SAP Security 2014: Protecting Your SAP Systems Against Attacks Based on Security Configurations
Juan Perez-Etchegoyen, jppereze@onapsis.com
March 18th, 2014, BIZEC Workshop

Disclaimer
This publication is copyright 2014 Onapsis Inc. All rights reserved. This publication contains references to the products of SAP AG. SAP, R/3, xapps, xapp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.

Agenda
- Introduction
- Configurations
- Attacks
- Recommendations
- Conclusions
Who is Onapsis Inc.?
- Company focused on protecting ERP systems from cyber-attacks (SAP, Siebel, Oracle E-Business Suite, PeopleSoft, JD Edwards).
- Working with Global Fortune-100 and large governmental organizations.
What does Onapsis do?
- Innovative ERP security software (Onapsis X1, Onapsis IPS, Onapsis Bizploit).
- ERP security professional services.
- Trainings on ERP security.
Who are we?
- Juan Perez-Etchegoyen (JP), CTO at Onapsis.
- Discovered several vulnerabilities in SAP and Oracle ERPs.
- Speakers/trainers at the most important security conferences.

Introduction

A cyber-criminal & SAP systems
If an attacker is after an SAP system, he is probably looking to perform:
- ESPIONAGE: obtain customer/vendor/human resources data, financial planning information, balances, profits, sales information, manufacturing recipes, etc.
- SABOTAGE: paralyze the operation of the organization by shutting down the SAP system, disrupting interfaces with other systems, deleting critical information, etc.
- FRAUD: modify financial information, tamper with sales and purchase orders, create new vendors, modify vendor bank account numbers, etc.

What is his goal? The SAP Production System
Business processes running on it: Treasury, Payroll, Financial Planning, Sales, Invoicing, Production, Logistics, Billing, Human Resources, Procurement.
Where an attacker would probably hit
- SAP systems are built upon several layers (top to bottom): SAP Solution = SAP Business Logic + SAP Application Layer; Base Infrastructure = Database + Operating System.
- Segregation of Duties (SoD) controls apply at the Business Logic layer.
- The SAP Application Layer (NetWeaver/BASIS) is common to most modern SAP solutions, serving as the base technological framework.
- Successful attacks on this layer would result in a complete compromise of the SAP system (SAP_ALL or equivalent), usually even without requiring a username or password.
Configurations and SAP systems

The NetWeaver framework can be tuned
SAP systems can be configured through different mechanisms:
- Customizing (IMG)
- UME settings (Java only)
- ACL settings: reginfo, secinfo, Web Dispatcher, Management Console, Message Server, ICM ACL, SAPGui ACL
- Profile parameters
- Transport profile
- User parameters
- RFC destinations

Profile parameters
- Conceptually, each parameter is a key-value pair.
- Depending on the kernel version, there are close to 1500 parameters.
- Around 10% of them are security-relevant.
- Parameters are configured within profiles: Default, Instance, Start (* the Start profile holds no security-relevant parameters).
- Dynamic parameters do not require a system restart.
Some examples:
  rdisp/wp_no_dia = 10                          not security-relevant, non-dynamic
  rsau/enable = 1                               security-relevant, non-dynamic
  login/min_password_lng = 8                    security-relevant, dynamic
  login/password_downwards_compatibility = 1    security-relevant
Challenges?

Challenges
Each profile parameter seems to define a simple concept, but:
- it can be challenging to understand;
- many times little documentation is available;
- in some situations parameters are related, so the behavior depends on many values;
- parameters take precedence;
- profiles take precedence (kernel default -> default.pfl -> instance profile -> dynamic configuration);
- parameters can differ from application server to application server;
- parameter configuration depends on the contents of files/tables;
- parameters are created and destroyed with new kernel versions;
- default values?
Attack scenarios

Attack #1: Emergency mechanism
An emergency mechanism to connect to SAP systems:
- Enabled by a profile parameter: login/no_automatic_user_sapstar
- The user SAP* does not exist in the database
- Connection with full authorizations
- Default credentials SAP*:PASS
- Cross-client issue (could be affecting only one client)
- Cross-App-Srv issue (could affect a single application server)
The connection to the system will be successful based on a profile parameter and the user master record.
Impact: Full SAP system compromise.

Demo
Attack #1: emergency login possible per client and application server
login/no_automatic_user_sapstar per server: Server 1 (Central Instance) = 1, Server 2 (Dialog Instance) = 1, Server 3 (Dialog Instance) = 0, Server 4 (Dialog Instance) = 1

Client  SAP* record in database  Server 1  Server 2  Server 3  Server 4
000     Yes                      No        No        No        No
001     Yes                      No        No        No        No
066     Yes                      No        No        No        No
200     Yes                      No        No        No        No
230     No                       No        No        Yes       No
300     Yes                      No        No        No        No

Protection / Countermeasure
- Do not delete the user SAP* from any client.
- Secure the user SAP* for all the clients in the SAP system (including the standard clients).
- Configure login/no_automatic_user_sapstar to 1.
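The matrix above and the profile precedence from the "Challenges" slide can be checked mechanically. The following is an added example, not code from the slides or from Onapsis: it resolves the effective value of login/no_automatic_user_sapstar per instance (dynamic change over instance profile over default profile) and lists the (client, server) pairs where the emergency login would work. The simplified profile syntax and the sample landscape are constructed to mirror the slide.

```python
# Added example, not from the slides: resolve login/no_automatic_user_sapstar
# per application server using the profile precedence from the "Challenges"
# slide, then list every (client, server) pair where the SAP* emergency login
# would succeed. Profile syntax and sample data are constructed.
PARAM = "login/no_automatic_user_sapstar"

def parse_profile(text):
    """Parse 'key = value' lines of a profile; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def effective_value(param, default_profile, instance_profile, dynamic=None):
    """Highest precedence first: dynamic change, instance profile, default
    profile. None means the kernel default would apply (not modelled)."""
    for layer in (dynamic or {}, instance_profile, default_profile):
        if param in layer:
            return layer[param]
    return None

def sapstar_exposure(default_pfl, instance_pfls, sapstar_record, dynamic=None):
    """instance_pfls: {server: profile text}; sapstar_record: {client: True if
    a SAP* user master record exists}; dynamic: {server: {param: value}}.
    Emergency login works only with no SAP* record AND an effective value of 0."""
    defaults = parse_profile(default_pfl)
    exposed = set()
    for server, text in instance_pfls.items():
        value = effective_value(PARAM, defaults, parse_profile(text),
                                (dynamic or {}).get(server))
        if value == "0":
            exposed.update((client, server) for client, has_record
                           in sapstar_record.items() if not has_record)
    return sorted(exposed)

# Constructed landscape mirroring the matrix on the slide: DEFAULT.PFL sets 1,
# Server 3's instance profile overrides it with 0, client 230 has no SAP*.
DEFAULT_PFL = "login/no_automatic_user_sapstar = 1\n"
INSTANCE_PFLS = {
    "Server 1": "rdisp/wp_no_dia = 10\n",
    "Server 2": "",
    "Server 3": "login/no_automatic_user_sapstar = 0  # overrides DEFAULT.PFL\n",
    "Server 4": "",
}
SAPSTAR_RECORD = {"000": True, "001": True, "066": True, "200": True,
                  "230": False, "300": True}
```

Passing a dynamic override such as {"Server 3": {PARAM: "1"}} shows why the recommendations slide asks to watch dynamic changes: the exposure disappears without any profile file changing.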
Attack #2: Load balancing
Load balancing on SAP systems is driven by new application servers registering on the Message Server, which is restricted by:
- Parameter ms/acl_info
- Contents of the ms_acl_info file
The registration of a new application server will be successful based mainly on the contents of the ACL file.
Impact: Full SAP system compromise.

Demo

Protection / Countermeasure
Create and maintain the ACL to restrict which SAP application servers are allowed to register in the Message Server.
Attack #3: Password policies
Whether a user can still connect to the system after password policies are enhanced depends on:
- Type of connection (DIAG/RFC)
- User type (service, system, dialog, ...)
- Parameter rfc/reject_expired_passwd
- Parameter login/password_compliance_to_current_policy
The connection to the system will be successful based on two profile parameters, the user and the protocol.
Impact: Effectiveness of brute-force attacks
Attack #3: can the user log on? (Dialg = dialog user, Serv = service user, Systm = system user, Comm = communication user; Pwd Chg = logon succeeds but a password change is enforced)

#  Connection type  rfc/reject_expired_passwd  login/password_compliance_to_current_policy  Dialg    Serv  Systm  Comm
1  GUI              0                          0                                            Yes      Yes   No     No
2  RFC              0                          0                                            Yes      Yes   Yes    Yes
3  GUI              1                          0                                            Yes      Yes   No     No
4  RFC              1                          0                                            Yes      Yes   Yes    Yes
5  GUI              1                          1                                            Pwd Chg  Yes   No     No
6  RFC              1                          1                                            No       Yes   Yes    No
7  GUI              0                          1                                            Pwd Chg  Yes   No     No
8  RFC              0                          1                                            Yes      Yes   Yes    Yes

Protection / Countermeasure
Secure both profile parameters according to business requirements without disrupting any pre-established interface.
Attack #4: Interfaces
The ability of a user to register, start and connect to an interface on the SAP system depends on:
- Parameters gw/reg_info, gw/sec_info, gw/acl_mode, gw/sim_mode, gw/reg_no_conn_info
- Contents of the reginfo and secinfo files
The registration of an interface will be successful based on several profile parameters and the proper ACL file.
Impact: Potential full SAP system compromise.

Attack #4: simplified version of the configuration options

ACL file                    gw/acl_mode   start/register
File exists and is empty    0 or 1        No servers allowed
File does not exist         0             Unrestricted
File does not exist         1             Only local and internal
File properly defined       0 or 1        Only servers defined in ACL

If gw/sim_mode is enabled and no explicit denial is included in the ACL, everything is accepted.
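The decision table above, including the gw/sim_mode caveat, as an added example that is not code from the slides, from Onapsis or from SAP. Assumptions not taken from the slides: ACL lines are modelled as 'P TP=<prog> HOST=<host>' or 'D TP=... HOST=...', the first matching line wins, and a bare '*' is the only wildcard (the real reginfo syntax is richer); the sample ACL contents are constructed.

```python
# Added example, not from the slides: a model of the simplified gateway
# registration decision shown above. Assumed, not from the slides: ACL lines
# look like 'P TP=<prog> HOST=<host>' or 'D TP=... HOST=...', the first
# matching line wins, and '*' alone is the only wildcard (real reginfo
# syntax is richer). Sample ACL contents below are constructed.

def parse_acl(text):
    """Parse simplified reginfo lines into (action, tp_pattern, host_pattern)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, *fields = line.split()
        keys = dict(f.split("=", 1) for f in fields if "=" in f)
        rules.append((action.upper(), keys.get("TP", "*"), keys.get("HOST", "*")))
    return rules

def _match(pattern, value):
    return pattern == "*" or pattern.lower() == value.lower()

def registration_allowed(acl_text, acl_mode, sim_mode, tp, host, is_local=False):
    """acl_text: None if the ACL file does not exist, else its content.
    Returns True if registering program `tp` from `host` is accepted."""
    if acl_text is None:
        # No file: gw/acl_mode decides (unrestricted, or local/internal only).
        return True if acl_mode == 0 else is_local
    for action, tp_pat, host_pat in parse_acl(acl_text):
        if _match(tp_pat, tp) and _match(host_pat, host):
            return action == "P"   # explicit permit or explicit denial
    # Empty file or no matching line: no server allowed, unless gw/sim_mode
    # is on, in which case everything without an explicit denial is accepted.
    return sim_mode == 1

# Constructed ACL: permit one known program from one host, deny everything else.
STRICT_ACL = "P TP=RFCSRV HOST=appsrv01\nD TP=* HOST=*\n"
# Constructed ACL that is missing the final deny line.
OPEN_ENDED_ACL = "P TP=RFCSRV HOST=appsrv01\n"
```

Comparing STRICT_ACL with OPEN_ENDED_ACL under sim_mode = 1 shows why the final explicit deny line matters: without it, simulation mode turns the ACL into an allow-all.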
Demo

Attack #4: Evil Twin (MITM attacks)
Diagram labels: SAP FE, RFC Call, SAP R/3, SAP GW, External RFC Server, External RFC Malicious Server, Modified Call, Modified Response.
- Here we have the valid client, the External RFC Server, the SAP R/3 Server and the SAP Gateway.
- This time, we go again, blocking legitimate connections to the innocent External RFC Server.
- Now, the same malicious client/server connects with the SAP R/3 Gateway and registers itself with the same ID as the original external server.
- So we have the same scenario: every RFC call received is logged/modified and forwarded to the original external server.

Attack #4: Attacking the R/3 with a registered server
Diagram labels: SAP FE, RFC Call, SAP R/3, SAP GW, External RFC Server, External RFC Malicious Server, Response, Poisoned RFC Callback.
- Here we have the same scenario: the valid client, the External RFC Server, the SAP R/3 Server and the SAP Gateway.
- Yes, again we are blocking valid connections to the innocent External RFC Server.
- Again, the same malicious client/server connects with the SAP R/3 and registers itself with the ID of the original external server.
- But now, when an RFC call is received, we perform a valid callback: SAP R/3 Application Server OWNED!!

Protection / Countermeasure
- Create and maintain the proper ACL files to restrict which servers can be registered and started, and who can connect to those servers.
- Maintain profile parameters according to your security policies.
Wrapping up...

BIZEC
The BIZEC TEC/11 lists the most common and critical issues affecting the business runtime:
- BIZEC TEC-01: Vulnerable Software in Use
- BIZEC TEC-02: Standard Users with Default Passwords (Attack #1)
- BIZEC TEC-03: Unsecured SAP Gateway (Attack #4)
- BIZEC TEC-04: Unsecured SAP/Oracle Authentication
- BIZEC TEC-05: Insecure RFC Interfaces
- BIZEC TEC-06: Insufficient Security Audit Logging
- BIZEC TEC-07: Unsecured SAP Message Server (Attack #2)
- BIZEC TEC-08: Dangerous SAP Web Applications
- BIZEC TEC-09: Unprotected Access to Administration Services
- BIZEC TEC-10: Insecure Network Environment
- BIZEC TEC-11: Unencrypted Communications
General recommendations
- Use RZ10 and keep track of profiles and parameter values through the database.
- Specify values in the default profile whenever possible, to define a value for all application servers.
- Pay attention to the values defined in the instance profiles, as those override the default profile.
- Pay special attention to the dynamic parameters, as modifications to those could remain unnoticed.
- Keep track of the profile parameters that are security-relevant, as those could have a big impact on security.

Conclusions
- Configurations on SAP systems are complex and can have a huge impact on their security.
- Complex situations could expose the system.
- Proper controls in place and monitoring of all SAP configurations can help reduce the risk.
- Holistic security at the SAP Application Layer involves every landscape, every system, every instance and every client.
References
- SAP Runs SAP - Remote Function Call: Gateway Hacking and Defense (Björn Brencher, SAP)
- Secure Configuration of SAP NetWeaver Application Server Using ABAP
- http://www.bizec.org/wiki/bizec_tec11
- http://scn.sap.com/community/netweaver/blog/2012/07/28/change-sap-profileparameters
- https://help.sap.com/saphelp_nw04/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm
Special thanks to the Onapsis Team (Sergio Abraham, Pablo Muller, Jordan Santarsieri)

Stay tuned! @onapsis @jp_pereze
Questions? jppereze@onapsis.com

Thank you! www.onapsis.com
Follow us! @onapsis