Inception of the SAP Platform's Brain Attacks on SAP Solution Manager

Similar documents
Attacks based on security configurations

Preventing vulnerabilities in HANAbased MARCH TROOPERS SECURITY CONFERENCE

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Attacks to SAP. Web Applications Your crown jewels online. Mariano Nuñez Di Croce. DeepSec, Austria. November 18th,

Layer Seven Security ADVISORY

SAP Security In-Depth

Layer Seven Security ADVISORY

SAP Forensics Detecting White-Collar Cyber-crime

Protecting SAP HANA from vulnerabilities and exploits. MARCH TROOPERS Security Conference, Heidelberg

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

SAP Audit Guide for Basis

Layer Seven Security ADVISORY

Exploiting new default accounts in SAP systems

Mobile Trends And The New Threats Is Your SAP System Vulnerable to Cyber Attacks? Stephen Lamy, Virtual Forge

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

ADM960. SAP NetWeaver Application Server Security COURSE OUTLINE. Course Version: 15 Course Duration: 5 Day

Layer Seven Security ADVISORY

Onapsis: The CISO Imperative Taking Control of SAP

ADM960. SAP NetWeaver Application Server Security COURSE OUTLINE. Course Version: 10 Course Duration: 5 Day(s)

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Exploiting new default accounts in SAP systems

Message Alerting for SAP NetWeaver PI Advanced Adapter Engine Extended

Moving BCM to different IP range

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY. SAP Security Notes

Layer Seven Security ADVISORY

MIS 5121: Business Process, ERP Systems & Controls Week 9: Security: User Management, Segregation of Duties (SOD)

SAP Security anno Tim Lynen, Manager axl & trax 2017

You ve got mail Owning an SAP running business via

How the Standard Integration between SAP EM and SAP TM Can Be Tested with SE37

How-to guide: OS Command Adapter

About the company. What we do? Cybersecurity solutions adapted to protect enterprise business applications (SAP & Oracle).

ADM100 AS ABAP - Administration

Quality Inspection Engine (QIE) Security Guide

BW Workspaces Data Cleansing during Flat File Upload

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

ALE Introduction and Administration

Information platform services Installation Guide Information platform services 4.0 Support Package 4

SAP Single Sign-On 2.0 Overview Presentation

CREATION AND CONFIGURATION OF WEB SERVICE FROM RFC AND DEPLOYMENT IN ANOTHER SYSTEM

ADM900 SAP System Security Fundamentals

Disclosure Management US SEC. Preview

Passing Parameters via Web Dynpro Application

Access Control 5.3 Implementation Considerations for Superuser Privilege Management ID-Based Firefighting versus Role-Based Firefighting Applies to:

Rootkits and Trojans on Your SAP Landscape

Disclosure Management. Default font on styles in Disclosure Management

EP200. SAP NetWeaver Portal: System Administration COURSE OUTLINE. Course Version: 10 Course Duration: 5 Day(s)

ADM950. Secure SAP System Management COURSE OUTLINE. Course Version: 15 Course Duration: 2 Day(s)

How to Use a Customer Specific UIBB in MDG Application 'Create Change Request' Author: Matthias Hubert Company: SAP Created on 5th July 2013

Roadmap. How to implement GDPR in SAP?

Forwarding Alerts to Alert Management (ALM)

Layer Seven Security ADVISORY

INTERNAL USE ONLY SAP BusinessObjects EPM Add-in for Microsoft Office Support Package 17 / Patch XX Installation Procedure

Managing Substitutions in My Inbox 2.0 app

How to Set Up and Use Electronic Tax Reporting

ADM920 SAP Identity Management

Part 1: Anatomy of an Insider Threat Attack

Testing Your New Generated SAP NetWeaver Gateway Service

How To Configure IDoc Adapters

Configure Enhanced CTS for SAP NetWeaver Exchange Infrastructure 7.0 SPS14. How-to Guide. Version 1.10 March 2008

Using Xcelsius 2008 with SAP NetWeaver BW

How-to Connect your HANA Cloud Platform Mobile Service Account to your On-Premise OData Service

ADM800 AS Java 7.3 Administration

SAP NetWeaver 04 Security Guide. Network and Communication Security

ADM950. Secure SAP System Management COURSE OUTLINE. Course Version: 10 Course Duration: 2 Day(s)

How to Enable Single Sign-On for Mobile Devices?

