Thursday, June 1, 2023

What is the SAP attack surface? How to reduce it?

SoftwareWhat is the SAP attack surface? How to reduce it?

Knowing the attack surface is so much more important than you might think. It is important to cut down the risk of exploitation of the so-called unknown-unknown. Zero days are vulnerabilities that have not been patched and are also not well known. Organizations need to expect that any application, also the enterprise-critical solutions from SAP, harbors a severe weakness that can’t be patched since no patch is accessible. Waiting for the moment the vulnerability gets published and patched by the software vendor may not be a safe bet, since threat actors may already be aware and use the open breach.

What is the attack surface?

The attack surface is the sum of all possible entry spots, or attack vectors, where an illegal assailant can enter a system or application to pull out data or use sensitive information. The smaller the attack surface, the easier it is to defend.

At SecurityBridge we collaborate with associates and clients to understand their risk appetite and to find a solution to soften the intolerable risks. 

Why is it so important?

Organizations must continually cover their attack surface to identify and stop implicit pitfalls as snappily as possible. They also must try to decrease the attack surface area to reduce the threat of cyberattacks succeeding – in an SAP environment the Internet Communication Manager (ICM) or Internet Communication Framework (ICF) available via SAP sale SICF, but also the remote function call connection setup, which is prone to overusing services to the outside. 

SAP customers concerned about SAP security need to endlessly assess and catalog the exposed services (SOAP, WebService, APIs). Any service that isn’t used or doesn’t serve a specific SAP business script should be shut down to reduce the attack surface and therefore also to lower the threat of exploitation.

Likewise, services that do not authenticate must be kept a close eye on. In SAP they are located in the /sap/public/ namespace that can be found in transaction SICF. Services like /sap/public/info are the main place for troublemakers to retrieve information in the exploration phase of an attack. 

sap-public-info

Are there effective countermeasures against SAP Zero-Day exploitation?

Every second Tuesday of a month, SAP releases the new security patches. This event initiates the battle between attackers and defenders, who can only triumph by installing the patch before the exploitation.

SAP supports bug bounty programs to help bug hunters and security investigators. There are various individual investigators but also entire research labs that examine regular software for vulnerabilities, however, even with a combined effort zero-days can’t be prevented.

SecurityBridge Patch Management notifies you as soon as a new patch has been released that is applicable for your specific system installation to lower effort and lead time before patching. Furthermore, the SecurityBridge product team instantly issues signature updates that permit clients to track potential achievements of yet unpatched vulnerabilities.

However, as no patch is available for a zero-day, there are a few other things that you need to think about:

  • List of attack vectors
    Knowing your attack surface fully is important and acts as a foundation for further counteractions. It also helps institutions to entirely understand their respective risk situations.
  • Decrease the attack vectors
    Any connection point such as the previously mentioned SAP Internet Communication Framework (ICF) services that are not used or needed, shall be switched off. Also, confirm that all touch points with unsecured networks or the public internet are adequately secured. 
  • Software Components
    That do not serve a distinct aim, shall be uninstalled or at least deactivated. Most of the SAP clients still run at least one SAP NetWeaver system where the client 066 exists, which is not required anymore but until recently was sent with the standard installation. There are lots of other examples that SecurityBridge instantly identifies after being installed.
  • Surveillance of change
    Whenever a new service is enabled or introduced, there are security considerations to make. SecurityBridge helps customers to monitor any change to the attack surface. Those changes are immediately reflected in the overall SAP security posture.
  • Threat detection
    The recent Log4j incident but also the somewhat older RECON release has impressively proven that vulnerabilities can exist for a long time without being discovered. Detecting and monitoring malicious actions with impacts on the SAP system security are key elements to protect against severe damage.
  • Layered security
    Introduce additional security sheets. Besides precise hardening, patching, and monitoring it is beneficial to consider inserting intrusion prevention systems and network segmentations tailored to your individual risk situation.

How to reduce the SAP attacker surface?

This is not an easy task and especially becomes difficult for SAP organizations that expand their digital presence and embrace new technologies. Reducing means

  • Deactivation of services of SAP Internet Communication Framework  (ICF) and Internet Communication Manager (ICM)
  • Deinstallation of unused software components
  • Deletion of unused or obsolete RFC Destination and service endpoints. Those in use have to be sufficiently hardened
  • Elimination of trusting (SMT1), which is not needed
  • Deletion of SAP clients that are not utilized
  • Governance and tracking of SSL certificate handling in SAP (STRUST)

And so much more…

It may be a balancing act between accepting the danger and fulfilling the corporate department’s wish for a new service. Especially, if the new service only offers additional comfort but is accompanied by a very particular risk. This already describes the one challenge to master the minute SAP experts evaluate a change request. SecurityBridge offers the missing part of the information through an elaborated classification system that sets the probability of exploitation on the horizon. Additional security layers can be established by network segmentation and intrusion prevention systems contained in intelligent firewalls like the FortiGate by Fortinet.  

Conclusion

Every second Tuesday of a month, SAP customers will see new security patches. It is very likely that some of the security upgrades released will again force you to patch serious vulnerabilities within your enterprise-critical SAP implementations.

If services are affected that are disabled, the chance of exploitation is usually decreased – therefore, disabling an affected service is often mentioned as a solution and tip for those that can’t apply the patch.

More From Author