Last week, on May 2, 2019, Reuters reported that over 50,000 companies are exposed to hacks of ‘business critical’ SAP systems, and that with certain new exploits a hacker could steal anything that sits on a company’s SAP systems, modify any information in order to commit financial fraud or withdraw money, or simply sabotage and disrupt the systems.
ZDNet also suggests that 9 out of 10 SAP production systems are believed to be vulnerable to the new exploits, which are publicly available.
But what do the FUD and the scary numbers flying around actually mean for SAP customers in South Africa?
Long before the FUD, in late April 2019, two exploits based on the research of Dmitry Chastuhin and Mathieu Geli were presented and publicly released at the OPCDE security conference in Dubai. These exploits do not take advantage of software vulnerabilities; they abuse misconfigured SAP NetWeaver installations (including S/4HANA) whose Access Control Lists for the Gateway or the Message Server are too permissive.
How do I find out if my SAP installation is part of the “50,000 hackable customers”?
Whilst SAP-specific TCP SYN scans can help detect the presence of a particular SAP service, such as the SAP Gateway, SAP Router or SAP Message Server, behind a given port, an open port DOES NOT imply that the service is affected. Such scans can, however, help quantify the external threat and show that backend servers, which usually hold sensitive data, can be exposed to the internet.
To find out whether you are indeed one of the “9 out of 10 SAP systems” believed to be susceptible to these newly released exploits, you can run a quick in-house self-assessment as described below:
- Gateway threat
You can check your whole landscape with the public SAP Gateway RCE exploit code, for instance by trying to execute the OS command whoami. (The code is open source under the GPL v2 license; authors Dmitry Chastuhin (@_chipik) and Mathieu Geli (@gelim).) Keep in mind that even a harmless command such as whoami is still remote code execution on the SAP host, so only run it against systems you are authorized to test.
- Message Server threat
Assessing this one is trickier, as the “be_trusted” PoC is not 100% reliable and may have side effects on Logon Group availability. We strongly advise against testing it on production systems.
If you really want to demonstrate it during a black-box assessment, choose a landscape that is not user-facing.
For a white-box assessment, you can assume the issue exists if all of the following conditions are met:
- The file pointed to by the ms/acl_info profile parameter contains HOST=*
- The Message Server internal port (tcp/39NN) is reachable from the user VLAN
- The Gateway port (tcp/33NN) is reachable from the user VLAN
You can also use the ms_dump_info.py and ms_dump_param.py scripts from SecureAuth’s Martin Gallo (shipped as examples with pysap) to remotely read profile parameters through the Message Server internal port.
If you have now concluded that your systems are affected, you need to remediate. Take the steps below:
- Gateway
- Secure your Gateway ACLs (the files pointed to by the profile parameters gw/sec_info and gw/reg_info) with the help of SAP Note 1408081
- Filter access to the Gateway port (tcp/33NN) from untrusted sources
- Message Server
- Implement a secure Message Server ACL in the file pointed to by the profile parameter ms/acl_info, restricting registration to the authorized hosts within the SAP server VLAN. See SAP Notes 821875 and 1421005
- Filter access to the Message Server internal port (tcp/39NN) of all your SAP instances from untrusted sources
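To tie the white-box assessment conditions and the remediation steps together, here is an added example script (written for this page, not the researchers’ exploit code nor anything from SAP or pysap). It parses a gw/sec_info file and a ms/acl_info file, flags permit entries that accept any host, derives the 33NN/39NN ports from the instance number and combines that with a TCP connect probe from wherever you run it (ideally the user VLAN). The secinfo “#VERSION=2” line layout, the ms/acl_info “HOST=<pattern>” layout, the treatment of a missing HOST key as “any host”, and all host names and sample files are assumptions constructed for the example.

```python
"""
Offline check for the two 10KBLAZE preconditions: a permissive Gateway ACL
(gw/sec_info) or Message Server ACL (ms/acl_info), combined with reachability
of the Gateway (33NN) and Message Server internal (39NN) ports.
Added example, not code from the page or from SAP. Line formats are assumptions:
  secinfo v2 : "P|D KEY=VALUE KEY=VALUE ..." after a "#VERSION=2" header
  ms_acl_info: "HOST=<hostname|ip pattern|*>" per line
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample files (hypothetical, not from any real system).
WEAK_SECINFO = "#VERSION=2\nP TP=* USER=* USER-HOST=* HOST=*\n"
HARDENED_SECINFO = (
    "#VERSION=2\n"
    "P TP=* USER=* USER-HOST=internal HOST=internal\n"
    "P TP=* USER=* USER-HOST=local HOST=local\n"
)
WEAK_MS_ACL = "HOST=*\n"
HARDENED_MS_ACL = (
    "# only this system's application servers may register\n"
    "HOST=sapapp01.corp.example\n"
    "HOST=sapapp02.corp.example\n"
    "HOST=10.10.20.*\n"
)


@dataclass
class Finding:
    line_no: int
    line: str
    reason: str


def _host_is_open(pattern: str) -> bool:
    """True when the HOST pattern matches every client ('*', '*.*.*.*', ...).
    Keywords like 'internal'/'local' and concrete names or subnets are not open."""
    p = pattern.strip().lower()
    return p != "" and p.replace(".", "").replace("*", "") == ""


def check_secinfo(text: str) -> List[Finding]:
    """Flag permit (P) entries that accept any HOST or USER-HOST.
    Assumption: a permit line without a HOST key is treated as HOST=*."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].upper() != "P":
            continue  # deny (D) lines are never a problem
        kv = dict(t.split("=", 1) for t in parts[1:] if "=" in t)
        for key in ("HOST", "USER-HOST"):
            if _host_is_open(kv.get(key, "*")):
                findings.append(Finding(no, line, f"permit entry with {key}={kv.get(key, '* (missing)')}"))
                break
    return findings


def check_ms_acl(text: str) -> List[Finding]:
    """Flag ms/acl_info lines that let any host register as an application server."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.upper().startswith("HOST=") and _host_is_open(line.split("=", 1)[1]):
            findings.append(Finding(no, line, "any host may register as application server"))
    return findings


def instance_ports(instance_no: int) -> Dict[str, int]:
    """Gateway tcp/33NN and Message Server internal tcp/39NN for instance NN."""
    nn = f"{instance_no:02d}"
    return {"gateway": int("33" + nn), "ms_internal": int("39" + nn)}


def port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect probe from the network you run this on (e.g. user VLAN)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess_instance(secinfo: str, ms_acl: str, host: str, instance_no: int,
                    probe: Callable[[str, int], bool] = port_reachable) -> Dict:
    """Combine ACL findings with port exposure, following the page's conditions:
    Gateway at risk = permissive secinfo AND 33NN reachable;
    Message Server at risk = HOST=* in ms/acl_info AND 39NN AND 33NN reachable."""
    ports = instance_ports(instance_no)
    gw_open = probe(host, ports["gateway"])
    ms_open = probe(host, ports["ms_internal"])
    gw_findings, ms_findings = check_secinfo(secinfo), check_ms_acl(ms_acl)
    return {
        "ports": ports,
        "findings": gw_findings + ms_findings,
        "gateway_at_risk": bool(gw_findings) and gw_open,
        "message_server_at_risk": bool(ms_findings) and ms_open and gw_open,
    }


if __name__ == "__main__":
    # Offline demo: pretend both ports answer from the user VLAN.
    result = assess_instance(WEAK_SECINFO, WEAK_MS_ACL, "sapapp01.corp.example", 0,
                             probe=lambda h, p: True)
    for f in result["findings"]:
        print(f"line {f.line_no}: {f.line!r}: {f.reason}")
    print("gateway at risk:", result["gateway_at_risk"],
          "| message server at risk:", result["message_server_at_risk"])
```

Run it with the real files copied from the instance profile directory and the real host and instance number, and drop the `probe=` override so the TCP connect actually happens from the user VLAN. A clean result only means these two conditions are not met; it is not a substitute for applying the SAP Notes above.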