Up to 50,000 enterprises that have adopted SAP solutions may be susceptible to cyberattacks due to new exploits targeting configuration flaws in the software, researchers say.
According to the cybersecurity team from Onapsis Research Labs, exploits dubbed 10KBlaze, which target two technical components of SAP software, have recently been released and can lead to the "full compromise" of SAP applications.
In a report detailing the exploits, Onapsis said such compromises include the deletion of business-critical application data, as well as the theft or modification of sensitive information.
The "10KBlaze" tools could also be used to create new users with arbitrary privileges, to perform business functions such as creating new vendors or purchase orders -- in other words, to commit financial fraud -- and to gain access to SAP databases or disrupt business operations.
Without any form of authentication, remote attackers only need some technical knowledge and network connectivity to the vulnerable system to perform an attack.
All SAP NetWeaver Application Server (AS) and S/4HANA systems may be at risk, since they rely on an Access Control List (ACL) in the Gateway and on the Message Server. The researchers say the impacted applications include, among others:
- SAP S/4HANA
- SAP Enterprise Resource Planning (ERP)
- SAP Product Lifecycle Management (PLM)
- SAP Customer Relationship Management (CRM)
- SAP Human Capital Management (HCM)
- SAP Supply Chain Management (SCM)
- SAP Supplier Relationship Management (SRM)
- SAP NetWeaver Business Warehouse (BW)
- SAP Business Intelligence (BI)
- SAP Process Integration (PI)
- SAP Solution Manager (SolMan)
- SAP Governance, Risk & Compliance 10.x (GRC)
- SAP NetWeaver ABAP Application Server 7.0 - 7.52
The exploits do not rely on core vulnerabilities in SAP code. Rather, errors in the administrative configuration and settings of SAP NetWeaver installations can be used to compromise applications.
According to Onapsis, up to 50,000 companies and a collective one million systems using SAP NetWeaver and S/4HANA are misconfigured. The team estimates that 90 percent of SAP systems in use by the enterprise may be vulnerable.
"If these configurations are not secured, as recommended by SAP (easier to do during implementation and GoLive process), [the] recently published exploits can be used against affected companies," Onapsis says.
SAP previously released guidelines to customers in 2005, 2009, and 2010 describing how to properly set up the application configuration to prevent exploitation. IT teams are advised to check their builds immediately to ensure they are protected.
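As an added illustration, not code from the article or from Onapsis, the following script flags overly permissive permit rules in the Gateway ACL files. The file names (reginfo, secinfo), the one-rule-per-line P/D syntax and the meaning of a missing ACCESS entry are assumed from SAP's documented format rather than taken from the article, and the sample file contents are constructed.

```python
"""Flag open permit rules in SAP Gateway ACL files (reginfo / secinfo).

Assumed format (from SAP documentation, not from the article): one rule
per line, 'P' (permit) or 'D' (deny) followed by KEY=VALUE pairs such as
TP=, HOST=, ACCESS=, CANCEL=, USER=, USER-HOST=. Lines starting with '#'
(including the '#VERSION=2' header) are ignored. A missing ACCESS in
reginfo is assumed to mean "all hosts may use the registered program".
"""
from typing import Dict, List, Tuple

Rule = Tuple[str, Dict[str, str]]  # ("P" or "D", {KEY: value})


def parse_acl(text: str) -> List[Rule]:
    """Parse reginfo/secinfo-style text into (action, fields) rules."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *pairs = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"unexpected rule action in line: {line!r}")
        fields: Dict[str, str] = {}
        for pair in pairs:
            key, _, value = pair.partition("=")
            fields[key.upper()] = value
        rules.append((action, fields))
    return rules


def permissive_findings(rules: List[Rule], kind: str) -> List[str]:
    """Return findings for permit rules that are effectively open to everyone."""
    findings = []
    for idx, (action, f) in enumerate(rules, 1):
        if action != "P":
            continue
        tp, host = f.get("TP", "*"), f.get("HOST", "*")
        if kind == "reginfo":
            if tp == "*" and host == "*":
                findings.append(f"reginfo rule {idx}: any host may register any program")
            elif f.get("ACCESS", "*") == "*":
                findings.append(f"reginfo rule {idx}: ACCESS unrestricted for TP={tp}")
        else:  # secinfo: who may start which program from where
            if f.get("USER", "*") == "*" and host == "*" and tp == "*":
                findings.append(f"secinfo rule {idx}: any user on any host may start any program")
    return findings


# Constructed sample files: one scoped rule followed by a wide-open one.
SAMPLE_REGINFO = "#VERSION=2\nP TP=TAX_SERVICE HOST=tax01.corp.example ACCESS=internal CANCEL=internal\nP TP=* HOST=*\n"
SAMPLE_SECINFO = "#VERSION=2\nP USER=* USER-HOST=internal HOST=internal TP=*\nP TP=* USER=* HOST=*\n"

if __name__ == "__main__":
    for name, text in (("reginfo", SAMPLE_REGINFO), ("secinfo", SAMPLE_SECINFO)):
        for finding in permissive_findings(parse_acl(text), name):
            print(finding)
```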
Update 11.05 BST: An SAP spokesperson told ZDNet:
"SAP is aware of recent reports about vulnerabilities in SAP Gateway and Message Server, however, these have been patched by SAP a few years ago. Security notes 821875, 1408081 and 1421005 released in 2009 and 2013 will protect the customer from these exploits. As always, we strongly advise our customers to apply these security notes immediately and ensure secure configuration of their SAP landscape."