Saprouter-sap Security in-Depth Vol 06


  • 2012 Onapsis, Inc. All Rights Reserved.

    SAP Security In-Depth
    Securing the Gates to the Kingdom: Auditing the SAProuter

    by Nahuel Sanchez

    Vol. 06 / Sep 2012

    Abstract

    The SAProuter is one of the most critical components of any SAP platform. Working as an application-level gateway, it is usually connected to untrusted networks and restricts access to the backend SAP systems.

    If not properly secured, remote attacks on an SAProuter implementation could result in malicious parties accessing the SAP platform and other systems in the organization's internal network.

    This issue provides an introduction to the SAProuter, followed by an analysis of security threats and obscure attack vectors on such components.

    Each of the described risks is presented with countermeasures and protection strategies to effectively mitigate it and increase the protection of the organization's SAP platform against cyber-attacks.

  • Copyright Onapsis, Inc. 2012 - All rights reserved.

    No portion of this document may be reproduced in whole or in part without the prior written permission of Onapsis, Inc.

    Onapsis offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Onapsis makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards.

    This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.

    Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.

    SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.

  • What is the SAP Security In-Depth Publication?

    Until 2007, SAP security was regarded as a synonym for Segregation of Duties (SoD) by the majority of the Information Security community. While this aspect of security is mandatory and of absolute importance, many threats, which entail much higher levels of business risk, have so far been omitted from auditing and information security practices.

    The technological components of these business-critical solutions introduce many specific security concerns that, if not addressed appropriately, can be the source of information security attacks on the confidentiality, integrity and/or availability of the critical business information processed. Therefore, failing to properly protect these components can leave business information at risk of espionage, fraud and sabotage attacks. SAP Security In-Depth is a publication led by the Onapsis Research Labs with the purpose of providing specialized information about current and future risks in this area, allowing different actors (financial managers, information security managers, SAP administrators, auditors, consultants and others) to better understand the risks involved and the techniques and tools available to assess and mitigate them.

  • TABLE OF CONTENTS

    1. INTRODUCTION ........ 6
    2. THREATS & COUNTERMEASURES ........ 13
    3. ATTACK VECTORS ........ 15
    4. CONCLUSIONS ........ 20
    5. REFERENCES ........ 21

  • SAP Security In-Depth Vol.6 / Securing the Gates to the Kingdom: Auditing the SAProuter

    EXECUTIVE SUMMARY

    While the SAP Security In-Depth publication delves into complex technical security aspects of these platforms, we consider it important to provide an executive summary, using non-technical language, to highlight the outstanding concepts and risks presented in this volume.

    Key concepts analyzed in this edition:

    SAP provides different technologies to enable remote access to the company's business applications.

    Each of these technologies features complex and different security architectures, which must be holistically understood in order to be properly evaluated.

    This publication analyzes the current risks affecting these components and the necessary measures that must be taken in order to mitigate them.

    Key findings and risks:


    Certain features of the SAProuter are only supposed to be used by SAP AG for remote support. However, if not properly secured, attackers may abuse them to access systems in the organization's internal network (File Servers, Intranets, etc.).

    If an attacker is able to exploit security vulnerabilities in misconfigured SAProuters, there is a high probability that they will be able to access the backend SAP systems.

    Many organizations are currently exposing their backend SAP systems to the Internet through SAProuters. Remote attackers can easily discover these backend SAP systems by scanning the network.


    1. INTRODUCTION

    1.1. What is a SAProuter?

    In a typical network environment, the organization's SAP Systems are located behind several perimeter security devices such as proxies or firewalls. The following diagram illustrates a typical network infrastructure, showing the different network-related components and hosts:

    Image 0. Typical network environment.

    Strictly speaking, the SAProuter is an SAP program that tunnels or routes ingoing and outgoing connections to the organization's SAP systems, from other systems in the Local Area Network, from partners or from SAP AG (typically in situations where the company requires support). In other words, the SAProuter acts as a controlled gate to the organization's SAP systems. [1]


    1.2. Why should you use a SAProuter?

    SAProuter has the following capabilities, among others:

    Control and log connections to the organization's SAP systems.

    Solve network address conflicts between network systems.

    Improve overall security by allowing connections only from trusted addresses.

    Enforce the use of Secure Network Communications (SNC).

    From a security point of view, the SAProuter is useful as it adds an extra layer of security by logging the connections to the SAP platform and enforcing SAP protocol-level controls, such as SNC encryption and the use of connection passwords.

    SAP system connections without SAProuter

    The next diagram shows a network topology without the use of SAProuter.

    Image 1. Connections without SAProuter

    In this scenario, access management to the SAP platforms is handled at the network firewall. For each new connection that is required, a new exception in the firewall policy needs to be created.


    SAP system connections implementing SAProuter

    The following picture shows the network topology when SAProuter is implemented.

    Image 2. Connections through SAProuter

    In this case only one firewall exception is needed: from the client systems to the SAProuter. The SAProuter then restricts access to the backend SAP systems through its Route Permission Table. [2]

    IMPORTANT SECURITY NOTE: SAProuter does NOT replace firewalls or other network security devices, but complements them. It is critical to understand this concept: the SAProuter was not designed to stop attacks the way firewalls or packet filters do. Additionally, if the SAProuter is exposed without a firewall, all the Operating System services and ports of its host will be accessible from the untrusted network.

    1.3. How does it work?

    SAProuter's behavior is driven by a configuration file called the Route Permission Table. This file comprises a set of rules allowing or denying access to specific hosts and services. The Route Permission Table contains the host names and port numbers of the predecessor and successor points of the route (from the SAProuter's point of view), as well as the passwords required to set up the connection (if configured). [2]


    Using this access control list, the SAProuter decides which connections should be allowed and which shouldn't. It is also possible to use SNC connections with SAProuter (for further information refer to the section SAProuter and Secure Network Communications). Clients connecting through a SAProuter must first configure a Route String, which is explained in detail at the end of this section.

    Configuring the Route Permission Table

    The Route Permission Table file, by default called saprouttab, is a text file containing a set of lines, each having the following format:

    P/S/D <source-host> <dest-host> <dest-serv> [<password>]

    The first field is the command. There are three options for the command:

    [P]ermit: SAProuter grants the connection. A number may follow the P (e.g. P4), specifying the maximum number of further hops allowed for this route.

    [S]ecure: Only allows connections using the SAP Protocol; connections with other (native) protocols are not routed. A number may also follow the S, with the same hop-limit meaning.

    [D]eny: Prevents the connection from being set up. It is a straightforward denial of the connection.

    Following the command, there are three other mandatory fields that must be configured for every entry:

    <source-host>: Source host of the connection to the SAProuter. This can be configured as a host name, an IP address or an IP subnetwork (written with wildcards, e.g. 192.168.0.*).

    <dest-host>: Destination host that the connection is connecting to. This can be configured as a host name, an IP address or an IP subnetwork.

    <dest-serv>: (TCP) Service that the connection is pointing to. This is the TCP port and can be configured as a single TCP port (e.g. 3200), as a service name (e.g. sapgw00) or as a port range, with the bounds separated by a dot (e.g. 3200.3299).

    An optional fourth field, <password>, sets the connection password that clients must supply in the /W/ part of their Route String (see Route String configuration below).

    NOTE: The SAProuter follows the First Match, Deny on No-Match criteria. Therefore, if there is an entry in the saprouttab that matches the connection, the SAProuter acts according to that entry (Permit/Deny) and later entries are not consulted. If no entry matches the connection, the connection is automatically denied.

    Examples of regular (non-SNC) entries in the Route Permission Table:

    #Comment
    D 192.168.1.10 192.168.3.100 3200
    P 192.168.1.5 * 5000.5010 s3cr3t
    P 192.168.1.6 192.168.3.101 sapdp00

    SAProuter and Secure Network Communications

    SAProuter allows its users to increase the overall level of communication security (network level) using SNC. The SAP Secure Network Communications protocol provides authentication and encryption for data that needs to be transferred over untrusted networks such as the Internet. [4]

    The following are the prerequisites to use SNC with SAProuter:

    SAProuter's version must be 30 or higher.

    The source and destination SAProuters need to be started with the -K option (for further information, please refer to [1]).

    There must be a KT entry in the source and in the destination SAProuter's permission tables. These entries define the use of SNC.

    There must be a KP entry in the source and in the destination SAProuter's permission tables. These entries allow the SNC connection.

    Entries in the Route Permission Table to use SNC

    The SNC routes start with K. Entries can be of two types:

    1. KT entries: These entries define which connections are to be encrypted using SNC. Connections can be ingoing or outgoing.

    2. KD, KP and KS entries: Follow the syntax K<P|S|D> <source> <dest-host> <dest-serv> [<password>]. This format is equivalent to the format used for normal connections, but adding a K at the beginning of the entry; as the examples show, the source field carries the SNC name of the partner SAProuter instead of a host address.


    Examples of SNC entries in the Route Permission Table:

    # Connections to and from saprouter02 should be SNC
    KT p:CN=saprouter02,OU=Test,O=Company,C=JM 10.20.30.40 *
    # Connections to and from saprouter03 should be SNC
    KT p:CN=saprouter03,OU=Test,O=Company,C=JM 10.20.30.50 *
    # Allow SNC connections from saprouter02 with password
    KP p:CN=saprouter02,OU=Test,O=Company,C=JM 172.16.1.1 3200 pwd321

    Route String configuration

    Route Strings are connection strings which define the path that clients must follow to reach the SAP systems through SAProuters. These connection strings have the following syntax:

    (/H/host/S/serv/W/pass)*

    Where:

    /H/ = next hop host. /S/ = next hop port/service. /W/ = next hop connection password (optional).

    Example of a valid Route String:

    /H/192.168.0.150/S/3299/H/192.168.3.100/S/3200/W/secret

    Where:

    192.168.0.150 = SAProuter's IP address.

    3299 = SAProuter's TCP listening port.

    192.168.3.100 = SAP system IP address.

    3200 = SAP system TCP listening port.

    secret = connection password required by the SAProuter's Route Permission Table entry for this hop.

    Note: SAProuters can be chained by repeating the /H/.../S/... group once per SAProuter on the path.


    SAP Network Interface (SAP NI Protocol)

    The SAProuter implements the Network Interface protocol (NI protocol). This protocol has been designed to provide a platform-independent interface and is used for communication between the different components and services of SAP systems. [3] The NI protocol can work in three different modes:

    1. NI_RAW_IO: Used to communicate between SAP applications. Furthermore, this mode is used for native protocol routing (see section 3.3).

    2. NI_MESG_IO: Primarily used for communication between SAP applications, this mode is also known as the SAP Protocol. It supports three types of special messages: NI_PING, NI_PONG and NI_RTERR, used for keepalive, test and error messages respectively.

    3. NI_ROUTE_IO: Similar to NI_MESG_IO, but keepalive responses are ignored. This is the mode most commonly used by the SAProuter.


    2. THREATS & COUNTERMEASURES

    This section outlines some of the most important threats affecting SAProuter implementations, along with key concepts on how to mitigate them.

    2.1. Vulnerable SAProuter version

    As with any other program, the SAProuter can be prone to software security vulnerabilities, such as memory corruption issues, that would enable an attacker to perform unauthorized activities on the SAProuter system.

    Protection / Countermeasures

    Ensure that the latest available version of the SAProuter provided by SAP AG is being used. Keep the SAProuter binary updated with the security patches released by SAP.

    2.2. Permissive Route Permission Tables

    The Route Permission Table is probably the most critical aspect of the SAProuter's security, as it defines which connections are allowed or denied. It is possible to configure wildcards (*) for the fields of a Route Permission Table entry, matching any value for that specific field. It is very common to find SAProuters configured with vulnerable tables, having wildcards in many fields. A typical example of a misconfiguration found in real-world assessments performed by Onapsis is shown in the following excerpt:

    P 192.168.0.* sapserver01 3200
    P * sapserver02 3201
    P * * * #PERMIT ALL

    The last rule defines a Permit command with a wildcard in every field. Therefore, the SAProuter will allow any incoming connection and attempt to establish it with whatever target system and service the client specifies.

    Protection / Countermeasures

    Only allow the necessary connections through the SAProuter. The Route Permission Table entries should be as restrictive as possible. Specifically:
    - Avoid the use of wildcards in the host and service fields as much as possible.
    - If only SAP-protocol connections are being used, use S instead of P to prevent the routing of native protocols.
    - Ensure that there are no rules that allow connections to the SAProuter host and service themselves from unauthorized sources, as they can be abused to perform Information Requests (see section 3.1).
    - Set D * * * as the last entry of the file. While probably redundant today, it may be useful to prevent future attacks or changes in the SAProuter evaluation policy.
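    The following is an added example, not code from this paper, from Onapsis or from SAP. It models the Route Permission Table semantics described in section 1.3 (P/S/D commands, wildcards, service names, port ranges, passwords, first match, deny on no match) and turns the section 2.2 countermeasures into a static audit: it parses a constructed saprouttab assembled from the excerpts above, decides what the SAProuter would do with a given connection or with the next hop of a Route String, and flags a permit-all entry, P entries that route native protocols, entries that reach the SAProuter's own port, and a missing final D * * *. The service-name map and both tables are constructed; how a real SAProuter treats a matching entry whose password is wrong is an assumption of this model and is marked as such in the code.

```python
# Added example for sections 1.3 and 2.2; not Onapsis or SAP code. Models the documented saprouttab semantics.
import re
from collections import namedtuple

SERVICE_PORTS = {"sapdp00": 3200, "sapgw00": 3300, "sapdp99": 3299}  # constructed /etc/services stand-in
# Constructed table assembled from the excerpts in sections 1.3 and 2.2.
WEAK_SAPROUTTAB = """\
D 192.168.1.10 192.168.3.100 3200
P 192.168.1.5 * 5000.5010 s3cr3t
P 192.168.1.6 192.168.3.101 sapdp00
P 192.168.0.* sapserver01 3200
P * * *   # PERMIT ALL
"""
# The same access needs hardened per section 2.2: S instead of P, no open source, explicit final deny.
HARDENED_SAPROUTTAB = """\
S 192.168.1.5 192.168.3.100 5000.5010 s3cr3t
S 192.168.0.* sapserver01 3200
D * * *
"""
# For K (SNC) entries `source` is the partner's SNC name; 'T' marks a KT entry; max_hops is parsed only.
Rule = namedtuple("Rule", "action snc max_hops source dest serv password lineno")

def parse_saprouttab(text):
    """'#' starts a comment, blank lines are skipped, malformed entries raise ValueError."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        m = re.fullmatch(r"(K?)([PSDT])(\d*)", fields[0])
        if not m or len(fields) < 4 or (m.group(2) == "T" and not m.group(1)):
            raise ValueError(f"saprouttab line {lineno}: malformed entry {raw!r}")
        rules.append(Rule(m.group(2), bool(m.group(1)), int(m.group(3)) if m.group(3) else None,
                          fields[1], fields[2], fields[3], fields[4] if len(fields) > 4 else None, lineno))
    return rules

def host_matches(pattern, host):
    """'*' matches anything, '192.168.0.*' a subnet, anything else exactly (case-insensitive)."""
    if pattern == "*":
        return True
    if "*" in pattern:
        return re.fullmatch(re.escape(pattern).replace(r"\*", r"[^.]+"), host) is not None
    return pattern.lower() == host.lower()

def resolve_port(serv):
    return int(serv) if serv.isdigit() else SERVICE_PORTS[serv]  # KeyError for an unknown service name

def serv_matches(pattern, serv):
    """'*', a single port or service name, or a range written low.high (e.g. 3200.3299)."""
    if pattern == "*":
        return True
    if re.fullmatch(r"\d+\.\d+", pattern):
        low, high = map(int, pattern.split("."))
        return low <= resolve_port(serv) <= high
    return resolve_port(pattern) == resolve_port(serv)

def evaluate(rules, src, dest, serv, password=None):
    """First matching plain (non-SNC) entry decides, no match means deny: ('permit', rule) for P,
    ('permit-sap-only', rule) for S, ('deny', rule or None) for D or for no match."""
    for r in rules:
        if r.snc or not (host_matches(r.source, src) and host_matches(r.dest, dest)
                         and serv_matches(r.serv, serv)):
            continue
        if r.action == "D" or (r.password is not None and r.password != password):
            return "deny", r  # model assumption: a wrong password refuses rather than falls through
        return ("permit" if r.action == "P" else "permit-sap-only"), r
    return "deny", None

def parse_route_string(route):
    """Parse (/H/host/S/serv/W/pass)* into hops; a hop without /S/ defaults to the SAProuter port 3299.
    hops[0] is the SAProuter itself; hops[1] is what its Route Permission Table is checked against."""
    tokens, hops, i = route.strip("/").split("/"), [], 0
    while i < len(tokens):
        if tokens[i] != "H" or i + 1 >= len(tokens):
            raise ValueError(f"bad route string {route!r}")
        hop = {"host": tokens[i + 1], "serv": "3299", "pass": None}
        i += 2
        while i + 1 < len(tokens) and tokens[i] in ("S", "W"):
            hop["serv" if tokens[i] == "S" else "pass"] = tokens[i + 1]
            i += 2
        hops.append(hop)
    return hops

def audit(rules, router_host):
    """Static checks from the section 2.2 countermeasures; returns (lineno, finding) pairs."""
    findings, plain = [], [r for r in rules if not r.snc]
    for r in plain:
        if r.action not in ("P", "S"):
            continue
        if (r.source, r.dest, r.serv) == ("*", "*", "*"):
            findings.append((r.lineno, "PERMIT_ALL"))
        if r.action == "P":  # native protocols routable (section 3.3); prefer S
            findings.append((r.lineno, "NATIVE_PROTOCOL_ALLOWED"))
        if host_matches(r.dest, router_host) and serv_matches(r.serv, "3299"):
            findings.append((r.lineno, "ROUTER_SELF_ACCESS"))  # allows section 3.1 info requests
    last = plain[-1] if plain else None
    if not (last and last.action == "D" and (last.source, last.dest, last.serv) == ("*", "*", "*")):
        findings.append((last.lineno if last else 0, "NO_FINAL_DENY"))
    return findings
```

    Running audit() over the weak table reports PERMIT_ALL, NATIVE_PROTOCOL_ALLOWED and ROUTER_SELF_ACCESS for the last entry and NO_FINAL_DENY for the file; the hardened table produces no findings and refuses a /H/.../S/22 route that the weak table lets through with "permit" (i.e. with native protocols allowed). Hop limits (P4, S4) are parsed into max_hops but not enforced by evaluate().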


    3. ATTACK VECTORS

    This section describes possible attack vectors against vulnerable SAProuters. The presented techniques can be used to perform security assessments of SAProuters in a black-box approach. These vulnerability assessment and exploitation techniques can be used to detect unsafe configurations and to illustrate the risks that unprotected SAProuters pose to the SAP infrastructure, as well as to other systems of the organization.

    3.1. SAProuter Connection Table Retrieval

    If connections from unauthorized hosts to the SAProuter itself are permitted, an attacker would be able to obtain valuable information such as details about connected clients, SAP servers and services being used. To retrieve the information provided by the SAProuter, using the SAProuter executable itself, the following command should be executed (where <host> is the address of the target SAProuter; add -S <port> if it does not listen on the default port 3299):

    saprouter -l -H <host>

    The results of the execution of the information retrieval command are shown in the following image. Performing this attack, a malicious party would be able to obtain the following information:

    Currently established connections

    Allowed clients

    Internal network IP addresses

    Services in use

    Version of SAProuter

    Version of NI protocol

    SAProuter's Operating System flavor (Windows/Unix)

    Image 4. Information retrieved from a remote SAProuter.

    Note: Onapsis Bizploit's getSAPRouterInfo module [5], available in version 1.5, can help you perform this type of assessment to evaluate whether your SAProuter is properly protected.

    Protection / Countermeasures

    Do not allow connections from unauthorized systems to the SAProuter's IP address and service (or any superset that would imply so).

    Please check the protection measures outlined in section 2.2.

    3.2. Internal Network Port-scanning through SAProuter

    Another interesting attack vector that takes advantage of misconfigured Route Permission Tables is the possibility of discovering systems in the organization's internal network by proxying port scans through a SAProuter. Using the error messages produced by the SAProuter when a connection cannot be established, an attacker can determine whether a port on a remote host is open or closed. Therefore, by sending simple connection requests (NI_ROUTE_IO packets) for specific IP addresses and ports, it is feasible to discover live (and reachable) systems behind the SAProuter.
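    As a defensive counterpart to the technique just described, the following added example (not code from this paper, from Onapsis or from SAP) shows what a port scan proxied through a SAProuter looks like from the SAProuter's side and how to flag it: a single client requesting routes to many distinct ports on one internal host, or to many distinct hosts, within a short window. The log lines are constructed and deliberately simplified (one event per line with an ISO timestamp; the client-side CONNECT FROM and the target-side ROUTE TO of the same connection are paired by their connection id); a real SAProuter trace (dev_rout) is laid out differently, so LOG_LINE must be adapted to it. The 60-second window and the thresholds are assumptions to tune.

```python
# Added example for section 3.2 (defensive side); not Onapsis or SAP code. The log format below is
# constructed and simplified: real SAProuter traces (dev_rout) differ in layout, so adapt LOG_LINE.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One event per line: a CONNECT FROM (client side, id Cn) is paired with the ROUTE TO (target side, id Sn).
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>CONNECT FROM|ROUTE TO)\s+"
    r"[CS](?P<cid>\d+)/\S+ host (?P<host>[^/\s]+)/(?P<port>\d+)"
)

# Constructed sample: one legitimate SAP GUI user, and one external client walking ports on 10.0.0.5.
SAMPLE_LOG = [
    "2012-09-18 10:00:00 CONNECT FROM C1/- host 192.168.1.20/50110 (192.168.1.20)",
    "2012-09-18 10:00:00 ROUTE TO   S1/- host 192.168.3.100/3200 (192.168.3.100)",
    "2012-09-18 10:00:40 CONNECT FROM C2/- host 192.168.1.20/50111 (192.168.1.20)",
    "2012-09-18 10:00:40 ROUTE TO   S2/- host 192.168.3.100/3200 (192.168.3.100)",
]
for n, port in enumerate([21, 22, 23, 25, 80, 443, 3200, 3389], start=3):
    SAMPLE_LOG += [
        f"2012-09-18 10:00:{n:02d} CONNECT FROM C{n}/- host 203.0.113.5/{51000 + n} (203.0.113.5)",
        f"2012-09-18 10:00:{n:02d} ROUTE TO   S{n}/- host 10.0.0.5/{port} (10.0.0.5)",
    ]


def parse_events(lines):
    """Yield (timestamp, client_ip, dest_host, dest_port), pairing Cn with Sn via the connection id."""
    pending = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        if m["event"] == "CONNECT FROM":
            pending[m["cid"]] = m["host"]
        elif m["cid"] in pending:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   pending.pop(m["cid"]), m["host"], int(m["port"]))


def detect_scans(lines, window=timedelta(seconds=60), port_threshold=5, host_threshold=5):
    """Per client, a sliding window over route requests. Alerts once per (client, target) when the
    client asks for >= port_threshold distinct ports on one host (vertical scan), and once per
    client when it asks for >= host_threshold distinct hosts (horizontal sweep)."""
    recent, alerts, fired = defaultdict(deque), [], set()
    for ts, client, host, port in parse_events(lines):
        q = recent[client]
        q.append((ts, host, port))
        while ts - q[0][0] > window:          # drop requests older than the window
            q.popleft()
        ports_by_host = defaultdict(set)
        for _, h, p in q:
            ports_by_host[h].add(p)
        if len(ports_by_host[host]) >= port_threshold and (client, host) not in fired:
            fired.add((client, host))
            alerts.append(("port-scan", client, host, len(ports_by_host[host]), ts))
        if len(ports_by_host) >= host_threshold and (client, None) not in fired:
            fired.add((client, None))
            alerts.append(("host-sweep", client, None, len(ports_by_host), ts))
    return alerts
```

    On the sample, the legitimate user (two connections to the same dispatcher port) raises nothing, while 203.0.113.5 trips the port-scan alert on its fifth distinct port against 10.0.0.5, seven seconds into the scan. Whether the routed connection succeeded or failed does not matter for this heuristic: the SAProuter sees the route request either way, which is exactly what makes the attack visible at the gateway.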

    For example, take the following diagram:

    Image 7. Attacker guessing open ports in Server A

    The SAProuter's Route Permission Table is configured as follows:

    P * * *

    In this scenario, the attacker can identify all the open ports in Server A or in any other server reachable by the SAProuter.

    Note: Onapsis Bizploit's saprouterSpy module [5], available in version 1.00, can help you perform this type of assessment to evaluate whether your SAProuter is properly protected.

    Protection / Countermeasures

    Only allow the necessary connections through the SAProuter. The Route Permission Table entries should be as restrictive as possible.

    Please check the protection measures outlined in section 2.2.

    3.3. SAProuter Native Protocol Routing

    A somewhat obscure feature, the SAProuter has the ability to proxy non-SAP protocols such as SSH, TELNET, FTP and HTTP. SAP refers to them as native protocols. This feature can be spotted in the existence of both the P and S commands to allow connections in the Route Permission Table. If an S command is used, then native protocols cannot be used for that connection.


    This feature uses the NI_RAW_IO communication mode, described in the SAP Network Interface section. For more detailed information, refer to the appropriate link in the references section. [3]

    The P (Permit) command allows clients to establish connections with any protocol (depending on the entries configured for the specified host and service in the Route Permission Table, as wildcards are only valid for SAP protocols in newer versions). Therefore, if the Route Permission Table is not properly configured, an attacker would be able to connect to ANY internal system and service in the organization's internal network, such as file servers, web intranets, SSH servers, etc. The following image shows a common network topology using SAProuter:

    Image 5. Common network topology in Company's LAN

    For illustration purposes, analyze the following Route Permission Table:

    P * sapserverA 3389
    P * * 22

    In this scenario, the attacker would be able to access the Remote Desktop service (TCP port 3389) of the system sapserverA, tunneling the connection through the SAProuter.

    Image 6. Attacker connected to SSH server through SAProuter.

    Furthermore, abusing the second entry of this Route Permission Table, the attacker would also be capable of accessing an internal SSH server (TCP port 22) hosted on a different, non-SAP system in the internal network.

    Note: Onapsis Bizploit's saprouterNative module [5], available in version 1.5, can help you perform this type of assessment to evaluate whether your SAProuter is properly protected.

    Protection / Countermeasures

    The routing of native protocols is mainly used by SAP AG in order to access non-SAP services during remote support sessions. Therefore, there should not be many cases where user/partner connections of this type are required.

    If this type of connection is not necessary, it is recommended to use S instead of P for all the entries defining allowed connections.

    Additionally, please check the protection measures outlined in section 2.2.


    4. CONCLUSIONS

    The SAProuter is a critical component of any SAP platform. Since it is usually connected to untrusted networks such as the Internet or external providers, the probability of attacks by malicious parties is increased. As presented in this document, successful attacks on this component could lead to a full compromise of the SAP platform and other systems in the organization's internal network. Following the recommendations outlined, network administrators and security officers can protect and secure their SAProuter implementations, effectively increasing the security level of the entire platform. Lastly, it is strongly recommended to perform periodic technical security assessments of SAProuters, reducing information security risks and effectively protecting the business.

    For further information into this subject or to request specialized assistance, feel free to contact Onapsis at [email protected]


    5. REFERENCES

    [1] SAP Library: SAProuter
    http://help.sap.com/saphelp_nw70/helpdata/en/4f/992d65446d11d189700000e8322d00/frameset.htm

    [2] SAProuter (BC-CST-NI)
    http://help.sap.com/printdocu/core/print46c/en/data/pdf/BCCSTROUT/BCCSTROUT.pdf

    [3] SAP Library: NI Protocol Communication Modes
    http://help.sap.com/saphelp_nw70/helpdata/en/f8/bb960899d743378ccb8372215bb767/content.htm

    [4] SAP Library: SNC Connections
    http://help.sap.com/saphelp_nw70/helpdata/en/4f/992d65446d11d189700000e8322d00/content.htm

    [5] Onapsis Bizploit
    http://www.onapsis.com/bizploit


    About Onapsis X1

    Onapsis X1™ is the industry's first comprehensive solution for the security assessment of ERP systems, currently supporting SAP NetWeaver™ and R/3 business solutions. Perform continuous and automated IT Security & Compliance Audits, Vulnerability Assessments and Penetration Tests over your SAP platform. Using Onapsis X1 you can decrease financial fraud risks, enforce compliance requirements and reduce audit costs significantly. Being the first-and-only SAP-certified solution of its kind, Onapsis X1 allows you to automatically and continuously detect:

    Insecure ABAP and Java instance configurations

    Missing SAP Security Notes and patches

    Dangerous user authorizations

    Insecure interfaces between your systems

    Following the product's detailed mitigation procedures, you can increase the security level of your platform to stay protected against cyber-attacks.

    Get more information at www.onapsis.com/x1.


    Onapsis X1 Enterprise 2 is

  • About Onapsis, Inc.

    Onapsis provides innovative security software solutions to protect ERP systems from cyber-attacks. Through unmatched ERP security, compliance and continuous monitoring products, Onapsis secures the business-critical infrastructure of its global customers against espionage, sabotage and financial fraud threats.

    Onapsis X1, the company's flagship product, is the industry's first comprehensive solution for the automated security assessment of SAP platforms. Being the first and only SAP-certified solution of its kind, Onapsis X1 allows customers to perform automated Vulnerability Assessments, Security & Compliance Audits and Penetration Tests over their entire SAP platform.

    Onapsis is backed by the Onapsis Research Labs, a world-renowned team of SAP & ERP security experts who are continuously invited to lecture at the leading IT security conferences, such as RSA and BlackHat, and featured by mainstream media such as CNN, Reuters, IDG and New York Times.

    For further information about our solutions, please contact us at [email protected] and visit our website at www.onapsis.com.

    www.onapsis.com

    2012 Onapsis, Inc. All Rights Reserved.

    Subject to Terms of Use available at http://www.onapsis.com/legal/terms-of-use.html

    The Onapsis and Onapsis Securing Business Essentials names and logos and all other names, logos, and slogans identifying Onapsis's products and services are trademarks and service marks or registered trademarks and service marks of Onapsis, Inc. All other trademarks and service marks are the property of their respective owners.