Separating FUDs from Facts
If you’re active in the SAP ecosystem, or you have an interest in cybersecurity in general, you’ll probably have noticed “10KBlaze”, which is currently blazing through the internet. An SAP security provider posted about how known but unpatched SAP vulnerabilities are still putting 90% of SAP customers at risk. This is well-trodden, old news. However, just recently new exploits have been made publicly available; exploits which enable a far larger community to target SAP instances.
A high-level summary of the vulnerability description and mitigation actions can be found on the website of The Department of Homeland Security Computer Emergency Readiness Team (DHS-CERT). Global media such as The New York Times, Reuters and many others reported the exact same storyline about a new and imminent security risk.
The attack surface has existed for many years. However, due to all the media attention, attempts to compromise SAP systems may grow significantly; for example, I have seen quite a few posts asking for a download link for said exploits. The scripts, the result of many hours of investigation, can be found on GitHub. Without going into too many technicalities, the core of the issue remains a system misconfiguration: the access control of the SAP gateway and message server is left open. SAP standard offers a way to validate your gateway and message server configuration (WIKI). Kudos to the authors for their research, which also lists remediation and detection options.
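As an added illustration, not code from the original post and not an SAP tool, the script below parses gateway ACL files in the standard reginfo/secinfo line format (a P or D action followed by KEY=VALUE pairs, evaluated first match wins) and flags a permit rule that accepts any program from any host, the classic catch-all that the media coverage is really about. The file contents, host names and the list of "internal" application servers are constructed for the example, and treating "no matching rule" as a deny is an assumption of this demo, not a statement about the gateway's own fallback behaviour on every release.

```python
"""Audit SAP gateway ACL files (reginfo / secinfo) for catch-all permit rules.

Added example for this post, not SAP's own tooling. The "#VERSION=2" line
format (P/D action followed by KEY=VALUE pairs, first match wins) is the
documented one; the file contents, host names and INTERNAL_HOSTS below are
constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed reginfo: which external programs (TP) may register at the
# gateway, and from which hosts. Line 7 is the catch-all we want to find.
SAMPLE_REGINFO = """\
#VERSION=2
# own application servers may register any program for their own use
P TP=* HOST=internal ACCESS=internal CANCEL=internal
# one named host may register one named program
P TP=PRINTSRV HOST=print01.example.test ACCESS=internal CANCEL=internal
# legacy catch-all that was never removed: anyone, anything
P TP=* HOST=* ACCESS=* CANCEL=*
"""

# Constructed secinfo: who may start external programs through the gateway.
# Here the catch-all is a deny, so this file is fine.
SAMPLE_SECINFO = """\
#VERSION=2
P TP=* USER=* USER-HOST=internal HOST=internal
D TP=* USER=* USER-HOST=* HOST=*
"""

# The "internal"/"local" keywords resolve to the system's own servers; for
# the demo that list is supplied by hand (constructed).
INTERNAL_HOSTS = {"app01.example.test", "app02.example.test", "localhost"}


@dataclass
class Rule:
    action: str   # "P" permit or "D" deny
    attrs: dict   # e.g. {"TP": "*", "HOST": "*"}
    lineno: int   # 1-based line in the file, for reporting


def parse_acl(text: str) -> list[Rule]:
    """Parse an ACL file; blank lines and '#' comments are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, _, rest = line.partition(" ")
        if action not in ("P", "D"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        attrs = dict(tok.split("=", 1) for tok in rest.split())
        rules.append(Rule(action, attrs, lineno))
    return rules


def host_matches(pattern: str, host: str) -> bool:
    """Match a host against an ACL value: keyword, exact name or wildcard."""
    if pattern.lower() in ("internal", "local"):
        return host in INTERNAL_HOSTS
    return fnmatch(host.lower(), pattern.lower())


def find_catch_all_permits(rules: list[Rule], source_key: str) -> list[int]:
    """Line numbers of permit rules accepting any program from any host.

    source_key names the requesting-host attribute: HOST in reginfo,
    USER-HOST in secinfo.
    """
    return [
        r.lineno
        for r in rules
        if r.action == "P"
        and r.attrs.get("TP", "*") == "*"
        and r.attrs.get(source_key, "*") == "*"
    ]


def decide(rules: list[Rule], tp: str, host: str, source_key: str) -> str:
    """First matching rule wins; no match is treated as deny (demo assumption)."""
    for r in rules:
        if fnmatch(tp, r.attrs.get("TP", "*")) and host_matches(
            r.attrs.get(source_key, "*"), host
        ):
            return "permit" if r.action == "P" else "deny"
    return "deny"


if __name__ == "__main__":
    reg = parse_acl(SAMPLE_REGINFO)
    sec = parse_acl(SAMPLE_SECINFO)
    print("reginfo catch-all permits on lines:", find_catch_all_permits(reg, "HOST"))
    print("secinfo catch-all permits on lines:", find_catch_all_permits(sec, "USER-HOST"))
    print("unknown host registering 'anything':",
          decide(reg, "anything", "203.0.113.9", "HOST"))
```

Run it as-is and the reginfo report points at line 7, while `decide` shows that an arbitrary host can register an arbitrary program because that catch-all sits at the end of the file; the secinfo sample, whose last rule is a deny, produces no findings. Order matters with first-match evaluation: a deny-all at the bottom only protects you if no wildcard permit precedes it.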
Working in the SAP security arena myself, I can only confirm that the number of live SAP environments still suffering from the described vulnerabilities is shockingly high. The 10KBlaze vulnerability is by far not the only weak spot; there are a few more well-documented security flaws that remain unpatched, unmitigated and unmonitored.
Just recently we experienced the uncomfortable truth ourselves. While preparing a conference presentation deck, our team ran a test by randomly listing 20 publicly accessible SAP instances, all production instances (mostly recognizable by their system ID) of large to mid-sized organizations. 12 of the listed systems had stone-age security configuration flaws. It wouldn’t need rocket science to halt or compromise the environment. All firms and organizations involved have been contacted and pointed to the vulnerability. We’re not in the market for SAP security mitigation, so the information shared was absolutely not commercially motivated. Anyway, should vulnerability details really be disclosed with a media campaign? In my humble opinion the answer is very short: NO! In some forum threads, the news around 10KBlaze gets labeled as FUD, aka clumsy sales tactics. OK, back on topic, our experience in sharing vulnerability details with affected SAP customers: only 4 out of 12 contacts gave a positive and immediate response to resolving a glaring security flaw! The number of contacted SAP customers was rather low, so the statistical accuracy is debatable. Nonetheless, the experience of “disinterest” is just mind-blowing.
These are probably examples of just cutting corners, though it does put the 10KBlaze topic into perspective. The reality is that hype probably doesn’t help, not just because it hands ammunition to the bad guys, but also because the message gets lost and looks like crying wolf each time. Yes, there are vulnerabilities; YES, SAP knows about them; YES, they have issued patches and recommendations; NO, patches haven’t been applied with complete accuracy at any point in time, because that is probably impossible to do. Hopefully some good will come out of raised awareness of the challenges facing any SOC team, and corporate budgets will be aligned to help resolve them.