New Exploits for Unsecure SAP ... Note

New Exploits for Unsecure SAP Systems

The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding exploits targeting insecure SAP configurations. These vulnerabilities, detailed at a cybersecurity conference, allow attackers to compromise internet-exposed SAP systems. A primary concern is the SAP Gateway's Access Control List (ACL) if misconfigured, enabling anonymous OS command execution. Approximately 900 U.S. internet-facing systems were identified as potentially vulnerable in this manner. Another vulnerability lies with the SAP Router's secinfo configuration, which can allow anonymous internal host command execution. Over a thousand SAP routers were found exposed online, though their specific vulnerability status is unconfirmed. SAP Message Servers, acting as brokers, also pose a risk without proper authentication, potentially enabling man-in-the-middle attacks. Over 600 U.S. internet-exposed Message Servers were detected, which could lead to credential theft and code execution. CISA, in collaboration with Onapsis Inc., developed a Snort signature to detect these exploits. Administrators are strongly advised to secure SAP configurations by restricting access to Message Servers and Gateways. Properly configuring ACL files and reviewing SAP Notes are crucial mitigation steps. Furthermore, ensuring SAP components are not exposed to the internet or are adequately secured is paramount.