The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this activity alert in response to recently disclosed exploits that target unsecure configurations of SAP components. [1]
A presentation at the April 2019 Operation for Community Development and Empowerment (OPCDE) cybersecurity conference describes SAP systems with unsecure configurations exposed to the internet. Typically, SAP systems are not intended to be exposed to the internet, as it is an untrusted network. Malicious cyber actors can attack and compromise these unsecure systems with publicly available exploit tools, termed "10KBLAZE." The presentation details the new exploit tools and reports on systems exposed to the internet.
The SAP Gateway allows non-SAP applications to communicate with SAP applications. If SAP Gateway access control lists (ACLs) are not configured properly (e.g., gw/acl_mode = 0), anonymous users can run operating system (OS) commands.[2] According to the OPCDE presentation, about 900 U.S. internet-facing systems were detected in this vulnerable condition.
The SAP router is a program that helps connect SAP systems with external networks. The default secinfo configuration for a SAP Gateway allows any internal host to run OS commands anonymously. If an attacker can reach a misconfigured SAP router, the router forwards the attacker's requests to the gateway from an internal address, so they pass the default secinfo check as if they came from an internal host, which may result in remote code execution.
According to the OPCDE presentation, 1,181 SAP routers were exposed to the internet. It is unclear if the exposed systems were confirmed to be vulnerable or were simply running the SAP router service.
SAP Message Servers act as brokers between Application Servers (AS). By default, Message Servers listen on port 39NN (NN is the instance number) and have no authentication. An attacker who can reach a Message Server can redirect legitimate requests through a host they control, performing a man-in-the-middle (MITM) attack and capturing credentials. Those credentials can then be used to execute code or operations on AS servers (assuming the attacker can reach them). According to the OPCDE presentation, there are 693 Message Servers exposed to the internet in the United States. In all releases, the Message Server ACL (ms/acl_info) is the customer's responsibility to configure; it is not secured by default.
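The three weaknesses above (an open gateway ACL mode, a secinfo that trusts every internal host, and a Message Server with no ACL and no split between its internal and public ports) can all be checked offline from an instance profile and a secinfo file. The Python script below is an added example written for this page, not CISA's, Onapsis's or SAP's code. It parses profile "parameter = value" lines and secinfo entries and reports the weak settings this alert names. It assumes the VERSION=2 secinfo line syntax (P or D for permit/deny, then TP=, USER=, USER-HOST= for the client host and HOST= for the host the program runs on, with * as a wildcard, "internal" meaning any application server of the system and "local" the gateway host); the profiles, hostnames, user name and ACL files are constructed for illustration.

```python
"""Offline check of an SAP instance profile and secinfo ACL for the weak
settings named in this alert: gw/acl_mode = 0, no gateway or Message
Server ACL files, and unsplit Message Server ports."""

# Constructed instance profile with the weak settings (not a real system).
WEAK_PROFILE = """\
# DEFAULT.PFL-style profile, constructed for this example
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
gw/acl_mode = 0
rdisp/msserv = 3600
"""

# The same profile with the alert's mitigations applied.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
gw/acl_mode = 1
gw/sec_info = $(DIR_DATA)/secinfo
gw/reg_info = $(DIR_DATA)/reginfo
ms/acl_info = $(DIR_DATA)/ms_acl_info
rdisp/msserv = 0
rdisp/msserv_internal = 3900
"""

# Constructed secinfo files in the assumed VERSION=2 syntax: P/D, TP=,
# USER=, USER-HOST= (client host), HOST= (execution host); '*' wildcard,
# 'internal' = any application server of the system, 'local' = gateway host.
WEAK_SECINFO = """\
#VERSION=2
P TP=* USER=* USER-HOST=internal HOST=internal
P TP=* USER=* USER-HOST=* HOST=*
"""
HARDENED_SECINFO = """\
#VERSION=2
P TP=* USER=* USER-HOST=local HOST=local
P TP=sapxpg USER=batchadm USER-HOST=appsrv01.corp.example HOST=local
D TP=* USER=* USER-HOST=* HOST=*
"""

def parse_profile(text):
    """Map 'parameter = value' lines to a dict; '#' starts a comment and a
    later assignment of the same parameter overrides an earlier one."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def audit_profile(params):
    """Return findings for the profile parameters this alert names."""
    findings = []
    acl_mode = params.get("gw/acl_mode")
    if acl_mode == "0":
        findings.append("gw/acl_mode=0: gateway lets anonymous callers start OS commands")
    elif acl_mode is None:
        findings.append("gw/acl_mode not set: set it to 1 explicitly instead of relying on the kernel default")
    for p in ("gw/sec_info", "gw/reg_info"):
        if p not in params:
            findings.append(f"{p} not set explicitly: confirm which ACL file the gateway loads")
    if "ms/acl_info" not in params:
        findings.append("ms/acl_info not set: Message Server accepts any host")
    if "rdisp/msserv_internal" not in params:
        findings.append("rdisp/msserv_internal not set: internal and public Message Server ports not split")
    if params.get("rdisp/msserv") != "0":
        findings.append("rdisp/msserv not 0: public Message Server port still served")
    return findings

def audit_secinfo(text):
    """Flag permit rules that let any client host, or any internal host,
    start any external program through the gateway."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *fields = line.split()
        if action != "P":
            continue
        kv = dict(f.split("=", 1) for f in fields if "=" in f)
        if kv.get("TP", "*") != "*":
            continue  # limited to one program; not a blanket rule
        client = kv.get("USER-HOST", "*")
        if client == "*":
            findings.append(f"secinfo line {n}: any host may start any program")
        elif client == "internal":
            findings.append(f"secinfo line {n}: any internal host may start any program "
                            "(a misconfigured SAP router makes an external attacker internal)")
    return findings

if __name__ == "__main__":
    for label, prof, sec in (("weak", WEAK_PROFILE, WEAK_SECINFO),
                             ("hardened", HARDENED_PROFILE, HARDENED_SECINFO)):
        print(label, audit_profile(parse_profile(prof)) + audit_secinfo(sec))
```

Run it against a copy of the real profile and secinfo to triage a landscape; the hardened sample produces no findings, the weak sample produces six profile findings and two secinfo findings. The internal-host rule is flagged deliberately: it is the default the alert describes, and it is exactly what a proxied SAP router request satisfies.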
CISA worked with security researchers from Onapsis Inc.[3] to develop the following Snort signature that can be used to detect the exploits:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"10KBLAZE SAP Exploit execute attempt"; flow:established,to_server; content:"|06 cb 03|"; offset:4; depth:3; content:"SAPXPG_START_XPG"; nocase; distance:0; fast_pattern; content:"37D581E3889AF16DA00A000C290099D0001"; nocase; distance:0; content:"extprog"; nocase; distance:0; sid:1; rev:1;)

Two points before deploying the rule: sid:1 falls in the range Snort reserves for distributed rules, so assign it a local SID (1000000 or above) in your rule set; and the third content match is a fixed string taken from the public exploit tool, so a modified tool that changes that value will not trigger the rule. The signature is a detection aid; the gateway and Message Server ACLs below are the fix.
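To show exactly what the signature keys on, the Python function below re-implements the rule's content checks (offset:4 and depth:3 on the three-byte marker, then the three case-insensitive strings in order with distance:0) and runs them over constructed payloads. This is an added example for this page, not code from CISA or Onapsis, and the packets are synthetic: the four-byte prefix, the filler bytes and the benign payload's alternative string are assumptions; only the strings the rule matches on are taken from the rule.

```python
"""Re-implementation of the 10KBLAZE Snort rule's content checks, run over
constructed payloads, to show what the signature does and does not match."""

MARKER = b"\x06\xcb\x03"                     # content:"|06 cb 03|"; offset:4; depth:3
ORDERED_STRINGS = (                           # each: nocase; distance:0
    b"SAPXPG_START_XPG",                      # RFC function that starts an external program
    b"37D581E3889AF16DA00A000C290099D0001",   # fixed string taken from the rule
    b"extprog",
)

def matches_10kblaze(payload: bytes) -> bool:
    """Return True if payload satisfies every content option of the rule."""
    # offset:4 depth:3 restricts the search window to bytes 4..6, and a
    # three-byte pattern can only sit at the start of a three-byte window.
    if payload[4:7] != MARKER:
        return False
    haystack = payload.lower()    # nocase applies to the remaining contents
    pos = 7                       # distance:0 -> search after the previous match
    for needle in ORDERED_STRINGS:
        idx = haystack.find(needle.lower(), pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True

def scan(flows):
    """Return the names of the constructed flows the rule would alert on."""
    return [name for name, payload in flows if matches_10kblaze(payload)]

# Constructed packets, not captured traffic. The 4-byte prefix and the
# filler bytes are assumptions; only the matched strings come from the rule.
PREFIX = b"\x00\x00\x00\x60" + MARKER + b"\x00" * 9

# Strings in the rule's order; mixed case still matches because of nocase.
EXPLOIT = (PREFIX + b"sapxpg_start_xpg" + b"\x00" * 4
           + b"37D581E3889AF16DA00A000C290099D0001" + b"\x00" * 4
           + b"EXTPROG" + b"\x00id\x00")

# Same function module, but without the tool's fixed string (constructed value).
BENIGN = (PREFIX + b"SAPXPG_START_XPG" + b"\x00" * 4
          + b"5A1F0C2E9B7D4F3A8C6E1B0D2F4A6C8E0" + b"\x00" * 4
          + b"extprog" + b"\x00id\x00")

# All strings present, but 'extprog' before the fixed string: distance:0 fails.
REORDERED = (PREFIX + b"SAPXPG_START_XPG" + b"\x00extprog\x00"
             + b"37D581E3889AF16DA00A000C290099D0001" + b"\x00" * 4)

# Marker present but shifted by one byte: offset:4/depth:3 no longer covers it.
SHIFTED = b"\x00" + EXPLOIT

FLOWS = [("exploit", EXPLOIT), ("benign", BENIGN),
         ("reordered", REORDERED), ("shifted", SHIFTED)]

if __name__ == "__main__":
    print(scan(FLOWS))    # ['exploit']
```

The "benign" case is the one to keep in mind when tuning: SAPXPG_START_XPG is a legitimate function module, and the rule only distinguishes the exploit by the fixed string that follows it, so coverage depends on the attacker using the unmodified tool.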
CISA recommends administrators of SAP systems implement the following to mitigate the vulnerabilities included in the OPCDE presentation:

- Use access control lists when configuring SAP Gateways (gw/acl_mode and secinfo) and Message Servers (ms/acl_info).[4], [5]
- Split the Message Server internal and public ports (rdisp/msserv=0 and rdisp/msserv_internal=39NN).[6]
- Do not expose the Message Server internal port (tcp/39NN) to clients or the internet.

References:
[1] Dmitry Chastuhin and Mathieu Geli, "(SAP) Gateway to Heaven," OPCDE 2019: https://github.com/comaeio/OPCDE/tree/master/2019/Emirates/(SAP)%20Gateway%20to%20Heaven%20-%20Dmitry%20Chastuhin%2C%20Mathieu%20Geli
[2] SAP: Gateway Access Control Lists: https://wiki.scn.sap.com/wiki/display/SI/Gateway+Access+Control+Lists
[3] Onapsis: https://www.onapsis.com/
[4] SAP Note 1408081: https://launchpad.support.sap.com/#/notes/1408081
[5] SAP Note 1421005: https://launchpad.support.sap.com/#/notes/1421005
[6] SAP Note 821875: https://launchpad.support.sap.com/#/notes/821875
May 2, 2019: Initial version