SAP HANA is the ERP specialist's recent key product. Based on in-memory technology, it provides a considerable increase in the speed of data processing, helping large enterprises process their data in real time. It's implemented in more than 500 companies.
But at a "Black Hat Sessions" conference today in the Netherlands, Dmitry Chastuhin, Director of professional services at SAP security company ERPScan, has presented a report on the latest trends in SAP Security. It uncovers multiple problems related to encryption algorithms and static keys used by SAP in their products.
The SAP HANA database holds the bulk of its data in memory for maximum performance, but it still uses persistent disk storage to provide a fallback in case of failure. Data is automatically saved from memory to disk at regular savepoints. The data belonging to a savepoint represents a consistent state of the data on disk and remains in place until the next savepoint operation has completed - according to the SAP Security Guide. This means that some data is stored on the file system, and an attacker can get access to it.
"People think that SAP HANA is in-memory database and doesn’t store any sensitive data on hard drive. The reality is not that nice as you might think. Some data is actually stored on the disc," says Chastuhin.
"For example, some technical user accounts and passwords along with keys for decrypting savepoints are stored in storage named hdbuserstore. This storage is a simple file on the disc. It is encrypted using 3DES algorithm with a static master key. Once you have access to this file and decrypt it with static master key, which is the same on every installation, you get system user passwords and keys for disk encryption.
"After that, you can get access to all data. According to our consulting services, 100 per cent of customers we analyzed still use default master key to encrypt hdbuserstore".
It points out that if these issues are present in SAP's code they're also likely to be found on custom applications developed by third-party or in-house developers.
More information on the vulnerabilities uncovered in SAP can be found on the ERPScan website.