The risk of cyber attacks against SAP systems is increased after security researchers released PoC exploits for old SAP configuration flaws.
SAP Message Server and SAP Gateway implements an access control list (ACL) mechanism to determine IP addresses that are allowed to register application servers. ACL wrong configurations could allow any host with network access to the Message Server to register an application server.
In this scenario, an attacker can access a network hosting the vulnerable systems and take full control.
Experts pointed out that the problem could impact many SAP products, including S/4HANA and NetWeaver Application Server (AS).
The good news is that most recent versions of SAP software are configured by default to drop unauthorized connections,
Since 2005, SAP is providing instructions on how to configure an ACL for the Message Server. In 2005 the company released the security note 8218752 and in 2009 released the security note 14080813 containing instructions on how to properly configure the access list for Gateway. In 2010 SAP released another note, 14210054, that provides instructions on the correct configuration of Message Server ACL.
Despite the numerous notes, many organizations still fail to properly configure their SAP solutions. According to a report published in April 2018 by security firm Onapsis, 90 percent SAP systems were impacted by 13 Year-Old configuration vulnerability that affects SAP Netweaver and that can be exploited by a remote unauthenticated attacker who has network access to the system.
In April, the two researchers Dmitry Chastuhin and Mathieu Geli presented at the OPCDE
The security duo also released exploits designed to target improperly configured systems.
Experts at Onapsis dubbed the exploits 10KBLAZE, they estimate that the availability of the hacking codes could significantly increase the number of attacks against SAP installs. Onapsis estimate that 10KBLAZE exploits could affect 9 out of 10 SAP systems of more than 50,000 customers worldwide.
“In April 2019, several new exploits targeting SAP business applications were released in a public forum. Although the exploits target insecure configurations that have been reported by SAP SE and Onapsis in the past, their public release significantly increases the risk of successful cyber attacks against SAP implementations globally.” reads the analysis published by Onapsis. “we estimate these exploits could affect 9 out of 10 SAP systems of more than 50,000 customers world-wide.”
The name 10KBLAZE comes by the fact that organizations hit by attacks would need to disclose their impact to the U.S. Securities and Exchange Commission (SEC) in their annual 10-K filing.
“Based on publicly available data provided by SAP, Onapsis estimates that approximately 50,000 companies and a collective 1,000,000 systems are currently using SAP NetWeaver and S/4HANA.” reads the report published by the experts. “Onapsis research gathered over ten years calculates that nearly 90% of these systems, approximately 900,000, may suffer from the misconfigurations for which these exploits are now publicly available,”
Researchers also found many SAP systems exposed on the internet that could be hit by remote, unauthenticated attackers.
Organizations have to check their configurations to prevent such kind of attacks.