Upgrade MS SQL 2005 to MS SQL 2008 (R2) for Non-High-Availability NW Mobile ABAP System

Business Objects Integration Scenario 2

Single Sign-on For SAP NetWeaver Mobile PDA Client

BC490 ABAP Performance Tuning

How to Find Suitable Enhancements in SAP Standard Applications

EAS- SEC: Framework for Securing Enterprise Business Applica;ons

Layer Seven Security ADVISORY

SAP Policy Management, group insurance add-on 1.1

About ERPScan. ERPScan and Oracle. ERPScan researchers were acknowledged 20+ times during quarterly Oracle patch updates since 2008

opensap How-to Guide for Exercise Instructor-Led Walkthrough of SAML2 Configuration (Week 4 Unit 5)

Quick View Insider: How Do I Set Quick View as SNC s Entry Screen?

SAP Composite Application Framework. Creating an External Service type Callable Object in Guided Procedures

Sales Order Inbound via EDI (289)

Obtain Configuration Parameters for LPD_CUST Provide the base path of your BSP application (1/2)

EDB785 SAP IQ Administration

SECURE DATA EXCHANGE

SAP BusinessObjects Integration Option for Microsoft SharePoint Getting Started Guide

Simplified Configuration of Single System Update in Maintenance Optimizer

CyberArk Privileged Threat Analytics

SAP BusinessObjects Enterprise Upgrade Guide

BC480 PDF-Based Print Forms

Oracle Database Vault with Oracle Database 12c ORACLE WHITE PAPER MAY 2015

How to Setup Notifications in Fiori 2.0 Step-by-Step

EAS- SEC: Framework for Securing Enterprise Business ApplicaCons

BC100. Introduction to Programming with ABAP COURSE OUTLINE. Course Version: 15 Course Duration: 2 Day(s)

EDB377. Fast Track to SAP Replication Server Administration COURSE OUTLINE. Course Version: 15 Course Duration: 5 Day(s)

ERPSCAN SMART SOLUTIONS FOR GDPR COMPLIANCE BY MICHAEL RAKUTKO, HEAD OF PROFESSIONAL SERVICES

How To - Extend MDG-M content by new attributes for customer Z-fields in standard tables

HA200 SAP HANA Installation & Operations SPS10

How to do a Manual Kernel Upgrade of an SAP Server

Transcription:

Inception of the SAP Platform's Brain Attacks on SAP Solution Manager Juan Perez-Etchegoyen Etchegoyen jppereze@onapsis.com September 20 th, 2012 Ekoparty, Buenos Aires Disclaimer This publication is copyright 2012 Onapsis, Inc. All rights reserved. This publication contains references to the products of SAP AG. SAP, R/3, xapps, xapp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials. Attacks on SAP Solution Manager 2 1

Who is Onapsis, Inc.? Company focused in the security of ERP systems and business-critical infrastructure (SAP, Siebel, Oracle E-Business Suite TM, PeopleSoft, JD Edwards ). Working with Global Fortune-100 and large governmental organizations. What does Onapsis do? Innovative ERP security software (Onapsis X1, Onapsis Bizploit, Onapsis IA). ERP security consulting services. Trainings on business-critical infrastructure security. Who am I? Juan Pablo Perez Etchegoyen, CTO at Onapsis. Discovered several vulnerabilities in SAP and Oracle ERPs... Speakers/Trainers at BlackHat, HITB, Ekoparty, Source,... Collaborator in the SAP Security In-Depth publication. Attacks to on SAP Web Solution Applications Manager 3 Agenda Introduction The SAP Solution Manager (SolMan) Central User Administration (CUA) Computing Center Management System (CCMS) Solution Manager Diagnostics (SMD) Conclusions Cyber-Attacks to on SAP to Web Solution SAP Applications Systems Manager 4 2

Introduction 5 What is SAP? Largest provider of business management solutions in the world. More than 140.000 implementations around the globe. More than 90.000 customers in 120 countries. Used by Global Fortune-1000 companies, governmental organizations and defense agencies to run their every-day business processes. Such as Revenue / Production / Expenditure business cycles. FINANCIAL PLANNING SALES PRODUCTION TREASURY INVOICING PAYROLL LOGISTICS PROCUREMENT BILLING Attacks on SAP Solution Manager 6 3

