Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:30 PM
Connect Directly

New Exploits For Old Configuration Issues Heighten Risk for SAP Customers

Exploits give attackers a way to create havoc in business-critical SAP ERP, CRM, SCM, and other environments, Onapsis says.

05/03/2019 UPDATE: This story has been updated to include statements from US-CERT and SAP.

Exploits targeting a couple of long-known misconfiguration issues in SAP environments have become publicly available, putting close to 1 million systems running the company's software at risk of major compromise.

Risks include attackers being able to view, modify, or permanently delete business-critical data or taking SAP systems offline, according to application security vendor Onapsis.

The exploits, which Onapsis has collectively labeled 10KBLAZE, were publicly released April 23. They affect a wide range of SAP products, including SAP Business Suite, SAP S/4 HANA, SAP ERP, SAP CRM, and SAP Process Integration/Exchange Infrastructure.

The exploits are not targeting any inherent security vulnerabilities in SAP's code, Onapsis says. Rather, they target improperly configured access control lists (ACLs) in SAP Gateway and SAP Message Server. SAP Gateway handles communications between SAP and non-SAP systems, and Message Server does communication and load balancing between SAP app servers. The two components are present in many SAP environments.

SAP Gateway ACL files are currently delivered in secure mode by default. But on older versions, the default configuration was insecure and allowed attackers a way to bypass security mechanisms and take full remote control of a SAP system to steal or manipulate data. Improperly configured ACLs on SAP Message Server, meanwhile, allow any host with network access to the server to register a fake app server in the SAP system, Onapsis said. This could enable man-in-the-middle attacks and allow attackers to gain full control of the SAP environment.

SAP has long ago highlighted these issues to customers and has provided instructions on how to properly configure the ACL files. Even so, these ACL files remain open to exploitation at a very high percentage of SAP environments. According to Onapsis, publicly available data and its own research over the past 10 years suggest that as many as 900,000 systems across 50,000 companies worldwide may have the misconfigurations for which exploits are now newly available.

SAP Environments a Black Box for IT
Juan Perez-Etchegoyen, CTO at Onapsis, says the root cause for the high prevalence of misconfigured systems — despite all the warnings about the risks — is the tendency by SAP teams to operate on their own without proper oversight from the IT security team.

"SAP implementations have their own IT, their own security teams, and their own admins," Perez-Etchegoyen says. "Everyone is focusing on operational availability. We always find they are not properly addressing cybersecurity risk."

Historically, the SAP environment has been something of a black box for enterprise IT teams. They haven't had much of an opportunity to implement controls and have defined policies for SAP environments. So it is not unusual at all to see these misconfigurations present in a high proportion of SAP customer sites, Perez-Etchegoyen notes.

SAP environments that are potentially exposed should address the issue promptly because exploits are now available. Properly maintaining and updating an ACL involves some administrative overhead, but the benefits ofdoing so far outweigh the costs considering the risks involved, he says.

Onapsis has provided signatures for the exploits to major security vendors and incident responders to enable detection and monitoring for the exploits. The company is also working with government organizations and SAP service providers to coordinate a response. Additionally Onapsis has made its intrusion detection available free to all SAP customers, the company said.

This is another example of the need for organizations to address the security of ERP platforms and to ensure proper security and governance for the environment, Perez-Etchegoyen says.


The US-CERT late Thursday warned SAP customers of the new threat. In an advisory, it urged SAP administrators to ensure secure configuration of the SAP environment, restrict access to SAP Message Server, and to scan for and remove any exposed SAP components on the Web.

"Typically, SAP systems are not intended to be exposed to the Internet," US-CERT said. "Malicious cyber actors can attack and compromise these unsecure systems with publicly available exploit tools, termed '10KBLAZE'."

An SAP spokesperson reminded customers in a statement that the company had issued advisories for these issues years ago.

"Security notes 8218751408081 and 1421005 released in 2009 and 2013 will protect the customer from these exploits," the spokesperson said. "As always, we strongly advise our customers to apply these security notes immediately and ensure secure configuration of their SAP landscape."

SAP also pointed to recommendations in A Practical Guide for Securing SAP Solutions and Securing Remote Function Calls (RFC) that emphasize secure configuration of the SAP landscape. Customers can enable related security checks in the Early Watch Alert (note 863362) and the SAP Security Optimization Service (https://support.sap.com/sos), the company said.

"As the global leader in business software, SAP has based its development processes on a comprehensive security strategy ("Prevent – Detect – React") across the enterprise that relies on trainings, tools, and processes to enable the delivery of secure products and services," the spokesperson said.

Related Content:




Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
5/8/2019 | 3:01:22 AM
Re: Pending Review
thank you for sharing
User Rank: Apprentice
5/7/2019 | 5:59:30 AM
10KBLAZE demonstrates that the greatest threat to SAP systems is not zero-day vulnerabilities but the failure to apply SAP patches and implement SAP recommendations for secure system configurations. Security settings for the gateway server, messages server and SAProuter should be monitored with SAP Solution Manager. Solution Manager automatically identifies and alerts for misconfigurations in these areas including insecure entries in access control lists. Check out the Cybersecurity Extension for SAP Solution Manager from Layer Seven Security
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...