cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Detect capture-replay vulnerabilities & exploits with the Sentinel solution for SAP® applications
By
OferInbar
Published Feb 03 2023 04:22 AM 6,165 Views
OferInbar
Microsoft
‎Feb 03 2023 04:22 AM

Detect capture-replay vulnerabilities & exploits with the Sentinel solution for SAP® applications

‎Feb 03 2023 04:22 AM

 

Detect capture-replay vulnerabilities and exploits with Microsoft Sentinel solution for SAP® applications

 

The Capture Replay Weakness

As per MITRE, authentication bypass by capture-replay is a weakness that exists “when the design of the software makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes)”. These types of attacks are best prevented by encrypting communications, to avoid exposing authentication tokens and other reusable commands.   

 

Capture-replay Weakness in SAP RFC

With CVE-2023-0014, we learn of a weakness in the remote function call (RFC) framework of SAP, where the system identification is not uniquely determined, allowing an attacker to capture the authentication from normal communication between trusting SAP systems, and reuse it. The SAP correction for this vulnerability (as detailed in the SAP wiki Note 3089413requires patching of the SAP kernel, the SAP_BASIS component and migration of the existing connections. Once patching is done and migration is complete, a parameter is set at the system level to make sure that only secured trusting connections are allowed.

 

How the Microsoft Sentinel solution for SAP® applications can help

The Microsoft Sentinel solution for SAP® applications is an add on that allows to extend the state-of-the-art SIEM and SOAR capabilities of Microsoft Sentinel to the security coverage of SAP systems. Shortly after the introduction of this vulnerability, we have added two detections to the solution's content, designed to help identify which systems are vulnerable, and safeguard the RFC trusting mechanism against future tempering. 

 

SAP - (Preview) Capture-replay vulnerability in SAP NetWeaver [CVE-2023-0014]

Screenshot 2023-02-01 at 12.17.53.png

Screenshot 2023-02-01 at 12.19.44.png

This analytics alert rule investigates your landscape's configuration ingested from SAP table PAHI and specifically the value of parameter 'rfc/allowoldticket4tt' which reflects the status of the fix of this vulnerability. We make sure that for every instance of every SAP system which sends data into Sentinel, we have the value of 'no'- which means all trusted and trustee RFC connections have been migrated as per SAP note 3089413. This alert rule will produce an incident with a severity level of high for every system which is not protected, with the exception of a system which is undergoing a migration and provides a value of 'client' for parameter 'rfc/allowoldticket4tt'. Systems which are in the process of being migrated will create an incident of medium severity.

Prerequisites:

  1. Make sure you are running a recent version of the Microsoft Sentinel Solution for SAP® applications.
  2. Check if you have entries for PAHI table coming in from each of the relevant SAP systems. Note that PAHI table is loaded from SAP on a daily basis. If PAHI entries are missing for any of the SAP systems you have, consider SAP note 1733253 recommended actions and verify that your systemconfig.ini file has PAHI_FULL = True see examples here.

 

SAP - (Preview) New trusted RFC connection [capture-replay vulnerability in SAP NetWeaver CVE-2023-0014]

Screenshot 2023-02-01 at 13.37.55.png

Screenshot 2023-02-01 at 13.37.27.png

 

One important recommendation of the FAQ for Security Note 3089413 is to activate table logging for table RFCSYSACL and periodically check for newly added trusted connections.

This alert rule detects a successful addition of a trusted RFC connection to an SAP system by continuously listening for changes to tables RFCSYSACL and RFCTRUST which document the trusted RFC communications allowed, in near real time.

 

Prerequisites

  1. Make sure you are running a recent version of the Microsoft Sentinel Solution for SAP® applications.
  2. Table logging is set for tables RFCSYSACL and RFCTRUST (this should be on by default) in your entire SAP landscape.
  3. The Sentinel agent is configured to ingest table changes from table DBTABLOG (ABAPTableDataLog = True ) see examples here

 

Learn More

Microsoft is committed to empowering our customers with security tools and platforms to enable critical protection for your organization and users. To learn more about Microsoft Sentinel solution for SAP please refer to:

 

Version history
Last update:
‎Feb 03 2023 04:22 AM
Updated by:
Labels