Security News > 2024 > July > SAP AI Core Vulnerabilities Expose Customer Data to Cyber Attacks
Cybersecurity researchers have uncovered security shortcomings in SAP AI Core cloud-based platform for creating and deploying predictive artificial intelligence workflows that could be exploited to get hold of access tokens and customer data.
"The vulnerabilities we found could have allowed attackers to access customers' data and contaminate internal artifacts - spreading to related services and other customers' environments," security researcher Hillai Ben-Sasson said in a report shared with The Hacker News.
They could also be used to modify Docker images on SAP's internal container registry, SAP's Docker images on the Google Container Registry, and artifacts hosted on SAP's internal Artifactory server, resulting in a supply chain attack on SAP AI Core services.
The access could be weaponized to gain cluster administrator privileges on SAP AI Core's Kubernetes cluster by taking advantage of the fact that the Helm package manager server was exposed to both read and write operations.
As a result, a threat actor could create a regular AI application on SAP AI Core, bypass network restrictions, and probe the Kubernetes Pod's internal network to obtain AWS tokens and access customer code and training datasets by exploiting misconfigurations in AWS Elastic File System shares.
"Regulated data makes up more than a third of the sensitive data being shared with generative AI applications - presenting a potential risk to businesses of costly data breaches," the company said.
News URL
https://thehackernews.com/2024/07/sap-ai-core-vulnerabilities-expose.html
Related news
- CUPS vulnerabilities could be abused for DDoS attacks (source)
- 20% of Generative AI ‘Jailbreak’ Attacks Succeed, With 90% Exposing Sensitive Data (source)
- From Misuse to Abuse: AI Risks and Attacks (source)
- Researchers Uncover Vulnerabilities in Open-Source AI and ML Models (source)
- AIs Discovering Vulnerabilities (source)
- AI-Assisted Attacks Top Cyber Threat For Third Consecutive Quarter, Gartner Finds (source)
- OvrC Platform Vulnerabilities Expose IoT Devices to Remote Attacks and Code Execution (source)
- Google's AI-Powered OSS-Fuzz Tool Finds 26 Vulnerabilities in Open-Source Projects (source)