Roughly 90% of an estimated 1,000,000 SAP production systems could currently be at risk of being compromised by 10KBLAZE. Can you mitigate the risk?
During late April and early May 2019, there was extensive media coverage of SAP installations that may be affected by a set of exploits known as 10KBLAZE. Technically, 10KBLAZE does not exploit a vulnerability in the SAP software itself but an insecure configuration; nevertheless it affects a whole range of SAP applications, including SAP S/4HANA and basically every other SAP application based on the SAP NetWeaver stacks 7.0 to 7.52.
Recommendations on how to secure these SAP components properly have been available for more than ten years; however, only recent SAP S/4HANA and SAP NetWeaver releases enable these security measures by default. As a result, some researchers warn that nine out of ten SAP applications may be affected.
The attack requires nothing more than network connectivity to the affected services: no credentials and no prior access are needed. While there is usually no need to expose these SAP services to untrusted networks, several hundred of them are reportedly reachable from the Internet in the US alone. A successful exploit may fully compromise the SAP application, including the extraction, modification or even deletion of business data.
There are basically three components that are exposed to the 10KBLAZE exploits if not configured properly: the SAP Gateway, the SAP Message Server and the SAP Router.
A very clear set of instructions on how to mitigate the risks is published in Alert AA19-122A - New Exploits for Unsecure SAP Systems by the Cybersecurity and Infrastructure Security Agency (CISA).
There are basically two challenges. While fixing the issue is relatively simple, it can be hard to figure out which systems are affected if you run a large SAP landscape. Furthermore, the changes are just as easy to reverse, by mistake or by intention, as they are to apply. Tellingly, the first entry of the Gateway FAQ in the SAP wiki reads "Disabling Gateway Security".
For a lasting effect of security measures, Compliance Monitoring is vital. Syslink Xandria provides several monitoring functions that make sure you are not exposed to the risks of 10KBLAZE not only today, but also in the future.
Every day, Syslink Xandria verifies the configuration of every SAP Gateway and every SAP Message Server and alerts you if either has an unrestricted ACL or an insecure secinfo setting. This is done fully automatically and requires no configuration work. The pictures below show two examples; the first exposes a potential security threat:
In the second case there is a proper configuration in place:
When it comes to the SAP Router, an insecure configuration is not as easy to detect out of the box. But if your organization has a policy in place that prohibits the use of wildcards in the SAP Router route table, you can set up a custom monitor within minutes that exposes such tables.
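To illustrate what such checks look like, here is an added example in Python. It is not Syslink Xandria code and not taken from the CISA alert: it parses constructed sample contents of a gateway secinfo and reginfo file (version 2 syntax), a message server ACL file (the file named by the profile parameter ms/acl_info) and a SAP Router route table, and flags permit rules that leave the service open to any host. The sample rules, the file labels and the wording of the findings are assumptions made for this example.

```python
"""Added example: offline checks for the SAP configuration files behind 10KBLAZE.

Flags permit rules that leave the SAP Gateway, the SAP Message Server or the
SAP Router open to arbitrary hosts. All sample file contents are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Gateway secinfo (who may START which program): version 2 syntax, one rule
# per line, action (P=permit, D=deny) followed by KEY=VALUE pairs.
# A missing keyword is treated like '*'.
SAMPLE_SECINFO = """#VERSION=2
P TP=* USER=* HOST=* USER-HOST=*
P TP=sapxpg USER=* HOST=internal USER-HOST=internal
D TP=*
"""

# Gateway reginfo (who may REGISTER a server program at the gateway).
SAMPLE_REGINFO = """#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
P TP=saprfc_* HOST=internal ACCESS=internal CANCEL=internal
D TP=*
"""

# Message server ACL (ms/acl_info): one HOST=<pattern> line per host that
# may attach as an application server.
SAMPLE_MS_ACL_INFO = """HOST=*
"""

# SAP Router route table: <action> <source-host> <dest-host> <dest-service> [password]
SAMPLE_SAPROUTTAB = """# constructed route table
P * * *
P 10.1.1.0/24 sapapp01 3200
D * * *
"""

# (file label, line number, rule text, reason)
Finding = Tuple[str, int, str, str]


def _is_wildcard(value: Optional[str]) -> bool:
    """An absent keyword and '*' both mean 'any'."""
    return value is None or value == "*"


def parse_gateway_acl(text: str) -> List[Tuple[int, str, str, Dict[str, str]]]:
    """Return (lineno, rule, action, keywords) for each rule in a secinfo/reginfo file."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        keywords = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            keywords[key.upper()] = value
        rules.append((lineno, line, tokens[0].upper(), keywords))
    return rules


def check_gateway_acl(text: str, kind: str) -> List[Finding]:
    """Flag permit rules open to any caller (secinfo) or any registering host (reginfo)."""
    findings: List[Finding] = []
    for lineno, rule, action, kw in parse_gateway_acl(text):
        if action != "P":
            continue
        program = "any program" if _is_wildcard(kw.get("TP")) else f"program {kw['TP']}"
        if kind == "secinfo" and _is_wildcard(kw.get("USER-HOST")):
            findings.append((kind, lineno, rule, f"callers from any host may start {program}"))
        elif kind == "reginfo" and _is_wildcard(kw.get("HOST")):
            findings.append((kind, lineno, rule, f"any host may register {program}"))
    return findings


def check_ms_acl_info(text: str) -> List[Finding]:
    """Flag HOST=* entries, which let any host attach to the message server."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.upper().startswith("HOST=") and _is_wildcard(line[5:].strip()):
            findings.append(("ms_acl_info", lineno, line, "any host may attach as application server"))
    return findings


def check_saprouttab(text: str) -> List[Finding]:
    """Flag permit routes containing '*' (the no-wildcard policy described above)."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *fields = line.split()
        # P = permit, S = permit SNC-protected connections only (K* = SNC variants)
        if action.upper() in ("P", "S", "KP", "KS") and any("*" in f for f in fields[:3]):
            reason = "wildcard in permit route"
            if fields[:3] == ["*", "*", "*"]:
                reason = "permits every connection; later rules are never reached (first match wins)"
            findings.append(("saprouttab", lineno, line, reason))
    return findings


def audit_samples() -> List[Finding]:
    """Run all checks over the constructed sample files."""
    return (check_gateway_acl(SAMPLE_SECINFO, "secinfo")
            + check_gateway_acl(SAMPLE_REGINFO, "reginfo")
            + check_ms_acl_info(SAMPLE_MS_ACL_INFO)
            + check_saprouttab(SAMPLE_SAPROUTTAB))


if __name__ == "__main__":
    for label, lineno, rule, reason in audit_samples():
        print(f"{label}:{lineno}: {rule!r}: {reason}")
```

Run against the constructed samples, the script reports one finding per file: the catch-all permit in secinfo and reginfo, the HOST=* entry in the message server ACL, and the `P * * *` route that also makes the closing `D * * *` unreachable. The point of a check like this is that it runs every day against the actual files on every instance, so a rule that is re-added "temporarily" shows up the next morning.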
Beyond that, Syslink Xandria provides a whole range of additional functions for Compliance, Governance, Auditing and Security.
It is crucial to react to security threats like 10KBLAZE in a timely manner, in particular when the potential impact is as high as in this case. It is equally vital to make sure the applied measures remain in place. Syslink Xandria simplifies your life by automating this kind of Compliance and Security Monitoring to the largest possible extent.