Public SAP exploits could enable attacks against thousands of companies

Security experts warn that recently published, easy-to-use exploits for known SAP security issues can lead to wave of attacks against SAP systems that can impact tens of thousands of companies.

The exploits allow remote hackers to completely compromise affected SAP applications and the critical business data they contain.

The vulnerabilities themselves stem from insecure default configurations of SAP Gateway and SAP Message Server, two components that are used by various SAP business applications and are common in many environments.

Some of these issues have been known for over a decade, but they have continued to persist in many real-world deployments, according to security firm Onapsis.

Based on observations from security assessments performed for large organisations over the years, Onapsis estimates that the issues affect nine out of every ten SAP systems deployed by more than 50,000 SAP users worldwide -- around 900 million systems in total.

Over 400,000 organisations from around the world use SAP software products, including some of the largest multinational corporations.

The applications that use the potentially vulnerable components and could be affected by these exploits include SAP S/4HANA; SAP Enterprise Resource Planning (ERP); SAP Product Lifecycle Management (PLM); SAP Customer Relationship Management (CRM) and SAP Human Capital Management (HCM).

Others include SAP Supply Chain Management (SCM); SAP Supplier Relationship Management (SRM); SAP NetWeaver Business Warehouse (BW); SAP Business Intelligence (BI); SAP Process Integration (PI); SAP Solution Manager (SolMan) and SAP Governance, Risk & Compliance 10.x (GRC) and SAP NetWeaver ABAP Application Server 7.0 - 7.52.

The SAP exploits and their impact

The United States Cyber security and Infrastructure Security Agency (CISA) released an alert Thursday in response to the SAP exploits being released earlier this month on GitHub during a presentation by security firm Comae Technologies at a security conference. The exploits have been dubbed 10KBLAZE.

According to the alert, 900 internet-facing systems in the U,S, could be vulnerable to the SAP Gateway ACL (access control list) issue and 693 internet-exposed SAP Message Servers could be vulnerable to man-in-the-middle type attack.

There are also 1,181 SAP routers exposed to the internet, and if attackers gain access to them they could be used to proxy malicious requests to SAP Gateway systems.

These numbers don't seem high, but it's worth keeping in mind that such systems could serve as pivoting points for hackers to attack additional SAP systems located inside corporate networks.

Getting access to corporate networks can also be done in a variety of other ways, for example through phishing attacks that result in workstations being infected with malware. Hackers can then use those systems to attack others, including SAP.

Onapsis published a report and detection signatures that work with the Snort open-source intrusion detection system, because the new exploits make it significantly easier to launch attacks.

So, the threat against SAP systems is no longer from nation-state cyber espionage groups or highly sophisticated cyber criminals, but virtually anyone who can use a search engine like Shodan.

"In the wrong hands these exploits can cause a lot of damage," Onapsis CEO Mariano Nunez tells CSO. "Anyone can just download one of these exploits, point it at the IP address of an SAP system and with one command just completely wipe out the system and disrupt any business processes.

"I think it dramatically lowers the bar for who could actually attack SAP applications and therefore increases the risk because it increases the probability that this will happen. We believe we're going to see an increase in attacks leveraging these exploits and vulnerabilities."

Those attacks could take many forms -- from hacktivists trying to hurt companies they don't like by disrupting their business operations and causing significant financial losses to ransomware-type attacks like those that hit web servers and databases, where attackers delete data and leave ransom notes behind.

Of course, more sophisticated and well-planned attacks involving theft of sensitive business records and even malicious modification of data are also possible.

The challenges for SAP users

One of the reasons why many organisations are still vulnerable to these well-known issues after so many years is the complexity of their SAP environments. Companies heavily customise their SAP systems and Nunez estimates that every SAP deployment has on average 2 million lines of custom code added by their users.

These systems run business-critical processes, so if a security patch causes incompatibilities with those customisations and causes business downtime, the organisation could lose large amounts of money.

Mitigating these issues requires changing two settings, but while one change is relatively easy to make, the other could be a year-long project for a medium to large SAP implementation and would require significant resources, Nunez says.

"But the stakes are too high. Right? So, if you don't do it, it's clear what could go wrong."

Known SAP configuration vulnerability persist, even in cloud instances

However, Onapsis regularly finds these configuration issues even in new SAP implementations in the cloud that don't have the data complexity burden as older on-premise deployments.

This suggests that the problem runs deeper and that many companies are not doing these implementations with security in mind. Furthermore, since these systems are deployed in public clouds the risk of them being exposed to the internet is even higher.

"I think that also has to do with how the industry is approaching the security of SAP applications," Nunez says.

"There's a lot of focus on segregation-of-duties type of controls -- basically who can do what once they have access to the system -- but they're not really putting a lot of emphasis on making sure that the technical settings of the system are secure."

"I think what they fail to understand is that there are technical settings that can have immediate and devastating business and financial implications," Nunez says.

"That's why we named these exploits 10KBLAZE, because with this level of access an attacker can perform activities that could actually result in material misstatements in the financial filings."

Configuring access controls and roles in SAP applications to prevent employees for having access to more data than they should is a way for organisations to protect themselves against insider threats, which is important for their security posture.

However, if system-wide technical settings are left in an insecure state, both rogue employees and malicious hackers could easily bypass all those data access controls and gain complete and unrestricted access to the whole system.

"In most of the environments that we see, SAP is really not properly segmented on the internal network, so anyone connected to the local network or through a VPN, like a contractor, can use an exploit like this to take full control of the system," Nunez says.

Lack of monitoring tools

Another problem is the lack of monitoring tools that are configured to detect attacks and exploits against SAP systems. This means that in many cases if an attack does happen and there's no obvious system disruption or data modification, it could remain undiscovered.

According to Nunez, this aspect makes it very hard to estimate how much active exploitation of these SAP insecure configuration issues has occurred in the wild over the years. But SAP systems are on definitely on attackers' radar.

Last year Onapsis published a report together with another company called Digital Shadows, about increased hacker activity targeting ERP applications.

That report covered attack campaigns launched by hacktivist groups against SAP and Oracle ERP applications, attacks against ERP applications by nation-state actors and discussions about SAP hacking and ERP exploits on cyber criminal forums.

What should organisations using SAP do?

"As the CIO or the CEO of a company, I would bring my SAP service provider and cybersecurity vendor together in a room, and ask them to figure out, first of all, which systems are exposed to these exploits and then I'd trigger two work streams," Nunez says.

One would be to add monitoring capabilities in order to detect any exploitation attempts and the other would be to start the remediation process right away.

Companies should assess the exposure of their SAP environments to these threats, beginning with the systems exposed to the internet, should then deploy monitoring capabilities and should start the remediation process as soon as possible.

SAP offers guidance for fixing these issues in Security Notes #821875, #1408081 and #1421005 on their customer portal and the Onapsis report contains detailed steps on how to check if systems are vulnerable.

"Continuous monitoring can give you some level of compensating controls while you're mitigating the risk, but ultimately the only solution is to make those security settings and keep them secure," Nunez says.

"It's going to take months or years no matter where you start, but now with the exploits being public, the more you wait, the more risk and exposure you're taking on."