The Cybersecurity and Infrastructure Security Agency (CISA), a division of the Department of Homeland Security, issued an alert on May 2 warning of exploits in SAP software systems that had been brought to the agency’s attention. A presentation at the 2019 Operation for Community Development and Empowerment conference for cybersecurity revealed that persistent misconfigurations would expose Internet-facing SAP solutions to potential attacks. The exploit would allow hackers to connect to SAP software remotely with external applications and seize control of server data.
SAP 10KBLAZE Exploit
The misconfigurations that create the 10KBLAZE exploit in SAP has been known of for at least 10 years. The vulnerability is not technically present in SAP code, but rather in the SAP NetWeaver platform that integrates all of their enterprise applications. Cybersecurity firm Onapsis claims that the exploit is present in 9 out of 10 of every SAP system deployed worldwide.
The vulnerability affects several SAP products, including SAP S/4HANA, SAP ERP, SAP PLM, SAP CRM, SAP HCM, SAP SCM and SAP BI. Most of the vulnerable systems are the same that appeared in a previous CISA alert released three years ago, and a similar misconfiguration was also brought to light by Onapsis and digital risk management firm, Digital Shadows, last year.
Legacy ERP – SAP, Oracle, Microsoft and More
Last year’s exploit alert highlighted the liabilities of using misconfigured legacy systems, including enterprise applications made by SAP, Oracle, Microsoft and other big-name publishers. Many older software products are being redeployed as cloud solutions to compete with more modern innovations, yet reconfiguring a system that was not designed from the ground up to be protected against external access is complicated. The situation with SAP NetWeaver illustrates how easy it is for a single flaw to appear in a critical component and compromise the entire suite.
Cloud ERP Security
Software hosted in the cloud is a different beast from traditional deployments, which could rely on living in a single physical space as a security measure. Cloud ERP requires more active monitoring as well as informed users to maintain information security best practices. This is especially true for legacy ERP systems reconfigured for cloud connectivity, which – as demonstrated by these many SAP alerts – often have gaps in their architecture appear when granting access to the Internet.
Learn How to Secure Your ERP Against Vulnerability Exploits
Legacy ERP software often still deliver value to businesses in fulfilling their core functionality purposes. Yet publishers will continue to push outdated systems towards cloud capabilities they were not built for, so the burden of network security will fall on the user side to maintain.
Read these security tips for small business cloud software to learn how you can protect your investment in technology using SMB-level resources.
