New Exploits for Unsecure SAP Systems

September 24, 2019 News, US-Cert Leave a comment

A presentation at the April 2019 Operation for Community Development and Empowerment (OPCDE) cybersecurity conference describes SAP systems with unsecure configurations exposed to the internet. Typically, SAP systems are not intended to be exposed to the internet, as it is an untrusted network. Malicious cyber actors can attack and compromise these unsecure systems with publicly available exploit tools, termed “10KBLAZE.” The presentation detailed the new exploit tools and reports on systems exposed to the internet. New Exploits for Unsecure SAP Systems - blackMORE Ops

SAP Gateway ACL

The SAP Gateway allows non-SAP applications to communicate with SAP applications using the Open Data Protocol (OData). If SAP Gateway access control lists (ACLs) are not configured properly (e.g., gw/acl_mode = 0), anonymous users can run operating system (OS) commands.[2] According to the OPCDE presentation, about 900 U.S. internet-facing systems were detected in this vulnerable condition.

SAP Router secinfo

The SAP router is a program that helps connect SAP systems with external networks. The default secinfo configuration for a SAP Gateway allows any internal host to run OS commands anonymously. If an attacker can access an SAP router, the router can act as an internal host and proxy the attacker’s requests, which may result in remote code execution.

According to the OPCDE presentation, 1,181 SAP routers were exposed to the internet. It is unclear if the exposed systems were confirmed to be vulnerable or were simply running the SAP router service.

SAP Message Server

SAP Message Servers act as brokers between Application Servers (AS). By default, Message Servers listen on a port 39XX and have no authentication. If an attacker can access a Message Server, they can redirect and/or execute legitimate man-in-the-middle (MITM) requests, thereby gaining credentials. Those credentials can be used to execute code or operations on AS servers (assuming the attacker can reach them). According to the OPCDE presentation, there are 693 Message Servers exposed to the internet in the United States.

Signature

CISA worked with security researchers from Onapsis Inc.[3] to develop the following Snort signature that can be used to detect the exploits:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:”10KBLAZE SAP Exploit execute attempt”; flow:established,to_server; content:”|06 cb 03|”; offset:4; depth:3; content:”SAPXPG_START_XPG”; nocase; distance:0; fast_pattern; content:”37D581E3889AF16DA00A000C290099D0001″; nocase; distance:0; content:”extprog”; nocase; distance:0; sid:1; rev:1;)

Check Also

SamSam Ransomware

SamSam Ransomware

The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the …

Unicornscan

Microsoft Operating Systems BlueKeep Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this Activity Alert to provide information on a vulnerability, known as “BlueKeep,” that exists in the following Microsoft Windows Operating Systems (OSs), including both 32- and 64-bit versions, as well as all Service Pack versions:

Use WordPress.com, Twitter, Facebook, or Google+ accounts to comment (anonymous comments allowed). Leave your solution to help others.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Designed by blackMORE Ops
© Copyright 2023, All Rights Reserved

Privacy Policy on Cookies Usage

Some services used in this site uses cookies to tailor user experience or to show ads.

Facebook