Almost 50,000 companies that run SAP software are at risk of data breaches, new research has claimed.
A report from security researchers at Onapsis found new ways of exploiting vulnerabilities of systems that have not been properly protected.
The vulnerabilities, and the tools, have been published online. Onapsis is calling the exploits 10KBLAZE, because of the threat they pose to “business-critical applications”.
SAP said it published guidelines on how to properly set up the system in 2013, but Onapsis says 90 per cent of systems aren’t doing it properly.
“Basically, a company can be brought to a halt in a matter of seconds,” said Onapsis Chief Executive Mariano Nunez, whose company specializes in securing business applications such as those made by SAP and rival Oracle.
“With these exploits, a hacker could steal anything that sits on a company’s SAP systems and also modify any information there – so he can perform financial fraud, withdraw money, or just plainly sabotage and disrupt the systems.”
SAP said: “SAP always strongly recommends to install security fixes as they are released.”
Security experts are saying that such attacks could be ‘hugely damaging’ for everyone involved. SAP’s customers collectively distribute 78 per cent of the world’s food, according to Reuters, and 82 per cent of global medical devices.
Following the release of the article, SAP has reached out with a statement which we share below, in full:
"SAP is aware of recent reports about vulnerabilities in SAP Gateway and Message Server, however these have been patched by SAP a few years ago. Security notes 821875,1408081 and 1421005 released in 2009 and 2013 will protect the customer from these exploits. As always, we strongly advise our customers to apply these security notes immediately and ensure secure configuration of their SAP landscape.
SAP takes the security of customer data seriously. The recommendations published in the white papers A Practical Guide for Securing SAP® Solutions and Securing Remote Function Calls (RFC) emphasizes secure configuration of SAP landscape. Customers can enable related security checks in the EarlyWatch Alert (note 863362) and the SAP Security Optimization Service (https://support.sap.com/sos)
SAP stands for secure and reliable software solutions. As the global leader in business software, SAP has based its development processes on a comprehensive security strategy (“Prevent – Detect – React”) across the enterprise that relies on trainings, tools and processes to enable the delivery of secure products and services.
Image Credit: Balefire / Shutterstock