Security researchers have discovered new ways to exploit vulnerabilities in SAP software which could leave up to 50,000 companies, that haven’t properly protected their systems, at greater risk of being hacked.
The German software giant SAP previously released guidance on how to correctly configure the security settings of its software back in 2009 and 2013. However, data compiled by the security firm Onapsis has revealed that 90 percent of the affected SAP systems have not been properly protected.
The firm’s chief executive Mariano Nunez provided further insight into the risk organizations face by not configuring the security settings of their SAP software correctly, saying:
“Basically, a company can be brought to a halt in a matter of seconds. With these exploits, a hacker could steal anything that sits on a company’s SAP systems and also modify any information there – so he can perform financial fraud, withdraw money, or just plainly sabotage and disrupt the systems.”
SAP responded to Onapsis’ findings by saying that “SAP always strongly recommends to install security fixes as they are released.”
SAP software flaw
SAP software is currently used by more than 90 percent of the world’s top 2,000 companies to handle everything from employee payrolls to product distribution and industrial processes.
According to security experts, an attack on those systems could have huge implications both for the victim organization as well as the wider supply chain. For instance, SAP customers collectively distribute 78 percent of the world’s food and 82 percent of global medical devices.
Mathieu Geli, security consultant at Sogeti, was one of the researchers who developed the exploits released online last month and according to him, the issue concerns the way SAP applications talk to one another inside a company. If a company’s security settings are not configured correctly, a hacker could trick an application into thinking they are another SAP product to gain full access without having to login.
Onapsis’ researchers have named the exploits “10KBLAZE” because of the threat they pose to “business-critical applications”. Luckily though, the company has said that it will share its ability to detect the vulnerabilities with other security vendors to help secure all SAP users against any potential attacks.