According to a recent report published by ERPScan, a well-known security company, SAP's in-memory database, SAP Hana, is vulnerable to SQL injection attacks and also suffers from encryption weaknesses.
According to statistics published by SAP, SAP Hana has over 815,000 "active users" at some 6,400 companies worldwide. Does that mean all of them are exposed to these vulnerabilities?
ERPScan explains, "A typical SAP HANA installation also includes multiple additional modules and services: a built-in application server called SAP Extended Services (XS Engine), an application development environment, and a revision control repository."
"The SAP Hana database holds the bulk of its data in memory for maximum performance, but it still uses persistent disk storage to provide a fallback in case of failure. Data is automatically saved from memory to disk at regular save-points. The data belonging to a save-point represents a consistent state of the data on disk and remains so until the next save-point operation is completed, according to the SAP (Systems, Applications and Products) Security Guide. It means that some data is stored on the file system, and an attacker can get access to these data."
Alexander Polyakov, Chief Technology Officer (CTO) and founder of ERPScan, said that most users believe sensitive SAP Hana data is never stored on hard disk. In reality, a lot of data, including user names and passwords, is stored on disk, and, more often than not, it is protected by default passwords.
Polyakov said, "Some data is actually stored on the disk. For example, some technical user accounts and passwords, along with keys for decrypting save points, are kept in a storage named 'hdbuserstore'. This storage is a simple file on the disk. It is encrypted using the Triple-DES algorithm with a static master key." He further added, "Once you get access to this file and decrypt it with the static master key, which is the same on every installation, you have system user passwords and disk encryption keys. After that, you can get access to all data. According to our consulting services, 100 per cent of customers we analysed still use the default master key to encrypt 'hdbuserstore'."
According to his company, static-key encryption in SAP Hana is not the only SAP security issue ERPScan has brought to light; the SAP Mobile Platform appears to have similar problems. ERPScan warns, "Application passwords are stored in encrypted form with a known static key. One of the vulnerabilities highlighted at Black Hat Sessions (XXE) can be used to get access to the configuration file that stores a password and decrypt it if the default encryption key is used." It added, "The trend of hardcoded values such as passwords and password keys continues in SAP NetWeaver ABAP, the default platform for SAP ERP system that is used in more than 30,000 organisations worldwide. On the 9th of June, SAP released patches for two vulnerabilities in SAP ERP related to hardcoded passwords in some module."
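The hdbuserstore finding and the SAP Mobile Platform finding above come down to the same design flaw: a key that ships identically in every installation protects nothing against anyone who can copy the file, because the key is in the software itself. The following Go program is an added illustration, not ERPScan's tooling and not any SAP file format; it uses a constructed toy credential store and a made-up placeholder key (`staticMasterKey`), and contrasts the static-key design with a key derived from a per-installation secret that lives outside the store. AES-GCM is used instead of Triple-DES because the cipher is not the point; the key management is.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed toy store (NOT the hdbuserstore or SAP Mobile Platform format);
// only key management is modelled. staticMasterKey stands in for a key identical
// in every installation: whoever has the software has the key. Placeholder value.
var staticMasterKey = []byte("hypothetical-static-key-32-bytes") // 32 bytes: AES-256

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic("crypto/rand unavailable: " + err.Error())
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates with AES-256-GCM, prefixing the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails unless the key matches and the data is intact.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed store too short: %d bytes", len(sealed))
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// newInstallSecret models the secret generated once per installation and kept
// outside the store (root-only key file, OS keystore, HSM); it never ships in the product.
func newInstallSecret() []byte { return randomBytes(32) }

// storeKey derives the store key from the installation secret. A hash over a domain
// label and the secret is enough here; production code would use HKDF and rotate.
func storeKey(installSecret []byte) []byte {
	h := sha256.New()
	h.Write([]byte("credential-store-v1"))
	h.Write(installSecret)
	return h.Sum(nil)
}

// StaticKeyReadableElsewhere seals the store on installation A under the static key
// and reports whether installation B, running the same software, can read it.
func StaticKeyReadableElsewhere(store []byte) (bool, error) {
	sealed, err := seal(staticMasterKey, store)
	if err != nil {
		return false, err
	}
	got, err := open(staticMasterKey, sealed) // B's copy holds the same constant
	return err == nil && string(got) == string(store), nil
}

// PerInstallKeyReadable repeats the experiment with per-installation keys and
// reports whether the owner A can still read its store and whether B can.
func PerInstallKeyReadable(store []byte) (ownerOK, otherOK bool, err error) {
	a, b := newInstallSecret(), newInstallSecret()
	sealed, err := seal(storeKey(a), store)
	if err != nil {
		return false, false, err
	}
	got, err := open(storeKey(a), sealed)
	ownerOK = err == nil && string(got) == string(store)
	_, err = open(storeKey(b), sealed) // same file copied to B, opened with B's secret
	otherOK = err == nil               // GCM tag check fails, so this stays false
	return ownerOK, otherOK, nil
}

func main() {
	store := []byte("user=SYSTEM;password=example-only") // constructed sample record
	s, _ := StaticKeyReadableElsewhere(store)
	o, x, _ := PerInstallKeyReadable(store)
	fmt.Println("static key, other install reads:", s, "| per-install key, owner reads:", o, "other reads:", x)
}
```

Run it with `go run`: the store sealed under the static key decrypts on the second installation, while the store sealed under a per-installation key does not. The lesson generalises beyond SAP: wherever a vendor-wide constant is the only thing between a reader of the file and the credentials inside it, file-read access equals credential access. The mitigations follow directly: keep the secret out of the product (per-installation key, OS keystore or HSM), restrict who can read the store on disk, and replace any default master key the product allows you to change, which is exactly what the 100 per cent of customers mentioned above had not done.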
Polyakov said, "Static keys and weak encryption algorithms are a very widespread problem in enterprise business applications, such as ERP (Enterprise Resource Planning) systems. Recently, our researchers have found a critical vulnerability in token generation for Oracle PeopleSoft HRMS. More than 200 publicly available systems were vulnerable to this attack. Moreover, such vulnerabilities as FREAK and BEAST also affect ERP systems. Just a week ago, SAP released patches for the FREAK vulnerability affecting SAP Hana security."