Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:30 PM
Connect Directly

New Exploits For Old Configuration Issues Heighten Risk for SAP Customers

Exploits give attackers a way to create havoc in business-critical SAP ERP, CRM, SCM, and other environments, Onapsis says.

05/03/2019 UPDATE: This story has been updated to include statements from US-CERT and SAP.

Exploits targeting a couple of long-known misconfiguration issues in SAP environments have become publicly available, putting close to 1 million systems running the company's software at risk of major compromise.

Risks include attackers being able to view, modify, or permanently delete business-critical data or taking SAP systems offline, according to application security vendor Onapsis.

The exploits, which Onapsis has collectively labeled 10KBLAZE, were publicly released April 23. They affect a wide range of SAP products, including SAP Business Suite, SAP S/4 HANA, SAP ERP, SAP CRM, and SAP Process Integration/Exchange Infrastructure.

The exploits are not targeting any inherent security vulnerabilities in SAP's code, Onapsis says. Rather, they target improperly configured access control lists (ACLs) in SAP Gateway and SAP Message Server. SAP Gateway handles communications between SAP and non-SAP systems, and Message Server does communication and load balancing between SAP app servers. The two components are present in many SAP environments.

SAP Gateway ACL files are currently delivered in secure mode by default. But on older versions, the default configuration was insecure and allowed attackers a way to bypass security mechanisms and take full remote control of a SAP system to steal or manipulate data. Improperly configured ACLs on SAP Message Server, meanwhile, allow any host with network access to the server to register a fake app server in the SAP system, Onapsis said. This could enable man-in-the-middle attacks and allow attackers to gain full control of the SAP environment.

SAP has long ago highlighted these issues to customers and has provided instructions on how to properly configure the ACL files. Even so, these ACL files remain open to exploitation at a very high percentage of SAP environments. According to Onapsis, publicly available data and its own research over the past 10 years suggest that as many as 900,000 systems across 50,000 companies worldwide may have the misconfigurations for which exploits are now newly available.

SAP Environments a Black Box for IT
Juan Perez-Etchegoyen, CTO at Onapsis, says the root cause for the high prevalence of misconfigured systems — despite all the warnings about the risks — is the tendency by SAP teams to operate on their own without proper oversight from the IT security team.

"SAP implementations have their own IT, their own security teams, and their own admins," Perez-Etchegoyen says. "Everyone is focusing on operational availability. We always find they are not properly addressing cybersecurity risk."

Historically, the SAP environment has been something of a black box for enterprise IT teams. They haven't had much of an opportunity to implement controls and have defined policies for SAP environments. So it is not unusual at all to see these misconfigurations present in a high proportion of SAP customer sites, Perez-Etchegoyen notes.

SAP environments that are potentially exposed should address the issue promptly because exploits are now available. Properly maintaining and updating an ACL involves some administrative overhead, but the benefits ofdoing so far outweigh the costs considering the risks involved, he says.

Onapsis has provided signatures for the exploits to major security vendors and incident responders to enable detection and monitoring for the exploits. The company is also working with government organizations and SAP service providers to coordinate a response. Additionally Onapsis has made its intrusion detection available free to all SAP customers, the company said.

This is another example of the need for organizations to address the security of ERP platforms and to ensure proper security and governance for the environment, Perez-Etchegoyen says.


The US-CERT late Thursday warned SAP customers of the new threat. In an advisory, it urged SAP administrators to ensure secure configuration of the SAP environment, restrict access to SAP Message Server, and to scan for and remove any exposed SAP components on the Web.

"Typically, SAP systems are not intended to be exposed to the Internet," US-CERT said. "Malicious cyber actors can attack and compromise these unsecure systems with publicly available exploit tools, termed '10KBLAZE'."

An SAP spokesperson reminded customers in a statement that the company had issued advisories for these issues years ago.

"Security notes 8218751408081 and 1421005 released in 2009 and 2013 will protect the customer from these exploits," the spokesperson said. "As always, we strongly advise our customers to apply these security notes immediately and ensure secure configuration of their SAP landscape."

SAP also pointed to recommendations in A Practical Guide for Securing SAP Solutions and Securing Remote Function Calls (RFC) that emphasize secure configuration of the SAP landscape. Customers can enable related security checks in the Early Watch Alert (note 863362) and the SAP Security Optimization Service (https://support.sap.com/sos), the company said.

"As the global leader in business software, SAP has based its development processes on a comprehensive security strategy ("Prevent – Detect – React") across the enterprise that relies on trainings, tools, and processes to enable the delivery of secure products and services," the spokesperson said.

Related Content:




Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
5/8/2019 | 3:01:22 AM
Re: Pending Review
thank you for sharing
User Rank: Apprentice
5/7/2019 | 5:59:30 AM
10KBLAZE demonstrates that the greatest threat to SAP systems is not zero-day vulnerabilities but the failure to apply SAP patches and implement SAP recommendations for secure system configurations. Security settings for the gateway server, messages server and SAProuter should be monitored with SAP Solution Manager. Solution Manager automatically identifies and alerts for misconfigurations in these areas including insecure entries in access control lists. Check out the Cybersecurity Extension for SAP Solution Manager from Layer Seven Security
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Virginia a Hot Spot For Cybersecurity Jobs
Jai Vijayan, Contributing Writer,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-15
An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter.
PUBLISHED: 2019-10-15
qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in...
PUBLISHED: 2019-10-15
In the Rapid Gator application 0.7.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
PUBLISHED: 2019-10-15
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.
PUBLISHED: 2019-10-15
In the Seesaw Parent and Family application 6.2.5 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.