Wiz Research Uncovers Critical Flaws in SAP AI, Risking Customer Data and Cloud Security

Wiz Research uncovers critical vulnerabilities in SAP AI Core, potentially exposing customer data and cloud environments to malicious actors. The research reveals that executing arbitrary code through AI training procedures allowed lateral movement and service takeover, granting access to sensitive customer files and cloud credentials.

Key findings: Wiz researchers gained privileged access to SAP AI Core’s internal assets by exploiting vulnerabilities, enabling them to:

  • Read and modify Docker images on SAP’s internal container registry and Google Container Registry
  • Access and modify artifacts on SAP’s internal Artifactory server
  • Obtain cluster administrator privileges on SAP AI Core’s Kubernetes cluster
  • Retrieve customers’ cloud credentials and private AI artifacts

Vulnerability chain: The attack began by bypassing network restrictions enforced by an Istio proxy sidecar. This provided access to several internal services that lacked additional authentication:

  • Grafana Loki leaked AWS secrets used to access S3 buckets containing customer logs
  • Unauthenticated EFS shares exposed vast amounts of customer AI data
  • An unauthenticated Helm server allowed compromising SAP’s internal Docker registry, Artifactory, and the Kubernetes cluster

Broader implications: The research highlights the unique challenges of securing AI services, where executing arbitrary code is part of the standard training process. It demonstrates the importance of defense-in-depth and the pitfalls of perceiving internal networks as inherently trusted. Appropriate guardrails must be implemented to properly isolate untrusted AI workloads from internal assets and other tenants.

SAP addressed all reported vulnerabilities in cooperation with Wiz Research. The disclosure process spanned from January to July 2024.

SAPwned: SAP AI vulnerabilities expose customers’ cloud environments and private AI artifacts
