SAP Hana riddled with encryption and SQL injection vulnerabilities, claims security company

ERPScan highlights a series of new vulnerabilities in SAP's flagship database and ERP packages

SAP Hana, SAP's in-memory database that it is encouraging customers to adopt, is vulnerable to SQL injection attacks and contains encryption weaknesses, according to security company ERPScan.

According to SAP, there are more than 815,000 "active users" of SAP Hana in some 6,400 companies.

"A typical SAP Hana installation also includes multiple additional modules and services: a built-in application server called SAP Extended Services (XS Engine), an application development environment, and a revision control repository," explained ERPScan.

"XS Engine and the built-in development environment provide an opportunity to write applications in the XS JavaScript language for working with the SAP Hana database. XS JavaScript is Hana's version of server-side JavaScript, based on the SpiderMonkey engine. Thus, in addition to the classic database security issue from SQL injection attacks, XSS attacks have also become highly critical because they enable executing JavaScript code in the context of the attacked user's rights," it continued.

"The SAP Hana database holds the bulk of its data in memory for maximum performance, but it still uses persistent disk storage to provide a fallback in case of failure. Data is automatically saved from memory to disk at regular save-points. The data belonging to a save-point represents a consistent state of the data on disk and remains so until the next save-point operation is completed, according to the SAP Security Guide. It means that some data is stored on the file system, and an attacker can get access to these data."

Alexander Polyakov, founder and chief technology officer of ERPScan, said that many people do not think that SAP Hana stores sensitive data on hard disk, but in reality user names and passwords are stored there, often protected only by a default password.

"Some data is actually stored on the disk. For example, some technical user accounts and passwords along with keys for decrypting savepoints are kept in a storage named 'hdbuserstore'. This storage is a simple file on the disk. It is encrypted using the Triple-DES algorithm with a static master key," said Polyakov.

He continued: "Once you get access to this file and decrypt it with the static master key, which is the same on every installation, you have system user passwords and disk encryption keys. After that, you can get access to all data. According to our consulting services, 100 per cent of customers we analysed still use the default master key to encrypt 'hdbuserstore'."

Static key encryption in SAP Hana is not the only SAP security issue uncovered by ERPScan. SAP Mobile Platform has similar problems, the company adds.

"Application passwords are stored in encrypted form with a known static key. One of the vulnerabilities highlighted at Black Hat Sessions (XXE) can be used to get access to the configuration file that stores a password and decrypt it if the default encryption key is used.

"The trend of hardcoded values such as passwords and password keys continues in SAP NetWeaver ABAP, the default platform for SAP ERP system that is used in more than 30,000 organisations worldwide. On the 9th of June, SAP released patches for two vulnerabilities in SAP ERP related to hardcoded passwords in some module," it warned.

"Static keys and weak encryption algorithms are a very widespread problem in enterprise business applications, such as ERP systems. Recently, our researchers have found a critical vulnerability in token generation for Oracle PeopleSoft HRMS. More than 200 publicly available systems were vulnerable to this attack. Moreover, such vulnerabilities as FREAK and BEAST also affect ERP systems. Just a week ago, SAP released patches for the FREAK vulnerability affecting SAP Hana security," said Polyakov.