Skip to Content
Personal Insights

Separating FUDs from Facts

If you’re active in the SAP eco-space, or you have an interest in cybersecurity in general, you’ll probably have noticed “10KBlaze” that is currently blazing through the internet. An SAP security provider posted about how known but unpatched SAP vulnerabilities are still putting 90% of the SAP customers at risk. This is well-trodden, old news. However, just recently new exploits have been made publicly available; exploits which enable a far larger community to target SAP instances.

A high level summary of the vulnerability description and mitigation actions can be found on the website of The Department of Homeland Security Computer Emergency Readiness Team (DHS-CERT). Also, global media such as The New York Times, Reuters and many others… reported the exact same storyline about a new and imminent security risk.

The attack surface has existed for many years. However, due to all the media attention attempts to compromise SAP systems may grow significantly, for example, I have seen quite a few posts asking for a download link for the bespoken exploits. The scripts, a result of many hours of investigation, can be found on GitHub. Without going into too many technicalities the core of the issue remains a system misconfiguration. SAP standard offers a way to validate your gateway and message server configuration (WIKI). Kudos to the authors for their research, also listing remediation and detection options.

Working in the SAP security arena myself,  I can only confirm, the number of live SAP environments still suffering from the described vulnerabilities are shockingly high. The 10KBlaze vulnerability is by far not the only weak spot, there are few more well-documented security flaws that remain unpatched, unmitigated and unmonitored.

Just recently we experienced the uncomfortable truth ourselves while preparing a conference presentation deck, our team ran a test by randomly listing 20 publicly accessible SAP instances, all production instances (mostly recognizable by their system ID) of large to midsized organizations. 12 of the listed systems had stone-age security configuration flaws. It wouldn’t need rocket science to halt or compromise the environment. All firms and organizations involved have been contacted, pointing them to the vulnerability.  We’re not in the market for SAP security mitigation. so the information shared was absolutely not commercially motivated. Anyway, should vulnerability details really be disclosed with a media campaign? In my humble opinion the answer is very short, NO!  In some forum threads, the news around 10KBlaze gets labeled as FUD, aka, clumsy sales tactics.  OK, back on topic, our experience in sharing vulnerability details with affected SAP customers: Only 4 out of 12 contacts gave a positive and immediate response in resolving a glaring security flaw!  The number of contacted SAP customers was rather low so the statistical accuracy is debatable. Nonetheless, the experience of “disinterest” is just mind-blowing.

These are probably examples of just cutting corners, though it does put the 10KBlaze topic into perspective. The reality is that hype probably doesn’t help, not just because it hands over ammunition to the bad guys, because also because the message gets lost and looks like crying wolf each time. Yes, there are vulnerabilities, YES SAP knows about them, YES they have issued patches and recommendations, NO, patches haven’t been applied with complete accuracy at any point in time because that is probably impossible to do.  Hopefully some good will come out of a raised awareness into the challenges facing any SOC team and corporate budgets will be aligned to help resolve them.

3 Comments
You must be Logged on to comment or reply to a post.
  • Hi Mans,

    I totally agree with your general position. The actual news is that there is now a known exploit for the mis/non-configuration of the message server in the wild. Besides of the relevant notes #821875 (2005), #1408081 (2009) and #1421005 (2010) in addition to the fact the free early watch report reports the configuration issues since quite a while organization are to often incapable to follow fundamental security basics like patching, or placing a firewall around a server system.

    However, I find this more frequently applies to SAP technology. It seems to me many security experts have no or few SAP technology understanding and as a result they ignore the topic. Of course, it should be vice versa.

    There is still need for education in the ecosystem.

    Cheers

    Marco

    • Hi Marco,

      I cannot agree more. The unawareness, missing domain experience, ignorance, resource shortage, stressing budgets, a false sense of security, … has been nurtured by the fact SAP application have a legacy and perception of being isolated backend systems.

      Cheers, Ivan