SEC203 – SAP Runs SAP: How to Protect ABAP Applications Against Password Cracking
© 2016 SAP SE or an SAP affiliate company. All rights reserved. 2 Public
Speakers
Chandan Veerabhadra Setty, Frank Buchholz, Bjoern Brencher
SAP TechEd 2016 events: Las Vegas, Sept 19 - 23; Bangalore, October 5 - 7; Barcelona, Nov 8 - 10
Disclaimer
The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. Except for your obligation to protect confidential information, this presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or any related document, or to develop or release any functionality mentioned therein.
This presentation, or any related document and SAP's strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this presentation is not a commitment, promise or legal obligation to deliver any material, code or functionality. This presentation is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This presentation is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this presentation, except if such damages were caused by SAP's intentional or gross negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
Abstract
Still struggling with the challenge of configuring your ABAP-based SAP solutions securely? For user authentication purposes, ABAP applications have to store user passwords in a hashed version. After demonstrating how to steal and crack password hashes in an ABAP application on the SAP NetWeaver technology platform, SAP's own internal security experts will explain suitable protection mechanisms.
Agenda
Common attack points for SAP NetWeaver Application Server ABAP
Password hashes in SAP NetWeaver Application Server ABAP
Introduction to the vulnerability
Live hacking demo – exploiting the vulnerability
SAP Runs SAP: How do we protect our SAP internal systems?
Summary
Common attack points for SAP NetWeaver AS ABAP
SAP Runs SAP: Common attack points to SAP ABAP systems
Attack points (diagram): Firewalls, Security Notes, Standard Users, Authorizations, RFC Gateway*, Encryption, Password Hashes
* RFC gateway is a technical component in the SAP kernel. It is not the product SAP NetWeaver Gateway.
SAP Runs SAP: Common attack points to SAP ABAP systems
Each of the three vulnerabilities allows easy full access to SAP systems within minutes
Standard users with default passwords
- Default passwords not changed for all users
- Client 066 is not considered as customer responsibility
Weak password hashes
- Usage of weak password hashes
- Often display access for most users in the system
Unsecured RFC gateway
- Very technical topic with high complexity
- Elaborate implementation
SAP security and GRC access governance portfolio (diagram)
Platform Security – Make sure that SAP solutions run securely: SAP NetWeaver Application Server, SAP HANA, SAP HANA Cloud Platform, SAP Business Suite, S/4 HANA, SAP Cloud Applications, 3rd Party Systems
SAP Single Sign-On – Make it simple for users to do what they are allowed to do
SAP Identity Management – Know your users and what they can do
SAP Access Control – Ensure corporate compliance to regulatory requirements
SAP Enterprise Threat Detection – Counter possible threats and identify attacks
Add-On for Code Vulnerability Analysis – Find and correct vulnerabilities in customer code
SAP Cloud Identity Access Governance services (identity authentication service, identity provisioning service, access analysis service) – Manage access, users and compliance in the cloud
SAP Runs SAP: What we did to protect our own systems at SAP
Timeline (2005 … 2008, 2009, 2010 …)
Standard users with default passwords
- Define handling of standard users with default passwords
- Rollout to all critical landscapes
- Define monitoring procedure
Unsecured RFC gateway
- Define protection of the RFC gateway for our own SAP business systems
- Run pilot implementation for one system landscape
- Rollout to all critical landscapes
- Define monitoring procedure
Weak password hashes
- Define approach how to protect password hashes
- Run pilot implementation for one system landscape
- Rollout to all critical landscapes
Password hashes in SAP NetWeaver AS ABAP – Introduction to the vulnerability
Release notes of the open source password recovery tool oclHashcat v1.20 (graphic: 20 hours):
https://hashcat.net/forum/thread-3323.html
"In other words, even if you use crazy keycodes in your password, [BCODE] will be cracked in max. 20 hours. It's hopeless."
What is a password hash?
Some information about password hashes
- Passwords are hashed with password hash functions to store them securely
- Password hash algorithms are one-way: original passwords cannot be derived from their hash values
- But password hashes can be generated from potential passwords until the password hashes match
- Password hash attacks are always possible, just the speed is different
Stored value (Password / Hash):
Thisisastrongpassword / 9d6fffda73e361025b92fb702aabf5e0
Candidates (Password / Hash):
Welcome / 83218ac34c1834c26781fe4bde918ee4
Thisisastrongpassword / 9d6fffda73e361025b92fb702aabf5e0 (matches the stored hash)
SAP NetWeaver Application Server ABAP
How does a user login work?
1. SAP GUI sends user name and password to the application server
2. The server calculates the password hash from the password and compares the calculated password hash with the password hash stored in table USR02 (User1 Pwd Hash, User2 Pwd Hash, …)
3. Successful user login if the password hash matches
What happens during user creation?
User creation in AS ABAP with SU01
- User administrator creates a user and enters a clear text password
- SAP system generates up to three* password hashes with different strengths for downward compatibility
* Depends on profile parameter login/password_downwards_compatibility
Table USR02
- Very Old Pwd Hash: BCODE (≤ 6.40)
- Old Pwd Hash: PASSCODE (7.00-7.01)
- Current Pwd Hash: PWDSALTEDHASH (≥ 7.02)
Some important details about available SAP NetWeaver AS ABAP password hashes!
Password hash creation is controlled by a profile parameter (7.00+): login/password_downwards_compatibility (refer to SAP Note 1458262)
– 0 = Only strongest password hash is calculated
– 1-5 = All three password hashes are calculated
Password hash / Release / Hash algorithm and code version / Security status:
BCODE / 3.1i / MD5-based (Code Version A-E) / Broken, full brute force is possible by an open source password cracker with GPU acceleration within max 20 hours
PASSCODE / 7.00-7.01 / SHA1-based (Code Version F) / Limited, duration of attack depends on password length and password complexity
PWDSALTEDHASH / 7.02 / Iterated salted SHA-1 (Code Version H) / State of the art, higher number of iterations slows down the hash calculation; usage of random salts prevents hash pre-calculation; password length and complexity mitigate dictionary attacks
Make PWDSALTEDHASH even more secure!
Setting / Value range or options / Default / Security tweaking:
Encoding / RFC2307 / RFC2307 / None
Algorithm / iSSHA-1 | iSSHA-256 | iSSHA-384 | iSSHA-512 / iSSHA-1 / None
Iterations / 1 – 4294967294 (≈ 2^32) / 1024 / 10000
Saltsize / 32 – 256 (divisible by 8) / 96 / None
Tweaking of PWDSALTEDHASH
Iterated salted SHA-1 is currently state of the art, but you can make it even harder for an attacker to perform brute-force / dictionary attacks by slowing down the hash calculation (i.e. by increasing the count of iterations).
Profile parameter login/password_hash_algorithm denotes which password hash algorithm is used for new / changed passwords.
Refer to SAP Notes 991968, 2076925, 2140269
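As an added illustration of the three preceding slides (what a password hash is, how the login recomputes a hash and compares it with the stored one, and why iterations and salts make PWDSALTEDHASH harder to attack), here is a small Python model. It is not SAP code and does not reproduce SAP's actual hash byte layout: legacy_hash stands in for an unsalted single-pass hash, iterated_salted_hash is a simplified iterated salted SHA construction that only borrows the slide's algorithm names, iteration counts and salt sizes, and the "{algorithm, iterations}base64(digest + salt)" record layout is an assumed RFC 2307 style encoding, not verified against the real PWDSALTEDHASH format.

```python
import base64
import hashlib
import hmac
import os

# Added illustration, not SAP code. The byte layout of the real PWDSALTEDHASH
# is NOT reproduced; this is a simplified iterated salted hash (assumption).
# Algorithm names are taken from the slide's option list.
ALGORITHMS = {"iSSHA-1": "sha1", "iSSHA-256": "sha256",
              "iSSHA-384": "sha384", "iSSHA-512": "sha512"}


def legacy_hash(password: str) -> str:
    """Unsalted single-pass hash (the weakness class of BCODE/PASSCODE):
    equal passwords give equal hashes, so one precomputed table of candidate
    hashes can be compared against every user's stored value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def iterated_salted_hash(password: str, salt: bytes, iterations: int,
                         algorithm: str = "iSSHA-1") -> bytes:
    """Simplified iterated salted hash: each round feeds the previous digest,
    the password and the salt back into the hash function, so every guess
    costs 'iterations' hash calls and the salt defeats precomputed tables."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    pw = password.encode("utf-8")
    name = ALGORITHMS[algorithm]
    digest = hashlib.new(name, pw + salt).digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(name, digest + pw + salt).digest()
    return digest


def create_record(password: str, iterations: int = 1024, salt_bits: int = 96,
                  algorithm: str = "iSSHA-1") -> str:
    """Build the stored value: an RFC 2307 style '{scheme, iterations}' prefix
    followed by base64(digest + salt). Defaults follow the slide's defaults
    (1024 iterations, 96-bit salt); the tweaked iteration value is 10000."""
    if salt_bits % 8 or not 32 <= salt_bits <= 256:
        raise ValueError("salt size must be 32-256 bits and divisible by 8")
    salt = os.urandom(salt_bits // 8)
    digest = iterated_salted_hash(password, salt, iterations, algorithm)
    return f"{{{algorithm}, {iterations}}}" + base64.b64encode(digest + salt).decode("ascii")


def verify_record(record: str, password: str) -> bool:
    """Login check: parse algorithm, iteration count and salt from the stored
    record, recompute the hash for the presented password and compare it in
    constant time with the stored digest."""
    header, encoded = record[1:].split("}", 1)
    algorithm, iterations = (part.strip() for part in header.split(","))
    blob = base64.b64decode(encoded)
    digest_size = hashlib.new(ALGORITHMS[algorithm]).digest_size
    stored, salt = blob[:digest_size], blob[digest_size:]
    computed = iterated_salted_hash(password, salt, int(iterations), algorithm)
    return hmac.compare_digest(stored, computed)


def wordlist_trial(record: str, candidates) -> tuple:
    """Model of what the slide describes (hash candidates until one matches),
    used here to show the cost side: returns (matching candidate or None,
    number of underlying hash calls spent). Raising the iteration count
    raises the second number for every candidate tried."""
    iterations = int(record[1:].split("}", 1)[0].split(",")[1])
    calls = 0
    for candidate in candidates:
        calls += iterations
        if verify_record(record, candidate):
            return candidate, calls
    return None, calls


if __name__ == "__main__":
    # Constructed sample passwords, taken from the slide's example table.
    print(legacy_hash("Welcome"), legacy_hash("Welcome"))  # identical: no salt
    a, b = create_record("Welcome"), create_record("Welcome")
    print(a != b, verify_record(a, "Welcome"), verify_record(a, "welcome"))
    print(wordlist_trial(create_record("Thisisastrongpassword", iterations=10000),
                         ["Welcome", "Thisisastrongpassword"]))
```

Two records for the same password differ because each carries its own random salt, yet both verify; the unsalted legacy hash is identical every time, which is exactly what makes a precomputed candidate table reusable across all users. The hash-call count returned by wordlist_trial is the quantity the iteration tweak (1024 to 10000) multiplies.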
Password hashes in SAP NetWeaver AS ABAP – Live hacking demo – exploiting the vulnerability
Let's hack an SAP system by exploiting weak password hashes!
Attack scenario (diagram)
1. Log on to the SAP NetWeaver Application Server ABAP via SAP GUI with a user who has table display access to USR02
2. Display and export the password hash table USR02 (Very Old Pwd Hash BCODE, Old Pwd Hash PASSCODE, Current Pwd Hash PWDSALTEDHASH for User1, …)
3. Run a password cracker against the exported hashes (User1 Password, User2 Password, …)
4. Log on with the user whose password was cracked
Impact of weak password hashes
Risk and impact
- Full control over SAP systems, bypassing any other SAP security controls
- Manipulation of data, which endangers legal compliance
- Data theft
- No traceability due to missing audit trail
- Unavailability of data and systems
- Manipulation of business processes in SAP systems is possible
What are the issues around password hashes in SAP systems?
SAP systems also store passwords with a broken password hash algorithm
- Refer to SAP Notes 1237762 and 1458262
Password hashes are stored in several tables, and these tables are not assigned to dedicated table authorization groups
- Depending on the SAP release, password hashes are stored in up to 6 tables / views
- By default, password hash tables are assigned to table authorization group SC (which contains many tables)
- Refer to SAP Note 1484692
- Refer to SAP Note 2024431, which provides a report to adjust TDDAT in customer landscapes
Comparison Table Authorization Group Assignment (Note 2024431)
As part of SAP corrections, adjustments to table authorization group assignments are delivered. However, it is not possible for SAP to adjust existing table entries.
The report TDDAT_COMPARE compares the table authorization group assignments delivered by SAP in Support Packages with the data in your system. In addition to the comparison state, the result list displays the relevant SAP Note number and the corresponding application component (screenshot columns: Customer Value, SAP Value).
It is recommended that customers use this report after importing a Support Package to check the table authorization group assignment, set it to the values recommended by SAP and adjust their authorization concept if necessary.
What are the issues around password hashes in SAP systems?
A large number of users has display access to the password hash tables
- Depending on the authorization concept, usually several hundred to several thousand users have access to password hash tables
Use SUIM for analysis:
- Auth Object S_TABU_DIS, Activity 03 (Display), Table Auth Group SC, SPWD and Table Auth Group #* (i.e. the full wildcard *)
Also check for:
- Auth Object S_TABU_NAM, Activity 03 (Display), Tables USR02, … and All tables #* (i.e. the full wildcard *)
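To make the two preceding slides concrete (the TDDAT comparison of Note 2024431 and the SUIM-style question "who can display the password hash tables?"), here is an added Python model. It is not the ABAP report TDDAT_COMPARE and not transaction SUIM; the table-to-authorization-group assignments, the sample users and their authorization values are constructed, and the wildcard semantics are a simplified version of SAP authorization value matching (value ranges are not modelled). Only USR02 and the groups SC/SPWD come from the slides.

```python
# Added example, not SAP's TDDAT_COMPARE report or transaction SUIM; the table
# assignments and user authorizations below are constructed sample data.

# Table authorization group assignment (TDDAT) as delivered by SAP with a
# Support Package: constructed sample (only USR02 -> SPWD reflects the slides).
SAP_DELIVERED_TDDAT = {"USR02": "SPWD", "USH02": "SPWD", "T000": "SC"}

# Assignment actually present in the customer system: USR02 still sits in the
# broad default group SC (constructed sample).
CUSTOMER_TDDAT = {"USR02": "SC", "USH02": "SPWD", "T000": "SC"}

# User authorizations as (object, field values): constructed sample users.
USERS = {
    "BASIS_ADMIN": [("S_TABU_DIS", {"DICBERCLS": ["*"], "ACTVT": ["03"]})],
    "KEYUSER":     [("S_TABU_DIS", {"DICBERCLS": ["SC"], "ACTVT": ["03"]})],
    "AUDITOR":     [("S_TABU_NAM", {"TABLE": ["USR02"], "ACTVT": ["03"]})],
    "CLERK":       [("S_TABU_DIS", {"DICBERCLS": ["M*"], "ACTVT": ["03"]})],
}


def compare_tddat(customer: dict, sap: dict) -> dict:
    """Tables whose customer auth group deviates from the SAP-delivered value,
    mapped to (customer value, SAP value), like the two report columns."""
    return {t: (customer.get(t), g) for t, g in sap.items() if customer.get(t) != g}


def value_matches(auth_value: str, actual: str) -> bool:
    """Simplified SAP authorization value semantics: '*' matches everything,
    a trailing '*' is a prefix wildcard, otherwise exact match."""
    if auth_value == "*":
        return True
    if auth_value.endswith("*"):
        return actual.startswith(auth_value[:-1])
    return auth_value == actual


def can_display_table(auths: list, table: str, tddat: dict) -> bool:
    """True if an S_TABU_DIS authorization (by auth group) or an S_TABU_NAM
    authorization (by table name) grants activity 03 for the table."""
    group = tddat.get(table)
    for obj, fields in auths:
        if not any(value_matches(v, "03") for v in fields.get("ACTVT", [])):
            continue
        if obj == "S_TABU_DIS" and group is not None and \
                any(value_matches(v, group) for v in fields.get("DICBERCLS", [])):
            return True
        if obj == "S_TABU_NAM" and any(value_matches(v, table) for v in fields.get("TABLE", [])):
            return True
    return False


def users_with_display_access(users: dict, table: str, tddat: dict) -> list:
    """The SUIM-style question: which users can display the given table?"""
    return sorted(u for u, auths in users.items() if can_display_table(auths, table, tddat))


if __name__ == "__main__":
    print("deviations:", compare_tddat(CUSTOMER_TDDAT, SAP_DELIVERED_TDDAT))
    print("before:", users_with_display_access(USERS, "USR02", CUSTOMER_TDDAT))
    print("after :", users_with_display_access(USERS, "USR02", SAP_DELIVERED_TDDAT))
```

Moving USR02 from SC to SPWD removes the key user's access, but the full wildcard in S_TABU_DIS and the table-name authorization S_TABU_NAM still grant display access, which is why the slide says to check both objects and the wildcard value.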
Which password hash is compared during user login?
User login to SAP NetWeaver AS ABAP 7.02 with login/password_downwards_compatibility* = 0/1
- Code version per user (field CODVN) controls which password hash is used for a user authentication
* login/password_downwards_compatibility >= 2 for additional activation of old BCODE
1. SAP GUI sends user name and password to the SAP NetWeaver Application Server ABAP
2. The server calculates the password hash and compares the calculated password hash with the stored password hash in table USR02 (Very Old Pwd Hash BCODE, Old Pwd Hash PASSCODE, Current Pwd Hash PWDSALTEDHASH for User1, …)
3. Successful user login if the password hash matches
Password hashes in SAP NetWeaver AS ABAP – SAP Runs SAP: How do we protect our SAP internal systems?
SAP Runs SAP: Approach for password hash protection
Restrict display access to password hash tables
- All password hash tables have been assigned to the dedicated table authorization group SPWD
- Authorization concept was adjusted to minimize the number of users with display access to password hash tables
Activate that only new password hashes are created for users
- Check that the CUA system generates all three password hashes
- Change profile parameter on all systems: login/password_downwards_compatibility = 0
- Exclude the CUA system if it is connected to systems that do not support PWDSALTEDHASH
Enforcement of single sign-on for personal users
- Users which have an exception from single sign-on are defined in SU01 – tab SNC
- Enforce single sign-on for SAP GUI communication (snc/accept_insecure_gui = U)
SAP Runs SAP: Approach for password hash protection
Re-enforce / adjust password policies
- Removed passwords for all single sign-on users
- Changed all technical users to user type SYSTEM to exclude them from the password policy
- Adjusted password policy by updating profile parameters (e.g. login/min_password_lng)
- Enforced password policy by setting profile parameters (login/password_compliance_to_current_policy)
Clean up old password hashes
- Execution of report CLEANUP_PASSWORD_HASH_VALUES, which deletes redundant password hashes (cross-client)
Before (Table USR02): Very Old Pwd Hash BCODE (≤ 6.40), Old Pwd Hash PASSCODE (7.00-7.01), Current Pwd Hash PWDSALTEDHASH (≥ 7.02)
Cleanup Report CLEANUP_PASSWORD_HASH_VALUES
After (Table USR02): Current Pwd Hash PWDSALTEDHASH (≥ 7.02)
SAP Runs SAP: Internal implementation of password hash protection
Scope of our SAP internal implementation
- Business-critical systems of SAP (such as SAP's own SAP ERP system)
- About 40 productive landscapes with roughly 200 single systems
Timelines of our SAP internal implementation
- 2009: Start with first analysis of password hash issues
- 2010: First pilot implementation
- End of 2010: Rollout to productive landscapes completed
SAP Runs SAP: Internal implementation of password hash protection
Issues faced during implementation – lessons learned
- Even with single sign-on, password hashes might be stored for users
- Password policy settings (based on profile parameters) affect all clients
- Clean-up of redundant password hashes did not cause any problems
- Hardly possible to remove all BCODE password hashes in systems that have existed for some years (such as technical user accounts with only BCODE password hashes)
- Setting login/password_downwards_compatibility = 0 after system installation saves lots of effort and discussions with operations
- Get the reasons if login/password_downwards_compatibility has values >= 2 before changing it to 0
SAP Runs SAP: Monitoring of ABAP password hash generation
Part 1: ABAP password hash generation depends on several independent settings
- Profile parameters (e.g. login/password_downwards_compatibility, login/min_password_lng, login/password_compliance_to_current_policy)
- Table authorization groups for password hash tables
- Usage of SAP Solution Manager – Configuration Validation at SAP
See also: How to use SAP Security Baseline and Configuration Validation (NET38927)
SAP Runs SAP: Monitoring of ABAP password hash access
Part 2: ABAP password hash access depends on several independent settings
- Percentage of users with weak password hashes (monitoring options currently under evaluation)
  – Idea: Percentage of users with weak BCODE password hashes shall be 5% or less per user type
- Authorization roles allowing display access to password hash tables (monitoring options currently under evaluation)
- Usage of SAP Solution Manager – Configuration Validation currently under evaluation
See also: How to use SAP Security Baseline and Configuration Validation (NET38927)
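The following Python model, added here and not the ABAP report CLEANUP_PASSWORD_HASH_VALUES itself, ties together two earlier points: the clean-up that removes the BCODE/PASSCODE copies wherever a PWDSALTEDHASH exists (and why an account that has only an old hash cannot be cleaned up, as noted in the lessons learned), and the proposed monitoring KPI of at most 5% users with BCODE hashes per user type. The USR02 rows, user names and hash strings are constructed placeholders; the user type codes A (Dialog) and B (System) are the standard USTYP values.

```python
from collections import defaultdict

# Added model of the clean-up and the monitoring KPI described on the slides;
# it is not the ABAP report CLEANUP_PASSWORD_HASH_VALUES, and the rows below
# are constructed sample data with placeholder hash strings.

WEAK_HASH_FIELDS = ("BCODE", "PASSCODE")
USER_TYPES = {"A": "Dialog", "B": "System", "S": "Service", "C": "Communication"}


def row(bname, ustyp, codvn, bcode="", passcode="", salted=""):
    """One USR02-like row; CODVN is the code version of the hash used at login."""
    return {"BNAME": bname, "USTYP": ustyp, "CODVN": codvn,
            "BCODE": bcode, "PASSCODE": passcode, "PWDSALTEDHASH": salted}


USR02_SAMPLE = [
    row("ALICE", "A", "H", "B1", "P1", "{iSSHA-1, 1024}H1"),
    row("BOB",   "A", "H", "B2", "P2", "{iSSHA-1, 1024}H2"),
    row("CAROL", "A", "B", "B3"),                       # password unchanged since BCODE days
    row("DAVE",  "A", "H", "B4", "P4", "{iSSHA-1, 1024}H4"),
    row("ERIN",  "A", "H", "", "", "{iSSHA-1, 1024}H5"),  # created with downwards_compatibility = 0
    row("RFC_ALPHA", "B", "H", "B6", "P6", "{iSSHA-1, 1024}H6"),
    row("RFC_BETA",  "B", "H", "B7", "P7", "{iSSHA-1, 1024}H7"),
]


def cleanup_redundant_hashes(rows):
    """Model of the clean-up: where a PWDSALTEDHASH exists, the BCODE and
    PASSCODE copies are redundant and are removed. A user with ONLY an old
    hash keeps it (it cannot be upgraded without the password) and is listed
    separately so that a password change can be requested. The input rows
    are left untouched; returns (cleaned rows, users needing a change, count)."""
    cleaned, needs_pw_change, removed = [], [], 0
    for r in rows:
        r = dict(r)
        if r["PWDSALTEDHASH"]:
            for field in WEAK_HASH_FIELDS:
                if r[field]:
                    r[field] = ""
                    removed += 1
        else:
            needs_pw_change.append(r["BNAME"])
        cleaned.append(r)
    return cleaned, needs_pw_change, removed


def weak_hash_share(rows):
    """Percentage of users per user type that still carry a BCODE hash."""
    total, weak = defaultdict(int), defaultdict(int)
    for r in rows:
        total[r["USTYP"]] += 1
        if r["BCODE"]:
            weak[r["USTYP"]] += 1
    return {t: round(100.0 * weak[t] / total[t], 1) for t in total}


def kpi_violations(rows, threshold=5.0):
    """User types above the slide's proposed threshold (5% BCODE users)."""
    return sorted(t for t, pct in weak_hash_share(rows).items() if pct > threshold)


if __name__ == "__main__":
    print("before:", weak_hash_share(USR02_SAMPLE), kpi_violations(USR02_SAMPLE))
    cleaned, pending, removed = cleanup_redundant_hashes(USR02_SAMPLE)
    print("removed", removed, "redundant hashes; password change needed for", pending)
    print("after :", weak_hash_share(cleaned),
          {t: USER_TYPES[t] for t in kpi_violations(cleaned)})
```

After the clean-up the System users are at 0%, but the Dialog type stays above 5% because of the BCODE-only account, which is the situation the lessons learned describe: the remaining weak hashes disappear only when those users set a new password.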
SAP Runs SAP: Monitoring of ABAP password hash access
Result in Configuration Validation reporting (screenshots):
- Target System ABAP_INSTANCE_PAHI, configuration item login/password_downwards_compatibility
- Target System USER_PASSWD_HASH_USAGE
Summary
Three key messages to take away!
- Give priority to these 3 security topics: define an approach, start implementation and set up a proper security configuration monitoring
- Guard your SAP systems properly, using state-of-the-art security technology and know-how
- Hacking is real – create awareness and stay alert
SAP TechEd Online
Continue your SAP TechEd education after the event! Access replays of keynotes, Demo Jam, SAP TechEd live interviews, select lecture sessions, hands-on sessions, …
Further information
Related SAP TechEd sessions:
- SEC204 - Live on Stage: Monthly Security Patch Webinar
- SEC200 - Find the Hackers in Your Landscape with SAP Enterprise Threat Detection
- NET38927 - How to use SAP Security Baseline and Configuration Validation
SAP Public Web:
- Why you should really get rid of old password hashes *NOW*: http://scn.sap.com/community/security/blog/2014/05/08/-why-you-should-really-get-rid-of-old-password-hashes--now
- SAP Note 1237762 - ABAP systems: Protection against password hash attacks
- SAP Note 1458262 - ABAP: recommended settings for password hash algorithms
- SAP Note 1484692 - Protect read access to password hash value tables
SAP Education and Certification Opportunities: www.sap.com/education
Watch SAP TechEd Online: www.sapteched.com/online
Feedback
Please complete your session evaluation for SEC203
Contact information: Bjoern Brencher, SAP Global Security – Secure Operations, [email protected], Twitter: @reginfo
© 2016 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://www.sap.com/corporate-en/about/legal/copyright/index.html for additional trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.