A Business-Critical Infrastructure ERP systems store and process the most critical business information in the Organization. If the SAP platform is breached, an intruder would be able to perform different attacks such as: ESPIONAGE: Obtain customers/vendors/human resources data, financial planning information, balances, profits, sales information, manufacturing recipes, etc. SABOTAGE: Paralyze the operation of the organization by shutting down the SAP system, disrupting interfaces with other systems and deleting critical information, etc. FRAUD: Modify financial information, tamper sales and purchase orders, create new vendors, modify vendor bank account numbers, etc. Attacks on SAP Solution Manager 7 Over 95% of the SAP systems we evaluated were exposed to espionage, sabotage and fraud cyber attacks. Attackers do not need access credentials to perform these attacks! 4

The SAP Solution Manager 9 What is the SAP Solution Manager? SAP component required in every SAP implementation. Central point for the administration of SAP systems. Typically, it is connected to several customer s SAP systems Does not hold any business data, but technical information about customer s SAP systems. Administrators connect to it to manage users, incidents, download and apply patches, among other activities. If an attacker breaks into the SolMan, all the connected systems can be ultimately compromised! Attacks on SAP Solution Manager 10 5

SAP SolMan Infrastructure DEV QA PRD Attacks on SAP Solution Manager 11 The Initial Compromise If not compliant with BIZEC TEC/11, an anonymous attacker could easily compromise a satellite SAP system. BIZEC TEC-01: Vulnerable Software in Use BIZEC TEC-02: Standard Users with Default Passwords BIZEC TEC-03: Unsecured SAP Gateway BIZEC TEC-04: Unsecured SAP/Oracle authentication BIZEC TEC-05: Insecure RFC interfaces BIZEC TEC-06: Insufficient Security Audit Logging BIZEC TEC-07: Unsecured SAP Message Server BIZEC TEC-08: Dangerous SAP Web Applications BIZEC TEC-09: Unprotected Access to Administration Services BIZEC TEC-10: Insecure Network Environment BIZEC TEC-11: Unencrypted Communications Attacks on SAP Solution Manager 12 6

The Initial Compromise If not compliant with BIZEC TEC/11, an anonymous attacker could easily compromise a satellite SAP system. BIZEC TEC-01: Vulnerable Software in Use BIZEC TEC-02: Standard Users with Default Passwords BIZEC TEC-03: Unsecured SAP Gateway BIZEC TEC-04: Unsecured SAP/Oracle authentication BIZEC TEC-05: Insecure RFC interfaces BIZEC TEC-06: Insufficient Security Audit Logging BIZEC TEC-07: Unsecured SAP Message Server BIZEC TEC-08: Dangerous SAP Web Applications BIZEC TEC-09: Unprotected Access to Administration Services BIZEC TEC-10: Insecure Network Environment BIZEC TEC-11: Unencrypted Communications Attacks on SAP Solution Manager 13 SAP SolMan RFC Connections RFC connections to and from the Solution Manager created by default RFC Destination SM_<SID>CLNT<Client>_LOGIN SM_<SID>CLNT<Client>_READ SM_<SID>CLNT<Client>_TRUSTED SM_<SID>CLNT<Client>_TMW SM_<SID>CLNT<Client>_BACK TRUSTED connections imply a trust relationship (a user with S_RFCACL authorization is required) BACK connections imply access from satellite systems to Solution Manager. Connections with stored password can be used to do remote logons or remotely execute RFC-enabled function modules. 14 7

Abuse of default RFC connections Remote Logon Using SAP GUI 15 Abuse of default RFC connections Remote Execution of RFC Function Modules 16 8

