"10KBlaze" Vulnerability Threatens SAP Systems

May 21, 2019 Posted by: Mark Mergaerts

EXPERTUM TECH ALERT - Following a blog post by the SAP security specialists Onapsis (https://www.onapsis.com/blog/10kblaze), a lot of attention is now being paid to a serious vulnerability known as "10KBlaze". It potentially allows an attacker to compromise the integrity of an SAP system by abusing a misconfiguration of network access to that system, and to do so without authenticating with a valid user ID and password.

10KBlaze affects all systems based on the SAP NetWeaver Application Server (ABAP and Java) and also S/4 HANA.

The vulnerability is not in the SAP code but is the result of missing network access configuration. The means to properly protect network access to SAP have been available for more than 10 years, and SAP has published several notes describing them, but a majority of customers have never implemented such protections. The issue has now become critical because the exploit was made public at the OPCDE Cybersecurity Conference in Dubai in April 2019.

An SAP system has several entry points for an external connection:

  • Message server
  • Gateway
  • Dispatcher

All three can be protected against unauthorized access through Access Control Lists (ACL), which specify the addresses or address ranges for which connections are explicitly allowed (or explicitly denied). If no ACL is in place, however, then no restrictions apply. This could make it possible, for example, for an attacker to register an application server by connecting to and manipulating the system's message server.

One mitigating element is that in many circumstances firewalls will prevent hostile external connections from reaching the SAP servers. However, if the internal network is breached in any way, the SAP landscape is left fully vulnerable when no ACLs are configured. Now that a public exploit is known, it is therefore essential to set up proper protection for your critical business data.

Here are the key SAP notes to help with this:

  • 821875: Security settings in the message server
  • 1408081: Basic settings for reg_info and sec_info
  • 1421005: Secure configuration of the message server
  • 1459075: Access control lists (ACL)
  • 2423054: Message Server ACL file (incorrect use of wildcards in IP address)
  • 2605523: [WEBINAR] Gateway Security Features (contains a video of a 60-minute expert session)
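To see what "no ACL in place" looks like in practice, here is a small audit script for a gateway reg_info file of the kind note 1408081 tells you to maintain. It is an added example, not code from Expertum or SAP; it assumes the file format described in that note (a `#VERSION=2` header, then one rule per line starting with `P` or `D` followed by `KEY=VALUE` tokens, with `*` as wildcard and `local`/`internal` as keywords), and the two sample files and the host address in them are constructed.

```python
# Added example: flag reg_info permit rules that let any host register a program.
# Assumed rule format (per SAP note 1408081 conventions): "P|D TP=... HOST=... ACCESS=... CANCEL=..."
# Constructed samples: an open file (the misconfiguration 10KBlaze abuses) and a hardened one.
OPEN_REG_INFO = """#VERSION=2
P TP=* HOST=* ACCESS=*
"""

HARDENED_REG_INFO = """#VERSION=2
P TP=* HOST=local ACCESS=* CANCEL=local
P TP=* HOST=internal ACCESS=internal CANCEL=internal
P TP=RFCPROG HOST=10.18.4.7 ACCESS=internal CANCEL=internal
D TP=* HOST=*
"""


def parse_reg_info(text):
    """Return one dict per rule: {'action': 'P' or 'D', 'TP': ..., 'HOST': ..., ...}."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blanks and the VERSION header
            continue
        action, *tokens = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"unexpected rule line: {line!r}")
        fields = dict(tok.split("=", 1) for tok in tokens)
        rules.append({"action": action, **fields})
    return rules


def open_rules(rules):
    """Indices of permit rules with HOST=* (any host may register).

    Assumption for this audit: a permit rule without HOST is treated like HOST=*.
    """
    return [i for i, r in enumerate(rules)
            if r["action"] == "P" and r.get("HOST", "*") == "*"]


def audit(text):
    """Summarise a reg_info file: total rule count and the indices of open permits."""
    rules = parse_reg_info(text)
    return {"rules": len(rules), "open": open_rules(rules)}


if __name__ == "__main__":
    for name, text in (("open", OPEN_REG_INFO), ("hardened", HARDENED_REG_INFO)):
        print(name, audit(text))
```

Run the same check against sec_info (same rule syntax, with USER and USER-HOST instead of ACCESS) and against the message server ACL to cover all three entry points listed above.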

Our Securing SAP S/4HANA guide has a chapter dedicated to securing the message server, gateway and dispatcher. You can order the guide here. Or even better, join us at the SAP festival on June 6 at Tour & Taxis. The guide will be presented at our speakers' corner in the Data & Technology area.


Mark Mergaerts

Development Manager within Expertum Belgium