Threat actors are planning SAP exploits. Not putting the right processes in place is tantamount to giving them a blessing to hack company data.
Sixty-four percent of ERP systems have been breached in the last 24 months, according to a recent survey from Onapsis and IDC. Only 4% of organizations avoided data security issues. In many of the other cases, hackers stole customer data, intellectual property and engineering information from organizational systems.
10KBLAZE exploit causes concern
Among potential SAP exploits, the 10KBLAZE exploit dominated conversation earlier this year.
SAP Gateway and SAP Message Server default configurations can encourage SAP exploits, said JP Perez-Etchegoyan, CTO of Onapsis. Publicly available exploit tools known as 10KBLAZE can compromise these unsecured systems. The concern reached a fever pitch in May, when the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) issued an alert, driven by the criticality, impact and sheer number of SAP systems that are not keeping up with SAP vulnerabilities, Perez-Etchegoyan said.
The 10KBLAZE exploit is a well-documented risk to SAP applications. The 10KBLAZE and other SAP exploits can be downloaded from GitHub by anyone with ill intent.
Once the SAP system is compromised, an attacker can use SAP exploits to steal all the business data accessed by SAP. That includes bank account numbers, intellectual property and employee data. A threat actor can also carry out a fraud scheme and change or modify anything on the system, Perez-Etchegoyan said.
10KBLAZE isn't the only SAP vulnerability out there. And when it comes to SAP exploits, the ERP system is not the only system at risk. Most companies have a large landscape of SAP applications that are interconnected, and they need to be able to govern what the security risks are that affect each application.
"An attacker is going to go for the weakest spot, then go through the different applications," Perez-Etchegoyan said.
Counteracting potential SAP exploits
SAP publishes the known vulnerabilities every three months -- and sometimes sooner, as the company becomes aware of them.
"The important piece to remember is the vulnerabilities specific to SAP out there are generally known vulnerabilities," said Britta Simms, IBM's global lead for SAP security.
While tools to catch these vulnerabilities will help, companies need to address these risks from a process perspective, Perez-Etchegoyan said. They need accountability, risk tolerance definitions, a process for how they will react to threats, visibility into applications and a baseline for secure configurations.
One of the ways that companies can keep SAP systems secure is to have a change control process in place for how they handle newly discovered vulnerabilities, Simms said. That means a governance process to evaluate how changes, from tweaking the color of a report to handling a merger or acquisition, will go forward. That includes design decisions, build and testing, and deployment.
The process also needs to consider security.
Often, companies need a security software architect to review changes, and many organizations do not have a process in place to do this review, Simms said. A lot of companies are missing the security capability integrated into their processes. It can be manual or automated, but it needs to be there to catch vulnerabilities before they're exploited by threat actors, Simms said.
When in doubt, patch
The importance of patching cannot be overstated.
The most common issue most security consultants run into is a simple one: Companies use outdated SAP systems that haven't been patched, said Will Ellis, founder of Privacy Australia and an IT security consultant.
This is a mistake, because many patches contain important security updates.
"Many SAP systems are misconfigured," Ellis said. "But I would say 80% of the issues related to SAP security are just cases of companies not wanting to bring down their SAP systems to update them."
Ultimately, an SAP system is a treasure trove for threat actors, and SAP exploits are nothing new. Companies need to make sure they configure systems, particularly SAP Gateway and SAP Message Server, to keep out malfeasants, as well as have processes in place to make changes to SAP systems. And, of course, patching will help shore up vulnerabilities that present themselves as threat actors become more sophisticated in their attacks.
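The SAP Gateway and SAP Message Server defaults the article ties to 10KBLAZE are governed by a handful of ACL files and profile parameters, so a secure-configuration baseline for these components is something an operations team can check mechanically. The audit script below is an added example for this page; it is not code from the article, Onapsis, SAP or CISA. It assumes the documented line syntax of the gateway secinfo/reginfo files (version 2) and the message server ms/acl_info file, and the gw/acl_mode, gw/sec_info, gw/reg_info and ms/acl_info profile parameters. Every sample file is constructed here, and treating an unset gw/acl_mode as permissive is an assumption of the script, since the kernel default depends on release.

```python
"""Audit SAP Gateway / Message Server ACL files and profile parameters
for catch-all entries that leave the default, permissive configuration
in place. Added example; samples below are constructed, not real."""
import re

# Constructed sample files (not from any real system).
SAMPLE_SECINFO_OPEN = "#VERSION=2\nP TP=* USER=* HOST=* USER-HOST=*\n"
SAMPLE_REGINFO_OPEN = "#VERSION=2\nP TP=* HOST=* ACCESS=* CANCEL=*\n"
SAMPLE_SECINFO_HARDENED = (
    "#VERSION=2\n"
    "P TP=* USER=* HOST=local USER-HOST=local\n"
    "P TP=sapxpg USER=* HOST=batch01.example.internal USER-HOST=internal\n"
    "D TP=* USER=* HOST=* USER-HOST=*\n"
)
SAMPLE_MS_ACL_OPEN = "HOST=*\n"
SAMPLE_MS_ACL_HARDENED = "HOST=10.20.*.*\nHOST=app01.example.internal\n"
SAMPLE_PROFILE_WEAK = "gw/acl_mode = 0\ngw/sec_info = $(DIR_DATA)/secinfo\n"
SAMPLE_PROFILE_OK = (
    "gw/acl_mode = 1\n"
    "gw/sec_info = $(DIR_DATA)/secinfo\n"
    "gw/reg_info = $(DIR_DATA)/reginfo\n"
    "ms/acl_info = $(DIR_DATA)/ms_acl_info\n"
)

# The two catch-all spellings: '*' and the dotted IPv4 form '*.*.*.*'.
_WILDCARD = re.compile(r"^(\*|\*\.\*\.\*\.\*)$")


def is_wildcard(value):
    return _WILDCARD.match(value) is not None


def parse_acl_rules(text):
    """Parse 'P|D KEY=VALUE ...' lines into (action, fields) tuples.
    Lines starting with '#' (the #VERSION header, comments) are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        fields = {}
        for token in parts[1:]:
            key, _, value = token.partition("=")
            fields[key.upper()] = value
        rules.append((parts[0].upper(), fields))
    return rules


def audit_gateway_acl(text, kind):
    """Report permit rules in a secinfo or reginfo file that let any
    program (TP=*) be started or registered from any host (HOST=*)."""
    host_keys = ("HOST", "USER-HOST") if kind == "secinfo" else ("HOST",)
    findings = []
    for number, (action, fields) in enumerate(parse_acl_rules(text), start=1):
        if action != "P":
            continue
        # A missing key is read as '*' here, i.e. the permissive reading.
        tp = fields.get("TP", "*")
        open_hosts = [k for k in host_keys if is_wildcard(fields.get(k, "*"))]
        if is_wildcard(tp) and open_hosts:
            findings.append(
                f"{kind} rule {number}: TP={tp} permitted from "
                + ", ".join(f"{k}={fields.get(k, '*')}" for k in open_hosts)
            )
    return findings


def audit_message_server_acl(text):
    """Report HOST= entries in ms/acl_info that accept any client."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for token in line.split():
            key, _, value = token.partition("=")
            if key.upper() == "HOST" and is_wildcard(value):
                findings.append(f"ms_acl_info line {number}: {token} accepts any host")
    return findings


def audit_profile(text):
    """Check the instance profile for the parameters that switch the
    gateway and message server ACLs on. Assumption: an unset gw/acl_mode
    is treated as 0 (permissive), since the kernel default varies."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    findings = []
    if params.get("gw/acl_mode", "0") != "1":
        findings.append("gw/acl_mode is not 1: gateway keeps permissive defaults")
    for param in ("gw/sec_info", "gw/reg_info", "ms/acl_info"):
        if param not in params:
            findings.append(f"{param} is not set: no ACL file configured")
    return findings


if __name__ == "__main__":
    for name, result in [
        ("secinfo (open)", audit_gateway_acl(SAMPLE_SECINFO_OPEN, "secinfo")),
        ("secinfo (hardened)", audit_gateway_acl(SAMPLE_SECINFO_HARDENED, "secinfo")),
        ("reginfo (open)", audit_gateway_acl(SAMPLE_REGINFO_OPEN, "reginfo")),
        ("ms_acl_info (open)", audit_message_server_acl(SAMPLE_MS_ACL_OPEN)),
        ("profile (weak)", audit_profile(SAMPLE_PROFILE_WEAK)),
    ]:
        print(name, "->", result or "no findings")
```

The checks are deliberately narrow: they flag only rules that combine a wildcard program with a wildcard host, which is the shape of the open default, and treat the hardened sample (host-restricted permits followed by an explicit deny-all) as clean. On a real landscape the same functions would be run over each instance's DIR_DATA files and profile, with the output fed into the change control process the article describes rather than acted on ad hoc.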