
10kBlaze Exploit can potentially impact most SAP customers

I would like to bring to the notice of this SAP community that HUGE news broke this morning about an SAP vulnerability that can potentially impact the SAP applications listed below.

SAP S/4HANA , Enterprise Resource Planning (ERP) , Product Lifecycle Management (PLM), Customer Relationship Management (CRM), Human Capital Management (HCM), Supply Chain Management (SCM), Supplier Relationship Management (SRM), NetWeaver Business Warehouse (BW), Business Intelligence (BI), Process Integration (PI), Solution Manager (SolMan), Governance, Risk & Compliance 10.x (GRC), NetWeaver ABAP Application Server 7.0 – 7.52


According to the researchers, the impact of a breach would be catastrophic for organizations: “Basically, a company can be brought to a halt in a matter of seconds.”

50,000 companies exposed to hacks of ‘business critical’ SAP systems: researchers


20 Comments
  • Bartosz Jarkowski, you are right on: it is a misconfiguration; if it is not secured, attackers can take advantage of the flaw.

    Now that this exploit is in the public domain I would want every organization to take a second look at their security configurations. Not just production systems, but their entire landscape.

    Stay secured!


    • But do you really have an exploit that can connect to the message server and in fact steal user passwords?

      Sorry, but for me it smells a bit like fake news. You could also write a similar report stating that SAP users don’t use strong passwords… Or that many environments did not change the default passwords (which in my opinion could be even more dangerous).

      • Short answer: YES!

        Bartosz Jarkowski, the issue is not about whether an organization has a strong password policy or not. These exploits are about administrative misconfigurations of SAP NetWeaver installations (Gateway & Message Server). If misconfigured, an attacker can take full control of your SAP server. Details of how to exploit it were published in a public forum in April 2019.

        Security notes that apply to securing the gateway and message server: #821875 (2005), #1408081 (2009) and #1421005 (2010), as referred to by Marco Hammel.


    • > Sorry, but for me it smells a bit like a fake news

      Yes, the news coverage is FUDy as hell.

      The issues highlighted in our research are two-sided:

      • Gateway misconfiguration: something from the past already, only the PoC is new
      • Message Server misconfiguration: that has been addressed by SAP for some time, but the impact was never really shown until our release

      > But do you really have an exploit that can connect to message server and in fact steal user passwords?

      No, the code published here connects to the internal port of the Message Server (which should not be exposed to clients) and tricks it into forcing the Gateway to trust us. Thus we can come back with the GW PoC and get remote code execution at OS level from anonymous network access.

      Dumping users’ hashes (I did not say passwords) is some steps ahead and will be possible for a skilled attacker if the previous attack was successful. Getting the clear-text password requires brute-forcing, and success will be bound to the user’s password strength.

      > Or many environments did not change the default passwords (which in my opinion could be even more dangerous)

      That is indeed another very powerful vector to fully compromise an SAP server, and it is well known.

      We compiled some defensive notes in the README.md file in our repository that SAP security staff may be interested in: https://github.com/gelim/sap_ms/blob/master/README.md

      Hand over our GitHub link to your security team/BASIS admins for assessment and for building up a remediation plan. Now your teams have a way to independently assess the security of your systems and fill the gap. There are simple measures that will remediate those issues with quick wins.

      Regards,


      — Mathieu

  • Please take into account that the notes to recognize are #821875 (2005), #1408081 (2009) and #1421005 (2010). As well, this vulnerability demonstrates once again how crucial it is to implement proper network separation (with firewalls) to reduce the likelihood of an attacker’s success.

    In case no network separation between your SAP server environment and other network clients is in place, the remediation is much more complex. Especially if you are running the NetWeaver system with multiple application servers (like most customers) with possibly changing IPs, for example in a FlexFrame environment.

  • You will get all these warnings with a simple EWA report.

    The EWA report already shows which configuration is not OK for your SAP systems and recommends the correct configuration.


        • Hi,

          I just checked the EWA report for a Java system; it does not cover Gateway and message server settings.

          In the ABAP system EWA I can see that it tracks only Gateway-related parameters (GW/ACL_MODE GW/SEC_INFO GW/REG_INFO) but not message server parameters. Correct me if I am wrong.

          I am posting this after checking EWA reports for both Java and ABAP systems.


          • Hi Rayapudi,

            Just have a look in transaction DSA and open your EWA report ID. EWA documents will not show you detailed info if the check was successful.

            br

  • Hi Robert,

    Thanks for your reply. Now I can see the other message server parameters (MS/MONITOR, MS/ADMIN_PORT, MS/ACL_INFO) as well in transaction DSA; as they are green, they are not called out in the EWA report. This makes sense for ABAP.

    But this will not work for Java systems. Any idea how to check these for Java systems in EWA?

    Appreciate your reply… Thanks.


    • Hi Rayapudi,

      The gateway component is an ABAP part; there are no ACLs for Java systems because there is no gateway on the Java side.

      On the other hand, the message server is not mentioned for Java systems, therefore I guess you can restrict the access in the ms_acl file like in ABAP.


      best regards

      rob
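A defensive check for the profile parameters named in this subthread, added here as an example; it is not code from the thread, from the SAP notes or from the gelim/sap_ms repository. It parses a constructed instance-profile fragment and a constructed reginfo file, then flags gw/acl_mode set to anything other than 1, ms/monitor set to anything other than 0, a missing gw/sec_info, gw/reg_info or ms/acl_info, and any reginfo permit line that combines TP=* with HOST=*. The sample values, the $(DIR_DATA) paths, the HOST=local keyword in the hardened reginfo, and treating an absent gw/acl_mode as "verify the kernel default" are assumptions; confirm the secure values against the notes referenced above before relying on the script.

```python
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (parameter or "file:line", what is wrong)

# Constructed sample: instance-profile fragment with the weak settings
# discussed in this thread (not a real customer profile).
WEAK_PROFILE = """\
SAPSYSTEMNAME = X01
INSTANCE_NAME = D00
gw/acl_mode = 0
gw/sec_info = $(DIR_DATA)/secinfo
gw/reg_info = $(DIR_DATA)/reginfo
ms/monitor = 1
"""

# Constructed sample: the same fragment with the hardened values.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = X01
INSTANCE_NAME = D00
gw/acl_mode = 1
gw/sec_info = $(DIR_DATA)/secinfo
gw/reg_info = $(DIR_DATA)/reginfo
ms/monitor = 0
ms/acl_info = $(DIR_DATA)/ms_acl_info
"""

# Constructed reginfo contents: a wildcard permit versus a local-only
# permit followed by an explicit deny-all (HOST=local is an assumption).
WEAK_REGINFO = "#VERSION=2\nP TP=* HOST=* ACCESS=* CANCEL=*\n"
HARDENED_REGINFO = (
    "#VERSION=2\n"
    "P TP=* HOST=local ACCESS=local CANCEL=local\n"
    "D TP=* HOST=*\n"
)


def parse_profile(text: str) -> Dict[str, str]:
    """Read 'name = value' lines of an SAP profile, skipping comments and blanks."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def audit_profile(params: Dict[str, str]) -> List[Finding]:
    """Flag the gateway and message server parameters named in the thread."""
    findings: List[Finding] = []
    acl_mode = params.get("gw/acl_mode")
    if acl_mode is None:
        findings.append(("gw/acl_mode", "not set explicitly; verify the kernel default and set 1"))
    elif acl_mode != "1":
        findings.append(("gw/acl_mode", f"value {acl_mode} is permissive; set 1"))
    for name in ("gw/sec_info", "gw/reg_info"):
        if not params.get(name):
            findings.append((name, "no gateway ACL file configured"))
    if params.get("ms/monitor", "0") != "0":
        findings.append(("ms/monitor", "external message server monitoring enabled; set 0"))
    if not params.get("ms/acl_info"):
        findings.append(("ms/acl_info", "no message server ACL file configured"))
    return findings


def audit_acl_file(text: str, kind: str) -> List[Finding]:
    """Flag permit lines in a reginfo/secinfo file that allow any host for any program."""
    findings: List[Finding] = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        fields = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                fields[key.upper()] = value
        if tokens[0] == "P" and fields.get("TP") == "*" and fields.get("HOST") == "*":
            findings.append((f"{kind}:{number}", "wildcard permit TP=* HOST=*: any host may use any program"))
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, "profile:", audit_profile(parse_profile(profile)) or "no findings")
    for label, acl in (("weak", WEAK_REGINFO), ("hardened", HARDENED_REGINFO)):
        print(label, "reginfo:", audit_acl_file(acl, "reginfo") or "no findings")
```

Run it against the real instance profile and the files that gw/sec_info, gw/reg_info and ms/acl_info point to; the profile checks are the same ones Rayapudi lists from transaction DSA, so a green EWA result and an empty finding list should agree.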

  • I think we need to stress the word potentially in your introduction.

    The original talk by Dmitry Chastuhin and Mathieu Geli was a down-to-earth technical discussion on the issue, with the nice title “(SAP) Gateway to Heaven”.

    Onapsis rebranded the material and turned it into some exaggerated hype (my opinion).

    And it’s embarrassing how the press rides the Onapsis FUD train.


    Some more technical posts on the matter can be found here:

    https://www.morethansap.com/2019/05/03/10kblaze-welcome-to-the-sapocalyse/

    https://www.serpenteq.com/en/blog/10KBlaze.html