Sap hana system exposed security vulnerabilities, static keys in the database

Sap hana system exposed security vulnerabilities, static keys in the database

 

SAP well-known Memory Database Management System HANA has been exposed to be installed ?? The static encryption key is stored in the database. Sap hana is the fastest growing product in SAP history.

Vulnerability Overview

ERPScan researchers showed the vulnerability at a black hat conference in Amsterdam. This team also recently announced configuration vulnerabilities in Oracle's PeopleSoft.

The encryption key is static, that is, all sap hana is installed with the same key by default. If attackers can read this key, they can attack multiple systems.

Alexander Polyakov, chief technology officer of ERPScan, said attackers can perform various attacks: such as SQL injection to steal keys in the SAP database, use directory traversal, or XXE injection (XML External Entity attack, XML external entity injection ). The default encryption key is used to protect data on the platform, including passwords and platform backups.

On the other hand, because SAP administrators rarely change the default encryption key, this also makes the platform vulnerable to attacks.

At the black hat conference, researchers Dmitry Chastuhin not only shared the encryption vulnerability, but also shared an SQL injection vulnerability in the Hana XS server.

 

Decrypt all data with the default key

"Some data is stored on disks, for example, the account, password, and key used to decrypt the storage point of a technician are stored in hdbuserstore," experts explained. This hdbuserstore is a simple file on the disk. It is encrypted using the 3DES algorithm and uses a static master key. Once you can read the file and decrypt it with the same static master key as each system, you will get the System user password and the key used for hard disk encryption. You can get all the data ."

ERPScan said that 100% still uses the default CMK to encrypt hdbuserstore among its customers.

Chastuhin also found that this problem also exists in the SAP mobile platform, that is, a default static key is used to encrypt data. Attackers can exploit the XXE vulnerability to obtain password-containing configuration files, use a static key for decryption.