Security Experts:

SAP Encryption Issues Pose Serious Risk to Organizations: Researchers

The use of static keys and other encryption issues expose numerous organizations that rely on SAP products to malicious hacker attacks, researchers have warned.

Dmitry Chastukhin, director of professional services at ERPScan, a company that specializes in protecting SAP and Oracle business-critical ERP systems against cyberattacks, revealed today at the Black Hat Sessions conference in the Netherlands that SAP solutions such as SAP HANA and the SAP Mobile platform are exposed to attacks not just because of vulnerabilities, but also due to some serious encryption-related problems.

SAP is one of the world’s largest software makers. Its products are used by 291,000 customers across 190 countries, according to the company’s website. SAP’s enterprise software includes solutions for customer relationship management (CRM), enterprise resource planning (ERP), product lifecycle management (PLM), supply chain management (SCM), and supplier relationship management (SRM).

Over the past period, researchers have uncovered numerous vulnerabilities in the company’s business applications, including SAP ASE, SAP HANA, SAP BusinessObjects, and SAP Netweaver. Recent studies have shown that pivoting, portal attacks, and database warehousing are the three most common techniques used to compromise SAP systems.

Vulnerabilities pose a serious risk to SAP customers and the vendor often releases patches to address them, but experts have pointed out that encryption issues can also be highly problematic.

In the case of the database management solution SAP HANA, ERPScan researchers have pointed out that the product can be plagued not only by SQL injection vulnerabilities, but also by cross-site scripting (XSS) vulnerabilities that allow an attacker to execute arbitrary JavaScript code.

XSS attacks are possible because one of the components of SAP HANA is a built-in application server called SAP Extended Services (XS Engine). The XS Engine and the application development environment in SAP HANA enable developers to create applications with the XS JavaScript language. This allows malicious actors to exploit XSS bugs in order to execute arbitrary code in the context of the targeted user, experts said.

Chastukhin has pointed out that while SAP HANA is designed to store most of the processed data in memory for increased performance, the data is also saved to the disk at regular savepoints as a fallback mechanism in case of an error.

The stored data is encrypted, but it’s not difficult for an attacker to gain access to it because the encryption key is the same for all installations.

“People think that SAP HANA is in-memory database and doesn’t store any sensitive data on hard drive. The reality is not that nice as you might think,” explained Chastukhin. “Some data is actually stored on the disc. For example, some technical user accounts and passwords along with keys for decrypting savepoints stored in storage named hdbuserstore. This storage is a simple file on the disc. It is encrypted using 3DES algorithm with a static master key. Once you have access to this file and decrypt it with static master key, which is the same on every installation, you get system user passwords and keys for disk encryption. After that, you can get access to all data.”

SAP’s security guide for SAP HANA advises customers to change the master encryption key after installation, but it appears many organizations don’t take the time to read and apply the advice from the 160-page document. Chastukhin said none of the organizations they analyzed had changed the default master key.

One of the vulnerabilities that can be used to access the HANA file system and decrypt the storage is a SQL injection bug identified by ERPScan back in April 2014. The issue was fixed by SAP, but its existence demonstrated the serious threat posed by such vulnerabilities.

SAP HANA is not the only solution exposed to cyberattacks by static key encryption. Application passwords in the SAP Mobile platform are also encrypted with a known static key. An XXE vulnerability discovered recently by ERPScan can be exploited to access the configuration file that stores a password and decrypt it using the default encryption key, assuming it hasn’t been changed.

Hardcoded passwords and encryption keys are problematic for SAP ERP customers as well. Earlier this month, SAP released patches for two such bugs in ERP.

“Static keys and weak encryption algorithms are a very widespread problem in enterprise business applications such as ERP systems,” said Alexander Polyakov, CTO of ERPScan. “Recently our researchers have found critical vulnerability in token generation for Oracle Peoplesoft HRMS Application. There were more than 200 publicly available systems vulnerable to this attack. Moreover, such vulnerabilities as FREAK, BEAST and others are also affecting ERP systems. Just a week ago, SAP released patches for FREAK vulnerability affecting SAP HANA Security.”

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.