SAP AI Core Vulnerabilities Allowed Service Takeover, Customer Data Access

SAP’s AI Core service was until recently affected by vulnerabilities that could have allowed attackers to take over the service and access customer data, cloud security giant Wiz reported on Wednesday.

Part of the SAP Business Technology Platform, SAP AI Core enables users to develop, train and run AI services. It can be integrated with SAP and other cloud services for access to the customer’s data. 

Wiz discovered a total of five bugs, which it reported to SAP in January and February. The enterprise software giant released patches for all of the flaws on May 15. 

The security holes, dubbed SAPwned by Wiz, enabled the firm’s researchers to execute arbitrary code, move laterally, and take control of the service, which gave them access to customer data, including credentials for their AWS, Azure and SAP cloud environments. 

“The vulnerabilities we found could have allowed attackers to access customers’ data and contaminate internal artifacts – spreading to related services and other customers’ environments,” Wiz explained.

The company’s researchers managed to read and modify Docker images on SAP’s internal container registry and on Google’s container registry, read and modify artifacts on SAP’s Artifactory server, and gain cluster admin privileges on the AI Core Kubernetes cluster.

“The root cause of these issues was the ability for attackers to run malicious AI models and training procedures, which are essentially code,” the security firm said.  

It’s worth noting that conducting such an attack required basic permissions on SAP’s platform. 

Related: Google in Advanced Talks to Buy Wiz for $23B: WSJ Report

Related: Wiz Raises $1 Billion at $12 Billion Valuation

Related: Vulnerability Allowed Takeover of AWS Apache Airflow Service
