New exploits have been targeting SAP systems, allowing attackers to fully compromise the platform and delete all business application data, according to new research from Onapsis Inc.
The exploits, dubbed 10KBLAZE, can potentially compromise all NetWeaver Application Server (AS) and S/4HANA systems. “In exposed systems, the exploits can be executed by a remote, unauthenticated attacker having only network connectivity to the vulnerable systems. These exploits are not targeting vulnerabilities inherent in SAP code, but administrative misconfiguration of SAP NetWeaver installations,” the report said.
Attackers could also modify or extract highly sensitive and regulated information in what Onapsis called a serious threat, given that an estimated 50,000 companies and one million systems are configured using SAP NetWeaver and S/4HANA.
Misconfigurations in access control lists (ACLs) could leave systems vulnerable. Based on research collected over the past decade, the report estimated that nearly 90% of these systems suffer from the misconfigurations for which these exploits are now publicly available. “The lack of one of these ACLs being properly protected is enough for an attacker to successfully exploit it. Customers must secure both of the ACL configurations in Gateway and Message Server to stay protected,” the report said.
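As an added illustration of the Gateway ACL point (this is editorial example code, not from the Onapsis report or from SAP), the checker below flags permit rules that are fully wildcarded. It assumes the VERSION=2 line syntax used by the gw/sec_info and gw/reg_info files; the two sample files are constructed for the example, and a missing key is treated as a wildcard.

```python
"""Flag fully wildcarded permit rules in SAP Gateway ACL files (secinfo / reginfo)."""

# Constructed samples in the assumed VERSION=2 syntax of gw/sec_info and gw/reg_info.
SAMPLE_SECINFO = """#VERSION=2
P TP=* USER=* USER-HOST=* HOST=*
D TP=* USER=* USER-HOST=* HOST=*
"""

SAMPLE_REGINFO = """#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
P TP=SAPXPG HOST=app01.internal ACCESS=internal CANCEL=internal
D TP=* HOST=*
"""

# Keys whose values decide how broad a rule is, per file type.
WILDCARD_KEYS = {
    "secinfo": ("TP", "USER", "USER-HOST", "HOST"),
    "reginfo": ("TP", "HOST", "ACCESS", "CANCEL"),
}


def parse_rules(text):
    """Yield (action, {key: value}) for each rule line; comments and blanks are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        yield action.upper(), fields


def permissive_rules(text, kind):
    """Return permit ('P') rules whose checked keys are all '*' (absent counts as '*')."""
    findings = []
    for action, fields in parse_rules(text):
        if action != "P":
            continue
        if all(fields.get(key, "*") == "*" for key in WILDCARD_KEYS[kind]):
            findings.append(fields)
    return findings


if __name__ == "__main__":
    for name, text, kind in (("secinfo", SAMPLE_SECINFO, "secinfo"),
                             ("reginfo", SAMPLE_REGINFO, "reginfo")):
        for rule in permissive_rules(text, kind):
            print(f"{name}: fully wildcarded permit rule {rule}")
```

A rule such as `P TP=SAPXPG HOST=app01.internal ...` is not flagged because at least one key restricts it; the Message Server ACL (ms/acl_info) uses a different format and is not covered here.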
“This risk to SAP customers can represent a weakness in affected publicly traded organizations that may result in material misstatements of the company's annual financial statements (form 10-K). Further, a breach against these business-critical applications would likely result in the need for disclosure, given the SEC's recent Cybersecurity Disclosure Guidance,” said Larry Harrington, former chairman of the board of the Institute of Internal Auditors (IIA), in a press release.
“SAP released relevant security notes and guidance to help customers secure these critical configurations several years ago. The onus is on service providers and customers to implement, enforce and monitor tighter security controls on the systems. This can be very challenging and take significant resources, but the stakes are simply too high not to make the suggested configuration changes,” said Mariano Nunez, CEO and co-founder, Onapsis, in the press release.