4 min read
How you can mitigate the risks imposed by 10KBLAZE and other SAP threats
By: Heiko Mannherz on May 7, 2019 8:14:00 AM
Roughly 90% out of an estimated total of 1,000,000 SAP production systems could currently be at risk of being hacked by 10KBLAZE. Can you mitigate its risks?
During late April and early May 2019, there was tremendous media coverage of the vulnerabilities of several SAP installations that may be affected by an exploit known as 10KBLAZE. While it is technically not a vulnerability of the SAP applications itself but rather a misconfiguration, it may affect a whole range of SAP applications, like SAP S/4HANA and basically, every other SAP application based on the SAP NetWeaver stacks 7.0 to 7.52.
There are recommendations available for more than 10 years how to secure these SAP applications properly, however, only during recent SAP S/4HANA and SAP NetWeaver releases these security measures have been enabled by default. As a result, some researchers warn that nine out of ten SAP applications may be affected.
The attack surface consists of remote, unauthorized access to vulnerable systems by having network connectivity only. While there is usually no need to expose these kinds of SAP applications to unprotected networks,several hundreds of them apparently are accessible from the Internet in the US only. So, the usage of the exploits may compromise SAP applications, including the extraction, modification, or even deletion of business data.
Which SAP components you need to protect
There are basically three components that are exposed to the 10KBLAZE exploit if not configured properly:
- SAP Gateway: The SAP Gateway allows non-SAP applications to communicate with SAP applications. The SAP Gateway is protected by an Access Control List (ACL), however, in case it is not configured properly, it allows anonymous users to run operating system commands.
- SAP Router: The SAP Router helps to connect SAP systems with external networks. A misconfigured SAP Router in conjunction with an improper SAP Gateway configuration (in particular the default secinfo configuration) allows the remote code execution, using said router as a proxy.
- SAP Message Server: In contrast to the SAP Gateway, the SAP Message Server brokers communication between SAP applications, in particular, SAP Application Servers (AS). But like the SAP Gateway it features an Access Control List which should restrict communication to permitted participants only. If an attacker can reach the Message Server it may facilitate Man-In-The-Middle attacks and execute arbitrary code or operations in SAP Application Servers.
How you can protect SAP Message Server and SAP Gateway
There is a very clear set of instructions published in Alert AA19-122A - New Exploits for Unsecure SAP Systems by the Cybersecurity and Infrastructure Security Agency (CISA)how to mitigate the risks:
- Restrict authorized hosts via ACL files on Gateways (gw/acl_mode and secinfo) and Message Servers (ms/acl_info), as described in SAP Notes 1408081 and 821875
- Split internal and external access to Message Servers as described in SAP Note 1421005.
- Make sure you expose Message Server ports (TCP ports 39xx) only to allowed clients and use Secure Network Communications (SNC) wherever possible. Check your Threat Prevention system for the latest updates to see if they cover 10KBLAZE.
Why you are not done yet
There are basically two challenges. While the fix of the security issue may be relatively simple, it can be hard to figure out which systems are affected if you run a large SAP landscape. Furthermore, as easy it is to apply the changes outlined above, is it as much simple to reverse them, either by mistake or by intention. Interestingly, the first entry of the Gateway FAQ in the SAP wiki reads Disabling Gateway Security.
For a lasting effect of security measures, Compliance Monitoring is vital. Syslink Xandria provides several monitoring functions that make sure you are not exposed to the risks of 10KBLAZE not only today, but also in the future.
Syslink Xandria provides several monitoring functions that make sure you are not exposed to the risks of 10KBLAZE not only today, but also in the future.
Every day, Syslink Xandria verifies every single SAP Gateway and every SAP Message Server configuration alerting you if either of those has an unrestricted ACL setting, or an insecure secinfo setting. All this is done completely automatically and does not require any configuration work. The pictures below show two examples, the first of which exposes a potential security threat:
In the second case there is a proper configuration in place:
When it comes to SAP Routers, secure configurations are not as easy to detect out-of-the-box. But if your organization has a policy in place that prohibits the use of wildcards in the SAP Router Table, you can set up a custom monitoring within minutes to expose these tables.
But there is even more to it: Syslink Xandria provides a whole lot of additional functions when it comes to Compliance, Governance, Auditing; and Security:
- You can automatically evaluate every SAP profile parameter and every database configuration against a given policy, and you get an alert for every deviation from this policy.
- All administrative users in an SAP system are verified to be locked down, and every use of a standard password is alerted.
- Audit Logs, user authorizations, and user profiles are continuously traced and compared to your organization’s policy. The same is available for SAP system change options and SAP client settings.
- Every important change in your SAP system is tracked and recorded automatically.
- If you need to have a closer look, you can compare all profiles within and across SAP system landscapes.
Bottom Line
It is crucial to react to security threats like 10KBLAZE in a timely manner, in particular, if the potential impact is as high as this time. But it is equally vital to make sure the applied measures remain in place. Syslink Xandria simplifies your life by automating this kind of Compliance and Security Monitoring to the largest possible extent.
Want to learn more?
Watch a 15-minute demo or schedule your private demo
Related Posts
50,000 companies exposed to SAP systems hacks - what can you do?
In the last 20 years, the software ecosystem has invested billions of dollars increasing software...
City of Zurich improves system availability by proactive SAP monitoring
Zurich, Switzerland’s largest city, is known as a cosmopolitan financial center with a very diverse...
The Most Severe SAP Security Risk is Out, Are You Protected?
SAP has just released the highest severity security notice of 2019. What can you do to protect your...