One million SAP systems vulnerable to '10KBLAZE' critical security flaw

Flaw affects up to one million SAP NetWeaver installations, warns Onapsis - but SAP claims it was patched years ago

Around 50,000 SAP customers have been left vulnerable to cyber attacks due to a recently discovered software misconfiguration flaw.

The issue, labelled 10KBLAZE by security firm Onapsis Research on April 23, affects SAP NetWeaver installations, including those underlying S/4HANA.

According to the company, the publicly available exploits abuse insecure configurations of the SAP Gateway and Message Server components and can lead to a full system compromise.

What's even more concerning is that cyber criminals can carry out these attacks without the need for a valid system user ID and password.


Onapsis explained in a report: "Vulnerable SAP applications can be compromised by a remote unauthenticated attacker having only network access to the system (without the need for a valid SAP user ID and password).

"Attackers can obtain unrestricted access to SAP systems, enabling them to compromise the platform along with all of its information, modify or extract this information or shut the system down.

"Order-to-Cash, Procure-to-Pay, Inventory Management, Treasury, Tax, HR & Payroll, and any other business process handled by SAP, can be controlled, affecting the integrity of business information used to build the financial statements."


Based on public information, Onapsis claimed that "a collective 1,000,000 SAP systems are currently running the potentially-affected components".

It added that "nearly 90 per cent of these systems suffer from the misconfigurations for which these exploits are now publicly available".

Mariano Nunez, CEO and co-founder of Onapsis, said: "SAP released relevant security notes and guidance to help customers secure these critical configurations several years ago. The onus is on service providers and customers to implement, enforce and monitor tighter security controls on the systems.


"This can be very challenging and take significant resources, but the stakes are simply too high not to make the suggested configuration changes."

Furthermore, the risks entailed by the flaw may also be an issue for an organisation's auditors.

Larry Harrington, former chairman of the Board of the Institute of Internal Auditors (IIA), said: "This risk to SAP customers can represent a weakness in affected publicly-traded organisations that may result in material mis-statements of the company's annual financial statements.

"Further, a breach against these business-critical applications would likely result in the need for disclosure given the recent SEC's Cybersecurity Disclosure Guidance."


A spokesperson for SAP said that the company is aware of recent reports about vulnerabilities in SAP Gateway and Message Server.

The company added: "However, these have been patched by SAP a few years ago. Security notes 821875, 1408081 and 1421005 released in 2009 and 2013 will protect the customer from these exploits.

"As always, we strongly advise our customers to apply these security notes immediately and ensure secure configuration of their SAP landscape."
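The Gateway and Message Server settings the article refers to are access control lists held in plain-text files on the application server: the Gateway's secinfo (which programs a client may start) and reginfo (which hosts may register external server programs), and the Message Server's ms_acl_info (which hosts may register as application servers). A permit rule with a wildcard host in any of them is what lets a remote, unauthenticated attacker reach the system. The Python script below is an added illustration, not code from Onapsis, SAP or the security notes quoted above: it parses constructed weak and hardened versions of the three files and reports the permissive entries. The file contents, hostnames, path and SID are made up for the example.

```python
"""Flag wildcard permit entries in SAP Gateway and Message Server ACL files.

Added example: the sample files below are constructed for illustration and
are not taken from any real system or from the Onapsis report.
"""

# Constructed sample files (hypothetical hosts, SID and paths).
WEAK_SECINFO = """#VERSION=2
P TP=* USER=* USER-HOST=* HOST=*
"""

HARDENED_SECINFO = """#VERSION=2
P TP=* USER=* USER-HOST=internal HOST=internal
P TP=/usr/sap/SID/SYS/exe/run/sapxpg USER=sidadm USER-HOST=appsrv01 HOST=appsrv01
D TP=* USER=* USER-HOST=* HOST=*
"""

WEAK_REGINFO = """#VERSION=2
P TP=*
"""

HARDENED_REGINFO = """#VERSION=2
P TP=* HOST=internal ACCESS=internal CANCEL=internal
D TP=* HOST=*
"""

WEAK_MS_ACL = "HOST=*\n"
HARDENED_MS_ACL = "HOST=appsrv01.corp.example\nHOST=appsrv02.corp.example\n"

# Fields that limit which host a permit rule applies to. A missing field is
# treated as unrestricted, which is the conservative reading for an audit.
HOST_FIELDS = {"secinfo": ("HOST", "USER-HOST"), "reginfo": ("HOST",)}


def parse_rules(text):
    """Return a list of (action, {KEY: value}) tuples from an ACL file.

    Gateway files carry a leading P (permit) or D (deny); ms_acl_info lines
    are bare KEY=VALUE tokens, so their action is None.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        action = tokens.pop(0) if tokens[0] in ("P", "D") else None
        fields = {}
        for token in tokens:
            key, _, value = token.partition("=")
            fields[key.upper()] = value
        rules.append((action, fields))
    return rules


def is_unrestricted(value):
    """True when a host field is absent or a bare wildcard."""
    return value is None or value == "*"


def check_gateway_acl(text, kind):
    """Findings for a secinfo (kind="secinfo") or reginfo (kind="reginfo") file."""
    findings = []
    for number, (action, fields) in enumerate(parse_rules(text), start=1):
        if action != "P":
            continue  # deny rules cannot widen access
        open_fields = [f for f in HOST_FIELDS[kind] if is_unrestricted(fields.get(f))]
        if open_fields:
            findings.append(
                f"{kind} rule {number}: permit for TP={fields.get('TP', '*')} "
                f"with unrestricted {', '.join(open_fields)}"
            )
    return findings


def check_ms_acl(text):
    """Findings for an ms_acl_info file: any host allowed to join as app server."""
    findings = []
    for number, (_, fields) in enumerate(parse_rules(text), start=1):
        if is_unrestricted(fields.get("HOST")):
            findings.append(
                f"ms_acl_info entry {number}: HOST=* lets any host register "
                "as an application server"
            )
    return findings


def audit(secinfo, reginfo, ms_acl):
    """Combine all three checks into one list of findings."""
    return (
        check_gateway_acl(secinfo, "secinfo")
        + check_gateway_acl(reginfo, "reginfo")
        + check_ms_acl(ms_acl)
    )


if __name__ == "__main__":
    for label, files in (
        ("weak", (WEAK_SECINFO, WEAK_REGINFO, WEAK_MS_ACL)),
        ("hardened", (HARDENED_SECINFO, HARDENED_REGINFO, HARDENED_MS_ACL)),
    ):
        print(f"{label}: {audit(*files) or ['no findings']}")
```

On a real system the files are located by the profile parameters gw/sec_info, gw/reg_info and ms/acl_info, and setting gw/acl_mode to 1 makes the Gateway deny by default when the files are missing. The `internal` keyword in the hardened samples is the Gateway's own shorthand for the application servers of the same system; the explicit trailing deny rules make the intended default visible to whoever reads the file next.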
