Onapsis Security Advisory 2014-021: SAP HANA XS Missing encryption in form-based authentication
This advisory can be downloaded in PDF format from http://www.onapsis.com/.
1. Impact on Business
SAP HANA XS does not enforce encryption for form-based authentication. An anonymous user
with access to the network traffic could obtain sensitive information such as valid
credentials and use them to gain access to the system.
Risk Level: Low
2. Advisory Information
- Public Release Date: 2014-07-29
- Subscriber Notification Date: 2014-07-29
- Last Revised: 2014-07-25
- Security Advisory ID: ONAPSIS-2014-021
- Onapsis SVS ID: ONAPSIS-0094
- Researcher: Sergio Abraham, Manuel Muradas
- Initial Base CVSS v2: 2.9 (AV:A/AC:M/AU:N/C:P/I:N/A:N)
3. Vulnerability Information
- Vendor: SAP
- Affected Components:
- SAP HANA Extended Application Services (Check SAP Note 1963932 for
detailed information on affected releases)
- Vulnerability Class: Cleartext Transmission of Sensitive Information
(CWE-319)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: No
- Detection Module available in Onapsis X1: Yes
- Original Advisory:
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-021
4. Affected Components Description
SAP HANA Extended Application Services (XS) is an application server,
web server and development environment for web applications within the SAP HANA System.
SAP HANA XS is fully integrated with the SAP HANA Database.
5. Vulnerability Details
Applications based on SAP HANA Extended Application Services (XS) can be configured for
"form-based authentication" access over SSL. When this configuration is set, the authentication
mechanism does not properly enforce the required level of encryption.
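A defender-side audit that flags form-based logins reaching an XS server without TLS, the CWE-319 condition this advisory describes. This is an added illustration, not code from Onapsis or SAP; the record layout, the login path and the credential field names are assumptions, and the sample traffic is constructed.

```python
"""Audit access records for form-based logins that were transmitted in cleartext.

The login path and credential field names below are assumptions for this
illustration; adjust them to what your proxy or access log actually records.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs

# Assumed form-login endpoint and credential field names (illustrative).
FORM_LOGIN_PATH = "/sap/hana/xs/formLogin/login.xscfunc"
CREDENTIAL_FIELDS = {"xs-username", "xs-password"}


@dataclass(frozen=True)
class Request:
    scheme: str   # "http" or "https" as observed at the proxy or load balancer
    method: str
    path: str
    body: str     # application/x-www-form-urlencoded payload


def is_form_login(req: Request) -> bool:
    """True for a POST to the form-login endpoint that carries credential fields."""
    if req.method.upper() != "POST" or not req.path.startswith(FORM_LOGIN_PATH):
        return False
    fields = set(parse_qs(req.body, keep_blank_values=True))
    return bool(fields & CREDENTIAL_FIELDS)


def cleartext_logins(requests):
    """Return the form logins that arrived without TLS, i.e. credentials sent in the clear."""
    return [r for r in requests if is_form_login(r) and r.scheme.lower() != "https"]


# Constructed sample traffic: one TLS login, one cleartext login, one unrelated request.
SAMPLE = [
    Request("https", "POST", FORM_LOGIN_PATH, "xs-username=alice&xs-password=REDACTED"),
    Request("http", "POST", FORM_LOGIN_PATH, "xs-username=bob&xs-password=REDACTED"),
    Request("http", "GET", "/sap/hana/xs/ui/", ""),
]

if __name__ == "__main__":
    for r in cleartext_logins(SAMPLE):
        # Report the request, never the submitted credential values.
        print(f"cleartext form login: {r.method} {r.scheme}://<host>{r.path}")
```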
Technical details about this issue are not disclosed at this time, in order to give affected
customers enough time to patch their systems and protect against exploitation of the
described vulnerability.
6. Solution
SAP has released SAP Note 1963932 which provides patched versions of the
affected components.
The patches can be downloaded from https://service.sap.com/sap/support/notes/1963932.
Onapsis strongly recommends that SAP customers download the related security fixes and
apply them to the affected components in order to reduce business risk.