SAP HANA system exposed to security vulnerability: static key exists in the database

2015-06-23T00:00:00
ID MYHACK58:62201563880
Type myhack58
Reporter Anonymous
Modified 2015-06-23T00:00:00

Description

SAP's well-known in-memory database management system, HANA, has been found to contain a security vulnerability: a static encryption key is stored in the database itself. SAP HANA is the fastest-growing product SAP has ever had.

Vulnerability overview

ERPScan researchers demonstrated this vulnerability at the Black Hat conference held in Amsterdam. The same team also recently published configuration vulnerabilities in Oracle PeopleSoft.

The encryption key is static: every default SAP HANA installation uses the same key, so an attacker who can read this key can attack multiple systems. ERPScan CTO Alexander Polyakov said an attacker has several ways to steal the SAP database key, such as SQL injection, directory traversal, or XXE (XML External Entity) injection.

The default encryption key protects platform data, including passwords and platform backups. Moreover, because SAP administrators rarely change the default encryption key, the platform is left vulnerable to attack.

At the Black Hat conference, researcher Dmitry Chastuhin shared not only the encryption vulnerability but also SQL injection vulnerabilities in the HANA XS server.

Use default key to decrypt all the data

The expert explained that “some data is stored on disk, such as technical accounts and passwords and the keys used to decrypt savepoints, which are stored in hdbuserstore. This hdbuserstore is a simple file on disk, encrypted with the 3DES algorithm using a static master key. Once you are able to read this file and decrypt it with the static master key, which is the same on every system, you will be able to get the system user passwords and the disk encryption keys. After that it is possible to get all the data.”

ERPScan said that 100% of its customers still use the default master key to encrypt hdbuserstore.

Chastuhin also found that the SAP mobile platform has the same problem: it too uses a default static key to encrypt data. An attacker can use an XXE vulnerability to obtain the configuration file containing the password, and then decrypt it with the static key.