10kBlaze Exploit can potentially impact most SAP customers
I would like to bring to the notice of this SAP community that big news broke this morning about an SAP vulnerability that can potentially impact the SAP applications listed below.
SAP S/4HANA, Enterprise Resource Planning (ERP), Product Lifecycle Management (PLM), Customer Relationship Management (CRM), Human Capital Management (HCM), Supply Chain Management (SCM), Supplier Relationship Management (SRM), NetWeaver Business Warehouse (BW), Business Intelligence (BI), Process Integration (PI), Solution Manager (SolMan), Governance, Risk & Compliance 10.x (GRC), NetWeaver ABAP Application Server 7.0 – 7.52
According to the researchers, the impact of a breach would be catastrophic for organizations: “Basically, a company can be brought to a halt in a matter of seconds.”
50,000 companies exposed to hacks of ‘business critical’ SAP systems: researchers
The vulnerability is a misconfiguration rather than an exploit. SAP introduced ACLs already in 2005…
Bartosz Jarkowski, you are right on: it is a misconfiguration; if it is not secured, attackers can take advantage of the flaw.
Now that this exploit is in the public domain I would want every organization to take a second look at their security configurations. Not just production systems, but their entire landscape.
But do you really have an exploit that can connect to the message server and in fact steal user passwords?
Sorry, but for me it smells a bit like fake news. You could also write a similar report stating that SAP users don't use strong passwords... Or that many environments did not change the default passwords (which in my opinion could be even more dangerous).
Short answer -YES!
Bartosz Jarkowski, the issue is not about whether an organization has a strong password policy or not. These exploits are about administrative misconfigurations of SAP NetWeaver installations (Gateway & Message Server). If misconfigured, an attacker can take full control of your SAP server. Details of how to exploit it were published in a public forum in April 2019.
Security notes that apply to secure gateway and message server – #821875 (2005), #1408081 (2009) and #1421005 (2010) as referred by Marco Hammel
> Sorry, but for me it smells a bit like a fake news
Yes news coverage is FUDy as hell.
The issues highlighted in our research are two sided:
> But do you really have an exploit that can connect to message server and in fact steal user passwords?
No, the code published here connects to the internal port of the Message Server (which should not be exposed to clients) and tricks it into forcing the Gateway to trust us. Thus we can come back with the GW PoC and get remote code execution at OS level from anonymous network access.
Dumping users' hashes (I did not say passwords) is some steps ahead and will be possible for a skilled attacker if the previous attack was successful. Getting clear-text passwords requires brute-forcing, and success will be bound to the user's password strength.
> Or many environments did not change the default passwords (which in my opinion could be even more dangerous)
That is indeed another very powerful and well-known vector to fully compromise an SAP server.
We compiled some defensive notes in the README.md file in our repository that SAP security staff may be interested in: https://github.com/gelim/sap_ms/blob/master/README.md
Hand over our GitHub link to your security team/BASIS admins for assessment and for building up a remediation plan. Now your teams have a way to independently assess the security of your systems and fill the gap. There are simple measures that will remediate those issues with quick wins.
US CERT alert has been issued https://www.us-cert.gov/ncas/alerts/AA19-122A
Please take into account that the notes to recognize are #821875 (2005), #1408081 (2009) and #1421005 (2010). As well, this vulnerability demonstrates once again how crucial it is to implement proper network separation (with firewalls) to reduce the likelihood of an attacker's success.
In case no network separation between your SAP server environment and other network clients is in place, the remediation is much more complex. Especially if you are running the NetWeaver system with multiple application servers (like most customers) with possibly changing IPs, for example in a FlexFrame environment.
So where is the link to this so called exploit?
Research presentation with all links is hosted here https://github.com/comaeio/OPCDE/tree/master/2019/Emirates/(SAP)%20Gateway%20to%20Heaven%20-%20Dmitry%20Chastuhin%2C%20Mathieu%20Geli
All these warnings you will get with a simple EWA Report.
EWA Report already shows what configuration is not ok for your SAP Systems and recommends the correct configuration.
Maikel Calgaroto, can you point me to the EWA reports/alerts and how to set them up? I don't believe SAP has full coverage.
I would appreciate your detailed response.
EWA has been showing you these misconfigurations for months or years. The mentioned behaviour has been known for 14 years....
I just checked the EWA report for a Java system; it does not cover Gateway and message server settings.
In the ABAP systems' EWA I can see it tracks only Gateway-related parameters (GW/ACL_MODE, GW/SEC_INFO, GW/REG_INFO) but not Message Server parameters. Correct me if I am wrong.
I am posting this after checking EWA reports for both Java and ABAP systems.
Just have a look in transaction DSA and open your EWA report ID. EWA documents will not show you detailed info if the check was successful.
You need to use SAP Solution Manager 7.2.
At transaction SOLMAN_SETUP, you can configure all connections between SOLMAN and your SAP system landscape. In the section Applications, Monitoring has one option to configure EWA Reports.
It's very important that your SOLMAN has been updated to the latest stack, including the ST-PI and ST-A/PI packages in both systems, SOLMAN and ERP, because with an updated EWA Report more security items can be checked.
Thanks for your reply. Now I can see other parameters of the message server (MS/MONITOR, MS/ADMIN_PORT, MS/ACL_INFO) as well in transaction DSA; as they are green, they are not called out in the EWA report. This makes sense for ABAP.
But this will not work for Java systems. Any idea on how to check these for Java systems in EWA?
Appreciate your reply... Thanks.
The gateway component is an ABAP part; there are no ACLs for Java systems because there is no gateway on the Java side.
On the other side, the message server is not mentioned for Java systems, therefore I guess you can restrict the access in the ms_acl file like in ABAP.
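As an added example (not code from this thread or from the researchers' repository), a small Python audit script that parses SAP profile lines for the Gateway and Message Server parameters named above and flags the weak settings next to their hardened counterparts. The parameter names are the ones discussed in this thread; the expected values assume the hardening described in the referenced SAP notes, and both profile contents are constructed samples.

```python
import re

# Parameters discussed in this thread and the value an audit should expect
# (assumed hardening per the referenced SAP notes). "SET" means the parameter
# must point to a maintained ACL file, i.e. any non-empty value.
EXPECTED = {
    "gw/acl_mode": "1",    # 1 = gateway rejects hosts not listed in the ACLs
    "gw/sec_info": "SET",  # ACL for starting external programs via the gateway
    "gw/reg_info": "SET",  # ACL for registering external RFC servers
    "ms/monitor": "0",     # 0 = no external monitoring of the message server
    "ms/acl_info": "SET",  # ACL of servers allowed to log on to the message server
}

PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/]+)\s*=\s*(.*?)\s*$")

def parse_profile(text):
    """Parse 'name = value' lines of an SAP profile; '#' lines are comments."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1).lower()] = m.group(2)  # names are case-insensitive
    return params

def audit_profile(text):
    """Return (parameter, actual, expected) for every insecure or missing setting."""
    params = parse_profile(text)
    findings = []
    for name, expected in EXPECTED.items():
        actual = params.get(name)
        if expected == "SET":
            if not actual:
                findings.append((name, actual, "path to a maintained ACL file"))
        elif actual != expected:
            findings.append((name, actual, expected))
    return findings

# Constructed samples: a weak profile and its hardened counterpart.
WEAK_PROFILE = "# constructed sample\nSAPSYSTEMNAME = XYZ\ngw/acl_mode = 0\nms/monitor = 1\n"
HARDENED_PROFILE = (
    "SAPSYSTEMNAME = XYZ\ngw/acl_mode = 1\n"
    "gw/sec_info = $(DIR_DATA)/secinfo\ngw/reg_info = $(DIR_DATA)/reginfo\n"
    "ms/monitor = 0\nms/acl_info = $(DIR_DATA)/ms_acl_info\n"
)

if __name__ == "__main__":
    for label, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_profile(prof))
```

The weak sample produces five findings (wrong acl_mode and monitor values plus three missing ACL files); the hardened sample produces none.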
I think we need to stress the word potentially in your introduction.
The original talk by Dmitry Chastuhin and Mathieu Geli was a down-to-earth technical discussion of the issue, with the nice title "(SAP) Gateway to Heaven".
Onapsis rebranded the material and turned it into some exaggerated hype (my opinion).
And it's embarrassing how the press rides the Onapsis FUD train.
Some more technical posts on the matter can be found here:
The researchers gave some notes on the exploits here, a must-read to understand the real issue: https://github.com/gelim/sap_ms/blob/master/10KBLAZE.md
SAP has updated security note #1408081 (from 2009) TODAY, in 2019.
This note relates to SAP Gateway access list security.
SAP: "UPDATE 2: May 14, 2019: All sections of text in this SAP Note and its validity have been revised. In addition, the CVSS information has been provided."