Security – Page 2 – Saptechnicalguru.com

CVA: Code vulnerability analysis

CVA is a licensed SAP tool to scan custom code for potential security issues.

CVA is built in code inspector and analysis is run via the ATC tool.

Questions that will be answered in this blog are:

What checks does CVA perform?
How to activate CVA?
Is CVA licensed?
Where to find more information on CVA?

Activating CVA

SAP CVA Code Vulnerability Analysis is a licensed tool. You need to activate it before you can use it. To activate run program RSLIN_SEC_LICENSE_SETUP:

The activation refers to OSS note 1855773 – Security checks for customer-specific ABAP programs which explains the license, restrictions, etc.

Call to SAP: if you really think security is important for your customers and their custom programs, don't ask money for CVA tool, but allow free usage!

Check the bug fix OSS notes below. Apply them before your first run.

Checks in detail

The SAP CVA checks can be seen in SCI variant SLIN_SEC:

And then open the variant and click the information button for details:

A full list of checks can also be found on this SAP blog.

And per netweaver version the checks are listed in OSS note 1921820 – SAP Code Vulnerability Analyzer – support package planning.

Setting up ATC variant and run

Start transaction ATC and press Schedule Run:

First create a new variant and refer to SCI variant SLIN_SEC:

Now schedule the run for your Z code:

The run can take a few hours.

More on ATC set up and running can be found in this blog.

Run results

Start transaction ATC and go to the results part:

Select your run:

The ATC result screen will show, but list can be very long:

Both Z programs and user exits will be shown (starting with S or X).

Press the Statistics View button top right to get a better overview:

The result list is now sorted per security item:

Don't let yourself be impressed by high numbers of the first run. Most issues are in old code: consider clean up. Focus on the priority 1 and priority 2 first. Finetune result set for priority 3 to lower the numbers.

Now you can zoom in to the issue per item by clicking on the line:

The details show the issue: hard coded user name. Clicking on the underlined code name in column Object Name will zoom into the code point to fix:

In this case hard coded break for a user. Fix is easy: delete the line of code.

Remote analysis

It is possible to use ATC remote analysis (see blog) for CVA. The full setup is explained in this SAP online help link. See also OSS note 2232083 – ATC/CI: SAP NetWeaver Application Server add-on for code vulnerability analysis – remote check runs – installation.

Checking license usage

Run program RSLIN_SEC_LICENSE_SETUP to check license usage:

Or run this from transaction SLIN_ADMIN.

SAP reference material

Generic presentation on SAP CVA can be found on this link.

CVA FAQ: follow this link.

CVA full list of checks: follow this link.

CVA as part of CI/CD development pipeline: follow this link.

ABAP code security issues explained: follow this link.

Bug fix and improvement notes

Bug fix and improvement OSS notes:

SQL commands via ST04

Via ST04 SQL commands, an administrator, or hacker can fire any SQL statement provided he has the authorizations.

Once the authorizations on S_DBCON are there, any SQL can be used to read and update any table.

Firing SQL command via ST04

Start transaction ST04 and open the SQL editor in the Diagnostics section:

Now enter your SQL statement and press execute.

Result is shown:

How to avoid this?

If you don’t want people to use this function, withdraw the rights to do so. Authorization object S_DBCON is used to protect this.

Note that the SQL is fired using the SAP user of the system, not the ABAP user logged on.

SAP password hash strengthening

The SAP password hash can be deciphered. See for example this blog. By increasing the complexity of the hash, you can slow down this process.

Questions that will be answered in this blog are:

How can I strengthen my SAP password hash?
Does it also work when I use CUA?

Password hash algorithm strength

Main blog for SAP password hash algorithm is 1458262 – ABAP: recommended settings for password hash algorithms. Note 2140269 – ABAP password hash: supporting salt sizes up to 256 bits describes the actual parameter value.

In RZ11 you need to set parameter login/password_hash_algorithm to exactly this value: encoding=RFC2307, algorithm=iSSHA-512, iterations=15000, saltsize=256.

Make sure you follow the correct syntax. The syntax is listed in OSS note 991968 - List of values for "login/password_hash_algorithm". If you don't do it properly, you might get the issue reported in OSS note 3043774 - Iterated salted hash is empty after having assigned or changed a password.

End result

Example for a test user. Before the setting the PWDSALTEDHASH field has this value:

After change of the parameter we reset the password of the user and the hash now looks like this:

Really more complex, hence more complex to decipher: the hashes are far stronger now. It can still be cracked, but it takes far more time on either single password or large group of passwords.

The parameter only effects new passwords. Not the existing ones.

CUA

If you use CUA, the password can be distributed from CUA. If you CUA system and connected systems are modern enough there is no issue at all. See the CUA section of OSS note 1458262 – ABAP: recommended settings for password hash algorithms.

Role user assignment compression

When you run a system for longer time, you might see that users have roles assigned that are obsolete (end validity date in the past), or having a role assigned multiple times.

With the role user assignment compression program you can clean up.

Role user assignment compression program

Start program PRGN_COMPRESS_TIMES:

Select the Delete Expired Assignments to delete role assignments with validity date in the past as well.

If you want you can first run with the simulation option to see what the program will do, and run without the simulation option to perform the actual clean up.

For issues, do check notes:

Clean up on a CUA managed landscape

If you run a CUA system, the compression program needs to run on the CUA system and not on the local system. See OSS note 1692243 – Report PRGN_COMPRESS_TIMES cannot be used in CUA.

SAP support portal security: mail filtering

SAP support portal is used in your company for many items: EWA’s, reporting issues, downloading software.

Protection of the accounts on SAP support portal for your company is required.

This blog will explain the setup of the security feature for mail filtering.

If you don’t set this up, your user overview will continuously show this warning:

Setting up mail filtering

Go to the support page for mail filtering:

Use the Add Domain button to add a new domain.

Domains to add:

Your company mail domain(s)
sap.com domain (for support from SAP)
Domain of your supplier maintaining your SAP system, in case they use their own mail ID

Background

Background of this feature can be found in OSS note 3025172 – How to add or remove email domains for my customer number – SAP ONE Support Launchpad.

S4HANA security parameter baseline changes

If you convert your ECC system to S4HANA or upgrade a S4HANA system to a higher version, you should check the security parameters. A lot of parameters have a different recommendation in S4HANA.

Questions that are answered in this blog are:

Where can I find information on security parameter changes after S4HANA conversion or upgrade?
How can I check if the changed security parameter are properly implemented in my S4HANA system?

Security parameter changes S4HANA

OSS note 2926224 – Collection Note: New security settings for SAP S/4HANA and SAP BW/4HANA using SL Toolset and SUM is the master note. This note contains an important excel attachment that is listing all the changes and recommendations per S4HANA target version.

This note is also referring to OSS note 2926224 – Collection Note: New security settings for SAP S/4HANA and SAP BW/4HANA using SL Toolset and SUM, in which more details are explained on the background.

Checking implementation of security parameter changes in the system itself

After your upgrade to S4HANA, you can run program RSPFRECOMMENDED to check how well the security parameters are implemented:

SAP trust center

As company you are relying on SAP to provide support and services. But how do you know if SAP is doing a good job on this part?

If an internal auditor or external auditor asks you to show or explain the elements of SAP delivered support, where do you get the information?

SAP trust center

SAP has a good site to start with this information: the SAP trust center.

Here you can find:

Security policies
Security frameworks
List of sub-processors employed by SAP to provide services (sub-processor can be on infrastructure level like AWS, Azure, etc, but also manpower like Accenture, TCS, etc.)
Compliance documents like SOC1, SOC2, ISO 27001, ISO 9001, etc reports (or go directly to the compliance finder)

Not all reports are public. For some you must be customer of the product or service. Some parts require acknowledgement of non-disclosure agreement before you can get the report.

Security white paper

Another good document is the SAP security white paper.

STDDAT: consistency check for generic table access authorization group

Tables are protected for data access by the S_TABU_DIS object. An important input here is the authorization group. The relationship between tables and authorization group is stored in table TDDAT. STDDAT has functions to mass maintain and check the authorization group to table relationships.

Questions that will be answered in this blog are:

How do I find and remove inconsistent entries in TDDAT table?
How do I find dangerous items in TDDAT table?

Consistency check

When you start transaction STDDAT, hit the button Consistency in the first screen:

Wait for the results:

Select the entries and delete with or without transport.

Finding dangerous entries in TDDAT

In the Authorisation group there are two types of entries to check:

Space: what will happen?? Vague!
&NC&: everybody can access

Select these on the first screen as input for field Authorization Group and press execute:

Select the entries you want to change and press the Assign button:

Save the result in transport.

OSS notes

For versions 7.40 and 7.50 you need to apply OSS note 2577419 – STDDAT | consistency check for table TDDAT to get the consistency check button.

Generic FAQ on table access: 1434284 – FAQ | Authorization concept for generic table access.

SE16N emergency edit mode

For emergency cases you might need to edit table data directly. This blog will describe the emergency edit mode of SE16N.

Questions that will be answered are:

How to get the SE16N emergency edit mode?
How to enable the SE16N emergency edit mode?
How to use the SE16N emergency edit mode?

Getting the SE16N emergency edit mode

The SE16N emergency edit mode is standard installed as of S4HANA 2020. For older versions, you need to apply OSS note 2911103 – SE16N: Alternative edit mode.

Enabling SE16N emergency mode

The SE16N emergency mode is started via transaction SE16N_EMERGENCY. This transaction is locked by default:

Please consult your security team before unlocking this powerful transaction.

Use transaction SM01_CUS to unlock the SE16N_EMERGENCY transaction. Read this blog on the use of SM01_CUS.

Use of the SE16N emergency mode

Use of the emergency mode is pretty simple. Start transaction SE16N_EMERGENCY enter the table and you are launched into edit mode immediately. Example is here for table T001:

Other ways

For more different ways of direct table hacking, read this blog.

Checking usage

Checking SE16N usage is explained in this blog.

Or configure audit log after applying/checking this OSS note: 3140539 – SAL | New event definition for change access in SE16N.

Bug fix OSS notes

Bug fix note:

SAP password hash hacking Part V: optimizing the attack speed

This blog series will explain the process of hacking SAP password hashes: also know as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be explained.

In this fifth blog we will focus on optimizing the speed of attack. The preventive measures will focus on reducing the attack speed.

For the first blog on attacking the SAP BCODE hash click here.

For the second blog on attacking the SAP PASSCODE has click here.

For the third blog on attacking the SAP PWDSALTEDHASH has click here.

For the fourth blog on advanced topics, like the rule based attack, click here.

For more on extended word lists, click here.

Questions that will be answered in this blog are:

How to optimize the attack speed?
How to optimize getting hashes converted into real passwords?

Optimizing the attack

First check if you can get hold of PASSCODE or preferably BCODE hashes. These ones are 10 to 20 times faster to hack than PWDSALTEDHASH codes.

Assuming the administrators have done their work and only PWDSALTEDHASH remains, there are still options to speed up the attack.

Get faster graphical card(s)

Don’t do password hacking on a laptop. The graphical card in any laptop is simply too slow. Use a gaming specification graphical card or cards (cost range is about 300 to 500 dollar or Euro per card).

Preparation of the attack

First thing to do is to get the password rules. Most common is 1 letter, 1 digit, 1 special and minimum length of 8. But differences occur. If for example minimum length is 10, you can adjust your dictionaries to remove all small words that will not comply.

Check the language: use the webster dictionary for English in all cases, but based on language of the company, you must use German, French, Spanish, Italian, Dutch, etc dictionaries as well.

If possible filter out high potential targets from you list. It is best to have a high value administrator or CEO, then a warehouse person who can do simple movements and write time.

Sequence of attacks

Start first with your library of most frequently used passwords. Maybe there is already a hit.

You will be surprised that about 1% will hit.

Second run is with a list of company, product and department names. If you want to target company called TARGET with product name PRODUCT, make a special file with names like:

Target2021!

Product2021!

Use the password rulebooks to generate as many variations as possible (examples are T@rget2021, Pr0duct2021!).

You will be surprised that about another 1% will hit. Who is using these simple to guess passwords? More people than you think!

Third run should be dictionary run with rulebook. Start with English and primary language of the company. Most successful Rule is word plus digit plus special.

You will be surprised that about another 1 to 3% will hit.

Pending on the speed and sizes the rulebook is a very good one to run for a longer time (consider 1 week constantly running this).

Fourth run should be a keyboard walk rulebook. The keyboard walk contains passwords like QWERtyui1234%^&*, or 1qaz@WSX (walk on keyboard…).

You will be surprised that about another 1% will hit.

Re-using the output file to generate new attack: fingerprint attack

When your first attacks are done, there is one final surprisingly successful last attack possible. For this you take your file with all the passwords you have already cracked.

These passwords you now cut into 2. Example Target2021! is cut into:

T and arget2021!

Ta and rget2021!

….

Target2021 and !

And the word itself Target2021!

Now you have 2 files. Use these into a combinator attack mode (see hashcat wiki for the exact syntax to use).

This procedure is called a fingerprint attack.

This might give surprising results like TargetProduct2021!

This attack will bring a surprising high number of hits. The better the first passwords you have cracked, the better the result here. Save this attack till last, since it can be a very lengthy one, and a lot of duplication with the previous attacks can happen.

Strengthening password technical strength

The ABAP password can be made more strong by technical means, by increasing the hash salt size. This will take longer time to crack. OSS notes:

Read more in this dedicated blog on password hash strengthening.