New vulnerabilities in business-critical SAP applications could expose more than 50,000 enterprises to hackers unless customers take security measures seriously
Security researchers have found new risks in business-critical SAP applications. As a result, almost 50,000 companies running SAP software could be at greater risk of being hacked, and the researchers have published tools that could be used against SAP systems that have not been properly protected.
The issue concerns the way SAP applications talk to one another inside a company, according to Mathieu Geli, a security consultant with Sogeti and one of the researchers who developed the exploits released last month. Without the correct security settings, an SAP application can be tricked into treating an attacker's system as another SAP product and sharing data and access with it. Geli said he created the exploits to prove the danger of the vulnerabilities, and that the objective of releasing them online was to help experts test the security of SAP systems.
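The trust problem described above comes down to two access-control lists that SAP administrators have to configure: the Gateway ACLs (secinfo and reginfo), which decide who may start or register an RFC server through the gateway, and the Message Server ACL, which decides which hosts may join the system as application servers. The following is an added example, not code from the article, from Sogeti or from Onapsis: a small audit script that reads an SAP instance profile and a reginfo file and reports the permissive settings that the exploits rely on. The parameter names (gw/acl_mode, gw/sec_info, gw/reg_info, ms/acl_info, ms/monitor) are SAP's own, as cited in the public 10KBLAZE guidance; the two profiles and two reginfo files in the block are constructed for illustration and describe no real system.

```python
"""Audit an SAP instance profile and reginfo ACL for the Gateway and
Message Server settings whose misconfiguration the 10KBLAZE exploits abuse.

Added example, not from the article, Sogeti or Onapsis. Parameter names are
SAP's; all sample inputs below are constructed.
"""

# Parameter -> (why it matters, predicate that is True when the value is safe)
CHECKS = {
    "gw/acl_mode": ("1 = gateway rejects starts/registrations not allowed by ACLs",
                    lambda v: v == "1"),
    "gw/sec_info": ("secinfo ACL: who may start which program via the gateway",
                    lambda v: v != ""),
    "gw/reg_info": ("reginfo ACL: who may register an external RFC server",
                    lambda v: v != ""),
    "ms/acl_info": ("Message Server ACL: which hosts may join as app servers",
                    lambda v: v != ""),
    "ms/monitor":  ("0 = external clients cannot administer the Message Server",
                    lambda v: v == "0"),
}


def parse_profile(text):
    """Parse 'key = value' lines of a pf-style profile; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def audit_profile(text):
    """Return a list of findings; an empty list means every check passed.

    An absent parameter is reported because older kernels defaulted to a
    permissive setting. Newer kernels ship some of these with secure
    defaults, so confirm a 'not set' finding against the kernel release.
    """
    params = parse_profile(text)
    findings = []
    for name, (why, is_safe) in CHECKS.items():
        if name not in params:
            findings.append(f"{name} not set ({why})")
        elif not is_safe(params[name]):
            findings.append(f"{name}={params[name]} is weak ({why})")
    return findings


def audit_reginfo(text):
    """Flag permit lines that let any host register any program.

    reginfo (version 2) syntax: 'P TP=<prog> HOST=<hosts> ACCESS=<hosts>'
    permits, 'D ...' denies. 'TP=* HOST=*' is the wildcard that lets a
    remote attacker register as a trusted RFC server.
    """
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("P "):
            continue
        fields = dict(tok.split("=", 1) for tok in line[2:].split() if "=" in tok)
        if fields.get("TP", "*") == "*" and fields.get("HOST", "*") == "*":
            flagged.append(line)
    return flagged


# Constructed sample inputs, not real profiles or ACLs.
WEAK_PROFILE = """\
SAPSYSTEMNAME = PRD
gw/acl_mode = 0          # accept whatever the ACL files do not forbid
ms/monitor = 1
# gw/sec_info, gw/reg_info and ms/acl_info left unset
"""

HARDENED_PROFILE = """\
SAPSYSTEMNAME = PRD
gw/acl_mode = 1
gw/sec_info = $(DIR_DATA)/secinfo
gw/reg_info = $(DIR_DATA)/reginfo
ms/acl_info = $(DIR_DATA)/ms_acl_info
ms/monitor = 0
"""

WEAK_REGINFO = """\
#VERSION=2
P TP=* HOST=* ACCESS=*
"""

HARDENED_REGINFO = """\
#VERSION=2
P TP=rfcexec HOST=app01.corp.example ACCESS=internal,local
D TP=* HOST=*
"""

if __name__ == "__main__":
    for label, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, "profile:", audit_profile(prof) or "OK")
    for label, acl in (("weak", WEAK_REGINFO), ("hardened", HARDENED_REGINFO)):
        print(label, "reginfo:", audit_reginfo(acl) or "OK")
```

Run against the constructed weak profile, the script reports five findings (the permissive acl_mode and monitor values plus the three missing ACL parameters) and flags the wildcard reginfo line; the hardened pair passes cleanly. In practice the values to check are the effective ones shown in transaction RZ11 or by sappfpar, since a parameter set in the default profile can be overridden in the instance profile.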
SAP, for its part, said it always strongly recommends installing security fixes as soon as they are released, and that customer security is a priority. It is also the responsibility of the customer to ensure that recommended fixes are implemented when they are released. “Security is a collaborative process, so our customers and partners need to safeguard their systems as well,” it said in a statement.
SAP's software is used by more than 90 percent of the world's top 2,000 companies. It runs core business processes, managing everything from employee payrolls to product distribution and industrial processes. The applications therefore sit behind products that play a huge role in the global market: SAP's website indicates that its customers collectively distribute 78 percent of the world's food and 82 percent of global medical devices.
According to data compiled by security firm Onapsis, 90 percent of affected SAP systems had not been properly protected, even though SAP, the German software giant, proactively issued guidance on mitigating the risk when such issues first came up in 2009 and 2013. Attacks using these exploits, experts say, could be debilitating for the affected companies and their networks.
Onapsis specializes in securing business applications made by SAP and other vendors such as Oracle. “Basically, a company can be brought to a halt in a matter of seconds,” said Mariano Nunez, Chief Executive of Onapsis. “With these exploits, a hacker could steal anything that sits on a company’s SAP systems and also modify any information there – so he can perform financial fraud, withdraw money, or just plainly sabotage and disrupt the systems.” Researchers at Onapsis named the exploits “10KBLAZE”, after the threat they pose to “business-critical applications” which, if hacked, could result in “material misstatements” in U.S. financial filings; hence the reference to the 10-K. Going forward, Onapsis would help identify vulnerabilities and share them with other security vendors, Nunez said, in order to help secure all SAP users against known and yet undiscovered vulnerabilities.