SAP HANA security: Static encryption keys as the latest trend

Het persbericht dat ERPscan publiceerde naar aanleiding van de lezing van Dmitry Chastuhin, director of security consulting bij ERPscan, over SAP HANA tijdens ons security congres 'Black Hat Sessions' op 18 juni jl.

Today Dmitry Chastukhin, Director of Professional Services at ERPScan, presented a report on the latest SAP security trends at the Black Hat Sessions conference in the Netherlands. It covers multiple problems related to encryption algorithms and static keys affecting SAP HANA Security and other SAP products such as SAP Mobile Platform.

Latest findings show that the focus of research is shifting from old systems such as SAP NetWeaver ABAP and SAP NetWeaver JAVA to new applications based on SAP HANA and SAP Mobile platforms. Compared with the last few years, both types of systems (HANA and Mobile) have an increasing number of identified vulnerabilities. But what is more important is that they have highly critical design issues and use default keys to encrypt valuable data such as passwords, secure storages, and backups.

Speaking about the SAP HANA Security, Dmitry explained its encryption weaknesses and how it is vulnerable to SQL Injection.

SAP HANA is a recent key product of SAP. It is a software solution based on the in-memory technology, which provides a considerable increase in the speed of data processing. This product has obviously caused an initial excitement among large enterprises interested in processing their data in real time. According to Business Insider, SAP HANA is implemented in more than 6400 companies, mainly in Manufacturing, Finance, IT, Utilities, and Retail industries. There are more than 815,000 active users of SAP HANA, SAP says. The security of the critical data that companies entrust to SAP HANA must receive priority attention.

The key SAP HANA element is the eponymous database called SAP HANA. A typical SAP HANA installation also includes multiple additional modules and services: a built-in application server called SAP Extended Services (XS Engine), an application development environment, and a revision control repository.

XS Engine and the built-in development environment provide an opportunity to write applications in the XS JavaScript language for working with the HANA database. XS JavaScript is HANA's version of Server-Side JavaScript based on the SpiderMonkey engine. Thus, in addition to the classic database security issue that is SQL Injections, XSS attacks have also become highly critical because they allow executing JavaScript code in the context of the attacked user's rights.

The SAP HANA database holds the bulk of its data in memory for maximum performance, but it still uses persistent disk storage to provide a fallback in case of failure. Data is automatically saved from memory to disk at regular savepoints. The data belonging to a savepoint represents a consistent state of the data on disk and remains so until the next savepoint operation is completed, according to SAP HANA Security Guide. It means that some data is stored on the file system, and an attacker can get access to these data.

People think that SAP HANA, as an in-memory database, doesn't store any sensitive data on hard drive. The reality is not that nice. Some data is actually stored on the disk. For example, some technical user accounts and passwords along with keys for decrypting savepoints are kept in a storage named hdbuserstore. This storage is a simple file on the disk. It is encrypted using the 3DES algorithm with a static master key. Once you get access to this file and decrypt it with the static master key, which is the same on every installation, you have system user passwords and disk encryption keys. After that, you can get access to all data. According to our consulting services, 100 % of customers we analyzed still use the default master key to encrypt hdbuserstore, – says Alexander Polyakov, CTO of ERPScan.

SAP has provided SAP HANA Security guidelines stipulating that the master key should be changed, and SAP Security Notes state the same. But, unfortunately, very few customers follow those recommendations, as it usually is. SAP recommends to:

- Change the SSFS master key using the rsecssfx tool
- Change the data volume encryption root key using the hdbnsutil tool
- Change the data encryption service root key using the hdbnsutil tool
- Restrict access to the key file
- Restrict access to the DAT file

There are some vulnerabilities published by ERPScan and presented at the conference that allow getting access to SAP HANA. One of these vulnerabilities, an SQL Injection vulnerability in SAP HANA XS Server, is patched by SAP Security Note 2067972. Detailed information can be found here.

If we can discover these types of issues in SAP's code, imagine how many similar issues can be found in custom applications developed by 3rd parties or by in-house developers, who are much less aware of secure development and can make more mistakes.

Static key encryption is not just SAP HANA's issue. SAP Mobile Platform has a similar problem. Application passwords are stored in encrypted form with a known static key. One of the vulnerabilities highlighted at Black Hat Sessions (XXE ) can be used to get access to the configuration file that stores a password and decrypt it if the default encryption key is used.

The trend of hardcoded values such as passwords and password keys continues in SAP NetWeaver ABAP, the default platform for SAP ERP system that is used in more than 30000 organizations worldwide. On the 9th of June, SAP released patches for two vulnerabilities in SAP ERP related to hardcoded passwords in some modules: /advisories/erpscan-15-016-sap-netweaver-hardcoded-credentials/ and /advisories/erpscan-15-015-sap-netweaver-hardcoded-credentials/

Static keys and weak encryption algorithms are a very widespread problem in enterprise business applications such as ERP systems. Recently, our researchers have found a critical vulnerability in token generation for Oracle PeopleSoft HRMS. More than 200 publicly available systems were vulnerable to this attack. Moreover, such vulnerabilities as FREAK and BEAST also affect ERP systems. Just a week ago, SAP released patches for FREAK vulnerability affecting SAP HANA security,
– adds Alexander Polyakov.

Obviously, more and more security issues require additional configuration now. One thing is to make a secure product, but another thing is to implement it securely, taking into account its complexity and customization.

@Secura 2018
Webdesign Studio HB / webdevelopment Medusa