New Critical Public Exploits Put SAP Applications at Risk
Onapsis issues threat report and steps to stay protected
When we became aware that several new exploits targeting SAP applications were available on a public forum, we began to act immediately. We have already notified all our customers about this serious threat and how the Onapsis Security Platform ensures they are protected. For all other SAP users, we are here to help you too. This is our mission, and we are sharing the details of what you can do today, including the release of two open-source Snort signatures for your firewalls and IPS/IDS devices.
These exploits, known as ‘10KBLAZE’, do not target vulnerabilities in SAP code itself but administrative misconfigurations of SAP NetWeaver installations, including S/4HANA. The misconfigurations are fully addressed by SAP Security Notes that have been available for more than 10 years.
Why are you at risk?
Our research team estimates that approximately 900,000 systems suffer from these misconfigurations. The exploits can lead to full compromise of the platform and deletion of all business application data, including the modification or extraction of highly sensitive and regulated information from applications such as SAP Business Suite, SAP ERP, SAP CRM, SAP HCM, SAP PLM and others. ‘10KBLAZE’ can be executed by a remote, unauthenticated attacker with nothing more than network access to the system.
Why is this critical?
The impact and risk to your business created by these exploits can be material. Risks include attackers creating new users in the SAP system with arbitrary privileges, allowing them to view and modify critical and sensitive business data (e.g., employees’ personal information, financial statements, banking transfer and routing processes, patient health records, critical infrastructure and energy distribution schedules, medication dosage amounts). Attackers can also leverage ‘10KBLAZE’ to gain full access to databases, take SAP systems offline and permanently delete business-critical and regulated information.
The confidentiality, integrity, and availability of ALL data stored in these systems and their corresponding databases are exposed to this exploit.
How to Stay Protected
Whether you’re an Onapsis customer or not, our mission is to keep your SAP systems protected. Onapsis Research Labs and our industry-leading Onapsis Security Platform deliver on that mission. Additionally, when we find or are alerted to critical vulnerabilities and exploits, we take the proper action to keep you protected. Here’s how to stay protected from the ‘10KBLAZE’ exploits:
- Download and read our Onapsis Threat Advisory – 10KBLAZE: Protection from a Cyber Exploit With the Power to Burn Financial Statements
- Apply the SAP Security Notes: #821875 (2005), #1408081 (2009) and #1421005 (2010). SAP customers can access the content of these notes through the SAP Launchpad (authentication required)
- If you do not have the Onapsis Security Platform, implement detection capabilities in your firewalls and IPS/IDS devices with the Snort signature rules. We are providing the signatures to recognized firewall vendors such as Cisco, FireEye and Palo Alto
- Contact and consult with Onapsis to perform a discovery service that determines whether your systems are affected by these misconfigurations
For Onapsis customers, you can do the following in the Onapsis Security Platform:
- Discover whether you’re susceptible to this misconfiguration
- Review incident reports from continuous monitoring of your SAP instances for signs of the exploit, and to prevent configurations from silently reverting to an insecure state
We are here to help and welcome you to contact us. You do not need to be an existing Onapsis customer to engage with us. Please read the Onapsis Threat Advisory, download and implement the Snort signatures, and ask us to perform a discovery service today.