SAP HANA Database Uses Static Encryption Key By Default

Earlier this month leading ERP (Enterprise Resource Planning) vendor SAP released an updated version of their HANA database. HANA is an in-memory database: the data is held in RAM (computer memory) for very fast performance, although it is periodically written to a hard disk to provide recovery checkpoints. However it has been revealed that in the vast majority of installations of this product the data encryption key is left at the default value. Thus if an attacker obtains access to the database files, they can potentially obtain access to all of the data, since the encryption key is static (unchanged) across a very large number of database installations. In addition, the database has been known to have SQL injection flaws (one such flaw has recently been resolved).

Please note that I don’t consider the fact that a default encryption key is used by SAP HANA a failing on SAP’s part. It is up to the individuals who manage the HANA database to understand that important default settings should be changed. However I do acknowledge that such important settings should be set (and that this step should not be skippable) during the installation/setup of the HANA database, and that the installer/setup routine should enforce very strong criteria in relation to the complexity of the encryption key, since all of the information within the database will be protected by this key.
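To illustrate what an installer-side check of that kind could look like, here is an added example (my own illustration, not SAP code and not part of the HANA installer). It assumes a hypothetical setup routine that receives the proposed data volume encryption key as raw bytes, and it rejects a key that matches a known vendor default (stored as a SHA-256 fingerprint rather than the key itself), is shorter than 32 bytes, or has low per-byte entropy. The default key value, the fingerprint list and the thresholds are constructed placeholders.

```python
import hashlib
import math
import secrets
from collections import Counter

# Constructed placeholder: a real deployment would hold the SHA-256 fingerprints
# of any vendor-shipped default keys here, never the default keys themselves.
KNOWN_DEFAULT_KEY_FINGERPRINTS = {
    hashlib.sha256(b"PLACEHOLDER-DEFAULT-KEY").hexdigest(),
}

MIN_KEY_BYTES = 32          # assumption: 256-bit minimum for a data-at-rest key
MIN_BITS_PER_BYTE = 3.5     # assumption: Shannon entropy floor for a 32-byte key


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given byte string."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def check_key(key: bytes) -> list[str]:
    """Return a list of reasons the key is unacceptable; empty means OK."""
    problems = []
    fingerprint = hashlib.sha256(key).hexdigest()
    if fingerprint in KNOWN_DEFAULT_KEY_FINGERPRINTS:
        problems.append("key matches a known vendor default")
    if len(key) < MIN_KEY_BYTES:
        problems.append(f"key is {len(key)} bytes, minimum is {MIN_KEY_BYTES}")
    if shannon_entropy(key) < MIN_BITS_PER_BYTE:
        problems.append("key has too little entropy (repetitive or low-variety bytes)")
    return problems


def generate_key(length: int = MIN_KEY_BYTES) -> bytes:
    """Produce a fresh random key from the OS CSPRNG for the installer to offer."""
    return secrets.token_bytes(length)


def installer_accepts(key: bytes) -> bool:
    """Hypothetical gate in a setup routine: refuse to continue on any problem."""
    return check_key(key) == []


if __name__ == "__main__":
    for label, candidate in [
        ("vendor default", b"PLACEHOLDER-DEFAULT-KEY"),
        ("repeated byte", b"A" * 32),
        ("fresh random", generate_key()),
    ]:
        print(label, "->", "accepted" if installer_accepts(candidate) else check_key(candidate))
```

The point of keeping fingerprints rather than the default key is that the check itself never has to ship the secret it is guarding against; the entropy test catches the common "fill it with the same character" workaround, and offering a CSPRNG-generated key makes the secure path the easy path.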

How Can I Protect Myself From These Issues?
It is recommended to have the most recent version of SAP HANA installed and to ensure that it has all of the necessary security updates applied (recent updates are detailed in this blog post). In addition, please follow the advice within the SAP HANA Security Handbook as well as the Administration Guide, specifically the following pages:

SAP HANA Security Handbook:

Page 115 to 120: Encryption keys and admin encryption tasks
Page 121 to 126: Protecting user credential stores and SAP HANA Studio Workspaces

SAP HANA Administration Guide:

Pages 479 to 485: Managing data volume encryption (ignore section 3.3.4 Disable Data Volume Encryption)
Pages 486 to 492: Managing/Changing Encryption Keys

Finally, I would also recommend following the advice in the Cross-site Scripting (XSS) flaw blog post (part 2 of that blog post will be published at a later date). The main blog index may also contain posts that you will find useful for your environment. If you are in any doubt or would like further advice, please contact SAP Support for more information.

Please note that the links to the blog posts written by ERPScan were not functioning when the post was added to this blog but were operational when I originally referred to them. The availability of links provided within my blog is a factor outside of my control. I will update this post when these links become functional again. Apologies for the inconvenience.

Update: 5th July 2015: I’ve verified that the blog posts written by ERPScan linked to above are now functional again.

Thank you.
