Multiple vulnerabilities in SAP AI Core had been identified, giving malicious actors access to customer data and the ability to take control of the service.
With SAP AI Core, users may leverage the company’s extensive cloud resources to create, train, and operate AI services in a scalable and controlled manner.
The customer’s code operates inside SAP’s common environment, much like other cloud providers (and AI infrastructure suppliers) do. This presents a risk of cross-tenant access.
“ The vulnerabilities we found could have allowed attackers to access customers’ data and contaminate internal artifacts – spreading to related services and other customers’ environments”, Wiz Research Team shared with Cyber Security News.
Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo
Findings Into SAP AI Core
Research on SAP AI Core, dubbed “SAPwned,” began by utilizing SAP’s infrastructure to conduct legitimate AI training techniques.
Researchers could move laterally and take over the service by executing arbitrary code.
They obtained credentials to customers’ cloud environments, including AWS, Azure, SAP HANA Cloud, and more, as well as access to their private data.
The primary cause of these issues was attackers’ ability to execute malicious AI models and training procedures, which are effectively code.
Vulnerabilities Detected
Despite the fact that SAP’s admission controller eliminated every risky security setting, experts discovered two intriguing configurations that the admission controller overlooked.
An access token to the cluster’s centralized Istiod server was obtained, granting access to the Istio configuration. Finally using the power of 1337 to bypass the network restrictions.
After requesting to inspect Loki’s configuration via the /config path, the complete setup, including the AWS secrets that Loki needed to access, was sent back via the API.
Moreover, massive volumes of AI data, including code and training datasets, sorted by customer ID have been revealed by AWS Elastic File System (EFS) instances.
The internal Docker Registry and Artifactory are compromised via an unauthenticated Helm server.
Here, an attacker might examine internal builds and images using the read access provided by these secrets, potentially capturing client data and commercial secrets.
Also, an attacker could undertake a supply-chain attack against SAP AI Core services by compromising builds and images by leveraging the write access granted by the secrets.
Finally, an unauthorized Helm server was found to be infecting the K8s cluster, revealing Google access tokens and confidential client information.
The SAP access key increases the scope of a possible supply-chain attack by granting read and write access.
As stated on their website, SAP has recognized that all vulnerabilities have been disclosed to and addressed by their security team. There was no compromise of customer information.
The attack’s impact might have been reduced by hardening the internal services, and the severity might have gone down from a full-service takeover to minor security events.
Additionally, suitable barriers must be in place to guarantee that untrusted code is kept apart from other tenants and internal resources.
Join our free webinar to learn about combating slow DDoS attacks, a major threat today.