAP R/3 Gateway and registers itself with the same ID as the original external server. This time, every RFC call received is logged/modified and forwarded to the original external server. 34

Attack #4 Attacking the R/3 with a Registered Server. (Diagram: SAP FE, SAP GW, SAP R/3, External RFC Server and External RFC Malicious Server, with the RFC Call, Response and Poisoned RFC Callback flows.) Yes, again the same scenario: the valid client, the innocent External RFC Server, the SAP R/3 Server and the SAP Gateway. Here we are again, blocking valid connections to the External RFC Server. Again, the same malicious client/server connects to the SAP R/3 server and registers itself with the ID of the original external server. But now, when an RFC call is received, we perform a valid callback: SAP R/3 Application Server OWNED!! 35

Attack #4 Protection / Countermeasure (same diagram as before): create and maintain the proper acl files to restrict which servers can be registered and started and who can connect to those servers. Maintain profile parameters according to your security policies. 36

Wrapping up... 37

Bizec. The BIZEC TEC/11 lists the most common and critical issues affecting the business runtime: BIZEC TEC-01: Vulnerable Software in Use; BIZEC TEC-02: Standard Users with Default Passwords (Attack #1); BIZEC TEC-03: Unsecured SAP Gateway (Attack #4); BIZEC TEC-04: Unsecured SAP/Oracle authentication; BIZEC TEC-05: Insecure RFC interfaces; BIZEC TEC-06: Insufficient Security Audit Logging; BIZEC TEC-07: Unsecured SAP Message Server (Attack #2); BIZEC TEC-08: Dangerous SAP Web Applications; BIZEC TEC-09: Unprotected Access to Administration Services; BIZEC TEC-10: Insecure Network Environment; BIZEC TEC-11: Unencrypted Communications. 38

General recommendations. Use RZ10 and keep track of profiles and parameter values through the database. Specify values in the default profile whenever possible, to define a value for all application servers. Pay attention to the values defined in the instance profiles, as those override the default profile. Pay special attention to the dynamic parameters, as modifications to them could go unnoticed. Keep track of the profile parameters that are security-relevant, as those can have a big impact on security. 39

Conclusions. Configurations are complex on SAP systems and can have a huge impact on their security; complex situations can expose the system. Proper controls in place and monitoring of all SAP configurations help reduce the risk. Holistic security at the SAP Application Layer involves every landscape, every system, every instance and every client. 40

References: SAP Runs SAP: Remote Function Call: Gateway Hacking and Defense (Björn Brencher, SAP); Secure Configuration of SAP NetWeaver Application Server Using ABAP; http://www.bizec.org/wiki/bizec_tec11; http://scn.sap.com/community/netweaver/blog/2012/07/28/change-sap-profileparameters; https://help.sap.com/saphelp_nw04/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm. Special thanks to the Onapsis Team (Sergio Abraham, Pablo Muller, Jordan Santarsieri). 41

Stay tuned! @onapsis @jp_pereze Questions? jppereze@onapsis.com 42

Thank you! www.onapsis.com Follow us! @onapsis 43