SAP SolMan and Gateway attacks SAP Solution Manager is highly dependent on the Gateway: several external servers are registered by default. If the attacker knows/can guess the TPNAME, and the Gateway is not protected (by default), then all the well-known Gateway attacks can be triggered: RFC callback attacks. Cancellation of required external servers (DoS). Man-in-the-middle attacks through RFC. No sensitive business data, but technical information, useful for other attacks, can be intercepted (and modified). 17 SAP SolMan and Gateway attacks SAP Solution Manager is highly dependent on the Gateway: several Protection / Countermeasure external servers are registered by default. Restrict the assignment of user authorizations to logon from trusted systems (S_RFCACL and S_RFC). If the Use attacker authorization knows/can object S_ICF guess on calling the TPNAME, systems, controlling and the who Gateway can use is not protected which RFC (by default), destination. then all the well-known Gateway attacks can be Restrict who can access RFC destinations by transaction (SM59), by table triggered: (RFCDES) and by authorization object (S_RFC_ADM). Restrict RFC callback authorization attacks. object S_DEVELOP with activity 16 (execute) to control who Cancellation can test function of required modules using external SE37. servers (DoS). Check Man-in-the-middle References attacks slide for more through information! RFC. No sensitive business data, but technical information, useful for other attacks, can be intercepted (and modified). 18 9

SAP Central User Administration (CUA) 19 Central User Administration (CUA) CUA enables the administration of users from a central SAP system (usually the SolMan). 20 10

Central User Administration (CUA) The CUA Parent system needs to be allowed to create and administrate users on every Child system. It allows SAP administrators to easily manage users of ALL the SAP systems from a single point. Useful for ABAP and J2EE systems integration. 21 Central User Administration (CUA) RFC Connections are created: From Parent to Child system (Trusted) From Child to Parent system (Normal) http://help.sap.com/saphelp_nw73/helpdata/en/a9/1a1ba3db9343beb2723452255003c5/content.htm 22 11

Attacks on Central User Administration If the CUA Parent (usually the SolMan) is compromised, arbitrary users with any profiles can be created in all satellite systems. Note: Common RFC function modules used to create users do not work neither on child or parent systems when CUA is enabled Other set of functions need to be used (the ones used by CUA itself). 23 Attacks on Central User Administration If the CUA Parent (usually the SolMan) is compromised, arbitrary users with any profiles can be created in all satellite systems. Protection / Countermeasure Note: Common RFC function modules used to create users do not Restrict the usage of CUA RFC destinations for user work neither administrators on child or parent only, by systems using authorization when CUA object is S_ICF enabled on the Other set of functions CUA need master. to be used (the ones used by CUA itself). Use a special client within the SolMan to run the CUA master. 24 12

SAP Computing Center Management System (CCMS) 25 SAP CCMS Monitoring infrastructure provided by SAP to monitor SAP Application Servers. It can be configured centrally, using a central server (CEN) defined to receive all alerts. An AGENT is required to be executed on each monitored server. The agent : Is implemented as an RFC server, which exposes several functions. Registers itself as an EXTERNAL SERVER in the CEN, with a specific TPNAME (following a well-known pattern). Is running as <SID>adm Any abuse or exploitation would imply a full compromise of the SAP system information. 26 13

SAP CCMS Infrastructure DEV QA PRD In many cases the Solution Manager is used as the CCMS Central Server (CEN), receiving information from all managed systems. Attacks on SAP Solution Manager 27 SAP CCMS RFC Connections RFC Connections from the CEN are created by default RFC Destination <SID>_RZ20_COLLECT <SID>_RZ20_ANALYZE The COLLECT destination has stored logon data and can be used to remotely execute function modules in the monitored systems. The ANALYZE destination is typically used with a highly-privileged user, but has no stored logon information. Additionally, the agent connects back to the CEN using the CMSREG user, whose credentials are stored in a local file in the agent system (/usr/sap/sid/instance/log/sapccm4x/passwd). 28 14

Attacks on the SAP CCMS Agent One of the functions exposed by the CCMS agent can be used to execute OS commands remotely without authentication. As the agent is executed with SIDadm privileges An attacker could get full compromise of the monitored SAP System going through the CEN s gateway. 29 Attacks on the SAP CCMS Agent One of the functions exposed by the CCMS agent can be used to execute OS commands remotely without authentication. As the agent Protection is executed / Countermeasure with SIDadm privileges An attacker could get full compromise Secure of the the SAP monitored Gateway, only SAP allowing System connections going from through the authorized systems to the CCMS agents working as registered CEN s gateway. servers. 30 15

SAP Solution Manager Diagnostics (SMD) 31 SAP SMD Solution Manager Diagnostics provides all functionality to centrally analyze and monitor a complete NetWeaver system landscape. An AGENT is required to be executed on each monitored server. The agent : Is developed in JAVA and installed as a new SAP system (typically using a high system number like 97 or 98). Exposes an anonymous P4 interface with a reduced set of methods. Connects back to the Solution Manager, using a highly-privileged user account. 32 16

