10KBLAZE and SAP Security I: All Quiet on the Western Front

10KBLAZE and SAP SecuritySince May 2, 2019, the market for SAP security has known only one topic: the 10KBLAZE exploit toolkit, which has even prompted a warning from the U.S. Department of Homeland Security. Upon closer examination, however, it quickly becomes apparent that there’s not much news to report.

It starts with the security flaws that form part of the toolkit – SAP Gateway, for example, and the reginfo and secinfo files. The default setting of this file can actually be exploited by the 10KBLAZE toolkit and would then allow access to the operating system of the server on which SAP is running. What’s more, the host gets (almost) unlimited admin rights. This is highly dangerous, as failing to modify the files in question presents more than just a tiny back door; it’s practically a huge swinging gate that rolls out the red carpet for would-be hackers.

10KBLAZE: Focusing on SAP security

Meanwhile, this flaw has already been a known quantity for years. In 2012, SAP itself held a public demonstration of this potential exploit to show how important it was to address it as quickly as possible.

The fact that the researchers who discovered 10KBLAZE still managed to find more than a thousand vulnerable SAP routers in the United States (and over 700 in Germany) is definitely alarming, considered that this flaw has been well-known for more than seven years. That said, it’s important to keep these figures in perspective: SAP claims to have over 380,000 customers, after all. Even if you subtract its cloud and hosting customers, the number of exposed SAP installations likely corresponds to a single-digit percentage at most.

Still, there’s a very good reason to take the 10KBLAZE exploit seriously. Since it’s described as a toolkit system, the threat it presents is, of course, of an entirely different nature.

Fix the security flaws in SAP systems now and implement real-time monitoring

SAP customers should be sure to check whether their systems exhibit one of the security vulnerabilities in question (further information is available on the website of the U.S. Department of Homeland Security). If they do, simply modifying some parameters will unfortunately not always do the trick. The aforementioned secinfo file in particular (and the corresponding reginfo file) should be filled with host addresses that actually can access the SAP system in question. Finding out what these are, however, is often a complex affair.

This is where our SAST SUITE comes in, offering a series of modules that automatically test and assess your security status – and can also perform a general analysis of your SAP system’s security settings. You can also monitor your SAP system for security risks in real time. In other words, if someone tries to let 10KBLAZE loose in your system, SAST will make sure you’re the first to know.

Do you think these vulnerabilities might apply to you? Would you like to find out more about comprehensive protection of your SAP systems? Check out our SAST SOLUTIONS website or send us an e-mail at sast@akquinet.de.

Patrick Boch (Product Manager SAST SOLUTIONS)

Related articles in the SAST BLOG:

Study shows SAP systems especially prone to insider attacks

One step at a time: How to secure and harden your SAP Gateway