Exploits give attackers a way to create havoc in business-critical SAP ERP, CRM, SCM, and other environments, Onapsis says.
Exploits targeting a couple of long-known misconfiguration issues in SAP environments have become publicly available, putting close to 1 million systems running the company’s software at risk of major compromise.
Risks include attackers being able to view, modify, or permanently delete business-critical data or taking SAP systems offline, according to application security vendor Onapsis.
The exploits, which Onapsis has collectively labeled 10KBLAZE, were publicly released April 23. They affect a wide range of SAP products, including SAP Business Suite, SAP S/4 HANA, SAP ERP, SAP CRM, and SAP Process Integration/Exchange Infrastructure.
The exploits are not targeting any inherent security vulnerabilities in SAP’s code, Onapsis says. Rather, they target improperly configured access control lists (ACLs) in SAP Gateway and SAP Message Server. SAP Gateway handles communications between SAP and non-SAP systems, and Message Server does communication and load balancing between SAP app servers. The two components are present in many SAP environments.
SAP Gateway ACL files are currently delivered in secure mode by default. But on older versions, the default configuration was insecure and allowed attackers a way to bypass security mechanisms and take full remote control of a SAP system to steal or manipulate data. Improperly configured ACLs on SAP Message Server, meanwhile, allow any host with network access to the server to register a fake app server in the SAP system, Onapsis said. This could enable man-in-the-middle attacks and allow attackers to gain full control of the SAP environment.
SAP has long ago highlighted these issues to customers and has provided instructions on how to properly configure the ACL files. Even so, these ACL files remain open to exploitation at a very high percentage of SAP environments. According to Onapsis, publicly available data and its own research over the past 10 years suggest that as many as 900,000 systems across 50,000 companies worldwide may have the misconfigurations for which exploits are now newly available.
SAP Environments a Black Box for IT
Juan Perez-Etchegoyen, CTO at Onapsis, says the root cause for the high prevalence of misconfigured systems — despite all the warnings about the risks — is the tendency by SAP teams to operate on their own without proper oversight from the IT security team.
“SAP implementations have their own IT, their own security teams, and their own admins,” Perez-Etchegoyen says. “Everyone is focusing on operational availability. We always find they are not properly addressing cybersecurity risk.”
Historically, the SAP environment has been something of a black box for enterprise IT teams. They haven’t had much of an opportunity to implement controls and have defined policies for SAP environments. So it is not unusual at all to see these misconfigurations present in a high proportion of SAP customer sites, Perez-Etchegoyen notes.
SAP environments that are potentially exposed should address the issue promptly because exploits are now available. Properly maintaining and updating an ACL involves some administrative overhead, but the benefits of doing so far outweigh the costs considering the risks involved, he says.
Onapsis has provided signatures for the exploits to major security vendors and incident responders to enable detection and monitoring for the exploits. The company is also working with government organizations and SAP service providers to coordinate a response. Additionally, Onapsis has made its intrusion detection available free to all SAP customers, the company said.
This is another example of the need for organizations to address the security of ERP platforms and to ensure proper security and governance for the environment, Perez-Etchegoyen says.