SAP security holes raise questions about the rush to AI

Cloud security firm Wiz has published a detailed report about SAP security holes, now patched, that raises alarming questions about the secondary role AI efforts are having on cybersecurity defenses.

Cloud security firm Wiz has probed SAP defenses as part of its tenant isolation research on AI service providers, and on Wednesday published a lengthy list of shortcomings. SAP says that they fixed all of the problems before Wiz published.

Most deal with either a lack of meaningful segmentation or network components trusting other components without any authentication — a violation of the basic tenet of Zero Trust. Although AI played a minor role in the problems, some have pointed to the report as further evidence that the rush to GenAI deployments is undermining basic cybersecurity protections.

“We believe these (SAP) services are more susceptible to tenant isolation vulnerabilities because, by definition, they allow users to run AI models and applications – which is equivalent to executing arbitrary code,” the Wiz report said.

“As AI infrastructure is fast becoming a staple of many business environments, the implications of these attacks are becoming more and more significant. The AI training process requires access to vast amounts of sensitive customer data, which turns AI training services into attractive targets for attackers. SAP AI Core offers integrations with S/4HANA and other cloud services, to access customers’ internal data via cloud access keys. These credentials are highly sensitive.”

Alarming holes

Given how widely deployed SAP systems are within enterprises, and how integrated SAP is with so many other enterprise-level applications and cloud environments, Wiz said the holes were especially alarming.

“By executing arbitrary code, we were able move laterally and take over the service – gaining access to customers’ private files, along with credentials to customers’ cloud environments: AWS, Azure, SAP S/4HANA Cloud, and more,” the report said. “The vulnerabilities we found could have allowed attackers to access customers’ data and contaminate internal artifacts – spreading to related services and other customers’ environments.”

The Wiz report noted that researchers were able to access and often able to modify Docker images on SAP internal container registry, SAP’s Docker images on Google Container Registry, and SAP’s internal Artifactory server. They also gained cluster administrator privileges on SAP AI Core’s Kubernetes cluster, as well as gaining full access to a variety of SAP customers’ cloud credentials and private AI artifacts.

Risks involved in the rush to AI

Analysts and industry AI specialists found little surprising in the findings, but did agree that this should be a stark reminder that AI deployments need to be carefully and strictly scrutinized and managed by CISO teams.

“There is this rush to deploy (AI) and security is an afterthought until something bad happens,” said Michelle Abraham, the IDC senior research director for security and trust.

Vaibhav Malik, the architect leader at Cloudflare, said that although AI may not be the direct cause of the SAP holes that were discovered, the mechanisms needed for GenAI rollouts often undermine defenses.

“The vulnerabilities discovered in SAP AI Core are unfortunately not surprising to me. In my experience working on enterprise AI initiatives, I’ve observed a concerning trend where the rapid adoption of AI technologies often outpaces the implementation of robust security measures,” Malik said. “The ability to run arbitrary code for AI model training inherently creates a complex isolation problem. Traditional sandboxing techniques often fall short in AI environments. I’ve seen multiple cases where seemingly isolated environments were compromised due to overlooked interconnections or misconfigurations.”

Malik also noted that the ability described in the Wiz report to poison artifacts or compromise internal registries “highlights a critical weakness in many AI pipelines. In my experience, securing the entire AI supply chain — from data ingestion to model deployment — is an area where many organizations have significant blind spots.”

Forrester Research reached similar conclusions.

The Wiz report “is mostly comprised of issues related to configuration and infrastructure that could jeopardize data in any cloud instance of any type. Based on the writeup, these are issues related to infrastructure configured or implemented improperly in SAP’s AI Core offering. As a result, this could impact cloud infrastructure and the data it houses,” said Jeff Pollard, Forrester VP and principal analyst.

“The issues are real and correct,” he added. “Better isolation such as microsegmentation using Zero Trust, and better configurations and implementations would’ve prevented this.”

Another consultant, Three Arc Advisory President Meghan Anzelc, said that CISOs need to focus on the intersection of technology between AI and cybersecurity.

“AI cybersecurity issues are a combination of different areas of expertise not partnering appropriately upfront,” Anzelc said. “Data scientists are typically curious and creative, and many have no understanding of information security or cybersecurity issues and best practices. At the same time, you have traditional IT architecture and InfoSec teams who may not have ever worked with data scientists before, and are struggling with their needs for large data volumes, access to a wide range of data sources, often including sensitive information.

“You also have executives pushing to move quickly on AI, sometimes at organizations that have no internal AI or data science expertise, sometimes at organizations that have no or limited expertise in the particular cloud services needed. It’s a tricky combination.”

SUBSCRIBE TO OUR NEWSLETTER