Static encryption keys affect SAP security

Yesterday, Dmitry Chastukhin, Director of Professional Services at ERPScan, presented a report on the latest SAP security trends at the Black Hat Sessions conference in the Netherlands. He covered multiple problems related to encryption algorithms and static keys used by SAP in their products.

Latest findings show that the focus of research is shifting from old systems such as SAP NetWeaver ABAP and SAP NetWeaver JAVA to new applications based on SAP HANA and SAP Mobile platforms. Compared with the last few years, both types of systems have an increasing number of identified vulnerabilities. But what is more important is that they have highly critical design issues and use default keys to encrypt important data such as passwords, secure storages, and backups.

Speaking about the HANA platform, Dmitry explained its encryption weaknesses and how it’s vulnerable to SQL Injection.

SAP HANA is a recent key product of SAP. It is a software solution based on the in-memory technology, which provide a considerable increase in the speed of data processing. This product has obviously caused an initial excitement among large enterprises interested in processing their data in real time. There are more than 815,000 active users of SAP HANA, according to SAP.

The key SAP HANA element is the eponymous database called SAP HANA. A typical SAP HANA installation also includes multiple additional modules and services: a built-in application server called SAP Extended Services (XS Engine), an application development environment, and a revision control repository.

XS Engine and the built-in development environment provide an opportunity to write applications in the XS JavaScript language for working with the HANA database. XS JavaScript is HANA’s version of Server-Side JavaScript based on the SpiderMonkey engine. Thus, in addition to the classic database security issue that is SQL Injections, XSS attacks have also become highly critical because they allow executing JavaScript code in the context of the attacked user’s rights.

The SAP HANA database holds the bulk of its data in memory for maximum performance, but it still uses persistent disk storage to provide a fallback in case of failure. Data is automatically saved from memory to disk at regular savepoints. The data belonging to a savepoint represents a consistent state of the data on disk and remains so until the next savepoint operation is completed, according to SAP Security Guide. It means that some data is stored on the file system, and an attacker can get access to these data.

People think that SAP HANA, as an in-memory database, doesn’t store any sensitive data on hard drive. The reality is not that nice. Some data is actually stored on the disk, according to Alexander Polyakov, CTO of ERPScan. “For example, some technical user accounts and passwords along with keys for decrypting savepoints are kept in a storage named hdbuserstore. This storage is a simple file on the disk. It is encrypted using the 3DES algorithm with a static master key. Once you get access to this file and decrypt it with the static master key, which is the same on every installation, you have system user passwords and disk encryption keys. After that, you can get access to all data. According to our consulting services, 100 % of customers we analyzed still use the default master key to encrypt hdbuserstore,” Polyakov added.

SAP has provided guidelines stipulating that the master key should be changed, and SAP Security Notes say the same. But, unfortunately, very few customers follow those recommendations. SAP recommends to:

• Change the SSFS master key using the rsecssfx tool
• Change the data volume encryption root key using the hdbnsutil tool
• Change the data encryption service root key using the hdbnsutil tool
• Restrict access to the key file
• Restrict access to the DAT file.

There are some vulnerabilities published by ERPScan and presented at the conference that allow getting access to SAP HANA. One of these vulnerabilities, an SQL Injection in SAP HANA XS Server, is patched by SAP Security Note 2067972.

Static key encryption is not just SAP HANA’s issue. SAP Mobile Platform has a similar problem. Application passwords are stored in encrypted form with a known static key. One of the vulnerabilities highlighted at Black Hat Sessions (XXE ) can be used to get access to the configuration file that stores a password and decrypt it if the default encryption key is used.

The trend of hardcoded values such as passwords and password keys continues in SAP NetWeaver ABAP, the default platform for SAP ERP system that is used in more than 30000 organizations worldwide. On the 9th of June, SAP released patches for two vulnerabilities in SAP ERP related to hardcoded passwords in some modules.