14 DAY TRIAL // Speaking at the Black Hat Sessions conference in Ede, Netherlands, Dmitry Chastukhin, Director of Professional Services for ERPScan, has presented a report in which he details various problems with SAP's encryption algorithms and static keys.
These issues affect the SAP HANA and SAP Mobile platforms and are caused by design solutions used in the way the services were built.
Detailed in the report are problems with SAP HANA, an in-memory database used for SAP's commercial offering for medium to large businesses.
To be more exact, the way default keys are used to encrypt data such as passwords, storages, and backups, makes the SAP HANA platform vulnerable to SQL injections.
Static master keys can give you access to the entire database's content
The bug was found in April 2014 and is now fixed, and was because the SAP HANA in-memory database, wasn't behaving like a normal in-memory database to begin with.
"Some data is actually stored on the disk. For example, some technical user accounts and passwords along with keys for decrypting savepoints are kept in a storage named hdbuserstore. This storage is a simple file on the disk," said Alexander Polyakov, CTO of ERPScan.
Because sensitive data was being saved on disk, attackers could easily get their hands on it and attempt to decrypt it, gaining access to sensitive information which could help them compromise the system later on.
This data was encrypted using a simple 3DES algorithm with a static master key, which was easily to decrypt and provided an attacker access to the user's passwords and disk encryption keys.
The static master key was also the same on every client's installations, and according to ERPScan, 100% of all SAP clients were still using their default master keys when the vulnerability was found.
XSS bug also plagues the SAP HANA data storage service
On top of this, a cross-site scripting (XSS) vulnerability was also identified in HANA, found more exactly in its SAP Extended Services component, a server-side JavaScript platform used to interact and query the HANA database.
This component runs a custom version of the JavaScript language, called XS JavaScript, which is interpreted through the XS Engine, as part of the SAP Extended Services component.
Attackers could use this feature to execute arbitrary code and get access to the database and its data.