SAP's NetWeaver: New Exploits for MisconfigurationsResearchers at Onapsis Say Attacks Could Focus on NetWeaver Platform
New exploits released online that target long-known configuration weaknesses in SAP's NetWeaver platform could pose risks to payroll, invoicing and manufacturing processes, a security company warns.
Onapsis, a Boston-based company that specializes in securing SAP, says that up to 90 percent of 1 million SAP systems used by 50,000 companies could be vulnerable. Onapsis says the estimate is based on data it has collected over the last decade.
The exploits, dubbed 10KBLAZE, could be used to view and modify employees' personal data, bank transfer and routing processes, patient health records and energy distribution schedules, Onapsis says in a report. In the worst-case scenario, attackers could use the methods to shut down SAP systems.
"In summary, all confidentiality, integrity and availability of the data stored in these systems and corresponding databases are vulnerable," Onapsis says.
Heed SAP's Security Notes
The exploits don't target vulnerabilities but rather administrative misconfigurations of the NetWeaver platform, as well as S4 and Hana, according to Onapsis. NetWeaver is central to SAP installations and is a hub for applications, so its security is critical.
"These exploits can be executed by a remote, unauthenticated (no username and password) attacker having only network connectivity to the vulnerable systems," the report says. "While the affected technical components are not typically required nor recommended to be exposed to untrusted networks, Onapsis has seen examples of numerous systems having been found to be exposed directly to the internet."
SAP warned about the misconfiguration issue at hand in 2010 in security notice #1421005. Three years ago, Onapsis warned SAP it had found a new attack vectors. SAP said the attack wouldn't work if organizations followed the 2010 security note, according to the report.
Last month, new exploits and tools were released at the Opcde cybersecurity conference in Dubai by Dmitry Chastuhin, the lead SAP security analyst at ERPScan, and Mathieu Geli, who is a senior security consultant at Sogeti, which is part of Capgemini.
Their presentation focused on new attack vectors for targeting the Gateway and Message server components of SAP application servers. Some of the exploits they developed can be found here and here.
"Our journey begins from a wild guess on potential issue to reverse of SAP network protocols and implementation of exploits that can do full takeover of SAP servers by abusing some trust issues via anonymous network access," according to a description of their talk.
Full System Compromise
SAP has long been aware of the risk of insecure configurations and taken steps to prevent problems. For example, SAP Gateway Access Control Lists ship in a secure mode. The Message server also uses an ACL to check which IP addresses can register an application, Onapsis's report says.
SAP's Application servers must be registered with a Message server in order to serve users and for load balancing, the report says.
In 2005, SAP published security note #821875 with instructions on how to securely set up an ACL for the Message server. But the parameter is set to a default configuration, which Onapsis says leaves ACL content open "allowing any host with network access to the SAP Message Server to register an application server."
"An attacker only needs to be able to 'speak' the message server protocol to register a fake Application Server," Onapsis says. "This could lead to a full system compromise through more complex attacks such as a man-in-the-middle attack, where an attacker could steal user credentials acting as an Application Server. Additionally, attackers could shut down the SAP system or even achieve full system compromise with a fake server registration."
Onapsis has included a host of tips for those running SAP systems to evaluate the risk and make changes. It has also published two open source snort rules that would be able to detect the public exploits. It's also working with firewall vendors on signatures.
In a statement provided to Information Security Media Group, SAP notes: "SAP is aware of recent reports about vulnerabilities in SAP Gateway and Message Server, however these have been patched by SAP a few years ago. Security notes 821875, 1408081 and 1421005 released in 2009 and 2013 will protect the customer from these exploits. As always, we strongly advise our customers to apply these security notes immediately and ensure secure configuration of their SAP landscape."
The company also notes: "The recommendations published in the white papers A Practical Guide for Securing SAP® Solutions and Securing Remote Function Calls emphasize secure configuration of SAP landscape. Customers can enable related security checks in the Early Watch Alert (note 863362) and the SAP Security Optimization Service."