Public SEC203 SAP Runs SAP: How to Protect ABAP Applications Against Password Cracking


Page 1

SEC203 – SAP Runs SAP: How to Protect ABAP Applications Against Password Cracking

Page 2

© 2016 SAP SE or an SAP affiliate company. All rights reserved. 2 Public

Speakers

- Chandan Veerabhadra Setty
- Frank Buchholz
- Bjoern Brencher

SAP TechEd locations and dates: Bangalore, October 5 - 7; Las Vegas, Sept 19 - 23; Barcelona, Nov 8 - 10

Page 3

Disclaimer

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. Except for your obligation to protect confidential information, this presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or any related document, or to develop or release any functionality mentioned therein.

This presentation, or any related document and SAP's strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this presentation is not a commitment, promise or legal obligation to deliver any material, code or functionality.

This presentation is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This presentation is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this presentation, except if such damages were caused by SAP’s intentional or gross negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

Page 4

Abstract

Still struggling with the challenge of configuring your ABAP-based SAP solutions securely? For user authentication purposes, ABAP applications have to store user passwords in a hashed version. After demonstrating how to steal and crack password hashes in an ABAP application on the SAP NetWeaver technology platform, SAP’s own internal security experts will explain suitable protection mechanisms.

Page 5

Agenda

- Common attack points for SAP NetWeaver Application Server ABAP
- Password hashes in SAP NetWeaver Application Server ABAP
  - Introduction to the vulnerability
  - Live hacking demo – exploiting the vulnerability
  - SAP Runs SAP: How do we protect our SAP internal systems?
- Summary

Page 6

Common attack points for SAP NetWeaver AS ABAP

Page 7

SAP Runs SAP: Common attack points to SAP ABAP systems

- Firewalls
- Security Notes
- Standard Users
- Authorizations
- RFC Gateway*
- Encryption
- Password Hashes

* The RFC gateway is a technical component in the SAP kernel. It is not the product SAP NetWeaver Gateway.

Page 8

SAP Runs SAP: Common attack points to SAP ABAP systems

Each of the three vulnerabilities allows easy full access to SAP systems within minutes:

- Standard users with default passwords: default passwords not changed for all users; client 066 is not considered as customer responsibility
- Weak password hashes: usage of weak password hashes; often display access for most users in the system
- Unsecured RFC gateway: very technical topic with high complexity; elaborate implementation

Page 9

SAP security and GRC access governance portfolio (diagram)

Platforms covered: SAP Business Suite, SAP HANA Cloud Platform, SAP NetWeaver Application Server, SAP HANA, S/4 HANA, SAP Cloud Applications, 3rd Party Systems

Solutions and their goals as shown in the diagram:

- SAP Access Control, SAP Identity Management, SAP Single Sign-On: make it simple for users to do what they are allowed to do; know your users and what they can do; ensure corporate compliance to regulatory requirements
- Platform Security: make sure that SAP solutions run securely
- SAP Enterprise Threat Detection: counter possible threats and identify attacks
- Add-On for Code Vulnerability Analysis: find and correct vulnerabilities in customer code
- SAP Cloud Identity Access Governance services (identity authentication service, identity provisioning service, access analysis service): manage access, users and compliance in the cloud

Page 10

SAP Runs SAP: What we did to protect our own systems at SAP – Standard users with default passwords

Timeline (2005, 2008, 2009, 2010), track "Standard users with default passwords":

- Define handling of standard users with default passwords
- Rollout to all critical landscapes
- Define monitoring procedure

Page 11

SAP Runs SAP: What we did to protect our own systems at SAP – Unsecured RFC gateway

Timeline (2005, 2008, 2009, 2010), tracks shown: "Standard users with default passwords", "Unsecured RFC gateway". Steps of the RFC gateway track:

- Define protection of the RFC gateway for our own SAP business systems
- Run pilot implementation for one system landscape
- Rollout to all critical landscapes
- Define monitoring procedure

Page 12

SAP Runs SAP: What we did to protect our own systems at SAP – Weak password hashes

Timeline (2005, 2008, 2009, 2010), tracks shown: "Standard users with default passwords", "Unsecured RFC gateway", "Weak password hashes". Steps of the password hash track:

- Define approach how to protect password hashes
- Run pilot implementation for one system landscape
- Rollout to all critical landscapes

Page 13

Password hashes in SAP NetWeaver AS ABAP – Introduction to the vulnerability

Page 14

Release notes of the open source password recovery tool oclHashcat v1.20: https://hashcat.net/forum/thread-3323.html

“In other words, even if you use crazy keycodes in your password, [BCODE] will be cracked in max. 20 hours. It's hopeless.”

Page 15

What is a password hash?

Some information about password hashes:

- Passwords are hashed with password hash functions to store them securely
- Password hash algorithms are one-way: original passwords cannot be derived from their hash values
- Password hash attacks are always possible, just the speed is different
- But password hashes can be generated from potential passwords until password hashes match

Illustration (candidate passwords are hashed until a hash matches the stored one):

- Stored: Password "Thisisastrongpassword" – Hash 9d6fffda73e361025b92fb702aabf5e0
- Candidate: Password "Welcome" – Hash 83218ac34c1834c26781fe4bde918ee4 (no match)
- Candidate: Password "Thisisastrongpassword" – Hash 9d6fffda73e361025b92fb702aabf5e0 (match)

Page 16

SAP NetWeaver Application Server ABAP

How does a user login work?

1. The user enters user name and password in SAP GUI
2. The application server calculates the password hash from the password and compares the calculated password hash with the stored password hash in table USR02 (User1 – Pwd Hash, User2 – Pwd Hash, …)
3. Successful user login if the password hash matches

Page 17

What happens during user creation?

User creation in AS ABAP with SU01:

- The user administrator creates a user and enters a clear text password
- The SAP system generates up to three* password hashes with different strengths for downward compatibility

* Depends on profile parameter login/password_downwards_compatibility

Table USR02 then holds:

- Very old password hash: BCODE (≤ 6.40)
- Old password hash: PASSCODE (7.00-7.01)
- Current password hash: PWDSALTEDHASH (≥ 7.02)

Page 18

Some important details about available SAP NetWeaver AS ABAP password hashes!

Password hash creation is controlled by a profile parameter (7.00+): login/password_downwards_compatibility (refer to SAP Note 1458262)

– 0 = Only the strongest password hash is calculated
– 1-5 = All three password hashes are calculated

| Password hash | Release | Hash algorithm / code version | Security status |
|---|---|---|---|
| BCODE | 3.1i | MD5-based (code version A-E) | Broken, full brute force is possible by an open source password cracker with GPU acceleration within max 20 hours |
| PASSCODE | 7.00-7.01 | SHA1-based (code version F) | Limited, duration of attack depends on password length and password complexity |
| PWDSALTEDHASH | 7.02 | Iterated salted SHA-1 (code version H) | State of the art, a higher number of iterations slows down the hash calculation; usage of random salts prevents hash pre-calculation; password length and complexity mitigate dictionary attacks |

Page 19

Make PWDSALTEDHASH even more secure!

| Option | Value range | Default | Security tweaking |
|---|---|---|---|
| Encoding | RFC2307 | RFC2307 | None |
| Algorithm | iSSHA-1, iSSHA-256, iSSHA-384, iSSHA-512 | iSSHA-1 | None |
| Iterations | 1 – 4294967294 (about 2^32) | 1024 | 10000 |
| Saltsize | 32 – 256 (divisible by 8) | 96 | None |

Tweaking of PWDSALTEDHASH

Iterated salted SHA-1 is currently state of the art, but you can make it even harder for an attacker to perform brute-force / dictionary attacks by slowing down the hash calculation (i.e. increasing the number of iterations).

Profile parameter login/password_hash_algorithm denotes which password hash algorithm is used for new / changed passwords.

Refer to SAP notes 991968, 2076925, 2140269
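As an added example (not code from the slides or from SAP), the following Python checks a login/password_hash_algorithm value against the option table above and models, with a generic iterated salted hash, why a higher iteration count and random salts raise the cost of every guess. The comma-separated key=value layout of the parameter, the "{x-issha, N}" string layout and the iteration loop are assumptions of this model, not SAP's implementation.

```python
"""Check a login/password_hash_algorithm value against the PWDSALTEDHASH option
table and model why iterations and random salts raise the cracking cost."""
import base64
import hashlib
import hmac
import os

# Value ranges, defaults and the tweak from the slide's table
ALGORITHMS = {"iSSHA-1": "sha1", "iSSHA-256": "sha256",
              "iSSHA-384": "sha384", "iSSHA-512": "sha512"}
ITERATIONS_RANGE = (1, 4294967294)
SALTSIZE_RANGE = (32, 256)          # bits, must be divisible by 8
RECOMMENDED_ITERATIONS = 10000      # "Security tweaking" column


def parse_hash_algorithm_parameter(value):
    """Split 'encoding=RFC2307, algorithm=iSSHA-1, iterations=1024, saltsize=96'
    into a dict (comma-separated key=value layout of the parameter assumed)."""
    opts = {}
    for part in value.split(","):
        key, _, val = part.partition("=")
        if key.strip():
            opts[key.strip().lower()] = val.strip()
    return opts


def check_hash_algorithm_parameter(value):
    """Findings against the value ranges and the recommended iteration count;
    an empty list means the parameter is within range and tweaked."""
    opts = parse_hash_algorithm_parameter(value)
    findings = []
    if opts.get("encoding") != "RFC2307":
        findings.append("encoding must be RFC2307")
    if opts.get("algorithm") not in ALGORITHMS:
        findings.append("algorithm must be one of " + ", ".join(ALGORITHMS))
    iterations = int(opts["iterations"]) if opts.get("iterations", "").isdigit() else None
    lo, hi = ITERATIONS_RANGE
    if iterations is None or not lo <= iterations <= hi:
        findings.append("iterations must be within %d-%d" % (lo, hi))
    elif iterations < RECOMMENDED_ITERATIONS:
        findings.append("iterations=%d is below the recommended %d"
                        % (iterations, RECOMMENDED_ITERATIONS))
    saltsize = int(opts["saltsize"]) if opts.get("saltsize", "").isdigit() else None
    lo, hi = SALTSIZE_RANGE
    if saltsize is None or not lo <= saltsize <= hi or saltsize % 8:
        findings.append("saltsize must be %d-%d bits and divisible by 8" % (lo, hi))
    return findings


def iterated_salted_hash(password, salt, iterations, algorithm="iSSHA-1"):
    """Generic iterated salted construction: H(password || salt), then
    H(digest || password) for the remaining rounds. It illustrates the work
    factor only; it is not SAP's exact PWDSALTEDHASH algorithm, which the
    slides do not specify."""
    name = ALGORITHMS[algorithm]
    pw = password.encode("utf-8")
    digest = hashlib.new(name, pw + salt).digest()
    for _ in range(iterations - 1):   # each extra round is one more hash call per guess
        digest = hashlib.new(name, digest + pw).digest()
    return digest


def store_password(password, iterations=RECOMMENDED_ITERATIONS, saltsize=96):
    """RFC2307-style '{scheme, iterations}base64(digest || salt)' with a fresh
    random salt; the exact SAP string layout is an assumption of this model."""
    salt = os.urandom(saltsize // 8)
    digest = iterated_salted_hash(password, salt, iterations)
    return "{x-issha, %d}%s" % (iterations, base64.b64encode(digest + salt).decode("ascii"))


def verify_password(password, stored):
    """Recompute with the salt and iteration count taken from the stored value."""
    header, _, body = stored.partition("}")
    iterations = int(header.split(",")[1])
    raw = base64.b64decode(body)
    digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes, the rest is the salt
    return hmac.compare_digest(iterated_salted_hash(password, salt, iterations), digest)


def same_password_distinct_hashes(password):
    """Two stores of the same password differ because of the random salt, so a
    hash table precomputed for one user's salt does not apply to the next."""
    return store_password(password) != store_password(password)
```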

Page 20

Password hashes in SAP NetWeaver AS ABAP – Live hacking demo – exploiting the vulnerability

Page 21

Let’s hack an SAP system by exploiting weak password hashes!

Attack scenario (diagram):

1. Log on to an SAP system via SAP GUI (user name and password) with a user who has table display access to USR02
2. Display and export the password hash table USR02 (columns: very old password hash BCODE, old password hash PASSCODE, current password hash PWDSALTEDHASH; rows User1, …)
3. Feed the export to a password cracker, which returns User1 – Password, User2 – Password, …

Page 22

Let’s hack an SAP system by exploiting weak password hashes!

Attack scenario (same diagram as the previous page, with the final step):

1. Log on to an SAP system via SAP GUI (user name and password) with a user who has table display access to USR02
2. Display and export the password hash table USR02 (very old password hash BCODE, old password hash PASSCODE, current password hash PWDSALTEDHASH; User1, …)
3. Feed the export to a password cracker, which returns User1 – Password, User2 – Password, …
4. Log on to the SAP system as a user with a cracked password

Page 23

Impact of weak password hashes

Risk and impact:

- Full control over SAP systems, bypassing any other SAP security controls
- Manipulation of data, which endangers legal compliance
- Data theft
- No traceability due to missing audit trail
- Unavailability of data and systems
- Manipulation of business processes in SAP systems is possible

Page 24

What are the issues around password hashes in SAP systems?

- SAP systems also store passwords with a broken password hash algorithm
  - Refer to SAP notes 1237762 and 1458262
- Password hashes are stored in several tables, and the tables are not assigned to a special table authorization group
  - Depending on the SAP release, password hashes are stored in up to 6 tables / views
  - By default, password hash tables are assigned to table authorization group SC (which contains many tables)
  - Refer to SAP note 1484692
  - Refer to SAP note 2024431, which provides a report to adjust TDDAT in customer landscapes

Page 25

Comparison Table Authorization Group Assignment (Note 2024431)

As part of SAP corrections, adjustments to table authorization group assignments are delivered. However, it is not possible for SAP to adjust existing table entries.

The report TDDAT_COMPARE compares the table authorization group assignments delivered by SAP in Support Packages with the data in your system. In addition to the comparison state, the result list displays the relevant SAP Note number and the corresponding application component.

It is recommended that customers use this report after importing a Support Package to check the table authorization group assignment, set it to the values recommended by SAP and adjust their authorization concept if necessary.

(Screenshot of the result list with the columns Customer Value and SAP Value)

Page 26

What are the issues around password hashes in SAP systems?

- A large number of users have display access to the password hash tables
  - Depending on the authorization concept, usually several hundred to several thousand users have access to password hash tables

Use SUIM for analysis:

- Auth object S_TABU_DIS, activity 03 (Display), table auth group SC, SPWD – and table auth group #*
- Also check for auth object S_TABU_NAM, activity 03 (Display), tables USR02, … – and all tables #*
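Added example (not from the slides or from SAP): a Python model of the SUIM analysis above combined with the TDDAT assignment from the two previous pages, showing how moving the hash tables from group SC to SPWD shrinks the set of users who can display them while S_TABU_NAM grants on the table name remain. The authorization data is constructed; USH02 and USRPWDHISTORY are assumed as further hash tables next to USR02 (SAP Note 1484692 has the complete list).

```python
"""Model of the SUIM analysis: who can display the password hash tables via
S_TABU_DIS (table authorization group) or S_TABU_NAM (table name), and how
the TDDAT assignment SC -> SPWD changes the answer."""

DISPLAY = "03"
# USR02 is named on the slides; USH02 and USRPWDHISTORY are assumed here as
# further password hash tables (SAP Note 1484692 lists the complete set).
PASSWORD_HASH_TABLES = ("USR02", "USH02", "USRPWDHISTORY")

# Constructed authorization data (not from a real system): per user, the
# S_TABU_DIS values (ACTVT, DICBERCLS) and S_TABU_NAM values (ACTVT, TABLE).
# "*" stands for the full-wildcard value (entered as #* in SUIM).
SAMPLE_AUTHS = {
    "BASIS_ADMIN": {"S_TABU_DIS": [("*", "*")], "S_TABU_NAM": []},
    "SUPPORT_1":   {"S_TABU_DIS": [("03", "SC")], "S_TABU_NAM": []},
    "SUPPORT_2":   {"S_TABU_DIS": [("03", "SC"), ("03", "SS")], "S_TABU_NAM": []},
    "AUDITOR":     {"S_TABU_DIS": [("03", "SPWD")], "S_TABU_NAM": []},
    "DEVELOPER":   {"S_TABU_DIS": [("03", "SS")], "S_TABU_NAM": [("03", "USR02")]},
    "ENDUSER":     {"S_TABU_DIS": [], "S_TABU_NAM": []},
}

# TDDAT assignment before the correction (default group SC) and the SAP
# recommended assignment to the dedicated group SPWD
TDDAT_BEFORE = {"USR02": "SC", "USH02": "SC", "USRPWDHISTORY": "SC"}
TDDAT_AFTER = {table: "SPWD" for table in PASSWORD_HASH_TABLES}


def _covers(auth_value, wanted):
    """An authorization field value matches if it is the wildcard or equal."""
    return auth_value == "*" or auth_value == wanted


def can_display_table(user_auths, table, tddat):
    """True if S_TABU_DIS grants display for the table's authorization group
    or S_TABU_NAM grants display for the table name (either is sufficient).
    A table without TDDAT entry counts as group &NC& (not classified)."""
    group = tddat.get(table, "&NC&")
    for actvt, dicbercls in user_auths.get("S_TABU_DIS", []):
        if _covers(actvt, DISPLAY) and _covers(dicbercls, group):
            return True
    for actvt, name in user_auths.get("S_TABU_NAM", []):
        if _covers(actvt, DISPLAY) and _covers(name, table):
            return True
    return False


def hash_table_readers(auths, tddat):
    """Sorted users that can display at least one password hash table."""
    return sorted(user for user, a in auths.items()
                  if any(can_display_table(a, t, tddat) for t in PASSWORD_HASH_TABLES))


def compare_tddat(customer, sap_expected):
    """What TDDAT_COMPARE reports: (table, customer value, SAP value) per mismatch."""
    return [(t, customer.get(t), g) for t, g in sap_expected.items()
            if customer.get(t) != g]


if __name__ == "__main__":
    print("readers with hash tables in SC:  ", hash_table_readers(SAMPLE_AUTHS, TDDAT_BEFORE))
    print("readers with hash tables in SPWD:", hash_table_readers(SAMPLE_AUTHS, TDDAT_AFTER))
    print("TDDAT mismatches:", compare_tddat(TDDAT_BEFORE, TDDAT_AFTER))
```

Note that DEVELOPER keeps access after the SPWD reassignment through S_TABU_NAM on USR02, which is why the slide asks to check both objects.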

Page 27

Which password hash is compared during user login?

User login to SAP NetWeaver AS ABAP 7.02 with login/password_downwards_compatibility* = 0/1:

- The code version per user (field CODVN) controls which password hash is used for user authentication
- * login/password_downwards_compatibility >= 2 additionally activates the old BCODE

Login flow (diagram):

1. The user enters user name and password in SAP GUI
2. SAP NetWeaver Application Server ABAP calculates the password hash and compares the calculated password hash with the stored password hash in table USR02 (very old password hash BCODE, old password hash PASSCODE, current password hash PWDSALTEDHASH; User1, …)
3. Successful user login if the password hash matches

Page 28

Password hashes in SAP NetWeaver AS ABAP – SAP Runs SAP: How do we protect our SAP internal systems?

Page 29

SAP Runs SAP: Approach for password hash protection

Restrict display access to password hash tables
- All password hash tables have been assigned to the dedicated table authorization group SPWD
- The authorization concept was adjusted to minimize the number of users with display access to password hash tables

Activate that only new password hashes are created for users
- Check that the CUA system generates all three password hashes
- Change the profile parameter on all systems: login/password_downwards_compatibility = 0
- Exclude the CUA system if it is connected to systems that do not support PWDSALTEDHASH

Enforcement of single sign-on for personal users
- Defined which users have an exception from single sign-on (SU01, tab SNC)
- Enforce single sign-on for SAP GUI communication (snc/accept_insecure_gui = U)

Page 30

SAP Runs SAP: Approach for password hash protection

Re-enforce / adjust password policies
- Removed passwords for all single sign-on users
- Changed all technical users to user type SYSTEM to exclude them from the password policy
- Adjusted the password policy by updating profile parameters (e.g. login/min_password_lng)
- Enforced the password policy by setting profile parameters (login/password_compliance_to_current_policy)

Clean up old password hashes
- Execution of report CLEANUP_PASSWORD_HASH_VALUES, which deletes redundant password hashes (cross-client)

Diagram: before the cleanup report, table USR02 holds the very old password hash BCODE (≤ 6.40), the old password hash PASSCODE (7.00-7.01) and the current password hash PWDSALTEDHASH (≥ 7.02); after CLEANUP_PASSWORD_HASH_VALUES only the current password hash PWDSALTEDHASH (≥ 7.02) remains.

Page 31

SAP Runs SAP: Internal implementation of password hash protection

Scope of our SAP internal implementation
- Business-critical systems of SAP (such as SAP’s own SAP ERP system)
- About 40 productive landscapes with roughly 200 single systems

Timelines of our SAP internal implementation
- 2009: Start with first analysis of password hash issues
- 2010: First pilot implementation
- End of 2010: Rollout to productive landscapes completed

Page 32

SAP Runs SAP: Internal implementation of password hash protection

Issues faced during implementation – lessons learned

- Even with single sign-on, password hashes might be stored for users
- Password policy settings (based on profile parameters) affect all clients
- Clean-up of redundant password hashes did not cause any problems
- It is hardly possible to remove all BCODE password hashes in systems that have existed for some years (such as technical user accounts with only BCODE password hashes)
- Setting login/password_downwards_compatibility = 0 right after system installation saves lots of effort and discussions with operations
- Find out the reasons if login/password_downwards_compatibility has a value >= 2 before changing it to 0

Page 33

SAP Runs SAP: Monitoring of ABAP password hash generation

Part 1: ABAP password hash generation depends on several independent settings

- Profile parameters (e.g. login/password_downwards_compatibility, login/min_password_lng, login/password_compliance_to_current_policy)
- Table authorization groups for password hash tables
- Usage of SAP Solution Manager – Configuration Validation at SAP

See also session NET38927 – How to use SAP Security Baseline and Configuration Validation

Page 34

SAP Runs SAP: Monitoring of ABAP password hash access

Part 2: ABAP password hash access depends on several independent settings

- Percentage of users with weak password hashes (monitoring options currently under evaluation)
  – Idea: the percentage of users with weak BCODE password hashes shall be 5% or less per user type
- Authorization roles allowing display access to password hash tables (monitoring options currently under evaluation)
- Usage of SAP Solution Manager – Configuration Validation currently under evaluation

See also session NET38927 – How to use SAP Security Baseline and Configuration Validation
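Added example (not from the slides or from SAP): Python over a constructed USR02 export that implements the 5% KPI per user type described above, the CODVN-based hash selection from page 27, and the distinction between redundant and sole BCODE hashes behind the cleanup report (page 30) and the lessons learned (page 32). The CSV column layout of the export is an assumption.

```python
"""Monitoring of weak password hashes per user type (the KPI idea from the
slide) and of which stored hash the login would compare per user (CODVN)."""
import csv
import io

# Code versions from the password hash table on page 18
CODE_VERSION_HASH = {"A": "BCODE", "B": "BCODE", "C": "BCODE", "D": "BCODE", "E": "BCODE",
                     "F": "PASSCODE", "H": "PWDSALTEDHASH"}
WEAK_SHARE_THRESHOLD = 5.0     # percent of users with a BCODE hash, per user type

# Constructed sample of an USR02 export (not real data). USTYP: A = dialog,
# B = system, S = service. The HAS_* columns say whether the hash field is filled.
SAMPLE_USR02 = """BNAME,USTYP,CODVN,HAS_BCODE,HAS_PASSCODE,HAS_PWDSALTEDHASH
ALICE,A,H,0,0,1
BOB,A,H,1,1,1
CAROL,A,B,1,0,0
BATCH_ERP,B,H,1,1,1
RFC_CRM,B,E,1,0,0
RFC_BW,B,H,0,0,1
SVC_PORTAL,S,F,0,1,0
"""


def load_usr02(text):
    """Parse the CSV export into rows with boolean hash-presence flags."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({"BNAME": rec["BNAME"], "USTYP": rec["USTYP"], "CODVN": rec["CODVN"],
                     "BCODE": rec["HAS_BCODE"] == "1",
                     "PASSCODE": rec["HAS_PASSCODE"] == "1",
                     "PWDSALTEDHASH": rec["HAS_PWDSALTEDHASH"] == "1"})
    return rows


def hash_used_at_login(row, downwards_compatibility):
    """Which stored hash the login compares: CODVN selects it, and BCODE is only
    activated when login/password_downwards_compatibility >= 2 (page 27).
    None means no usable password hash exists for this user."""
    selected = CODE_VERSION_HASH.get(row["CODVN"])
    if selected == "BCODE" and downwards_compatibility < 2:
        return None
    return selected


def weak_hash_share(rows):
    """Per user type: user count, users with a BCODE hash, percentage and
    whether the 5% target is met."""
    stats = {}
    for row in rows:
        s = stats.setdefault(row["USTYP"], {"users": 0, "bcode": 0})
        s["users"] += 1
        s["bcode"] += int(row["BCODE"])
    for s in stats.values():
        s["percent"] = round(100.0 * s["bcode"] / s["users"], 1)
        s["ok"] = s["percent"] <= WEAK_SHARE_THRESHOLD
    return stats


def users_depending_on_weak_hash(rows, downwards_compatibility):
    """Users whose password login would be decided by BCODE or PASSCODE."""
    return sorted(r["BNAME"] for r in rows
                  if hash_used_at_login(r, downwards_compatibility) in ("BCODE", "PASSCODE"))


def classify_bcode_users(rows):
    """Split BCODE carriers into redundant ones (a PWDSALTEDHASH exists, so the
    cleanup report can drop the BCODE) and sole ones (BCODE is the only hash;
    these users need a new password first, cf. the lessons learned)."""
    redundant, sole = [], []
    for r in rows:
        if r["BCODE"]:
            (redundant if r["PWDSALTEDHASH"] else sole).append(r["BNAME"])
    return sorted(redundant), sorted(sole)


if __name__ == "__main__":
    rows = load_usr02(SAMPLE_USR02)
    for ustyp, s in sorted(weak_hash_share(rows).items()):
        print(ustyp, s)
    print("weak hash at login (parameter = 0):", users_depending_on_weak_hash(rows, 0))
    print("redundant / sole BCODE:", classify_bcode_users(rows))
```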

Page 35

SAP Runs SAP: Monitoring of ABAP password hash access (screenshot)

Page 36

SAP Runs SAP: Monitoring of ABAP password hash access

Result in Configuration Validation reporting (screenshots):

- Target system ABAP_INSTANCE_PAHI, configuration item login/password_downwards_compatibility
- Target system USER_PASSWD_HASH_USAGE

Page 37

Summary

Page 38

Three key messages to take away!

- Give priority to these 3 security topics: define an approach, start implementation and set up a proper security configuration monitoring
- Guard your SAP systems properly, using state-of-the-art security technology and know-how
- Hacking is real – create awareness and stay alert

Page 39

SAP TechEd Online

Continue your SAP TechEd education after the event! Access replays of:

- Keynotes
- Demo Jam
- SAP TechEd live interviews
- Select lecture sessions
- Hands-on sessions

Page 40

Further information

Related SAP TechEd sessions:
- SEC204 - Live on Stage: Monthly Security Patch Webinar
- SEC200 - Find the Hackers in Your Landscape with SAP Enterprise Threat Detection
- NET38927 - How to use SAP Security Baseline and Configuration Validation

SAP Public Web:
- Why you should really get rid of old password hashes *NOW*: http://scn.sap.com/community/security/blog/2014/05/08/-why-you-should-really-get-rid-of-old-password-hashes--now
- SAP Note 1237762 - ABAP systems: Protection against password hash attacks
- SAP Note 1458262 - ABAP: recommended settings for password hash algorithms
- SAP Note 1484692 - Protect read access to password hash value tables

SAP Education and Certification Opportunities: www.sap.com/education

Watch SAP TechEd Online: www.sapteched.com/online

Page 41

Please complete your session evaluation for SEC203

Contact information: Bjoern Brencher, SAP Global Security – Secure Operations, [email protected], Twitter: @reginfo

Feedback

Page 42

© 2016 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://www.sap.com/corporate-en/about/legal/copyright/index.html for additional trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.