The easiest (and a significantly profitable) way for attackers to get into a system is logging in with valid user credentials. According to a recent report, breaches caused by stolen or compromised credentials are not only responsible for nearly 20% of breaches 1, they are also the most challenging to identify and contain. These types of breaches can take more than 200 days to identify and more than 80 days to contain 2. Phishing attacks are the second most common cause of a breach, as well as the costliest.

There are different known types of attack modes to gain user credentials. Some of them, like keyloggers and credential stuffing, do not exploit SAP-specific vulnerabilities. Phishing attacks are mostly triggered by emails containing links that direct users to malicious servers. However, there are some past cases where attackers could also have used phishing attacks to exploit SAP vulnerabilities. The most recent one was patched with SAP Security Note #3239152 on SAP’s October 2022 Patch Day. The vulnerability is tagged with a CVSS score of 9.6 and allows attackers to direct a user to the original SAP Commerce login page. It does this by using a manipulated URL that injects redirects to a malicious server into the links provided by the original login form.

However, there are other methods of getting user credentials that exploit weaknesses specific to the SAP NetWeaver architecture, tailored to the stored hash values. The passwords of all SAP users are stored as hash values (not in clear text) in transparent tables on the database:

- USR02: Contains the current user master record including the hash value(s) of the active password.
- USH02: Contains the change documents for the user master records including the hash value(s) of former SAP passwords.
- USRPWDHISTORY: Contains the password history of every user.
- USH02_ARC_TMP: Used temporarily during archiving of user change documents.

Starting with SAP NetWeaver 7.02, the password hash values are calculated with a standardized hash procedure. This procedure uses a randomly generated value ("salt"), in addition to the password, to calculate the password hash value. The hash value calculation can also be performed more than once successively, that is, it can be iterated. A list of supported hash algorithms and current limitations for the salt size and the maximum number of iterations can be found in SAP Note #991968.

A salted hash value cannot be decrypted. Tools like hashcat or John the Ripper can, however, be used to find a password. These tools start a brute force attack by applying the hash algorithm that was used by SAP to a dictionary of hundreds of thousands of typically used passwords. If the final hash value matches the one stored in the SAP table, the password is cracked. The tools take advantage of the fact that the SAP hash algorithm and the number of iterations are prepended to the final hash value. The same applies to the salt, which can easily be extracted from the end of the hash value after decoding the base64-encoded hash string. Thus, using a random salt does not protect against password cracking, but it prevents mass comparison of the password dictionary against all user passwords at once, as a different salt is used for each password.

In order not to break communication with legacy SAP systems or middleware components, SAP systems on SAP NetWeaver 7.02 or higher store every password redundantly by default. This means that every password is additionally stored as a downwards-compatible password (cut after eight characters and converted to uppercase) with two older (and weak) hash algorithms (MD5, SHA-1). These additional, weaker hash values represent a risk as they can be cracked much faster, for all users at once. Since they contain the first eight characters of the full password, this information can be used by the cracking tools to reduce the test candidates in the dictionary significantly and decrease the time to crack a password. A login to the local system with the downwards-compatible, eight-character password is usually not possible (unless SAP profile parameter login/password_downwards_compatibility is set to 3, which is not recommended).

Don’t generate weak hash values if not needed

The generation of redundant passwords can be avoided by setting SAP profile parameter login/password_downwards_compatibility to 0. SAP provides the cleanup program CLEANUP_PASSWORD_HASH_VALUES that can be used after the parameter change to remove all redundant weak hash values 3. Details about the report can be found in our blog post How Do You Check Old Hashes in Your ABAP System?

Restrict the access to the affected tables

The password history table USRPWDHISTORY, the change document table USH02, and the archive table USH02_ARC_TMP should also be protected; otherwise, an attacker may be able to use former passwords to draw conclusions about the current password.
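The hash-string layout described earlier (algorithm and iteration count prepended, salt at the end of the base64-decoded value) as an added worked example, not code from the original post: a parser for the stored value, the per-password verification that the salt and round count make possible, and a defender's audit check that flags a weak algorithm or a low round count. The exact iterated-SHA-1 construction inside `issha_digest` and the 12-byte salt length are assumptions, not taken from this page.

```python
import base64
import hashlib
import hmac
import os
import re
# Layout of a stored SAP PWDSALTEDHASH value as described in the text:
#   {<algorithm>, <iterations>}<base64(digest || salt)>
# Assumed (not from this page): "x-issha" is h = SHA1(pw||salt), then h = SHA1(h||pw)
# per further round, with a 12-byte salt. parse/audit below do not rely on this.
_FORMAT = re.compile(r"^\{(?P<alg>[^,}]+),\s*(?P<iters>\d+)\}(?P<b64>[A-Za-z0-9+/]+=*)$")
SHA1_LEN = 20  # size of a SHA-1 digest; everything after it is the salt

def parse_pwdsaltedhash(value):
    """Split a stored value into algorithm, iteration count, digest and salt."""
    m = _FORMAT.match(value.strip())
    if not m:
        raise ValueError("not a PWDSALTEDHASH string")
    raw = base64.b64decode(m.group("b64"))
    if len(raw) <= SHA1_LEN:
        raise ValueError("decoded value too short to hold digest and salt")
    return {"alg": m.group("alg"), "iterations": int(m.group("iters")),
            "digest": raw[:SHA1_LEN], "salt": raw[SHA1_LEN:]}

def issha_digest(password, salt, iterations):
    pw = password.encode("utf-8")
    h = hashlib.sha1(pw + salt).digest()
    for _ in range(iterations - 1):
        h = hashlib.sha1(h + pw).digest()
    return h

def make_pwdsaltedhash(password, iterations=1024, salt=None):
    salt = os.urandom(12) if salt is None else salt  # fresh random salt per password
    raw = issha_digest(password, salt, iterations) + salt
    return "{x-issha, %d}%s" % (iterations, base64.b64encode(raw).decode("ascii"))

def verify_password(password, value):
    """Recompute with the stored salt and rounds; compare in constant time."""
    p = parse_pwdsaltedhash(value)
    if p["alg"] != "x-issha":
        raise ValueError("unsupported algorithm: " + p["alg"])
    return hmac.compare_digest(issha_digest(password, p["salt"], p["iterations"]), p["digest"])

def audit_hash(value, min_iterations=1024):
    """Defender's check: flag a non-x-issha algorithm or a low round count."""
    p = parse_pwdsaltedhash(value)
    findings = []
    if p["alg"] != "x-issha":
        findings.append("algorithm %s is not x-issha" % p["alg"])
    if p["iterations"] < min_iterations:
        findings.append("only %d iterations (< %d)" % (p["iterations"], min_iterations))
    return findings
```

Two users with the same password get different stored values because their salts differ, which is exactly why a dictionary cannot be compared against all hashes at once, while a single hash is still only as strong as the password behind it.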