10KBLAZE: Protection from a Cyber Exploit With the Power to Burn Financial Statements

Critical Security Configuration Risk in Unprotected SAP Implementations

In April 2019, several new exploits targeting SAP® business applications were released in a public forum. Although the exploits target insecure configurations that have been reported by SAP SE and Onapsis in the past, their public release significantly increases the risk of successful cyberattacks against SAP implementations globally. Based on hundreds of SAP implementation assessments and the proprietary threat intelligence of Onapsis, we estimate these exploits could affect 9 out of 10 SAP systems of more than 50,000 customers worldwide. We recommend you review and apply all relevant SAP security notes immediately.

Given the criticality of the risk posed by 10KBLAZE and insights from our threat intelligence capabilities, Onapsis has decided to open-source components of The Onapsis Platform and make intrusion detection signatures immediately and freely available to all SAP customers. Further, Onapsis has coordinated a global response with international government authorities, global SAP service providers and leading cyber threat detection and incident response firms to enable detection, monitoring and remediation of affected organizations globally.

We have created a full threat report with information about how to determine if you are at risk and steps to take for remediation.

Frequently Asked Questions

About the CERT warning for SAP Systems

What is 10KBLAZE? What does it mean?

10KBLAZE is the name that Onapsis uses to refer to a set of publicly-released SAP exploits. The name was chosen given the high risk that these exploits carry to potentially affect critical business information and processes. The criticality of these business risks can lead to disclosure requirements to the U.S. Securities and Exchange Commission (SEC) in the annual financial reporting: the Form 10-K.

What is a US-CERT Alert and why is it important?

According to the US-CERT, “Alerts provide timely information about current security issues, vulnerabilities, and exploits.” These alerts are issued selectively by the Department of Homeland Security detailing specific risks and threats that could affect global organizations. Only a handful of alerts are issued on a yearly basis and only the most significant risks and threats are addressed through these alerts. This is the second alert of 2019 and the third alert about ERP applications since 2016.

What is the relation between 10KBLAZE and US-CERT Alert AA19-122A?

US-CERT Alert AA19-122A was created by the Department of Homeland Security due to the critical nature of the 10KBLAZE exploits, which were made publicly available on April 19th, 2019. The Alert was created to warn organizations about these exploits and to provide additional guidance around mitigation steps that should be taken in order to reduce the risk of exploitation and compromise of SAP data.

I’m an SAP customer, how do I need to react to this Alert?

The alert is especially important for SAP customers to understand how critical SAP configurations could be to their overall security posture if not properly maintained and secured. It is important to understand what the status quo is around SAP cybersecurity in your organization and get internal stakeholders aligned towards the goal of securing SAP applications.

I’m an SAP customer, how do I know if I’m affected by the issues highlighted in the Alert AA19-122A?

The exploits referenced in Alert AA19-122A affect SAP NetWeaver, the foundational platform for the most critical business applications organizations run. If your organization runs SAP ERP (ECC), SAP S/4HANA, SAP Solution Manager, the SAP Business Suite or any other NetWeaver-based system, you need to make sure the proper processes are in place to give your organization visibility and control over cybersecurity risks in its SAP applications.

What are the action items recommended by the US-CERT in Alert AA19-122A?

Based on the publicly available 10KBLAZE exploits, DHS provides additional details about the components that need to be secured, namely the Message Server and the SAP Gateway, and recommends the following to reduce the risk of exploitation of SAP applications:

  • Organizations must have the ability to secure the configuration of SAP applications which means visibility, monitoring and prevention capabilities on critical SAP configurations
  • Organizations must have visibility across SAP applications, especially of those that are internet facing, to detect and prevent security risks

Are there patches available for the threats highlighted by the US-CERT Alert AA19-122A?

The vulnerabilities highlighted by the Alert have been known for years and are documented by SAP through a number of SAP Security Notes, as listed in the references section of the alert. Organizations can leverage SAP Security Notes #1408081, #821875 and #1421005 for additional details about how to securely configure the SAP Message Server and the SAP Gateway.

I’m an Onapsis customer. Am I protected from the risks highlighted by the US-CERT Alert AA19-122A?

Yes, the Onapsis Security Platform offers organizations the opportunity to eliminate risks related to these exploits and misconfigurations in three ways:

  1. by determining their level of exposure
  2. by monitoring and detecting possible attacks using this exploit while misconfigurations are being addressed
  3. by adjusting their configurations and locking them in place to prevent exposure in the future

Why are so many organizations at risk of these vulnerabilities?

10KBLAZE and the accompanying US-CERT Alert AA19-122A are more evidence of the need for organizations to address cybersecurity across ERP applications in a programmatic way. Organizations need to give their IT Security departments governance and control of ERP risks, and give all internal teams visibility of them. Historically the security of ERP applications has been treated as a synonym for Segregation of Duties, roles and profiles, which left a gap between how ERP systems were actually secured and the security policies and guidelines IT Security defined for the rest of the organization.

My SAP system is continuously audited, why haven’t the risks highlighted in US-CERT Alert AA19-122A come up during my internal/external audits?

Traditional audits do not typically look into these types of risks. We anticipate external audit firms will extend their current controls (which are mostly related to Segregation of Duties) to address SAP cybersecurity risks in the near future. The status-quo is clearly not sustainable, as these risks can be exploited to modify financial information, steal sensitive data and disrupt business-critical processes. We highly recommend that organizations evaluate their internal audit process to ensure they are incorporating these additional types of controls and manage business risk appropriately in advance of this happening.

Why are you releasing this threat report? Why is there so much emphasis on this?

On April 23, 2019 the Onapsis Research Labs became aware that several new exploits targeting SAP Gateway and Message Server misconfigurations had been publicly released. These misconfigurations are known and have been reported by SAP® and Onapsis to customers via SAP Security Notes and Threat Advisories. The public release of these exploits significantly increases the likelihood that the risk materializes: both external and internal attackers (from state-sponsored groups to disgruntled employees) are now able to abuse these misconfigurations with high business impact. After analyzing hundreds of real SAP customer implementations, Onapsis found that around 90% of the SAP systems were vulnerable before the Onapsis risk assessment or Onapsis Security Platform implementation. The Onapsis team believes this risk is significant enough to bring public awareness to the issue and notify SAP customers of the hidden threat that might exist in their networks.

What systems are exposed?

All SAP NetWeaver Application Server (AS) and S/4HANA systems are potentially affected, because both the Message Server and the Gateway are present in every NetWeaver-based environment. Products affected include the SAP Business Suite, SAP ERP, SAP CRM, SAP S/4HANA, SAP Solution Manager, SAP GRC Process and Access Control, SAP Process Integration/Exchange Infrastructure (PI/XI), SAP SCM and SAP SRM, among others.

What is the business impact of a risk like 10KBLAZE in my organization?

Vulnerable SAP applications can be compromised by a remote unauthenticated attacker having only network access to the system (without the need for a valid SAP user ID and password). Attackers can obtain unrestricted access to SAP systems, enabling them to compromise the platform along with all of its information, modify or extract this information or shut the system down. Order-to-Cash, Procure-to-Pay, Inventory Management, Treasury, Tax, HR & Payroll, and any other business process handled by SAP, can be controlled, affecting the integrity of business information used to build the financial statements. A person abusing this vulnerability would be able to perform critical business transactions, including but not limited to:

  • Creating fake vendors
  • Creating fake employees
  • Creating/modifying purchase orders
  • Changing bank accounts
  • Paying any vendor or employee
  • Releasing shipments
  • Changing inventory data
  • Generating corrupted management reports
  • Bypassing automatic business controls

A person committing fraud this way would also be able to delete any records that prove their actions, so the fraud may never be detected.

Should my organization include this risk in our annual financial reporting?

This is a question executive management has to discuss with the Board and the independent auditor. If the risk is present in your organization, you should assess its materiality, likelihood of occurrence, and ability of detection with them. Ultimately, it will be up to the independent auditor to include 10KBLAZE as a risk to the integrity of the financial statements. Onapsis can only provide expert advice and support to management and auditors.

Who should be aware of this risk at my organization?

Management should be aware of this risk, starting with the CISO and CIO up to the CFO and CEO. Additionally, as a source of independent assurance, your internal audit team, and the head of Compliance and Audit should assess this risk from a business perspective to become advocates and present it to the Audit Committee as well.

Where can I find the patches released by SAP?

SAP organizations can protect themselves by applying the SAP Security Notes listed above (#1408081, #821875 and #1421005), which contain the mitigation steps for these misconfigurations (requires SAP login).

Would this be detected by my GRC solution / Segregation of Duties controls?

Unfortunately these misconfigurations are not detected by SAP GRC or SoD controls. Organizations will need to manually check for this or use an automated solution.

Would this be mitigated by IT General Controls?

Unfortunately these misconfigurations are not within the usual scope of IT General Controls. Even where IT General Controls are in a satisfactory state in your SAP ERP application, the presence of this risk is equivalent to a combination of several ITGC (IT General Controls) deficiencies. Based on our experience, the risks associated with 10KBLAZE are usually not included in traditional audits. We encourage internal and external auditors to include a risk assessment of 10KBLAZE as part of their IT General Control audits for SAP systems.

Is there a way to detect if my organization has been compromised through these attacks?

The Onapsis Security Platform is able to detect active exploitation of these vulnerabilities in SAP systems. If you are concerned that these vulnerabilities may have been targeted in your environment, please contact Onapsis for more details.

Why did you release open source signatures?

Due to the criticality of the risk posed by 10KBLAZE and insights from our threat intelligence capabilities, Onapsis decided to open-source components of its Onapsis Security Platform and make intrusion detection signatures immediately and freely available to all SAP customers. Further, Onapsis has coordinated a global response with international government authorities, global SAP service providers and leading cyber threat detection and incident response firms to enable detection, monitoring, and remediation of affected organizations globally.

Is it enough if I have the detection signature in my firewall?

Adding detection signatures to firewall solutions is important; however, your organization and systems will not be completely secure until you properly apply the related SAP Security Notes.

Have these vulnerabilities been compromised in any SAP customers?

Onapsis has no evidence of these vulnerabilities being exploited in the wild to date, but based on our field experience with customers, partners and prospects, we can confirm that around 90% of the SAP implementations we have assessed are vulnerable to the 10KBLAZE exploits. Moreover, as most organizations are not able to detect exploitation of these misconfigurations, a system compromise may go undetected.

About Onapsis’s SAP cybersecurity expertise

How many vulnerabilities in SAP NetWeaver has the Onapsis Research Labs helped SAP fix to date?

As the leading SAP partner in cybersecurity, Onapsis has reported over 400 security vulnerabilities in SAP NetWeaver to SAP and helped get them fixed.

How does the Onapsis Research Labs work with SAP?

When Onapsis Research Labs identifies a potential weakness, they immediately notify SAP so they can begin evaluating and preparing a patch for the reported misconfiguration and vulnerability. Onapsis Research Labs provides all necessary information to the vendor in order to confirm they have what they need to produce the patch. Onapsis never releases public information about a misconfiguration or vulnerability before it is patched by the vendor.

Are Onapsis customers protected from these vulnerabilities?

Yes, the Onapsis Security Platform offers organizations the opportunity to eliminate risks related to these exploits and misconfigurations in three ways:

  • by determining their level of exposure
  • by monitoring and detecting possible attacks using this exploit while misconfigurations are being addressed
  • by adjusting their configurations and locking them in place to prevent exposure in the future

How can I check if I currently have this misconfiguration in my SAP landscape?

For companies that are not Onapsis Security Platform (OSP) customers, Onapsis can provide a risk assessment to quickly determine whether they are vulnerable to this attack.
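The Security Notes named above describe how to lock down the Message Server and the Gateway; the following is an added example of a first-pass self-check, not Onapsis code and not taken from the alert. It reads an SAP instance profile and the Gateway ACL files (sec_info/reg_info) and flags the settings the 10KBLAZE exploits rely on being weak. The hardened values are the commonly published SAP guidance for these parameters (assumed to apply to your kernel release; confirm the effective values with RZ11), and the profile and ACL samples are constructed, including the `$(DIR_DATA)` paths and host names.

```python
"""Added example: offline check of the SAP profile parameters and ACL files
that 10KBLAZE abuses. Hardened values follow published SAP guidance
(assumption: supported by your kernel). All sample inputs are constructed."""
import re

# Parameter -> hardened value.
EXPECTED = {
    "gw/acl_mode": "1",    # deny any start/registration not permitted in sec_info/reg_info
    "gw/sim_mode": "0",    # enforce the ACLs instead of only logging violations
    "gw/monitor": "1",     # Gateway monitoring from the local host only
    "ms/monitor": "0",     # no remote Message Server monitoring
    "ms/admin_port": "0",  # no external Message Server admin port
}
# Parameters that must point at an ACL file for any restriction to exist at all.
ACL_FILE_PARAMS = ("gw/sec_info", "gw/reg_info", "ms/acl_info")
# Separate internal (application-server) Message Server port, so it can be firewalled.
INTERNAL_MS_PORT = "rdisp/msserv_internal"
ACL_RULE = re.compile(r"^([PD])\s+(.+)$")   # 'P' = permit, 'D' = deny (version-2 syntax)


def parse_profile(text):
    """Parse 'key = value' lines of an SAP instance profile ('#' starts a comment)."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def check_profile(params):
    """Return findings for a parsed profile; an empty list means nothing weak was found."""
    findings = []
    for key, want in EXPECTED.items():
        got = params.get(key)
        if got is None:
            findings.append(f"{key} not set explicitly; verify the effective value (RZ11)")
        elif got != want:
            findings.append(f"{key} = {got}, expected {want}")
    for key in ACL_FILE_PARAMS:
        if not params.get(key):
            findings.append(f"{key} not set: no ACL file, so any host may connect or register")
    if not params.get(INTERNAL_MS_PORT):
        findings.append(f"{INTERNAL_MS_PORT} not set: server traffic shares the client port")
    return findings


def parse_acl(text):
    """Parse a version-2 sec_info/reg_info file into (action, {FIELD: value}) rules."""
    rules = []
    for raw in text.splitlines():
        match = ACL_RULE.match(raw.strip())
        if not match:                      # blank lines, '#VERSION=2', comments
            continue
        fields = dict(tok.split("=", 1) for tok in match.group(2).split() if "=" in tok)
        rules.append((match.group(1), {k.upper(): v for k, v in fields.items()}))
    return rules


def check_acl(text, name):
    """Flag permit rules open to any host, or letting non-local hosts use any program."""
    findings = []
    for idx, (action, fields) in enumerate(parse_acl(text), 1):
        if action != "P":
            continue
        hosts = fields.get("HOST", "*").split(",")
        if "*" in hosts:
            findings.append(f"{name}: permit rule {idx} allows any host (HOST=*)")
        elif fields.get("TP") == "*" and not set(hosts) <= {"local", "internal"}:
            findings.append(f"{name}: permit rule {idx} lets {','.join(hosts)} use any program (TP=*)")
    return findings


# Constructed samples: a default-looking profile and reg_info next to a hardened pair.
WEAK_PROFILE = "SAPSYSTEMNAME = PRD\ngw/acl_mode = 0\ngw/monitor = 2\nms/monitor = 1\n"
HARDENED_PROFILE = """\
SAPSYSTEMNAME = PRD
gw/acl_mode = 1
gw/sim_mode = 0
gw/monitor = 1
gw/sec_info = $(DIR_DATA)$(DIR_SEP)sec_info
gw/reg_info = $(DIR_DATA)$(DIR_SEP)reg_info
ms/monitor = 0
ms/admin_port = 0
ms/acl_info = $(DIR_DATA)$(DIR_SEP)ms_acl_info
rdisp/msserv_internal = 3900
"""
WEAK_REG_INFO = "#VERSION=2\nP TP=* HOST=* ACCESS=* CANCEL=*\n"
HARDENED_REG_INFO = """\
#VERSION=2
P TP=SAPXPG_DBG HOST=internal ACCESS=internal CANCEL=internal
P TP=IGS.PRD HOST=igs01.example.com ACCESS=internal CANCEL=internal
D TP=* HOST=* ACCESS=* CANCEL=*
"""

if __name__ == "__main__":
    for label, prof, acl in (("weak", WEAK_PROFILE, WEAK_REG_INFO),
                             ("hardened", HARDENED_PROFILE, HARDENED_REG_INFO)):
        findings = check_profile(parse_profile(prof)) + check_acl(acl, "reg_info")
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it against a copy of the instance profile and the files named by gw/sec_info, gw/reg_info and ms/acl_info; a clean result only means the configuration matches the hardened values, it does not replace applying the Security Notes or restricting network access to the Gateway and Message Server ports.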

For more information contact us at [email protected].

Ready to eliminate your SAP cyber security blindspot?

Let us show you how simple it can be to protect your business applications.