SAP’s AI Core Platform Exposed to Multiple Vulnerabilities
SAP’s AI Core platform, a service in the SAP Business Technology Platform, has been found to carry multiple vulnerabilities that could have allowed threat actors to steal access tokens and sensitive customer information, experts have warned.
About AI Core
AI Core is a service designed to support the execution and operation of predictive artificial intelligence (AI) workflows in a standardized and scalable way. It was built to integrate with other SAP solutions, allowing AI functions to be implemented using open-source frameworks.
Vulnerabilities Discovered
Wiz, a cybersecurity firm, discovered five flaws in the AI Core platform, which they have dubbed “SAPwned.” These vulnerabilities could have allowed attackers to access customers’ data and contaminate internal artifacts, spreading to related services and other customers’ environments.
Consequences of the Vulnerabilities
The researchers explained that attackers could have stolen credentials for customers’ Amazon Web Services (AWS) instances, Microsoft Azure, and SAP HANA Cloud. Furthermore, the vulnerabilities allowed attackers to modify Docker images or artifacts in the SAP Artifactory, which could have been used in supply chain attacks.
Additionally, SAPwned could have been leveraged to gain admin access to SAP AI Core’s Kubernetes cluster. This access level would have allowed attackers to directly access other customers’ Pods and steal sensitive data, such as models, datasets, and code. This access also would have allowed attackers to interfere with customers’ Pods, taint AI data, and manipulate models’ inference.
Discovery and Patching
The researchers tipped SAP off in late January 2024, and the company came back with a patch in mid-May. Wiz confirmed that no customer data was compromised by the flaws, suggesting that the researchers found the vulnerabilities before any malicious groups.
Conclusion
The discovery of these vulnerabilities serves as a reminder of the importance of regular security audits and patches. It is crucial for organizations to stay vigilant and proactive in addressing potential security threats to protect their customers’ data and systems.
FAQs
Q: What is SAP AI Core?
A: SAP AI Core is a service in the SAP Business Technology Platform designed to support the execution and operation of predictive artificial intelligence (AI) workflows in a standardized and scalable way.
Q: What are the vulnerabilities in SAP AI Core?
A: Wiz discovered five flaws in the AI Core platform, which they have dubbed “SAPwned.” These vulnerabilities could have allowed attackers to access customers’ data and contaminate internal artifacts, spreading to related services and other customers’ environments.
Q: What were the consequences of the vulnerabilities?
A: The vulnerabilities could have allowed hackers to steal credentials to people’s Amazon Web Services (AWS) instances, Microsoft Azure, and SAP HANA Cloud. Additionally, they could have been used to modify Docker images or artifacts on the SAP Artifactory, gain admin access to SAP AI Core’s Kubernetes cluster, and interfere with customers’ Pods.
Q: Was any customer data compromised?
A: No, Wiz confirmed that no customer data was compromised by the flaws, suggesting that the researchers found the vulnerabilities before any malicious groups.
Q: Has SAP patched the vulnerabilities?
A: Yes, SAP patched the vulnerabilities in mid-May 2024 after being tipped off by Wiz in late January 2024.