SAP: Today in Edworking News, we delve into “SAPwned”—a critical set of vulnerabilities in SAP AI Core uncovered by Wiz Research. These flaws exposed customers’ cloud environments and private AI artifacts, allowing attackers to potentially take over the service and access sensitive data.
Overview
Over the last few months, the Wiz Research Team conducted an in-depth investigation into tenant isolation across various AI service providers, uncovering critical vulnerabilities in SAP AI Core. These weaknesses allow malicious actors to take control of the service, access customer data, and propagate across interconnected systems. As AI infrastructures increasingly permeate business environments, recognizing these vulnerabilities is essential for ensuring security. The research, named ‘SAPwned,’ reveals how attackers could exploit these flaws and underscores the urgent need for stronger isolation and sandboxing protocols in AI model operations.
Unveiling the Research
SAP AI Core enables users to develop, train, and deploy AI services using SAP’s cloud infrastructure. However, executing customer code in a shared environment introduces inherent risks.

Our investigation began by leveraging basic customer permissions to create AI projects. We utilized an Argo Workflow file to initiate a Kubernetes Pod, running our code within the Pod and bypassing the network restrictions imposed by the Istio proxy sidecar.
Exploit #1: Overcoming Network Restrictions
Although protections were in place through an admission controller, we identified certain configurations that were not restricted. By leveraging the shareProcessNamespace and runAsUser settings, we gained access to Istio’s configuration and obtained an access token for the cluster’s centralized Istiod server. This provided us with network access, which we used to scan the Pod’s internal network.
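A defensive check for the two settings named above, as an added example that is not code from the original research or from SAP: it audits a tenant-submitted Pod spec, before sidecar injection, the way an admission policy could. The UID 1337 is Istio's default proxy UID and is not stated on this page; the function names and sample specs are constructed for illustration.

```python
# Assumption: the mesh uses Istio's default proxy UID. Traffic from this UID
# is exempt from sidecar redirection, so tenant containers must never run as it.
ISTIO_PROXY_UID = 1337
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def effective_uid(pod_ctx, container):
    """UID a container will run as: its own runAsUser overrides the Pod-level one.
    Returns None when neither is set (the image's USER applies, which a static
    check cannot see)."""
    ctx = container.get("securityContext") or {}
    uid = ctx.get("runAsUser")
    return uid if uid is not None else pod_ctx.get("runAsUser")


def find_violations(pod_spec):
    """Return the reasons a tenant-submitted Pod spec (dict) should be rejected."""
    reasons = []
    # Sharing the process namespace lets a tenant container see sidecar processes.
    if pod_spec.get("shareProcessNamespace") is True:
        reasons.append("shareProcessNamespace=true")
    pod_ctx = pod_spec.get("securityContext") or {}
    for field in CONTAINER_FIELDS:
        for container in pod_spec.get(field) or []:
            if effective_uid(pod_ctx, container) == ISTIO_PROXY_UID:
                reasons.append(
                    f"{field}/{container.get('name')}: runAsUser={ISTIO_PROXY_UID}"
                )
    return reasons


# Constructed sample: Pod-level UID 1337 is inherited by "debug" only,
# because "train" overrides it with its own runAsUser.
SAMPLE_REJECTED = {
    "shareProcessNamespace": True,
    "securityContext": {"runAsUser": 1337},
    "containers": [
        {"name": "train", "securityContext": {"runAsUser": 1000}},
        {"name": "debug"},
    ],
}
# Constructed sample: nothing shared, no container resolves to the proxy UID.
SAMPLE_ALLOWED = {
    "securityContext": {"runAsUser": 1000},
    "containers": [{"name": "train"}],
}

if __name__ == "__main__":
    for name, spec in (("rejected", SAMPLE_REJECTED), ("allowed", SAMPLE_ALLOWED)):
        print(name, find_violations(spec))
```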
Exploit #2: Loki Exposes AWS Credentials
An instance of Grafana Loki on the cluster exposed AWS secrets used for accessing S3, granting access to extensive logs from AI Core services and customer Pods.
Edworking identified six publicly configured AWS Elastic File System (EFS) instances, enabling unauthorized access to AI data, including training datasets and code organized by customer ID.
Exploit #4: Unsecured Helm Server
The Helm server Tiller (version 2) was exposed without authentication, exposing secrets to SAP’s Docker Registry and Artifactory server. Attackers could exploit this vulnerability to read or modify internal images and access customers’ commercial secrets.
Exploit #5: Full Control Over Cluster
The Helm server permitted both read and write operations, enabling a full cluster takeover. This exposure gave attackers access to sensitive customer data, models, datasets, and more.

Additionally, customer secrets stored across AWS, SAP HANA, and Docker Hub were left exposed and accessible.
Actionable Insights
Edworking Research highlights several critical insights:
- The importance of defense-in-depth strategies: Relying solely on perimeter defenses, such as Istio, proved inadequate once these defenses were bypassed.
- The need to address tenant isolation weaknesses in Kubernetes-managed services, which allow logical connections between the control and data planes.
- The necessity of implementing guardrails in AI model training to prevent untrusted code from accessing internal assets and impacting other tenants.
Conclusion
The findings of the “SAPwned” research expose critical vulnerabilities within SAP AI Core, revealing the dangers of insufficient isolation and the risks posed by shared environments.
With AI infrastructures rapidly becoming integral to business operations, these vulnerabilities highlight the urgent need for comprehensive security measures. The exploits uncovered in our investigation demonstrate how attackers can bypass protections, gain access to sensitive data, and potentially take full control of cloud environments.
Moving forward, organizations must prioritize defense-in-depth strategies, addressing weaknesses in tenant isolation and implementing stronger guardrails for AI model operations. Ensuring that AI systems are both secure and isolated is essential to safeguarding customer data and protecting against future breaches. By understanding these vulnerabilities and taking actionable steps, businesses can significantly enhance their security posture in an increasingly complex AI-driven landscape.