Layer Seven Security

SAP patches a session hijacking vulnerability in the Netweaver Portal

Imagine a system that provides a single, unified interface to all your SAP applications for not only everyone in your company but customers and suppliers. Imagine also that this system is web-based and uses single-sign-on. Congratulations, you’ve just envisioned the Netweaver Portal, the cornerstone of SAP’s strategy to integrate business information and processes and the fountain of much of the company’s recent success. Given its importance, you would think that any security vulnerability in the Portal would be quickly dealt with by SAP’s security engineers. Yet, if this is the case, why did it take SAP one and a half years to patch a vulnerability that left the Portal open to session hijacking?

Session hijacking is also known as session fixation or broken authentication and ranks consistently high in the OWASP Top Ten web application security risks. In fact, in the most recent survey, it's rated as the third most prevalent and dangerous vulnerability in web applications. Hijacking occurs when attackers exploit weak functions in the application layer to assume the identities of legitimate users. Attackers usually target passwords, keys, session tokens and other authentication factors. It's not that difficult to find flaws in most applications, since developing secure authentication and session management schemes for custom applications is no walk in the park. SAP applications are no different.

In July 2009, SAP was notified about a session fixation flaw in the J2EE engine that affected versions 6.4-7.2 of the Netweaver platform, which is essentially the technical layer of SAP systems. In the words of SAP itself, this flaw could be exploited to gain access to authenticated user sessions (SAP Note 1310561) through attack vectors such as MITM that provide hackers with access to the session IDs of SAP users, which can then be used to log on to target SAP systems. The impact can be very high, especially when you consider that the Portal provides Web-based access to HR, financial, customer relationship management, product lifecycle management, and other critical applications (SAP Solution Brief).

The session hijacking vulnerability was eventually patched by SAP through the introduction of JSESSIONMARKID, a secure (HTTPS) cookie that automatically renews after successful logons. However, the shocker was that it took SAP 18 months to develop and release a patch for the vulnerability. That's twice the length of time it took the company to roll out its new database, HANA, from "idea to completion" (Vishal Sikka, SAP AG Board member). It's possible that the existence of this vulnerability was well known within hacking communities long before the much anticipated fix was released by SAP. Disclosure guidelines issued by SAP urge security researchers not to publicize information about vulnerabilities until they are patched. Most researchers, rightfully so, choose to follow SAP's request. However, given the severity of these and other vulnerabilities, customers shouldn't accept such a long window for patch management. After all, if SAP can develop and release an entirely new database in a mere 9 months, surely it can fix a critical security flaw in its Portal just as quickly.
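The fix SAP shipped boils down to one property: a session identifier that existed before authentication must not still identify the user after authentication. The following is an added illustration, not SAP's code and not the Netweaver implementation, of a minimal in-memory session store with both a vulnerable login path (the pre-login id is kept) and a hardened one (a fresh id is issued on success and the old one is invalidated, in the spirit of the renewing JSESSIONMARKID cookie). The store, the `USERS` table and all function names are hypothetical; `survives_login` is a property check a defender can run against either path.

```python
"""Session fixation defence: rotate the session identifier on successful login.

Added example (not SAP's or Netweaver's code). Everything here is a constructed
illustration: the in-memory store, the demo credential table and the names.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed demo credential store; a real system would hold salted hashes.
USERS = {"alice": "correct horse"}


def _check(user: str, password: str) -> bool:
    """Constant-time comparison against the demo credential table."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


@dataclass
class Session:
    user: Optional[str] = None  # None until the session is authenticated


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        """Issue a fresh, unpredictable identifier for an anonymous session."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login_vulnerable(self, sid: str, user: str, password: str) -> str:
        """Fixation-prone: the caller-supplied id is kept across authentication.

        Any id presented by the client is accepted and, on success, promoted to
        an authenticated session, so whoever knew the id before login owns it after.
        """
        session = self._sessions.setdefault(sid, Session())
        if _check(user, password):
            session.user = user
        return sid

    def login_hardened(self, sid: str, user: str, password: str) -> str:
        """Renew the identifier on success; the pre-login id stops working."""
        if not _check(user, password):
            return sid  # failed login: nothing changes
        self._sessions.pop(sid, None)  # invalidate the pre-authentication id
        new_sid = self.new_session()  # fresh id the client never saw before login
        self._sessions[new_sid].user = user
        return new_sid


LoginFn = Callable[[SessionStore, str, str, str], str]


def survives_login(login: LoginFn) -> bool:
    """Property check: does a pre-authentication id identify the user after login?

    Returns True for a fixation-prone login path and False for a safe one.
    """
    store = SessionStore()
    pre_login_id = store.new_session()
    login(store, pre_login_id, "alice", "correct horse")
    session = store.get(pre_login_id)
    return session is not None and session.user == "alice"


if __name__ == "__main__":
    print("vulnerable path keeps pre-login id:", survives_login(SessionStore.login_vulnerable))
    print("hardened path keeps pre-login id:  ", survives_login(SessionStore.login_hardened))
```

The check is deliberately independent of how the identifier is transported; in the Portal's case the renewed value also travels in a cookie flagged for HTTPS only, which addresses the MITM vector mentioned in SAP's note, but the rotation itself is what breaks fixation.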

A Guide to Rootkits and Trojans in ABAP Programs

If you missed Ertunga Arsal's presentation on SAP Rootkits and Trojans at the 27th Chaos Communication Congress, you can now watch the entire hour-long session below. Ertunga is an accomplished SAP security expert and an entertaining speaker if you appreciate dry, German humour. In this video, Ertunga demonstrates how attackers can use several paths to compromise weak SAP systems (usually development or test environments), infect clients that connect to the compromised systems and then eventually work their way up to production and even partner systems. These so-called 'Triple Penetration' attacks can compromise entire SAP landscapes.

Ertunga also demonstrates how attackers can crack hashed SAP passwords and discusses problems with SSO. He makes a great comment about how SSO is really a convenience feature and does nothing to improve security, and shows how attackers can create their own SSO certificates to log on to SAP using the IDs of users in the target system.

However, the highlight of the session is the discussion around SAP Rootkits and Trojans. Ertunga walks through several injection attacks that can be used to infect ABAP programs. Rootkits can be used to execute commands that, for example, automatically donate part of a company's profit to charity (the so-called 'Robin Hood' worm) or publish salary information online. He points out that development activities should be tightly controlled and monitored, especially if you're using third-party developers with SAP_ALL rights. If your developers are internal, Ertunga warns against hiring developers from competitors, since this can open the door to commercial espionage and sabotage.