SAP Releases Security Updates for HANA Database November 2015

Yesterday the security firm Onapsis issued 21 security advisories (detailing 22 security issues) for SAP’s HANA database. As mentioned in previous blog posts, this is a database that is stored in RAM (computer memory) for very fast performance (although the database is periodically written to a hard disk for the purpose of recovery checkpoints).

All 22 issues are remotely exploitable; only 1 requires the attacker to already be authenticated (logged in) to the database.

Why Should These Issues Be Considered Important?
The severity of the security issues disclosed can be summarized as follows:

9x critical issues: These issues could allow an unauthenticated remote attacker to take any action they wish with any of your business information stored within your HANA database. The attacker could also shut down the database.

6x high risk issues: Such issues could allow an attacker to access sensitive business information or conduct a DoS (denial of service) (defined) attack on your database, leaving the database in an unusable state until it is restarted.

7x medium risk issues: These issues could allow an attacker to obtain the values of environment variables used within the HANA database, create directories (folders) of their choice, create files of their choice, list the files within the database and access sensitive information.

As noted by Onapsis in their analysis within this blog post, the critical issues mentioned above are some of the most severe they have encountered, since they allow the attacker unprecedented access to your database.

How Can I Protect Myself From These Issues?
To address the flaws within SAP HANA it is recommended to refer to the security advisories mentioned in this Onapsis blog post. Those 21 downloadable PDF advisories contain the necessary links to obtain patches from SAP for these issues.

In addition, Onapsis has published the first in a series of blog posts focused on improving the security of SAP HANA installations. They provide best practice advice for the configuration of this database as well as user privileges etc.

If you are in any doubt or would like further advice, please contact SAP Support for more information.

Thank you.

SAP Releases Security Updates for HANA Database and Business Objects BI Platform

10 security issues in SAP’s HANA database were found by Onapsis Security and reported to SAP earlier this year, but were only publicly announced last week. This is a database that is stored in RAM (computer memory) for very fast performance (although the database is periodically written to a hard disk for the purpose of recovery checkpoints).

1 of the 2 most serious vulnerabilities within SAP HANA is remotely exploitable.

A further flaw was also discovered in SAP’s Business Objects BI Platform. This issue is caused by a buffer overflow (defined) which can be exploited by a remote attacker.

Why Should These Issues Be Considered Important?
The 2 high risk vulnerabilities could allow an attacker to execute commands of their choice on the victim’s SAP HANA system, disclosing sensitive information and giving them the potential to alter the system’s settings, blocking legitimate users from accessing it.

The remaining 8 medium risk vulnerabilities provide an attacker with the ability to partially compromise a HANA system, but the attacker would already have to have partially compromised the system in order to use these flaws to their further advantage.

For the Business Objects BI Platform vulnerability, if an attacker can successfully exploit the buffer overflow issue, they can cause a denial of service (defined) and/or gain access to sensitive information within the system, along with the ability to modify this data.

How Can I Protect Myself From These Issues?
To address the flaws within SAP HANA it is recommended to refer to the security advisories mentioned in this Onapsis blog post. Those advisories contain the necessary links to obtain patches from SAP for these issues.

For the Business Objects BI Platform vulnerability, SAP recommends implementing/installing the patches discussed within SAP Security Note 2001108. This note is also mentioned within this Onapsis blog post. Please note that an SAP Marketplace account is required to access the contents of this Security Note. An account can be created from this page.

If you are in any doubt or would like further advice, please contact SAP Support for more information.

If any further information concerning the above vulnerabilities becomes available I will update this blog post as appropriate.

Thank you.

SAP HANA Database Uses Static Encryption Key By Default

Earlier this month leading ERP (Enterprise Resource Planning) vendor SAP released an updated version of their HANA database (a database that is stored in RAM (computer memory) for very fast performance, although the database is periodically written to a hard disk for the purpose of recovery checkpoints). However, it has been revealed that in the vast majority of installations of this product the data encryption key is left at the default value. Thus, if an attacker obtains access to the database, they can potentially obtain access to all of the data, since the encryption key is static (unchanged) across a very large number of database installations. In addition, these databases have been known to have SQL injection flaws (however one such flaw has been recently resolved).

Please note that I don’t consider the fact that a default encryption key is used by SAP HANA a failing on SAP’s part. It is up to the individuals who manage the HANA database to understand that important default settings should be changed. However I do acknowledge that such important default settings should be set (and that such steps cannot be bypassed) during the installation/setup of the HANA database and that the installer/setup routine should enforce very strong criteria in relation to the complexity of the encryption key since all of the information within the database will be protected by this key.

How Can I Protect Myself From These Issues?
It is recommended to have the most recent version of SAP HANA installed and to ensure that it has all of the necessary security updates installed (recent updates are detailed in this blog post). In addition, please follow the advice within the SAP HANA Security Handbook as well as the SAP HANA Administration Guide, specifically the following pages:

===========================
SAP HANA Security Handbook:

Pages 115 to 120: Encryption keys and admin encryption tasks
Pages 121 to 126: Protecting user credential stores and SAP HANA Studio Workspaces
===========================

SAP HANA Administration Guide:

Pages 479 to 485: Managing data volume encryption (ignore section 3.3.4 Disable Data Volume Encryption)
Pages 486 to 492: Managing/Changing Encryption Keys
===========================

Finally I would also recommend following the advice in the Cross-site Scripting (XSS) flaw blog post (part 2 of that blog post should be published at a later date). The main blog index may also contain posts that you may find useful for your environment. If you are in any doubt or would like further advice, please contact SAP Support for more information.

Please note that the links to the blog posts written by ERPScan were not functioning when the post was added to this blog but were operational when I originally referred to them. The availability of links provided within my blog is a factor outside of my control. I will update this post when these links become functional again. Apologies for the inconvenience.

Update: 5th July 2015: I’ve verified that the blog posts written by ERPScan linked to above are now functional again.

Thank you.