
Static encryption keys security weak point for SAP HANA, mobility platforms

Default keys used to encrypt sensitive data such as passwords, secure storage and backups in SAP HANA and the SAP Mobile Platform could be exposing enterprises to the risk of cyberattack.

This was the finding of a new report by ERPScan, presented last week by Dmitry Chastuhin, the company's director of professional services, at the Black Hat Sessions conference in the Netherlands.

The report covers multiple issues relating to the encryption algorithms and static keys SAP uses in its platforms.

According to ERPScan, a typical SAP HANA installation includes a built-in application server, SAP Extended Services (XS Engine), together with an application development environment. That makes the in-memory platform exposed not only to classic database issues such as SQL injection, but also to web-application issues such as cross-site scripting (XSS), in which injected JavaScript runs with the rights of the attacked user.

While the bulk of the data in a HANA database is held in memory, the system still writes to persistent disk storage at regular savepoints so that it can recover after a failure.

“For example, some technical user accounts and passwords, along with keys for decrypting savepoints, are stored in storage named hdbuserstore. This storage is a simple file on the disk. It is encrypted using the 3DES algorithm with a static master key,” said Alexander Polyakov, CTO, ERPScan. “Once you have access to this file and decrypt it with a static master key, which is the same on every installation, you get system user passwords and keys for disk encryption. After that, you can get access to all data. According to our consulting services, 100 per cent of the customers we analysed still use the default master key to encrypt hdbuserstore.”

There are also issues with static encryption keys on the SAP Mobile Platform. One of the vulnerabilities highlighted at the Black Hat Sessions conference (detailed in the report) was how a default encryption key can be used to gain access to, and decrypt, configuration files that store passwords.
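The hdbuserstore case and the SAP Mobile configuration-file case share one pattern: a secret store on disk whose protection rests entirely on a master key that is the same on every installation, so reading the file is as good as reading the plaintext. The Python below is an added illustration written for this page, not ERPScan's tooling or SAP's code. It uses a SHA-256 keystream with an HMAC tag as a standard-library stand-in for 3DES (the cipher is not the point; the key management is), the default key and the store contents are constructed, and nothing reproduces SAP's real keys or file formats. It shows the vulnerable deployment, the check an auditor would run against a store (`uses_default_key`), and the hardened form in which each installation generates its own key and keeps it in a separate 0600 file.

```python
"""Static master key vs per-installation master key for an on-disk secure store.

Added example, not vendor code. The cipher is a SHA-256 counter-mode
keystream plus HMAC tag standing in for 3DES; only key handling matters here.
"""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed stand-in for a vendor-shipped default master key (24 bytes, the
# size a 3DES key would have). It is identical on every installation, which is
# exactly the problem: anyone who learns it once can open every store.
DEFAULT_MASTER_KEY = bytes.fromhex("0123456789abcdef" * 3)


def _keystream(key, nonce, length):
    """SHA-256 counter-mode keystream (stdlib stand-in for the block cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(master_key):
    """Derive separate encryption and MAC keys from the master key."""
    enc = hmac.new(master_key, b"store-enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"store-mac", hashlib.sha256).digest()
    return enc, mac


def seal(master_key, entries):
    """Encrypt a credential dictionary into an opaque on-disk blob."""
    plaintext = json.dumps(entries, sort_keys=True).encode()
    enc_key, mac_key = _subkeys(master_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(master_key, blob):
    """Decrypt a blob; returns the dict, or None if the key is wrong or the blob was altered."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(master_key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plaintext)


def uses_default_key(blob):
    """Audit check: True if the store still opens with the shipped default key."""
    return unseal(DEFAULT_MASTER_KEY, blob) is not None


def new_installation_key(key_path):
    """Hardened form: a random per-installation master key, written with mode
    0600 and kept outside the store it protects, so the store file alone is useless."""
    key = os.urandom(24)
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key)
    return key


def demo():
    # Constructed sample contents: the kind of technical credentials such a store holds.
    entries = {"SYSTEM": {"password": "constructed-pw-1"},
               "savepoint": {"disk_key": "constructed-hex-key"}}

    # Vulnerable deployment: sealed with the key every installation ships with.
    store_a = seal(DEFAULT_MASTER_KEY, entries)
    # Anyone who copies the file and knows the default key recovers the credentials.
    recovered = unseal(DEFAULT_MASTER_KEY, store_a)

    # Hardened deployment: a fresh key generated on this host, kept in a 0600 file.
    with tempfile.TemporaryDirectory() as tmp:
        key_file = os.path.join(tmp, "master.key")
        key_b = new_installation_key(key_file)
        key_mode = os.stat(key_file).st_mode & 0o777
    store_b = seal(key_b, entries)

    # A modified blob is rejected rather than decrypted to garbage.
    tampered = bytearray(store_a)
    tampered[20] ^= 0x01

    return {
        "default_key_opens_vulnerable_store": recovered == entries,
        "audit_flags_vulnerable_store": uses_default_key(store_a),
        "audit_flags_hardened_store": uses_default_key(store_b),
        "owner_opens_hardened_store": unseal(key_b, store_b) == entries,
        "tamper_detected": unseal(DEFAULT_MASTER_KEY, bytes(tampered)) is None,
        "key_file_mode": key_mode,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audit function is the part worth keeping: pointed at a real store it answers the only question that matters in the report's finding, namely whether the shipped default still opens it. Note that rotating the master key is only half the fix; credentials that were ever readable under the default key should be treated as exposed and changed as well.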

“Static keys and weak encryption algorithms are a very widespread problem in enterprise business applications such as ERP systems. Recently our researchers found a critical vulnerability in token generation for the Oracle Peoplesoft HRMS application. There were more than 200 publicly available systems vulnerable to this attack. Moreover, such vulnerabilities as FREAK, BEAST and others also affect ERP systems. Just a week ago, SAP released patches for the FREAK vulnerability affecting SAP HANA security,” said Alexander Polyakov, CTO, ERPScan. Details are in the corresponding SAP Security Notes.

Following the presentation, SAP notified all customers that they should change their encryption keys.

