Anand Nayak Rao Kotti

10kBlaze Exploit can potentially impact most SAP customers

I would like to bring to the notice of this SAP community that big news broke this morning about an SAP vulnerability that can potentially impact the SAP applications listed below.

SAP S/4HANA, Enterprise Resource Planning (ERP), Product Lifecycle Management (PLM), Customer Relationship Management (CRM), Human Capital Management (HCM), Supply Chain Management (SCM), Supplier Relationship Management (SRM), NetWeaver Business Warehouse (BW), Business Intelligence (BI), Process Integration (PI), Solution Manager (SolMan), Governance, Risk & Compliance 10.x (GRC), NetWeaver ABAP Application Server 7.0 – 7.52

According to the researchers, the impact of a breach would be catastrophic for organizations: “Basically, a company can be brought to a halt in a matter of seconds.”

50,000 companies exposed to hacks of ‘business critical’ SAP systems: researchers

21 Comments
      Bartosz Jarkowski

The vulnerability is a misconfiguration rather than an exploit. SAP introduced ACLs already in 2005…

      Anand Nayak Rao Kotti
      Blog Post Author

Bartosz Jarkowski, you are right on: it is a misconfiguration, and if it is not secured, attackers can take advantage of the flaw.

Now that this exploit is in the public domain, I would want every organization to take a second look at their security configurations. Not just production systems, but their entire landscape.

Stay secured!

      Bartosz Jarkowski

But do you really have an exploit that can connect to the message server and in fact steal user passwords?

Sorry, but to me it smells a bit like fake news. You could also write a similar report stating that SAP users don't use strong passwords... Or that many environments did not change the default passwords (which in my opinion could be even more dangerous).

      Anand Nayak Rao Kotti
      Blog Post Author

Short answer: YES!

Bartosz Jarkowski, the issue is not about whether an organization has a strong password policy or not. These exploits are about administrative misconfigurations of SAP NetWeaver installations (Gateway & Message Server). If misconfigured, an attacker can take full control of your SAP server. Details of how to exploit it were published in a public forum in April 2019.

Security notes that apply to securing the gateway and message server: #821875 (2005), #1408081 (2009) and #1421005 (2010), as referred to by Marco Hammel.

      Mathieu Geli

      > Sorry, but for me it smells a bit like a fake news

Yes, the news coverage is FUDy as hell.

      The issues highlighted in our research are two sided:

• Gateway misconfiguration: something from the past already, only the PoC is new
• Message Server misconfiguration: that has been addressed for some time by SAP, but the impact was never really shown until our release

      > But do you really have an exploit that can connect to message server and in fact steal user passwords?

No, the code published here connects to the internal port of the Message Server (which should not be exposed to clients) and tricks it into forcing the Gateway to trust us. Thus we can come back with the GW PoC and get remote code execution at OS level from anonymous network access.

Dumping user hashes (I did not say passwords) is some steps ahead and will be possible for a skilled attacker if the previous attack was successful. Getting clear-text passwords requires brute-forcing, and success will be bound to the user’s password strength.

      > Or many environments did not change the default passwords (which in my opinion could be even more dangerous)

That is indeed another very powerful vector to fully compromise an SAP server, and it is well known.

      We compiled some defensive notes in the README.md file in our repository that SAP security staff may be interested in: https://github.com/gelim/sap_ms/blob/master/README.md

Hand over our GitHub link to your security team/BASIS admins for assessment and for building a remediation plan. Now your teams have a way to independently assess the security of your systems and fill the gap. There are simple measures that will remediate those issues with quick wins.

Regards,

— Mathieu

      Anand Nayak Rao Kotti
      Blog Post Author

A US-CERT alert has been issued: https://www.us-cert.gov/ncas/alerts/AA19-122A

      Marco Hammel

Please take into account that the notes to recognize are #821875 (2005), #1408081 (2009) and #1421005 (2010). This vulnerability also demonstrates once again how crucial it is to implement proper network separation (with firewalls) to reduce the likelihood of an attacker's success.

In case no network separation between your SAP server environment and other network clients is in place, the remediation is much more complex, especially if you are running the NetWeaver system with multiple application servers (like most customers) with possibly changing IPs, for example in a FlexFrame environment.

      Gerd Kirchner

So where is the link to this so-called exploit?

      Mathieu Geli

The research presentation with all links is hosted here: https://github.com/comaeio/OPCDE/tree/master/2019/Emirates/(SAP)%20Gateway%20to%20Heaven%20-%20Dmitry%20Chastuhin%2C%20Mathieu%20Geli

      Gerd Kirchner

      Thx 🙂

      Maikel Calgaroto

All these warnings you will get with a simple EWA report.

The EWA report already shows which configuration is not OK for your SAP systems and recommends the correct configuration.

      Anand Nayak Rao Kotti
      Blog Post Author

Maikel Calgaroto, can you point me to the EWA reports/alerts and how to set them up? I don't believe SAP has full coverage.

      I would appreciate your detailed response.

      Former Member

EWA has been showing you these misconfigurations for months or years. The mentioned behaviour has been known for 14 years....

      Rayapudi Praveen

      Hi,

I just checked the EWA report for a Java system; it does not cover Gateway and Message Server settings.

In the EWA for ABAP systems I can see it tracks only Gateway-related parameters (GW/ACL_MODE, GW/SEC_INFO, GW/REG_INFO) but not Message Server parameters. Correct me if I am wrong.

I am posting this after checking EWA reports for both Java and ABAP systems.

      Former Member

      Hi Rayapudi,

just have a look in transaction DSA and open your EWA report ID. EWA documents will not show you detailed info if the check was successful.

      br

      Maikel Calgaroto

      You need to use SAP Solution Manager 7.2.

In transaction SOLMAN_SETUP, you can configure all connections between SOLMAN and your SAP system landscape. In the Applications section, Monitoring has an option to configure EWA reports.

It's very important that your SOLMAN has been updated to the latest stack, including the ST-PI and ST-A/PI packages in both systems, SOLMAN and ERP, because with an updated EWA report more security items can be checked.

Good Luck.

      Rayapudi Praveen

      Hi Robert,

Thanks for your reply. Now I can see the other message server parameters (MS/MONITOR, MS/ADMIN_PORT, MS/ACL_INFO) as well in transaction DSA; as they are green, they are not called out in the EWA report. This makes sense for ABAP.

But this will not work for Java systems. Any idea on how to check these for Java systems in EWA?

Appreciate your reply... Thanks.

      Former Member

      Hi Rayapudi,

the gateway component is an ABAP part; there are no ACLs for Java systems because there is no gateway on the Java side.

On the other side, the message server is not mentioned for Java systems, therefore I guess you can restrict the access in the ms_acl file like in ABAP.

      best regards

      rob
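The parameters discussed in the two comments above (GW/ACL_MODE, GW/SEC_INFO, GW/REG_INFO, MS/MONITOR, MS/ACL_INFO) can also be checked outside EWA, straight from an instance profile. The following Python audit is an added example, not code from the page, from the commenters or from the researchers' repository; the "expected" values it encodes and the two sample profiles are assumptions constructed for the example, to be confirmed against the SAP Notes cited in this thread.

```python
# Hardened-baseline expectations for the Gateway and Message Server parameters
# named in this thread. The expected values are this example's assumptions; confirm
# them against SAP Notes 821875, 1408081 and 1421005. None means "must merely be set".
RULES = {
    "gw/acl_mode": ("1", "fall back to a restrictive gateway ACL when the ACL files are absent"),
    "gw/sec_info": (None, "point the gateway at a maintained secinfo ACL file"),
    "gw/reg_info": (None, "point the gateway at a maintained reginfo ACL file"),
    "ms/monitor": ("0", "allow message server monitoring on the internal port only"),
    "ms/acl_info": (None, "point the message server at a maintained ACL file"),
}

def parse_profile(text):
    """Parse 'name = value' profile lines into a dict; names are lower-cased (EWA
    prints them upper-case), comments are skipped, $(...) substitution is not done."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().lower()] = value.strip()
    return params

def audit(params):
    """Return (parameter, problem, remediation) tuples for deviations from RULES."""
    findings = []
    for name, (expected, fix) in RULES.items():
        value = params.get(name)
        if not value:
            findings.append((name, "not set", fix))
        elif expected is not None and value != expected:
            findings.append((name, f"is {value}, expected {expected}", fix))
    return findings

# Constructed sample profiles for this example; they are not from any real system.
WEAK_PROFILE = """
gw/acl_mode = 0
gw/sec_info = /usr/sap/DEV/SYS/global/secinfo
ms/monitor = 1
"""
HARDENED_PROFILE = """
gw/acl_mode = 1
gw/sec_info = /usr/sap/PRD/SYS/global/secinfo
gw/reg_info = /usr/sap/PRD/SYS/global/reginfo
ms/monitor = 0
ms/acl_info = /usr/sap/PRD/SYS/global/ms_acl_info
"""
if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        for name, problem, fix in audit(parse_profile(text)):
            print(f"[{label}] {name} {problem}: {fix}")
```

Run against the weak profile it reports four findings (acl_mode, reg_info, monitor, acl_info); the hardened profile produces none.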

      Rolo Tomassi

      I think we need to stress the word potentially in your introduction.

The original talk by Dmitry Chastuhin and Mathieu Geli was a down-to-earth technical discussion of the issue, with the nice title "(SAP) Gateway to Heaven".

Onapsis rebranded the material and turned it into some exaggerated hype (my opinion).

And it's embarrassing how the press rides the Onapsis FUD train.

      Some more technical posts on the matter can be found here:

      https://www.morethansap.com/2019/05/03/10kblaze-welcome-to-the-sapocalyse/

      https://www.serpenteq.com/en/blog/10KBlaze.html

      Stefan Schuemann

The researchers gave some notes on the exploits here, a must-read to understand the real issue: https://github.com/gelim/sap_ms/blob/master/10KBLAZE.md

      Anand Nayak Rao Kotti
      Blog Post Author

SAP has updated security note #1408081 (from 2009) TODAY, in 2019.

      This note relates to SAP Gateway access list security.

SAP: "UPDATE 2: May 14, 2019: All sections of text in this SAP Note and its validity have been revised. In addition, the CVSS information has been provided."

      https://launchpad.support.sap.com/#/notes/1408081