Three security issues (detailed below) were found by Onapsis and reported to SAP earlier this month. They affect the SAP Mobile Platform, specifically version 3.0 SP5.
None of the issues is remotely exploitable, but an attacker who has access to the mobile device needs no further authentication to exploit them.
Why Should These Issues Be Considered Important?
All of the issues discussed below either make it easier for an attacker to recover the encrypted data (Issue 1) or hand them a fixed, predictable encryption key that can be reproduced or brute forced offline (Issues 2 and 3). Once the key or keystream is known, the data protected by it is no longer secure.
How Can I Protect Myself From These Issues?
SAP recommends installing the patches described in SAP Security Note 2094830. The same note is referenced in the Onapsis blog post announcing these advisories. Please note that an SAP Marketplace account is required to read the contents of this Security Note; an account can be created on the SAP Service Marketplace.
If you are in any doubt or would like further advice, please contact SAP Support for more information.
Issue 1: SAP Mobile Platform DataVault Keystream Recovery:
This component is used to access encrypted data on mobile devices. Due to an implementation error it is possible to recover the keystream used to encrypt the data. A keystream is the sequence of bytes that a stream-style cipher combines (XORs) with the plaintext; it is normally derived from the key and a unique nonce/IV and must never be reused. If it can be recovered, ciphertext encrypted with it can be read without knowing the key. As a result an attacker can retrieve part of the plaintext corresponding to encrypted data within the DataVault of the mobile device. There is also a limited possibility that an attacker could re-encrypt data within the vault with a value of their choosing (potentially blocking access for the legitimate, authorized user).
Having both the plaintext and the encrypted version of a piece of data is exactly what a known plaintext attack requires (see the Aside below for a definition).
Issue 2: SAP Mobile Platform Predictable Encryption Password for Configuration Values:
The password of the SAP DataVault is derived from a combination (more details below) of easily obtainable values stored in plaintext, i.e. "in the clear", on the device. This password is used to encrypt important configuration details of the SAP DataVault, e.g. the count of invalid attempts to unlock the secure store, the value that drives the lockout protection.
The password is a combination of a value stored in plaintext within the secured store and another fixed value. The salt (which should be a random, per-installation value added to the password so that each derived key is unique) is also a fixed value. These fixed values are the same for every installation of the SAP Mobile DataVault, so anyone who can read the plaintext value from the device can reproduce the key (this is similar to the static encryption keys discussed in a previous blog post).
Issue 3: SAP Mobile Platform DataVault Predictable Encryption Password for Secure Storage:
If no password or salt value is provided when the DataVault is first created, the password and salt are derived from a combination of fixed values and the ID number of the vault. Since the vault ID can be read from the device, this again results in a predictable, effectively fixed encryption key protecting the data within the vault.
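To make Issues 2 and 3 concrete, here is an added example (not SAP's code, and not taken from the Onapsis advisory) that models the flawed derivation pattern described above: a key built from a value stored in the clear, a constant that is the same on every install, and the vault ID, with a fixed salt. The constants, the `invalid_attempts=` configuration format, the vault ID and the toy one-shot pad used for encryption are all assumptions made for the demonstration. It shows an attacker on the device rebuilding the key, decrypting the configuration, resetting the lockout counter and re-encrypting it, and contrasts that with a derivation that uses a per-install random salt and a secret the attacker cannot read off the device.

```python
import hashlib
import hmac
import os

# Constants of the vulnerable pattern. Assumed values for this example; the
# point is that they are identical on every installation.
FIXED_PASSWORD_PART = b"SMP-DataVault-Config"
FIXED_SALT = b"static-salt"


def vulnerable_derive_key(vault_id: int, value_in_clear: bytes) -> bytes:
    """Issue 2 / Issue 3 pattern: password = value readable on the device
    + fixed constant + vault ID, with a fixed salt. Everything an attacker
    needs is on the device, so the key is fully reproducible."""
    password = value_in_clear + FIXED_PASSWORD_PART + str(vault_id).encode()
    return hashlib.pbkdf2_hmac("sha256", password, FIXED_SALT, 10_000, 32)


def hardened_derive_key(user_secret: bytes, salt: bytes) -> bytes:
    """Contrast: a secret the attacker cannot read from the device plus a
    random, per-installation salt that is stored next to the ciphertext."""
    return hashlib.pbkdf2_hmac("sha256", user_secret, salt, 200_000, 32)


def encrypt_config(key: bytes, config: bytes) -> bytes:
    """Toy encryption for short config blobs: XOR with a 32-byte pad derived
    from the key. Only for this demo (a single short message per key)."""
    if len(config) > 32:
        raise ValueError("toy pad only covers 32 bytes")
    pad = hmac.new(key, b"config-pad", "sha256").digest()
    return bytes(c ^ p for c, p in zip(config, pad))


decrypt_config = encrypt_config  # XOR with the same pad undoes it


def attacker_reset_lockout(vault_id: int, value_in_clear: bytes,
                           encrypted_config: bytes) -> tuple[bytes, bytes]:
    """Attacker with the device: rebuild the key from what is stored in the
    clear, decrypt the configuration, zero the invalid-attempt counter and
    re-encrypt it so the vault's lockout never triggers."""
    key = vulnerable_derive_key(vault_id, value_in_clear)
    config = decrypt_config(key, encrypted_config)
    if not config.startswith(b"invalid_attempts="):
        raise ValueError("unexpected config format")
    tampered = encrypt_config(key, b"invalid_attempts=0")
    return config, tampered


def vulnerable_config_reset_demo() -> tuple[bytes, bytes]:
    """Returns (what the attacker decrypted, what the device now reads)."""
    vault_id = 7                     # assumed: readable from the device
    value_in_clear = b"device-4711"  # assumed: stored in plaintext in the store
    # Device side: derive the key and store the encrypted counter.
    device_key = vulnerable_derive_key(vault_id, value_in_clear)
    stored = encrypt_config(device_key, b"invalid_attempts=9")
    # Attacker side: same inputs, same key, counter reset.
    original, tampered = attacker_reset_lockout(vault_id, value_in_clear, stored)
    return original, decrypt_config(device_key, tampered)


def hardened_keys_differ_across_installs() -> bool:
    """With a random salt, two installs using the same secret get different
    keys, so neither a precomputed table nor one recovered key carries over;
    without the secret the attacker cannot derive the key at all."""
    secret = b"user-chosen-passphrase"
    key_a = hardened_derive_key(secret, os.urandom(16))
    key_b = hardened_derive_key(secret, os.urandom(16))
    return key_a != key_b


if __name__ == "__main__":
    print(vulnerable_config_reset_demo())
    print(hardened_keys_differ_across_installs())
```

The lockout counter is the example because it is the configuration value the advisory names: once an attacker can rewrite it, the vault's defence against guessing the real unlock password is gone, which is why a predictable configuration key matters even though it does not directly protect the user's data.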
What is a known plaintext attack?
In a known plaintext attack the attacker holds one or more matching plaintext/ciphertext pairs and uses them to recover the key that was used or, for a stream-style cipher, the keystream itself. With a pair in hand, a brute-force key search can be checked automatically (decrypt the ciphertext with each candidate key and compare with the known plaintext), reverse engineering of the implementation can reveal how the key is derived, and where the cipher is misused, as with a reused keystream, a single XOR of plaintext and ciphertext is enough. Once the key or keystream is known, any other ciphertext produced with it can be decrypted.
Please note that modern encryption algorithms are designed to resist such attacks: knowing plaintext/ciphertext pairs does not reveal an AES key, and using a fresh initialization vector (IV) or nonce for every encryption prevents keystream reuse. The issues above do not break the algorithm; they bypass those defences through misuse, namely a recoverable keystream (Issue 1) and keys that anyone with the device can derive (Issues 2 and 3).
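The following is an added example (not SAP's code, and not taken from the Onapsis advisory) that works through Issue 1 and the known plaintext attack described in this Aside together. It uses a constructed counter-mode keystream (SHA-256 over key, nonce and counter) as a stand-in for whatever construction the vault uses, which the advisory does not specify; the key, nonce and the two vault records are all made up for the demo. It shows that when two records share a keystream, the known plaintext of one record (a fixed header and default configuration string) yields the keystream by a single XOR, that keystream decrypts the other record, and the same keystream lets the attacker forge a replacement record the vault decrypts to a value of the attacker's choosing. The last function shows that a unique nonce per record stops the recovery.

```python
import hashlib
import os

# Constructed secrets held by the vault. The attacker never sees these, only
# the ciphertexts and the plaintext of one record.
KEY = os.urandom(16)
NONCE = os.urandom(8)

# Constructed records. KNOWN_RECORD stands for data whose plaintext an attacker
# can predict (a fixed header plus a default configuration string);
# SECRET_RECORD for the credentials the vault is meant to protect.
KNOWN_RECORD = b"SMP-DATAVAULT-V1;invalid_attempts=0;locked=0"
SECRET_RECORD = b"user=jdoe;password=Hunter2!;token=AAAA-BBBB-CCCC"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter), truncated.
    Like any stream construction, it is only safe if (key, nonce) is never
    reused for two different plaintexts."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def vault_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


vault_decrypt = vault_encrypt  # XOR with the same keystream undoes it


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """The known plaintext step: ciphertext XOR plaintext = keystream,
    one keystream byte for every plaintext byte the attacker knows."""
    return xor(ciphertext, known_plaintext)


def recovered_secret_prefix(unique_nonces: bool = False) -> bytes:
    """Attacker view of SECRET_RECORD, as many bytes as KNOWN_RECORD is long.
    With a shared (key, nonce) this is the real plaintext; with a fresh nonce
    per record the recovered keystream is useless and the result is noise."""
    secret_nonce = os.urandom(8) if unique_nonces else NONCE
    ct_known = vault_encrypt(KEY, NONCE, KNOWN_RECORD)
    ct_secret = vault_encrypt(KEY, secret_nonce, SECRET_RECORD)
    ks = recover_keystream(KNOWN_RECORD, ct_known)
    return xor(ct_secret[:len(ks)], ks)


def forged_record_as_seen_by_vault(new_plaintext: bytes) -> bytes:
    """Attacker replaces the known record with new_plaintext XOR keystream.
    Returns what the vault reads back when it decrypts with its real key."""
    if len(new_plaintext) > len(KNOWN_RECORD):
        raise ValueError("can only forge as many bytes as keystream was recovered")
    ct_known = vault_encrypt(KEY, NONCE, KNOWN_RECORD)
    ks = recover_keystream(KNOWN_RECORD, ct_known)
    forged = xor(new_plaintext, ks[:len(new_plaintext)])
    return vault_decrypt(KEY, NONCE, forged)


if __name__ == "__main__":
    print(recovered_secret_prefix())
    print(forged_record_as_seen_by_vault(b"SMP-DATAVAULT-V1;invalid_attempts=0;locked=1"))
    print(recovered_secret_prefix(unique_nonces=True))
```

Note that the key itself is never recovered: a hash-based keystream gives nothing away about KEY, which is why "the algorithm is strong" is no defence once the keystream is reused. The forgery is also why the advisory mentions re-encryption: with the keystream an attacker can write any record that decrypts cleanly, including one that marks the vault as locked.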