Public 10KBLAZE Exploits May Impact 90% of SAP Production Systems

Roughly 90% out of an estimated total of 1,000,000 SAP production systems could currently be at risk of being hacked by threat actors using publicly released critical exploits targeting misconfigured SAP installations and dubbed 10KBLAZE.

Onapsis, the company which announced the public availability of the SAP exploits today, says that "hundreds of SAP implementation assessments" and "research gathered over ten years calculates that nearly 90% of these systems, approximately 900,000, may suffer from the misconfigurations for which these exploits are now publicly available."

The Onapsis’ Research Labs research team "became aware of the release of these new exploits on April 23rd. The exploits can be leveraged to abuse a critical configuration issue in SAP NetWeaver installations (including S4/HANA) that, if not corrected as recommended by SAP, could lead to a full system compromise by attackers, without even requiring a valid SAP user ID and password."

Vulnerable SAP systems could be remotely exploited by unauthenticated attackers—SAP user IDs and passwords are not a requirement—which could then fully compromise the targeted SAP platform, allowing them to extract information, delete all the data, or shut down the systems entirely.

The 10KBLAZE set of exploits do not target security vulnerabilities present in the SAP code but "administrative misconfigurations of SAP NetWeaver installations (including S4/HANA)," according to Onapsis' threat report [PDF] which also contains technical vulnerability details.

The only requirement to exploit the security flaws which impact the SAP production systems of an estimated number of 50,000 companies is for the potential attackers to have network access to the vulnerable SAP production systems.

Exploits publicly released after the April 2019 OPCDE Security Conference

SAP environments where the SAP Gateway or SAP Message Server Access Control Lists are misconfigured are all at risk from being attacked using one of the publicly available 10KBLAZE exploits, released during April 2019 following the Operation for Community Development and Empowerment (OPCDE) Security Conference.

As Onapsis further explained in their advisory:

All SAP NetWeaver Application Server (AS) and S/4HANA systems are potentially affected since both Message Server and Gateway exist in every SAP environment. Some of the products affected include the SAP Business Suite, SAP ERP, SAP CRM, SAP S/4HANA, SAP Solution Manager, SAP GRC Process and Access Control, SAP Process Integration/Exchange Infrastructure (PI/XI), SAP Solution Manager, SAP SCM, and SAP SRM, among others.

"This risk to SAP customers can represent a weakness in affected publicly-traded organizations that may result in material misstatements of the company's annual financial statements (Form 10-K)," said former Chairman of the Board of the Institute of Internal Auditors (IIA) Larry Harrington. "Further, a breach against these business-critical applications would likely result in the need for disclosure given the recent SEC's Cybersecurity Disclosure Guidance." 

Potential attackers would be capable of performing various critical business transactions, while also having the possibility to completely erase all the traces left on the compromised SAP environments:

  • Creating fake vendors
  • Creating fake employees
  • Creating/modifying purchase orders
  • Changing bank accounts
  • Paying any vendor or employee
  • Releasing shipments
  • Changing inventory data
  • Generating corrupted management reports
  • Bypassing automatic business controls

"SAP released relevant security notes and guidance to help customers secure these critical configurations several years ago. The onus is on service providers and customers to implement, enforce and monitor tighter security controls on the systems. This can be very challenging and take significant resources, but the stakes are simply too high not to make the suggested configuration changes," stated Mariano Nunez, CEO and Co-founder, Onapsis, Inc.

10KBLAZE mitigation measures

Organizations can mitigate the risks posed by the 10KBLAZE exploits by following the mitigation procedures detailed in the following SAP Security Notes (SAP login required):

  • SAP Security Note #821875: 'Security Settings in the Message Server' from 2005 details Message Server ACL proper configuration
  • SAP Security Note #1408081: 'Basic Settings for Reg_info and Sec_info' from 2009 explains SAP Gateway ACL proper configuration
  • SAP Security Note #1421005: Enforces SAP Security Note #821875

The Cybersecurity and Infrastructure Security Agency (CISA) also issued an activity alert on May 2 containing vulnerability mitigation measures addressing the 10KBLAZE SAP exploits—as described in the 2019 OPCDE '(SAP) Gateway to Heaven' presentation given by Dmitry Chastuhin and Mathieu Geli.

Onapsis Research Labs also "released two open source Snort signatures [ZIP] to provide all SAP customers a detection mechanism that can be used to monitor system risk while misconfigurations are being addressed:"

  • The first rule matches to the execution of these public exploits - this rule can be implemented immediately, since there is no reason to have this code running on the network.
  • The second rule, with a more generic detection, includes monitoring for the payload on the network - since this activity may not be malicious between SAP App Servers, it can only be implemented if a whitelist of IP addresses or network segments can be configured

 

Vulnerability timeline
Vulnerability timeline

In April 2018, Bleeping Computer also reported that misconfigured SAP NetWeaver access control lists (ACL) could allow attackers to gain access to a company's business data.

The issue is known from 2005 and it occurs because SAP disables the NetWeaver ACL by default to allow companies to adapt the product to each of their customers' needs.

However, in 2005, SAP issued a security alert which warned customers to set up an ACL for their SAP installations, and provided extra configuration steps in 2009 and in 2010.

Security researchers have also warned companies which use SAP solutions to manage business processes about the dangers stemming from leaving the ACL disabled, presenting their findings at various security-focused conferences in 2007 and 2010 [1, 2].

SAP said in a statement shared with Reuters that it "always strongly recommends to install security fixes as they are released. Security is a collaborative process, so our customers and partners need to safeguard their systems as well."

Related Articles:

Hackers targeting WhatsUp Gold with public exploit since August

Leaked info of 122 million linked to B2B data aggregator breach

Critical bug in EoL D-Link NAS devices now exploited in attacks

FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023

Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws