Friday, 05/03/2019 4:52:57 PM

50,000 enterprise firms running SAP software vulnerable to attack

https://www.zdnet.com/article/50000-enterprise-firms-running-sap-software-vulnerable-to-attack/?ftag=COS-05-10aaa0g&utm_campaign=trueAnthem%3A+Trending+Content&utm_content=5ccc9a5edf42390001117c81&utm_medium=trueAnthem&utm_source=twitter

9 out of 10 SAP production systems are believed to be vulnerable to new exploits.

Up to 50,000 enterprises that have adopted SAP solutions may be susceptible to cyberattacks due to new exploits targeting configuration flaws in the software, researchers say.

According to the cybersecurity team from the Onapsis Research Labs, exploits dubbed 10KBlaze which target two technical components of SAP software have been recently released and can lead to the "full compromise" of SAP applications.

In a report detailing the exploits, Onapsis said such compromises include the deletion of business-critical application data, as well as the theft or modification of sensitive information.

The "10KBlaze" tools could also be used to create new users with arbitrary privileges, to perform business functions such as creating new vendors or purchase orders -- in other words, to commit financial fraud -- and to gain access to SAP databases or disrupt business operations.

Without any form of authentication, remote attackers only need some technical knowledge and network connectivity to the vulnerable system to perform an attack.

All SAP NetWeaver Application Server (AS) and S/4HANA systems, as they use an Access Control List in Gateway and a Message Server, may be at risk. The researchers say that the following applications, among others, are impacted:
• SAP S/4HANA
• SAP Enterprise Resource Planning (ERP)
• SAP Product Lifecycle Management (PLM)
• SAP Customer Relationship Management (CRM)
• SAP Human Capital Management (HCM)
• SAP Supply Chain Management (SCM)
• SAP Supplier Relationship Management (SRM)
• SAP NetWeaver Business Warehouse (BW)
• SAP Business Intelligence (BI)
• SAP Process Integration (PI)
• SAP Solution Manager (SolMan)
• SAP Governance, Risk & Compliance 10.x (GRC)
• SAP NetWeaver ABAP Application Server 7.0 - 7.52

The exploits do not rely on core vulnerabilities in SAP code. Rather, errors in SAP NetWeaver installation administrative configuration and settings can be used to compromise applications.

According to Onapsis, up to 50,000 companies and a collective one million systems using SAP NetWeaver and S/4HANA are misconfigured. The team estimates that 90 percent of SAP systems in use by the enterprise may be vulnerable.

"If these configurations are not secured, as recommended by SAP (easier to do during implementation and GoLive process), [the] recently published exploits can be used against affected companies," Onapsis says.

SAP has previously released guidelines in 2005, 2009, and 2010 to customers which describe how to properly set up application configuration to prevent exploit. It is recommended that IT teams check their builds immediately to ensure they are protected.

"SAP always strongly recommends to install security fixes as they are released," SAP said.
==================================================================
'WITHOUT ANY FORM OF AUTHENTICATION'!! That seems like the biggest problem over software problems! Wave VSC 2.0 for cloud applications for SAP could fix the major part of this problem!!! 50,000 enterprises could benefit by having Wave VSC 2.0 and for other reasons as well as having 2FA for SAP apps!!! The government has used this technology (Wave VSC 2.0) with no known complaints, and a leading global financial services company tested it (won the competitive evaluation against market leader in two factor authentication tokens) and signed a 5 year master license agreement! These companies could benefit by having better security at less than half the cost!!!
==================================================================
https://www.wavesys.com/

https://www.wavesys.com/products/wave-virtual-smart-card

Excerpt:

What can it be used for?

What do you use your smart card for today? With the exception of keying open the door at work, Wave Virtual Smart Card can perform any of the services or applications you rely on your smart card for today. Secure VPN, WiFi, remote desktop, cloud applications – it can all be done with a virtual smart card.