SAP Flaw Leaves 50,000 Companies Vulnerable

security vulnerability Shutterstock - © Andy Dean Photography

New exploits targeting SAP business applications released in a public forum, warn security researchers

Companies using SAP software are at great risk of being hacked after new exploits were published online to tackle vulnerabilities.

The warning came from security researchers Onapsis, and concern SAP implementations that have not had the correct configuration of security settings. It is calling the exploit 10KBLAZE.

Onapsis believes that up to 50,000 companies using SAP haven’t correctly configured their security settings.

SAP

SAP exploit

And the security researchers have warned that these companies are often running critical business applications.

“Although the exploits target insecure configurations that have been reported by SAP SE and Onapsis in the past, their public release significantly increases the risk of successful cyber attacks against SAP implementations globally,” said Onapsis.

“Based on hundreds of SAP implementation assessments and the proprietary threat intelligence of Onapsis, we estimate these exploits could affect 9 out of 10 SAP systems of more than 50,000 customers world-wide,” it added. “We recommended you review and apply all relevant SAP security notes immediately.

The good news is that Onapsis has decided to make tools immediately available for SAP customers free of charge to help them secure their systems.

“Given the criticality of the risk posed by 10KBLAZE and insights from our threat intelligence capabilities, Onapsis has decided to open-source components of the Onapsis Security Platform and make intrusion detection signatures immediately and freely available to all SAP customers,” the researcher said.

“Further, Onapsis has coordinated a global response with international government authorities, global SAP service providers and leading cyber threat detection and incident response firms to enable detection, monitoring, and remediation of affected organisations globally,” it added.

According to Reuters, SAP had actually issued guidance on how to correctly configure the security settings in 2009 and 2013, but data compiled by Onapsis shows that 90 percent of affected SAP systems have not been properly protected.

“Basically, a company can be brought to a halt in a matter of seconds,” Onapsis Chief Executive Mariano Nunez, is quoted as saying.

“With these exploits, a hacker could steal anything that sits on a company’s SAP systems and also modify any information there – so he can perform financial fraud, withdraw money, or just plainly sabotage and disrupt the systems,” he is quoted as saying.

SAP was clear that customers should follow its security advice and patch their systems.

“SAP is aware of recent reports about vulnerabilities in SAP Gateway and Message Server, however these have been patched by SAP a few years ago,” the firm said in an emailed statement to Silicon UK.

“Security notes 821875,1408081 and 1421005 released in 2009 and 2013 will protect the customer from these exploits,” SAP said. “As always, we strongly advise our customers to apply these security notes immediately and ensure secure configuration of their SAP landscape.”

The German software giant said that it takes the security of its customer data seriously, and urged customers to follow its recommendations and implement patches.

Security scare

This is not the first time that there has been a security scare surrounding SAP systems.

In 2016 the US government warned that hackers had been exploiting a flaw in SAP’s enterprise software, despite a patch being issued in 2010.

The Department of Homeland Security’s United States Computer Emergency Readiness Team had warned the vulnerability could give outside attackers remote control over older SAP systems if the patch had not been installed.

SAP had left it up to system administrators to apply the patch to their systems when it issued the update.

Do you know all about security? Try our quiz!