Abuse of SMD stored credentials If a monitored system is compromised, the credentials of the user used for the connection can be decrypted (kudos to Jordan Santarsieri @Onapsis). Using these credentials, an attacker can connect back to the Solution Manager with high privileges. Once logged to the Solution Manager, the compromise can be extended by using default RFC connections to all managed/satellite systems. 33 Abuse of SMD stored credentials If a monitored system is compromised, the credentials of the user used for the connection can be decrypted (kudos to Jordan Santarsieri @Onapsis). Protection / Countermeasure Avoid the initial compromise of SAP system running the SDM Using these credentials, an attacker can connect back to the Solution agent. Manager with Restrict high privileges. access to the secure storage file at the file-system level. Once logged to the Solution Manager, the compromise can be extended by using default RFC connections to all managed/satellite systems. 34 17

Abuse of SMD P4 interface Once the SMD agent is installed, the P4 interface is exposed on TCP service 5XX04 (instance num. XX). The P4 interface configured in the SMD agent is exposing a method that allows the installation of an application in the SMD agent, leading to remote OS command execution. Commands are executed as the <SID>adm user (daaadm, smdadm ) This leads to a full compromise of any SAP system configured on the Application Server. 35 Abuse of SMD P4 interface Once the SMD agent is installed, the P4 interface is exposed on TCP service 5XX04 (instance num. XX). The P4 interface configured in the SMD agent is exposing a method that allows the Protection installation / Countermeasure of an application in the SMD agent, leading to remote OS command Follow SAP execution. recommendations and restrict access to P4 interface in SAP systems, as potentially insecure services Commands are executed as the <SID>adm user (daaadm, smdadm ) might be exposed. This leads to a full compromise of any SAP system configured on the Application Server. 36 18

Conclusions 37 Conclusions If an attacker breaks into the SAP Solution Manager, the game is over: he would be able to compromise all managed satellite systems. Trust relationships are necessary in most SAP implementations. Extra caution: Which users can log-in using this feature (S_RFCACL). Which authorizations are being granted to these users. RFC connections are necessary in all SAP implementations. Whenever possible: Use encryption (SNC). It should be mandatory for business related communications. Avoid using connections with stored credentials. Avoid using connections from systems with lower security classification to systems with higher security classification (DEV PRD!) Monitor the creation/management of RFC connections, as one single connection from DEV PRD could result in a full system compromise if exploited. 38 19

Conclusions If possible, use different Solution Manager/CEN systems for Production environments. Secure the Solution Manager as ANY other Productive System Secure all satellite systems managed by an SAP Solution Manager: Segregation of Duties (SoD) is really necessary, but not enough. Implement a secure technical configuration of satellite systems. Perform continuous/automated security monitoring. Do not expose the Solution Manager to the Internet! Restrict network access to the SAP Systems. Use firewalls/network filters to restrict potentially insecure interfaces. Update the systems, use the latest versions of all SAP solutions and apply all relevant SAP Security Notes. 39 References 1. Additional Information about Gateway and RFC security - Secure Configuration SAP NetWeaver Application Server ABAP https://websmp109.sap-ag.de/~sapdownload/011000358700000968282010e/sap-sec- Rec.pdf 2. Best Practice - How to analyze and secure RFC connections http://wiki.sdn.sap.com/wiki/display/security/best+practice+- +How+to+analyze+and+secure+RFC+connections 3. RFC/ICF Security Guide http://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/92486caa6b17cee10000000a421937/frameset.htm 4. Security Settings in the SAP Gateway http://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/b2096e7895307be10000000a42189b/frameset.htm 5. Securing RFC Connections http://scn.sap.com/docs/doc-17089 6. Security Guide for Connectivity with the AS Java http://help.sap.com/saphelp_nw73ehp1/helpdata/en/b3/17d13fa69a4921e10000000a1550b0/frameset.htm 7. SolMan Security Guide: http://service.sap.com/~form/sapnet?_shortkey=01100035870000735220&_object=011000358700000 482312011E 8. Onapsis X1 http://www.onapsis.com/x1 40 20

Questions? jppereze@onapsis.com Follow us! @onapsis @jp_pereze 41 Thank you! Attacks on SAP Solution Manager 42 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback