05/03/2019 UPDATE: This story has been updated to include statements from US-CERT and SAP.
Exploits targeting a couple of long-known misconfiguration issues in SAP environments have become publicly available, putting close to 1 million systems running the company's software at risk of major compromise.
Risks include attackers being able to view, modify, or permanently delete business-critical data or taking SAP systems offline, according to application security vendor Onapsis.
The exploits, which Onapsis has collectively labeled 10KBLAZE, were publicly released April 23. They affect a wide range of SAP products, including SAP Business Suite, SAP S/4 HANA, SAP ERP, SAP CRM, and SAP Process Integration/Exchange Infrastructure.
The exploits are not targeting any inherent security vulnerabilities in SAP's code, Onapsis says. Rather, they target improperly configured access control lists (ACLs) in SAP Gateway and SAP Message Server. SAP Gateway handles communications between SAP and non-SAP systems, and Message Server does communication and load balancing between SAP app servers. The two components are present in many SAP environments.
SAP Gateway ACL files are currently delivered in secure mode by default. But on older versions, the default configuration was insecure and allowed attackers a way to bypass security mechanisms and take full remote control of a SAP system to steal or manipulate data. Improperly configured ACLs on SAP Message Server, meanwhile, allow any host with network access to the server to register a fake app server in the SAP system, Onapsis said. This could enable man-in-the-middle attacks and allow attackers to gain full control of the SAP environment.
SAP has long ago highlighted these issues to customers and has provided instructions on how to properly configure the ACL files. Even so, these ACL files remain open to exploitation at a very high percentage of SAP environments. According to Onapsis, publicly available data and its own research over the past 10 years suggest that as many as 900,000 systems across 50,000 companies worldwide may have the misconfigurations for which exploits are now newly available.
SAP Environments a Black Box for IT
Juan Perez-Etchegoyen, CTO at Onapsis, says the root cause for the high prevalence of misconfigured systems — despite all the warnings about the risks — is the tendency by SAP teams to operate on their own without proper oversight from the IT security team.
"SAP implementations have their own IT, their own security teams, and their own admins," Perez-Etchegoyen says. "Everyone is focusing on operational availability. We always find they are not properly addressing cybersecurity risk."
Historically, the SAP environment has been something of a black box for enterprise IT teams. They haven't had much of an opportunity to implement controls and have defined policies for SAP environments. So it is not unusual at all to see these misconfigurations present in a high proportion of SAP customer sites, Perez-Etchegoyen notes.
SAP environments that are potentially exposed should address the issue promptly because exploits are now available. Properly maintaining and updating an ACL involves some administrative overhead, but the benefits ofdoing so far outweigh the costs considering the risks involved, he says.
Onapsis has provided signatures for the exploits to major security vendors and incident responders to enable detection and monitoring for the exploits. The company is also working with government organizations and SAP service providers to coordinate a response. Additionally Onapsis has made its intrusion detection available free to all SAP customers, the company said.
This is another example of the need for organizations to address the security of ERP platforms and to ensure proper security and governance for the environment, Perez-Etchegoyen says.
The US-CERT late Thursday warned SAP customers of the new threat. In an advisory, it urged SAP administrators to ensure secure configuration of the SAP environment, restrict access to SAP Message Server, and to scan for and remove any exposed SAP components on the Web.
"Typically, SAP systems are not intended to be exposed to the Internet," US-CERT said. "Malicious cyber actors can attack and compromise these unsecure systems with publicly available exploit tools, termed '10KBLAZE'."
An SAP spokesperson reminded customers in a statement that the company had issued advisories for these issues years ago.
"Security notes 821875, 1408081 and 1421005 released in 2009 and 2013 will protect the customer from these exploits," the spokesperson said. "As always, we strongly advise our customers to apply these security notes immediately and ensure secure configuration of their SAP landscape."
SAP also pointed to recommendations in A Practical Guide for Securing SAP Solutions and Securing Remote Function Calls (RFC) that emphasize secure configuration of the SAP landscape. Customers can enable related security checks in the Early Watch Alert (note 863362) and the SAP Security Optimization Service (https://support.sap.com/sos), the company said.
"As the global leader in business software, SAP has based its development processes on a comprehensive security strategy ("Prevent – Detect – React") across the enterprise that relies on trainings, tools, and processes to enable the delivery of secure products and services," the spokesperson said.
- The Default SAP Configuration That Every Enterprise Needs to Fix
- SAP CSO: Security Requires Context
- ERP Attack Risks Come into Focus
- 8 Threats That Could Sink Your Company
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.