Many SAP installations are vulnerable to critical security holes. The Cyber Security and Digital Infrastructure Bureau (CISA) is now warning of increased threats from attacks on known vulnerabilities and misconfigurations in SAP systems. With the release of an exploit kit called 10KBLAZE, compromising such systems has become very easy. Onapsis estimates that 9 out of 10 SAP installations worldwide, at more than 50,000 customers, are affected.
10KBLAZE Abuses A Number Of Security Gaps
In its security report, CISA lists three main points of attack. Access control lists of a SAP gateway are often configured incorrectly, which means that users who are not logged in can execute commands on the operating system. The factory setting of the gateway's secinfo configuration can also be misused to execute commands remotely. In certain situations, an attacker could abuse a SAP router to gain access to an external network, which could lead to the execution of malicious code from the public network. At the time of the security conference at which the 10KBLAZE tools were published, just under a thousand SAP routers vulnerable to such attacks could be found on the internet.
The standard settings of the SAP Message Server are also susceptible to misuse. An attacker inside the SAP network can carry out attacks through such a server and thereby obtain legitimate login data. Some of these servers can also be reached from the public internet because of incorrect network configuration. Further information on the attacks and how to detect them can be found in the CISA security advisory. In principle, the Cyber Security and Digital Infrastructure Bureau recommends securing SAP systems through better configuration of the SAP components and restricting access from external networks. SAP systems are not designed to be exposed to the internet, which is an untrusted network.
Onapsis experts estimate that around 90% of all SAP systems are affected by these security vulnerabilities. 10KBLAZE misuses incorrect configurations within SAP systems so that an unauthorized user can execute commands they are not permitted to run. This can happen if the SAP gateways are configured incorrectly, and it is one of the three main types of attack reported by CISA. Even the factory setting of the gateway's secinfo configuration allows commands to be executed remotely.
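The gateway ACL and secinfo misconfiguration named in both paragraphs above can be checked on the defender's side. The following Python script is an added example (not part of the CISA advisory or the original article): it parses a secinfo file in SAP's documented version-2 syntax and flags permit rules that let any host start programs. The sample file contents are constructed, and treating an absent field as a wildcard is an assumption of this checker.

```python
from dataclasses import dataclass

# Constructed sample secinfo file (version-2 syntax). It mixes the restrictive
# rules a hardened gateway should carry with the wildcard permit rule that the
# attacks described in the advisory rely on.
SAMPLE_SECINFO = """\
#VERSION=2
# allow only local and internal hosts (hardened)
P TP=* USER=* USER-HOST=local HOST=local
P TP=* USER=* USER-HOST=internal HOST=internal
# wildcard permit: any host may start any program (dangerous)
P TP=* USER=* USER-HOST=* HOST=*
D TP=* USER=* USER-HOST=* HOST=*
"""

WILDCARD = "*"
KEYS = ("TP", "USER", "USER-HOST", "HOST")


@dataclass
class Rule:
    action: str   # 'P' (permit) or 'D' (deny)
    fields: dict  # TP, USER, USER-HOST, HOST
    lineno: int


def parse_secinfo(text):
    """Parse secinfo rules; comments and the #VERSION header are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *pairs = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        fields = {}
        for pair in pairs:
            key, _, value = pair.partition("=")
            fields[key.upper()] = value
        for key in KEYS:              # assumption: an absent key matches anything
            fields.setdefault(key, WILDCARD)
        rules.append(Rule(action, fields, lineno))
    return rules


def audit_secinfo(text):
    """Return (lineno, reason) for every permit rule open to any host."""
    findings = []
    for rule in parse_secinfo(text):
        f = rule.fields
        if rule.action != "P" or f["HOST"] != WILDCARD:
            continue
        what = "any program" if f["TP"] == WILDCARD else f["TP"]
        findings.append((rule.lineno, f"permits any host to start {what}"))
    return findings
```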