SAP Security Note 2067859 Potential Exposure to Digital Signature Spoofing
This week, SAP AG published a hot news item titled "SAP Security Note 2067859 (Potential Exposure to Digital Signature Spoofing)", which alerts users to a potential vulnerability in certain cryptographic libraries used in SAP NetWeaver Application Server ABAP and SAP HANA. By abusing these libraries, an attacker could potentially spoof (i.e., successfully masquerade as a legitimate user) digital signatures produced in vulnerable systems. To ensure your SAP systems are not vulnerable, you should check that your cryptographic library versions are equal to or higher than:
- SAPCRYPTOLIB version 5.555.38
- CommonCryptoLib version 8.4.30
Furthermore, SAPSECULIB has been deprecated and must be replaced by the latest SAPCRYPTOLIB version. Stack kernel 720 PL#700 already comes with the fixed CommonCryptoLib.
Note: as stated in SAP Security Note 2067859, you should replace the DSA PSEs on all the involved SAP NetWeaver Application Server ABAP and SAP HANA systems. Also remember to replace the system public keys in their signature-trusting systems as an additional security measure.
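As an added example (not from the SAP note or the Onapsis post), the Python snippet below encodes the fixed levels above and the SAPSECULIB deprecation as a check over version strings collected from a system; the sample inventory is constructed, and how the strings are gathered from a real system is left to the reader.

```python
# Added example (not from the SAP note or the Onapsis post): compare the
# crypto-library versions an SAP system reports against the fixed levels
# stated in SAP Security Note 2067859; collecting the strings is out of scope.
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

FIXED_VERSIONS: Dict[str, Version] = {   # minimum fixed levels from the note
    "SAPCRYPTOLIB": (5, 555, 38),
    "COMMONCRYPTOLIB": (8, 4, 30),
}
DEPRECATED = {"SAPSECULIB"}   # no fixed release: replace with SAPCRYPTOLIB

def parse_version(text: str) -> Version:
    """First dotted numeric run in e.g. 'CommonCryptoLib 8.4.30 (+MT)'."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))

def fmt(v: Version) -> str:
    return ".".join(map(str, v))

def assess(library: str, version_text: str) -> Tuple[bool, str]:
    """Return (fixed?, reason). Tuples compare element-wise, so 5.555.38 ranks
    above 5.555.9, which a plain string comparison gets wrong."""
    name = library.upper()
    if name in DEPRECATED:
        return False, f"{library} is deprecated; replace it with the latest SAPCRYPTOLIB"
    if name not in FIXED_VERSIONS:
        return False, f"{library} is not covered by Note 2067859; review manually"
    have, need = parse_version(version_text), FIXED_VERSIONS[name]
    if have >= need:
        return True, f"{library} {fmt(have)} >= fixed {fmt(need)}"
    return False, f"{library} {fmt(have)} < fixed {fmt(need)}; upgrade, then replace the DSA PSEs"

def audit(inventory: Dict[str, str]) -> List[str]:
    """Return the reason for every library that is NOT at a fixed level."""
    return [reason for lib, ver in inventory.items()
            for ok, reason in [assess(lib, ver)] if not ok]

# Constructed sample inventory: library name -> version string as reported.
SAMPLE = {
    "SAPCRYPTOLIB": "SAPCRYPTOLIB 5.555.36",
    "CommonCryptoLib": "CommonCryptoLib 8.4.30 (+MT)",
    "SAPSECULIB": "SAPSECULIB 5.4.3",
}
```

Running `audit(SAMPLE)` reports SAPCRYPTOLIB as below the fixed level and SAPSECULIB as deprecated, while CommonCryptoLib 8.4.30 passes.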
Digital signatures are mathematical methods to assure the integrity and authenticity of specific data (documents, portions of information, etc.). When a digital signature is used, the receiver has good reason to believe in the authenticity and integrity of the received information. Usually, digital signature methods are based on two separate, mathematically related parts, often called the private key and the public key: the private key is secret (and must never be disclosed) and the public key is assumed to be known by at least the receivers. The private key is used to sign the information, and the public key is used to verify the digital signature.
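To make the private-key/public-key split concrete, the following added example (written for this post, not code from the SAP note or the affected libraries) implements textbook DSA as specified in FIPS 186-4 in Python: the signer needs the private key x, a trusting system verifies with only the public key y, and the verifier performs the FIPS range check on (r, s) before any arithmetic. The domain parameters p, q and g are constructed toy values far too small for real use.

```python
# Added example (not from the SAP note or the Onapsis post): textbook DSA as
# specified in FIPS 186-4, over deliberately tiny constructed domain parameters
# so the roles of the private key x and the public key y can be followed directly.
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed toy parameters: p = 2q + 1 with p, q prime, and g = 4 has order q.
# Real DSA uses p of at least 2048 bits and q of 224 or 256 bits.
P, Q, G = 2039, 1019, 4

def hash_to_int(message: bytes) -> int:
    # FIPS 186-4 takes the leftmost min(N, outlen) bits of the digest; with q
    # this small we reduce the SHA-256 digest modulo q instead.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q

def keygen(x: Optional[int] = None) -> Tuple[int, int]:
    """Return (private x, public y = g^x mod p); x is random unless given."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(x: int, message: bytes, k: Optional[int] = None) -> Tuple[int, int]:
    """Signer side: needs the private key x and a fresh secret nonce k."""
    while True:
        if k is None:
            k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P) % Q
        s = (pow(k, -1, Q) * (hash_to_int(message) + x * r)) % Q
        if r != 0 and s != 0:      # FIPS 186-4: retry on degenerate values
            return r, s
        k = None

def verify(y: int, message: bytes, sig: Tuple[int, int]) -> bool:
    """Verifier side: needs only the public key y, which a trusting system holds."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):   # FIPS 186-4 step 1: range check first
        return False
    w = pow(s, -1, Q)
    u1 = (hash_to_int(message) * w) % Q
    u2 = (r * w) % Q
    v = ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q
    return v == r

if __name__ == "__main__":
    x, y = keygen()
    sig = sign(x, b"approve payment batch 42")
    print(verify(y, b"approve payment batch 42", sig),   # True
          verify(y, b"approve payment batch 43", sig))   # False
```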
SAP Security Note 2067859 further states that an attacker may potentially misuse certain versions of the SAP components SAPCRYPTOLIB, SAPSECULIB and CommonCryptoLib in SAP NetWeaver AS ABAP and SAP HANA to spoof digital signatures based on the Digital Signature Algorithm (DSA). DSA is a Federal Information Processing Standard (FIPS) for digital signatures, standardized by the National Institute of Standards and Technology (NIST) in the document FIPS 186; the latest version, FIPS 186-4, was released in 2013. All the documents describing these standards can be found here. For more information related to SAP Cryptographic Libraries, please review this highly recommended post.
BUSINESS IMPACT
Many SAP applications use digital signatures relying on the vulnerable library. Based on our analysis so far, any attack that spoofs this cryptographic mechanism by abusing this vulnerability would allow an attacker to compromise different kinds of SAP systems and products. A critical scenario would be the Single Sign-On (SSO) mechanism being compromised. Many companies use this feature so that users do not have to type their passwords every time they log into an SAP system: they simply click on the SAP Logon Pad and the SAP instance opens with their credentials. Behind the curtains, this functionality uses the digital signature mechanism to create the SSO logon ticket. Therefore, if an attacker could spoof the digital signature by exploiting a vulnerability inside the cryptographic library that generated the certificate, the attacker could log into any system impersonating any user, thus escalating privileges. Moreover, there is a whole subject of signing and approving documents and processes using digital signatures.
There are federal regulations addressing this issue; for example, food and drug industries within the US are subject to federal regulations such as 21 CFR Part 11, which specifically addresses protecting digital data by signing documents digitally. Every time this security mechanism has to be used, the SAP Cryptographic Libraries (using the DSA algorithm for signing) come into play (see for example this article and this other one).
Banking Communication Management (BCM) is another SAP product that requires digital signatures. It is used for managing multiple bank communication interfaces. Using this SAP application, organizations can connect to the bank and perform payments. Additionally, this application supports digital signatures to manage outgoing payment approvals. This process is highly critical since, once the payments are approved inside SAP, they do not need an approval from the bank's system. If the digital signature could be spoofed, the payment approval process of a company using BCM could potentially be compromised.
SAP GRC (Governance, Risk and Compliance) is the module that companies use to maintain their controls framework, and it is especially important for organizations under the SOX regulation, which are required to certify their internal control structure. GRC is a web application which can be opened by executing transaction NWBC. This automatically opens the browser with the user credentials and access rights that belong to the original user. In order to perform the authentication through the web browser, the application server sends an Authentication Assertion Ticket (again, using digital signatures). If the library generating these tickets is compromised, an attacker could open the GRC application impersonating highly privileged users and change sensitive information such as Segregation of Duties matrices, process control rules, etc. This would compromise the control framework of a company, potentially affecting its SOX certification.
Any other SAP product or application (e.g., SAP Solution Manager) that opens a web browser after executing a transaction within SAP GUI will use these Authentication Assertion Tickets, falling into the same case we described above for GRC. Inside the Supply Chain Management process, digital signatures can be used in different sub-processes:
- Production Planning: the digital signature validates and confirms individual entries made in the process instruction.
- Plant Maintenance: the shift change report; when supervisors end their shift, they have to present the shift report with the activities of that shift, and the digital signature avoids having hard copies.
- Quality Management: Digital signature can be used to validate whether a material is usable or not, to record quality control results, and for sample drawing.
Digital signatures can be used inside a wide variety of processes in SAP, from user log-in to approval of payments, these being only some examples. Digital signatures can be related to almost every sensitive process through the SAP Workflow structure, meaning that any process using digital signatures could potentially be compromised by this vulnerability. Onapsis X1 and the Onapsis Security Platform have already been updated with specific checks to determine whether your current SAP Cryptographic Libraries are vulnerable to this issue. We are further working to understand practical attack scenarios. Stay tuned for more information by following us on Twitter at @Onapsis, or by checking back on our blog.