ERPScan technology boss Alexander Polyakov says default security settings are exposing passwords and root keys in SAP HANA to external attackers.
Attackers can use universal default keys to decrypt encrypted passwords used by the in-memory, column-oriented, relational database management system.
Polyakov says administrators are not bothering to change the keys which protects the hdbuserstore secure user storage facility that contains account passwords and keys for savepoints.
"People think that SAP HANA, as an in-memory database, doesn’t store any sensitive data on hard drive [but] some data is actually stored on the disk," Polyakov says.
"Once you get access to this file (hdbuserstore) and decrypt it with the static master key, which is the same on every installation, you have system user passwords and disk encryption keys. After that, you can get access to all data.
"According to our consulting services, 100 percent of customers we analysed still use the default master key to encrypt hdbuserstore."
The avid SAP hacker disclosed the findings at the Blackhat technical talks in The Netherlands revealing separate HANA vulnerabilities including a since-patched SQL injection hole in XS Server.
Default and to a lesser extent hardcoded credentials are a common problem across IT systems notably because attackers can often consult security recommendations contained in vendor documentation to learn default passwords. Forward-facing exposed services, also a common security issue, can then be targeted.
"Static keys and weak encryption algorithms are a very widespread problem in enterprise business applications such as ERP systems," Polyakov says.
SAP documentation [PDF] says the master key should be changed.
It advises database admins to:
- Change the SSFS master key using the rsecssfx tool
- Change the data volume encryption root key using the hdbnsutil tool
- Change the data encryption service root key using the hdbnsutil tool
- Restrict access to the key file
- Restrict access to the DAT file