Alexander Polyakov, founder and Chief Technology Officer (CTO) of ERPScan, says that SAP HANA's default security settings expose root keys and passwords to attackers. Because the default master key is the same on every installation, anyone who obtains the encrypted credential store can decrypt it and recover the passwords protecting the column-oriented, in-memory relational database.
Polyakov adds that, despite the risk, administrators rarely change the default keys protecting hdbuserstore, the secure user store, and the secure store that holds account credentials and the keys used for savepoints, the on-disk persistence of the in-memory data.
Polyakov says, "People think that SAP HANA, as an in-memory database, doesn’t store any sensitive data on hard drive [but] some data is actually stored on the disk." He continues, "Once you get access to this file (hdbuserstore) and decrypt it with the static master key, which is the same on every installation, you have system user passwords and disk encryption keys. After that, you can get access to all data."
"According to our consulting services, 100 percent of customers we analyzed still use the default master key to encrypt hdbuserstore," Polyakov reveals.
Polyakov disclosed these findings at Black Hat in the Netherlands. They are separate from other HANA vulnerabilities ERPScan has reported, including a since-patched SQL injection hole in the XS server.
Hardcoded credentials, and even more so default ones, are a common problem across many IT systems: an attacker only needs to read the vendor's own documentation and security recommendations to learn the default passwords and keys. Combined with another common weakness, services exposed to the outside world, those defaults make such systems easy targets.
Polyakov says, "Static keys and weak encryption algorithms are a very widespread problem in enterprise business applications such as ERP Systems."
SAP documentation [PDF] recommends changing the master key as soon as possible after installation. It advises database administrators to:
- Change the default SSFS master key using the rsecssfx tool;
- Change the default root key for data volume encryption using the hdbnsutil tool;
- Change the default root key for the data encryption service using the hdbnsutil tool;
- Restrict access to the key files;
- Restrict external access to the DAT file (the SSFS data file).
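The following audit script is an added example, not part of the article or of SAP's own tooling. It checks an SSFS directory for the two conditions the article describes: no customer-generated key file, which means the secure store is still protected by the vendor's built-in default master key, and key or data files readable by other OS users. The directory layout (`/usr/sap/<SID>/SYS/global/hdb/security/ssfs/`) and file names (`SSFS_<SID>.KEY`, `SSFS_<SID>.DAT`) are assumptions about a typical HANA install; adjust them to your system. The script only reads file metadata and builds a constructed fixture for its demo run, so it can be tried offline.

```shell
#!/bin/sh
# ssfs_audit.sh (added example, not SAP code): audit SAP HANA SSFS files for
#   1. a missing customer key file  -> default master key still in use
#   2. KEY/DAT files readable by group or other OS users
# Assumed layout: /usr/sap/<SID>/SYS/global/hdb/security/ssfs/SSFS_<SID>.{KEY,DAT}

# owner_only "<mode string from ls -l>": succeed if group/other have no bits set.
owner_only() {
    case "$(printf '%s' "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# audit_ssfs <ssfs_dir> <SID>
# Prints one FINDING line per problem; exit status is the number of findings.
audit_ssfs() {
    dir=$1
    sid=$2
    findings=0
    key="$dir/SSFS_${sid}.KEY"
    dat="$dir/SSFS_${sid}.DAT"

    # No key file: SSFS falls back to the vendor default master key, which is
    # identical on every installation (the weakness the article describes).
    if [ ! -f "$key" ]; then
        echo "FINDING: $key missing - default SSFS master key in use; generate one with rsecssfx"
        findings=$((findings + 1))
    fi

    # Key and data files must be readable by the owning <sid>adm user only.
    for f in "$key" "$dat"; do
        [ -e "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c1-10)
        if ! owner_only "$mode"; then
            echo "FINDING: $f has mode $mode - readable by group/other; chmod 600"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Demo on a constructed fixture (no real HANA system required):
# a DAT file left world-readable and no KEY file at all.
demo() {
    t=$(mktemp -d)
    printf 'constructed SSFS data\n' > "$t/SSFS_HDB.DAT"
    chmod 644 "$t/SSFS_HDB.DAT"
    echo "== before hardening =="
    audit_ssfs "$t" HDB || echo "   $? finding(s)"

    # Remediate: a customer key file (here a placeholder) with owner-only rights.
    printf 'constructed key material\n' > "$t/SSFS_HDB.KEY"
    chmod 600 "$t/SSFS_HDB.KEY" "$t/SSFS_HDB.DAT"
    echo "== after hardening =="
    audit_ssfs "$t" HDB && echo "   clean"
    rm -rf "$t"
}

if [ "${1:-}" = "--demo" ]; then
    demo
elif [ $# -eq 2 ]; then
    audit_ssfs "$1" "$2"
fi
```

Run `sh ssfs_audit.sh --demo` to see the fixture flagged twice and then pass, or `sh ssfs_audit.sh /usr/sap/HDB/SYS/global/hdb/security/ssfs HDB` against a real directory as the `<sid>adm` user. The script only detects the problem; generating a new master key is done with rsecssfx (its `changekey` subcommand comes from SAP's SSFS documentation, not this article), and the data volume and data encryption service root keys with hdbnsutil, as the list above says.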