Attacks based on security configurations
March 18th, 2014
BIZEC Workshop
Juan Perez-Etchegoyen [email protected]
SAP Security 2014 – Protecting Your SAP Systems Against Hackers And Industrial Espionage
2 www.onapsis.com – © 2014 Onapsis, Inc. – All rights reserved
Disclaimer
This publication is copyright 2014 Onapsis Inc. – All rights reserved.
This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP
NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and
services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in
several other countries all over the world.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions,
Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are
trademarks or registered trademarks of Business Objects in the United States and/or other countries.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its content,
and SAP Group shall not be liable for errors or omissions with respect to the materials.
Agenda
Introduction
Configurations
Attacks
Recommendations
Conclusions
Who is Onapsis Inc.?
Company focused on protecting ERP systems from cyber-attacks (SAP®, Siebel®, Oracle® E-Business Suite™, PeopleSoft®, JD Edwards® …).
Working with Global Fortune-100 and large governmental organizations.
What does Onapsis do?
Innovative ERP security software (Onapsis X1, Onapsis IPS, Onapsis Bizploit).
ERP security professional services.
Trainings on ERP security.
Who are we?
Juan Perez-Etchegoyen (JP), CTO at Onapsis.
Discovered several vulnerabilities in SAP and Oracle ERPs...
Speaker/Trainer at the most important security conferences.
Introduction
A Cyber-criminal & SAP systems
● If an attacker is after an SAP system, he is probably looking to perform:
ESPIONAGE: Obtain customer/vendor/human resources data, financial planning information, balances, profits, sales information, manufacturing recipes, etc.
SABOTAGE: Paralyze the operation of the organization by shutting down the SAP system, disrupting interfaces with other systems, deleting critical information, etc.
FRAUD: Modify financial information, tamper with sales and purchase orders, create new vendors, modify vendor bank account numbers, etc.
What is his goal? The SAP Production System
(Diagram: business processes running on the production system: Sales, Production, Financial Planning, Invoicing, Procurement, Treasury, Logistics, Payroll, Billing, Human Resources.)
Where an attacker would probably hit…
• SAP systems are built upon several layers.
• Segregation of Duties (SoD) controls apply at the Business Logic layer.
• The SAP Application Layer (NetWeaver/BASIS) is common to most modern SAP solutions, serving as the base technological framework.
(Diagram: the SAP Solution consists of the SAP Business Logic on top of the SAP Application Layer; the Base Infrastructure consists of the Database and the Operating System.)
Successful attacks against this layer result in a complete compromise of the SAP system (SAP_ALL or equivalent), usually without even requiring a username or password.
Configurations and SAP systems
NetWeaver framework can be tuned…
SAP systems can be configured through different mechanisms:
• Customizing (IMG)
• UME Settings (Java only)
• ACL settings
• Profile Parameters
• Transport profile
• User parameters
• RFC Destinations
• …
(Diagram: ACL-related configuration points shown on the slide: reginfo, secinfo, Webdispatcher, Management Console, Message Server, ICM ACL, SAPGui ACL.)
Profile parameters
• Conceptually each parameter is a key-value pair
• Depending on the kernel version, there are close to 1500 parameters
• Around 10% of them are security-relevant
• Parameters are configured within profiles:
  • Default
  • Instance
  • Start*
• Dynamic parameters do not require a system restart
• Some examples (security relevance / dynamic switchability as annotated on the slide):
  • rdisp/wp_no_dia = 10: not security-relevant, non-dynamic
  • rsau/enable = 1: security-relevant, non-dynamic
  • login/min_password_lng = 8: security-relevant, dynamic
  • login/password_downwards_compatibility = 1: security-relevant, non-dynamic
Challenges?
Challenges
• Each profile parameter seems to define a simple concept, but
  • it can be challenging to understand
  • often little documentation is available
• In some situations…
  • parameters are related, so the behavior depends on many values
  • parameters take precedence over each other
  • profiles take precedence over each other
    (kernel default < default.pfl < instance profile < dynamic configuration)
  • parameters can differ from one application server to another
  • parameter configuration depends on file/table contents
  • parameters are created and removed in new kernel versions
• Default values?
Attack scenarios
Attack #1 Emergency mechanism
Attack #1 – Emergency mechanism
An emergency mechanism to connect to SAP systems:
• Enabled by the profile parameter login/no_automatic_user_sapstar (value 0)
• Active when the user SAP* does not exist in the database
• Connection with full authorizations
• Default credentials SAP*:PASS
• Cross-client issue (could affect a single client only)
• Cross-App-Srv issue (could affect a single application server only)
Whether the connection succeeds depends on a profile parameter and the user master record.
Impact: Full SAP system compromise.
Demo
Attack #1
Client | SAP* record in database | Server 1 (Central Instance) | Server 2 (Dialog Instance) | Server 3 (Dialog Instance) | Server 4 (Dialog Instance)
login/no_automatic_user_sapstar | – | 1 | 1 | 0 | 1
000 | Yes | No | No | No  | No
001 | Yes | No | No | No  | No
066 | Yes | No | No | No  | No
200 | Yes | No | No | No  | No
230 | No  | No | No | Yes | No
300 | Yes | No | No | No  | No
(Yes/No under a server: whether the emergency SAP* login succeeds on that server for that client.)
Protection / Countermeasure
Do not delete the user SAP* from any client.
Secure the user SAP* in all clients of the SAP system (including the standard clients).
Configure login/no_automatic_user_sapstar to 1.
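As an added example (not code from the deck), the following Python audit encodes the decision rule the demo table illustrates and runs it over the same landscape; the servers, clients and parameter values are taken from the slide, the function names are ours.

```python
"""Audit of the SAP* emergency login exposure described in Attack #1.

Added example (not from the Onapsis deck). It encodes the rule the slides
state: the automatic SAP* user with password PASS is available on an
application server only when that server runs with
login/no_automatic_user_sapstar = 0 AND the client has no SAP* user master
record. It then evaluates the rule over the constructed landscape of the
demo table (4 application servers, 6 clients).
"""

# Constructed sample data mirroring the demo slide.
SERVERS = {
    "Server 1 (Central Instance)": {"login/no_automatic_user_sapstar": "1"},
    "Server 2 (Dialog Instance)": {"login/no_automatic_user_sapstar": "1"},
    "Server 3 (Dialog Instance)": {"login/no_automatic_user_sapstar": "0"},
    "Server 4 (Dialog Instance)": {"login/no_automatic_user_sapstar": "1"},
}

# client -> does a SAP* user master record exist in that client?
SAPSTAR_RECORD = {"000": True, "001": True, "066": True,
                  "200": True, "230": False, "300": True}


def automatic_sapstar_active(params: dict, sapstar_record_exists: bool) -> bool:
    """True when the hard-coded SAP*/PASS emergency login would work."""
    # The parameter is evaluated per application server, the user master
    # record per client, so one server or one client is enough to expose
    # the whole system. An unset parameter is treated as 0 (the default).
    no_auto = params.get("login/no_automatic_user_sapstar", "0") == "1"
    return (not no_auto) and (not sapstar_record_exists)


def exposed_pairs(servers: dict, sapstar_record: dict) -> list:
    """Return [(client, server)] combinations where SAP*/PASS works."""
    findings = []
    for client, exists in sapstar_record.items():
        for server, params in servers.items():
            if automatic_sapstar_active(params, exists):
                findings.append((client, server))
    return findings


def remediation(servers: dict, sapstar_record: dict) -> list:
    """Concrete fixes mirroring the deck's countermeasure slide."""
    steps = []
    for server, params in servers.items():
        if params.get("login/no_automatic_user_sapstar", "0") != "1":
            steps.append(f"{server}: set login/no_automatic_user_sapstar = 1")
    for client, exists in sapstar_record.items():
        if not exists:
            steps.append(f"client {client}: recreate SAP*, lock it, set a strong password")
    return steps


if __name__ == "__main__":
    for client, server in exposed_pairs(SERVERS, SAPSTAR_RECORD):
        print(f"EXPOSED: client {client} via {server}")
    for step in remediation(SERVERS, SAPSTAR_RECORD):
        print("FIX:", step)
```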
Attack #2 Load Balancing
Attack #2 – Load Balancing
Load balancing on SAP systems relies on application servers registering with the Message Server; registration is restricted by:
• Parameter ms/acl_info
• Contents of the ms_acl_info file.
Whether a new application server can register depends mainly on the contents of the ACL file.
Impact: Full SAP system compromise.
Demo
Protection / Countermeasure
Create and maintain the ACL to restrict which SAP application servers are allowed to register with the Message Server.
Attack #3 Password policies
Attack #3 – Password policies
Whether a user can still connect to the system after password policies are tightened depends on:
• Type of connection (DIAG/RFC)
• User type (service, system, dialog…)
• Parameter rfc/reject_expired_passwd
• Parameter login/password_compliance_to_current_policy
Whether the connection succeeds depends on two profile parameters, the user type and the protocol.
Impact: Brute-force attacks remain effective.
Attack #3
# | Connection type | rfc/reject_expired_passwd | login/password_compliance_to_current_policy | Dialog | Service | System | Communication
1 | GUI | 0 | 0 | Yes | Yes | No  | No
2 | RFC | 0 | 0 | Yes | Yes | Yes | Yes
3 | GUI | 1 | 0 | Yes | Yes | No  | No
4 | RFC | 1 | 0 | Yes | Yes | Yes | Yes
Attack #3
# | Connection type | rfc/reject_expired_passwd | login/password_compliance_to_current_policy | Dialog | Service | System | Communication
5 | GUI | 1 | 1 | Pwd Chg | Yes | No  | No
6 | RFC | 1 | 1 | No      | Yes | Yes | No
7 | GUI | 0 | 1 | Pwd Chg | Yes | No  | No
8 | RFC | 0 | 1 | Yes     | Yes | Yes | Yes
Protection / Countermeasure
Secure both profile parameters according to business requirements without
disrupting any pre-established interface.
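As an added example (not code from the deck), this Python function expresses the eight table rows above as one decision rule and lists the protocol/user-type combinations that still accept a non-compliant password under a given parameter pair; it models only the cases the table shows.

```python
"""Logon outcome under tightened password policies (Attack #3 matrix).

Added example, not from the deck. logon_outcome() encodes the rule the
deck's eight table rows express for a user whose password is expired or
no longer meets the current policy: the result depends on the protocol
(GUI/DIAG or RFC), the user type and the parameters
rfc/reject_expired_passwd and login/password_compliance_to_current_policy.
"Pwd Chg" means the logon succeeds only after a forced password change.
"""

USER_TYPES = ("dialog", "service", "system", "communication")


def logon_outcome(connection: str, user_type: str, params: dict) -> str:
    reject_expired = params.get("rfc/reject_expired_passwd", "0") == "1"
    enforce_policy = params.get(
        "login/password_compliance_to_current_policy", "0") == "1"
    connection, user_type = connection.upper(), user_type.lower()
    if user_type not in USER_TYPES:
        raise ValueError(f"unknown user type: {user_type}")

    if connection == "GUI":
        # System and communication users never get an interactive logon.
        if user_type in ("system", "communication"):
            return "No"
        # Service users are exempt from password-change enforcement.
        if user_type == "service":
            return "Yes"
        # Dialog user: the compliance check forces a password change in GUI.
        return "Pwd Chg" if enforce_policy else "Yes"

    if connection == "RFC":
        # RFC cannot perform a password change. Only when BOTH parameters are
        # set are non-compliant dialog and communication users rejected;
        # service and system users are never subject to the check.
        if reject_expired and enforce_policy and user_type in ("dialog", "communication"):
            return "No"
        return "Yes"
    raise ValueError(f"unknown connection type: {connection}")


def still_accepted(params: dict) -> list:
    """(connection, user_type) pairs that a non-compliant password still logs
    on with: the surface a password-guessing attempt keeps despite the policy."""
    return [(conn, ut) for conn in ("GUI", "RFC") for ut in USER_TYPES
            if logon_outcome(conn, ut, params) == "Yes"]


if __name__ == "__main__":
    hardened = {"rfc/reject_expired_passwd": "1",
                "login/password_compliance_to_current_policy": "1"}
    lax = {"rfc/reject_expired_passwd": "0",
           "login/password_compliance_to_current_policy": "0"}
    print("lax:     ", still_accepted(lax))       # all eight combinations
    print("hardened:", still_accepted(hardened))  # three remain
```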
Attack #4 Interfaces
Attack #4 – Interfaces
Whether a user can register, start and connect to an interface on the SAP system depends on:
• Parameters gw/reg_info, gw/sec_info, gw/acl_mode, gw/sim_mode, gw/reg_no_conn_info …
• Contents of the reginfo and secinfo files.
Whether the registration of an interface succeeds depends on several profile parameters and the proper ACL file.
Impact: Potential full SAP system compromise.
Attack #4
ACL file state           | gw/acl_mode | start/register
File exists and is empty | 0 or 1      | No servers allowed
File does not exist      | 0           | Unrestricted
File does not exist      | 1           | Only local and internal
File properly defined    | 0 or 1      | Only servers defined in ACL
Note: if gw/sim_mode is enabled and no explicit denial is included in the ACL, everything is accepted.
(Simplified view of the configuration options.)
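As an added example (not code from the deck), the Python below derives the effective start/register policy from the table above and the gw/sim_mode note, for use in a configuration review; the ACL line syntax it assumes (lines beginning with "P " permit, "D " deny, "#" comment) is the reginfo/secinfo convention, which the deck itself does not show, and the sample rule is constructed.

```python
"""Effective SAP Gateway start/register policy (Attack #4 decision table).

Added example, not from the deck. effective_policy() derives the policy
from the state of the reginfo/secinfo file and gw/acl_mode as the deck's
simplified table does, then applies the deck's caveat: with gw/sim_mode
enabled and no explicit denial in the ACL, everything is accepted.
Assumed ACL syntax: "P " permit rule, "D " deny rule, "#" comment.
An unset gw/acl_mode or gw/sim_mode is treated as 0 here (assumption).
"""

UNRESTRICTED = "Unrestricted"
LOCAL_ONLY = "Only local and internal"
NONE_ALLOWED = "No servers allowed"
ACL_ONLY = "Only servers defined in ACL"
SIM_OPEN = "Unrestricted (gw/sim_mode accepts everything not explicitly denied)"


def acl_rules(acl_text: str) -> list:
    """Non-empty, non-comment lines of a reginfo/secinfo file."""
    return [ln.strip() for ln in acl_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def effective_policy(acl_text, acl_mode: str, sim_mode: bool = False) -> str:
    """acl_text is None when the file does not exist, else its contents."""
    if acl_mode not in ("0", "1"):
        raise ValueError(f"gw/acl_mode must be 0 or 1, got {acl_mode!r}")
    if acl_text is None:
        # No file: acl_mode alone decides between open and local/internal.
        return UNRESTRICTED if acl_mode == "0" else LOCAL_ONLY
    rules = acl_rules(acl_text)
    if not rules:
        return NONE_ALLOWED            # file exists but is empty
    if sim_mode and not any(r.startswith("D ") for r in rules):
        return SIM_OPEN                # simulation mode without a deny rule
    return ACL_ONLY


def findings(acl_text, params: dict) -> list:
    """Risk findings for one ACL file given the relevant gateway parameters."""
    policy = effective_policy(acl_text, params.get("gw/acl_mode", "0"),
                              params.get("gw/sim_mode", "0") == "1")
    out = []
    if policy in (UNRESTRICTED, SIM_OPEN):
        out.append(f"HIGH: any host may register/start servers ({policy})")
    elif policy == LOCAL_ONLY:
        out.append("MEDIUM: implicit rules only; create an explicit ACL")
    elif policy == NONE_ALLOWED:
        out.append("INFO: empty ACL blocks every registration (check interfaces)")
    return out


if __name__ == "__main__":
    # Constructed sample reginfo content (not from the deck).
    sample = "# registered-server ACL\nP TP=* HOST=appsrv01 ACCESS=internal\n"
    print(findings(sample, {"gw/acl_mode": "1", "gw/sim_mode": "1"}))
    print(findings(None, {"gw/acl_mode": "0"}))
```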
Demo
Attack #4 – Evil Twin: MITM Attacks
- So we have the same scenario: legitimate client and External RFC Server, the SAP R/3 Server and the SAP Gateway.
- Here we go again, blocking valid connections to the innocent External RFC Server.
- Now the same malicious client/server connects with the SAP R/3 Gateway and registers itself with the same ID as the original external server.
- This time, every RFC call received is logged/modified and forwarded to the original external server.
(Diagram: SAP FE, SAP GW, SAP R/3, External RFC Server and External RFC Malicious Server; RFC Call, Modified Call and Modified RESPONSE flows between them.)
Attack #4 – Attacking the R/3 with a Registered Server
- Yes, again the same scenario: the valid client, the valid External RFC Server, the SAP R/3 Server and the SAP Gateway.
- Here we are again, blocking valid connections to the innocent External RFC Server.
- Again, the same malicious client/server connects with the SAP R/3 server and registers itself with the ID of the original external server.
- But now, when an RFC call is received, we perform a callback…
- SAP R/3 Application Server OWNED!!
(Diagram: SAP FE, SAP GW, SAP R/3, External RFC Server and External RFC Malicious Server; RFC Call and Poisoned RFC Callback flows between them.)
Protection / Countermeasure
Create and maintain the proper ACL files to restrict which servers can be registered and started and who can connect to those servers.
Maintain profile parameters according to your security policies.
Wrapping up...
The BIZEC TEC/11 lists the most common and critical issues affecting the business runtime:
● BIZEC TEC-01: Vulnerable Software in Use
● BIZEC TEC-02: Standard Users with Default Passwords
● BIZEC TEC-03: Unsecured SAP Gateway
● BIZEC TEC-04: Unsecured SAP/Oracle authentication
● BIZEC TEC-05: Insecure RFC interfaces
● BIZEC TEC-06: Insufficient Security Audit Logging
● BIZEC TEC-07: Unsecured SAP Message Server
● BIZEC TEC-08: Dangerous SAP Web Applications
● BIZEC TEC-09: Unprotected Access to Administration Services
● BIZEC TEC-10: Insecure Network Environment
● BIZEC TEC-11: Unencrypted Communications
(The slide maps Attack #1, Attack #2 and Attack #4 onto items of this list.)
General recommendations
• Use RZ10 and keep track of profiles and parameter values through the database.
• Specify values in the default profile whenever possible, to define a value for all application servers.
• Pay attention to the values defined in the instance profiles, as those override the default profile.
• Pay special attention to the dynamic parameters, as modifications of those could remain unnoticed.
• Keep track of the security-relevant profile parameters, as those can have a big impact on security.
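As an added example (not code from the deck), the Python below resolves effective parameter values along the precedence chain from the Challenges slide (kernel default < default.pfl < instance profile < dynamic configuration) and reports the two cases these recommendations warn about; the parameter names are the deck's, the landscape and values are constructed.

```python
"""Resolve effective profile parameter values along the precedence chain.

Added example, not from the deck. The Challenges slide gives the order
kernel default < DEFAULT.PFL < instance profile < dynamic change; the
recommendations warn about instance profiles overriding the default
profile and about dynamic changes that leave the profile files untouched.
audit() reports both over a constructed three-server landscape; parameter
names come from the deck, the values are made up.
"""

# Constructed sample landscape (kernel defaults included as assumptions).
KERNEL_DEFAULT = {"login/no_automatic_user_sapstar": "0",
                  "login/min_password_lng": "6", "rsau/enable": "0"}
DEFAULT_PFL = {"login/no_automatic_user_sapstar": "1",
               "login/min_password_lng": "8", "rsau/enable": "1"}
INSTANCES = {
    "app1": {"profile": {}, "dynamic": {}},
    # instance profile silently re-enables the SAP* emergency user here
    "app2": {"profile": {"login/no_automatic_user_sapstar": "0"}, "dynamic": {}},
    # dynamic change (e.g. via RZ11) not reflected in any profile file
    "app3": {"profile": {}, "dynamic": {"login/min_password_lng": "3"}},
}
SECURITY_RELEVANT = {"login/no_automatic_user_sapstar",
                     "login/min_password_lng", "rsau/enable"}


def effective_value(name, kernel_default, default_pfl, instance_pfl, dynamic):
    """Return (value, source); later layers override earlier ones."""
    value, source = kernel_default.get(name), "kernel default"
    layers = (("DEFAULT.PFL", default_pfl),
              ("instance profile", instance_pfl),
              ("dynamic", dynamic))
    for layer_name, layer in layers:
        if name in layer:
            value, source = layer[name], layer_name
    return value, source


def audit(kernel_default, default_pfl, instances, relevant=SECURITY_RELEVANT):
    """List security-relevant parameters whose effective value on a server
    differs from what DEFAULT.PFL (or the kernel default) would give."""
    findings = []
    for name in sorted(relevant):
        baseline = default_pfl.get(name, kernel_default.get(name))
        for server, inst in sorted(instances.items()):
            value, source = effective_value(
                name, kernel_default, default_pfl, inst["profile"], inst["dynamic"])
            if source == "instance profile" and value != baseline:
                findings.append(f"{server}: {name}={value} in instance profile "
                                f"overrides default {baseline}")
            elif source == "dynamic":
                on_disk, _ = effective_value(
                    name, kernel_default, default_pfl, inst["profile"], {})
                findings.append(f"{server}: {name}={value} set dynamically; "
                                f"profile files still say {on_disk}")
    return findings


if __name__ == "__main__":
    for line in audit(KERNEL_DEFAULT, DEFAULT_PFL, INSTANCES):
        print(line)
```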
Conclusions
● Configurations on SAP systems are complex and can have a huge impact on their security.
● Complex situations could expose the system.
● Proper controls and monitoring of all SAP configurations can help reduce the risk.
● Holistic security at the SAP Application Layer involves every landscape, every system, every instance and every client.
References
● SAP Runs SAP – Remote Function Call: Gateway Hacking and Defense (Björn Brencher, SAP)
● Secure Configuration of SAP NetWeaver Application Server Using ABAP
● http://www.bizec.org/wiki/BIZEC_TEC11
● http://scn.sap.com/community/netweaver/blog/2012/07/28/change-sap-profile-parameters
● https://help.sap.com/saphelp_nw04/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm
● Special Thanks to the Onapsis Team (Sergio Abraham, Pablo Muller, Jordan Santarsieri…)
Questions? [email protected]
Stay tuned!
@onapsis
@jp_pereze
Thank you!
www.onapsis.com
Follow us! @onapsis