Vulnerabilities Affecting SAP AI Services


The Importance of Protecting the Building Blocks of Your Organization

On July 17th, 2024, Hillai Ben-Sasson, a security researcher at the cloud security company Wiz, released the results of research focused on SAP's cloud AI services, part of a broader investigation into mainstream AI cloud providers that also covered Hugging Face and Replicate. The researcher identified a set of weaknesses in the cloud infrastructure of the SAP Core AI service: more specifically, the ability to set the user id of a workload to arbitrary values (other than root) and thereby inherit the network rules bound to specific user IDs (in this case, the reserved user id configured for the istio sidecar proxy, which is 1337).

This allowed the researcher to move from a Kubernetes pod to, ultimately, the internal network of that cloud service, including many applications that were not properly secured and had vulnerabilities of their own. As mentioned in the blog, an attacker posing as a legitimate SAP customer could have gained access to other customers' training data and even to the internal cloud environments of SAP customers using the SAP Core AI service.
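The weakness described above is a pod-configuration problem: Istio's sidecar redirects pod traffic through the proxy with iptables rules that exempt the proxy's own UID (1337 by default), so a workload container allowed to run as that UID sees the network without the mesh's controls. The defensive counterpart is to reject such pod specs before they are admitted. The following is an added example written for this post, not code from SAP, Wiz or the Istio project; it validates pod specs (given as plain dictionaries, as an admission controller would receive them) and flags containers that adopt the proxy UID, run as root, run privileged or use the host network. The pod specs at the bottom are constructed samples, and the `trainer` container name is illustrative.

```python
"""Admission-style check for pod specs that try to adopt the Istio sidecar's UID.

Istio's default iptables rules exempt traffic originating from UID 1337 (the
sidecar's own UID) from redirection through the proxy. A workload container
that runs as 1337 therefore bypasses the mesh's network policy. This check
rejects such specs, plus a few neighbouring misconfigurations.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

ISTIO_PROXY_UID = 1337   # Istio's default sidecar UID, reserved for the proxy
ROOT_UID = 0
SIDECAR_CONTAINER = "istio-proxy"  # Istio's injected sidecar container name


@dataclass
class Violation:
    container: str
    reason: str


def _effective_uid(pod_sc: Dict[str, Any], container: Dict[str, Any]) -> Optional[int]:
    """A container-level runAsUser overrides the pod-level one, as in Kubernetes."""
    c_sc = container.get("securityContext") or {}
    if "runAsUser" in c_sc:
        return c_sc["runAsUser"]
    return pod_sc.get("runAsUser")


def check_pod(pod: Dict[str, Any]) -> List[Violation]:
    """Return every policy violation found in the pod spec (empty list = admissible)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    violations: List[Violation] = []

    if spec.get("hostNetwork"):
        violations.append(Violation("<pod>", "hostNetwork bypasses the sidecar entirely"))

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        if name == SIDECAR_CONTAINER:
            continue  # the sidecar itself is the only container allowed to use the proxy UID
        uid = _effective_uid(pod_sc, c)
        if uid is None:
            violations.append(Violation(name, "runAsUser not set; the image default applies"))
        elif uid == ISTIO_PROXY_UID:
            violations.append(Violation(
                name, f"runAsUser {uid} is the Istio proxy UID; traffic would bypass the mesh"))
        elif uid == ROOT_UID:
            violations.append(Violation(name, "runAsUser 0 (root)"))
        if (c.get("securityContext") or {}).get("privileged"):
            violations.append(Violation(name, "privileged container"))
    return violations


def is_admissible(pod: Dict[str, Any]) -> bool:
    return not check_pod(pod)


# Constructed sample pod specs (not taken from any real deployment).
SAFE_POD = {"spec": {
    "securityContext": {"runAsUser": 10001, "runAsNonRoot": True},
    "containers": [
        {"name": "trainer", "image": "example/trainer:1"},
        {"name": "istio-proxy", "image": "istio/proxyv2",
         "securityContext": {"runAsUser": ISTIO_PROXY_UID}},
    ]}}

UID_1337_POD = {"spec": {"containers": [
    {"name": "trainer", "image": "example/trainer:1",
     "securityContext": {"runAsUser": 1337}},
]}}

PRIV_ROOT_POD = {"spec": {"containers": [
    {"name": "trainer", "image": "example/trainer:1",
     "securityContext": {"runAsUser": 0, "privileged": True}},
]}}

if __name__ == "__main__":
    for label, pod in [("safe", SAFE_POD), ("uid-1337", UID_1337_POD), ("priv-root", PRIV_ROOT_POD)]:
        print(label, "admissible" if is_admissible(pod) else "REJECTED")
        for v in check_pod(pod):
            print("   ", v.container, "-", v.reason)
```

In a real cluster the same logic would live in a validating admission webhook or a policy engine rule; the point of the example is the check itself, in particular that a UID reserved for infrastructure must be denied to customer-supplied workloads rather than treated as "non-root, therefore fine".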

This research further demonstrates the need for holistic security in today's hybrid SAP environments, covering cloud services as well as SAP applications. The complexity and criticality of these environments demand no less.

Avoiding Vulnerabilities Is Only Part of It: The Need for Continuous Monitoring 

Even though the threat represented by this research is ephemeral, since all vulnerabilities have been addressed by SAP in the cloud and customers do not need to apply any change to their environments, the issues are representative of the entire SAP technology stack: they highlight the need for security in cloud environments, beyond the customer's own premises.

Even though these vulnerabilities were patched by SAP and no SAP Security Note was required, it is worth noting that in the past there have been SAP Security Notes addressing cloud services in similar ways.

These are just some examples of patched vulnerabilities that are specific to SAP Applications and services in the cloud.

Nowadays, very few large SAP customers maintain their SAP environments strictly on-premises. The vast majority of them are in some form of a hybrid environment, where they have a mix of the following:

  • On-Premises Applications: the traditional ABAP-based or Java-based applications such as SAP ERP, S/4HANA, SAP Solution Manager, SAP Portal or SAP PI/PO
  • Applications in the Cloud (IaaS): more and more organizations are migrating their traditional SAP applications, including SAP S/4HANA, to public cloud providers such as GCP, Azure or AWS. This also includes initiatives such as RISE with SAP.
  • Pure Cloud Applications (SaaS): through acquisitions and the implementation of new technologies, SAP offers applications as SaaS. Examples are SAP Ariba, Concur or SuccessFactors.
  • Platform as a Service in the Cloud (PaaS): mostly driven by the growing adoption of SAP BTP and all of its cloud services, including AI services, for application development in the cloud as well as integration with on-premises applications.

This means that when we talk about the security of SAP environments, we no longer talk only about the security of on-premises applications, but about a combination of many environments, or building blocks, each of which may be subject to different types of security vulnerabilities and risks.

The latest Threat Intelligence released by Onapsis and Flashpoint highlights the threat landscape for SAP applications, including exploits, vulnerabilities and ransomware. Against that backdrop, organizations running or consuming SAP applications or services should integrate them into their existing security processes, including but not limited to:

By integrating SAP applications and services into existing IT security processes, organizations can help prevent the introduction of new vulnerabilities and manage existing risks holistically, from on-premises applications all the way to cloud environments and services.