Another critical use case of Protect4S SAP Threat Detection
It’s no secret that during SAP implementations (and also during normal operations) the topic of security has not been given the highest priority for a long time. This has often led to an insecure (default) state of SAP systems. One of the often-forgotten SAP insecure defaults has long time been present in a technical component called the SAP Message Server. This component has the potential for abuse since it was shipped with insecure default settings like an Access Control List that would allow all network traffic by default. Detecting abuse of the SAP Message Server at an early stage is key to preventing further abuse and exploitation of your SAP systems, minimizing impact of data breaches and costs.
What is the SAP Message Server?
The SAP Message Server is amongst other tasks, used to load-balance users logging on to an SAP system, as shown below:
This component is present in any SAP system, and is critical to properly secure since it is typically exposed to the network.
What risks are related the SAP Message Server?
The SAP Message Server is a component that can be configured by parameters and Access Control Lists. When these parameters or the ACL files are set incorrect, you run the risk of a complete SAP compromise. Therefore SAP advices specific security settings for this component. One of the high risks involves the Access Control List (ACL) for Application Servers which has been shipped for many years with the line “HOST=*”. This means that the Message Server internal port allows traffic from any source, but also registration of SAP application server requests from any host in the network. This was always just a theoretical risk until researchers Dmitry Chastuhin & Mathieu Geli released a practical proof-of-concept exploit on github which was marketed by a vendor as the #10Kblaze exploit and could lead to a fully compromised SAP system. Even though there are several factors that need to be misconfigured for exploitation, we still find these present in penetration tests we conduct.
How to detect Abuse?
Detecting abuse of the SAP Message Server need to take place for both ABAP- and JAVA-based SAP systems since they both rely on this component. The data source involved is the Message Server log (a file on the Operating System called dev_ms) as this keeps track of events related to the SAP Message Server. It logs for example registration (attempts) from (real or fake) SAP application servers. This data source is being read constantly for events and it is determined if unwanted malicious behaviour has occurred. An example of how Protect4S Threat Detection alerts related to the #10Kblaze exploit look like is found below:
If denied access to the Message Server or registration of potentially fake Application Servers is detected, it is critical to immediately follow up on this. Threat Detection Solutions can be configured to immediately send out e-mails to monitored mailboxes or threats to your SIEM Solution. Next steps typically are to see why this Threat occurred, why access was denied, why registration of Application Servers took place and if this was legitimate or not, etc.
Key takeaways
To summarise the above, detecting abuse of the SAP Message Server is important since this component can be used to take over an SAP system and can lead to access to productive data. By detecting abuse of the SAP Message Server at an early stage, you can prevent further risks to your SAP systems.
Protect4S SAP Threat Detection is a powerful solution that helps organisations protect their sensitive data in SAP systems from unauthorised access and other threats. By using default best-practice values and setting up custom rules, organisations can quickly detect and respond to suspicious activities and prevent compliance and security breaches which might lead to fraud, espionage or sabotage.
Interested to learn more? Want a demo? Or start a free Proof of Concept? We are happy to tell you more about our SAP Vulnerability Management and SAP Threat Detection capabilities. For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!
