SAP’s in-memory relational database management system, HANA, contains a whopper of a security weakness: a default encryption key guarding passwords, stored data and backups.
Researchers from ERPScan, which recently uncovered serious configuration vulnerabilities in Oracle PeopleSoft products, on Thursday presented their findings on SAP systems during the Black Hat Sessions conference in Amsterdam.
The HANA system is marketed by SAP as a platform converging application and database capabilities in memory, speeding up the performance of transactions, analytics and other processing duties central to business tasks carried out by SAP. HANA was launched four years ago, and is considered one of SAP’s flagship products moving forward.
Alexander Polyakov, chief technology officer of ERPScan, told Threatpost that an attacker could use a SQL injection, directory traversal, XML external entity attack or exploit another web-based vulnerability in order to remotely execute code. Since the encryption key is static and the same for every SAP HANA installation by default, an attacker with access would be able to read an encrypted data store.
Polyakov said the issue lies with the fact that admins rely on the password protecting system and rarely change the encryption key.
“The software ships with a default configuration and the user can actually change this configuration as it says in the security guide. But this document is quite complex (170 pages),” Polyakov said.
Researcher Dmitry Chastuhin shared not only the encryption vulnerability but also a SQL injection bug in Hana XS Server, which has since been patched by SAP. The company said it has more than 6,400 HANA customers.
ERPScan said that users may be living under the false sense of security that data does not live on the disk, but HANA does save from memory to disk and file systems at regular savepoints, and changes only at the next savepoint.
“Some data is actually stored on the disc. For example, some technical user accounts and passwords along with keys for decrypting savepoints are stored in storage named hdbuserstore.,” Polyakov said. “This storage is a simple file on the disc. It is encrypted using 3DES algorithm with a static master key. Once you have access to this file and decrypt it with static master key, which is the same on every installation, you get system user passwords and keys for disk encryption. After that, you can get access to all data.”
ERPScan said that 100 percent of its customers using HANA still use the default master key to encrypt hdbuserstore.
Chastuhin also presented a similar encryption vulnerability in the SAP Mobile platform, where application passwords are encrypted, but secured with a known static key. An attacker can use a XXE vulnerability disclosed Thursday as well to access the configuration file that stores a password and decrypt is using the static key.
“Static keys and weak encryption algorithms are a very widespread problem in enterprise business applications such as ERP systems,” Polyakov said, adding that on June 9 SAP patched two vulnerabilities in NetWeaver, SAP’s default ERP platform, that addressed hardcoded passwords in some of its modules.
