SKIP-TLS/FREAK Vulnerabilities and SAP Systems
A few days ago, an important set of bugs affecting implementations of the TLS/SSL protocol suite was published at https://www.smacktls.com/. These protocols are mainly used as the security layer underlying HTTP(S), but many other protocols may be affected. The described vulnerabilities have received specific names: SKIP-TLS and FREAK. These bugs affect different implementations of the TLS/SSL cryptographic algorithms, but they are not vulnerabilities in the protocols themselves.

SKIP-TLS can be described as an implementation error in how the client and server handle unexpected messages in the protocol state machine. Different cipher suites require different messages in particular orders. The bug exploits this complexity: messages sent in a specific order cause all messages related to key exchange and authentication to be skipped, as described in the paper (https://www.smacktls.com/smack.pdf).

The FREAK attack against TLS/SSL implementations attempts to degrade the cipher quality, giving an attacker the possibility of downgrading the cipher suite strength of a TLS/SSL connection. This means that a resourceful attacker performing a man-in-the-middle attack could trick the client into selecting a weaker cipher suite (like those marked as EXPORT) that could then be broken during a later stage of the attack.

In this blog post we will focus on understanding the security impact of SKIP-TLS/FREAK for a group of SAP products.
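The state-machine error described above comes down to a client accepting server messages that do not fit the negotiated key exchange. The following sketch is an added example, not code from the paper or from any SAP library. It shows the strict check a correct client performs. Message names follow RFC 5246, and the table is a simplification (full handshake only, no session resumption or client certificates, and export RSA is assumed to always send an ephemeral key).

```python
# Added example: strict validation of the server's messages in a
# TLS 1.2-style full handshake. The table below is a simplified assumption.
_KEYED = ["ServerHello", "Certificate", "ServerKeyExchange", "ServerHelloDone",
          "ChangeCipherSpec", "Finished"]
EXPECTED = {
    # Plain RSA uses the certificate key directly: no ServerKeyExchange.
    "RSA": [m for m in _KEYED if m != "ServerKeyExchange"],
    # Ephemeral key exchanges: ServerKeyExchange is mandatory.
    "DHE_RSA": _KEYED,
    "ECDHE_RSA": _KEYED,
    # Export RSA, assumed here to always carry an ephemeral key.
    "RSA_EXPORT": _KEYED,
}


def validate_server_messages(kex, offered, received):
    """Return (ok, reason) for the server messages seen in one handshake.

    kex      -- key exchange of the suite named in ServerHello
    offered  -- key exchanges the client listed in its ClientHello
    received -- server messages in arrival order
    """
    if kex not in offered:
        return False, f"server selected {kex}, which the client never offered"
    expected = EXPECTED.get(kex)
    if expected is None:
        return False, f"no message table for key exchange {kex}"
    for step, message in enumerate(received):
        if step >= len(expected):
            return False, f"unexpected trailing {message}"
        if message != expected[step]:
            return False, f"expected {expected[step]} at step {step}, got {message}"
    if len(received) < len(expected):
        return False, f"handshake ended before {expected[len(received)]}"
    return True, "sequence matches the negotiated key exchange"


# Constructed sample handshakes (not captured traffic).
SAMPLES = {
    "normal ECDHE": ("ECDHE_RSA", _KEYED),
    "key exchange skipped": ("ECDHE_RSA", ["ServerHello", "Certificate", "Finished"]),
    "ephemeral key in plain RSA": ("RSA", _KEYED),
}

if __name__ == "__main__":
    for name, (kex, msgs) in SAMPLES.items():
        print(name, "->", validate_server_messages(kex, {"RSA", "ECDHE_RSA"}, msgs))
```

A client that enforces the table rejects both a handshake with the key exchange messages missing and a ServerKeyExchange that arrives in a plain RSA handshake.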
CommonCryptoLib 8 and SAPCryptoLib 5.5.5pl28+
We found no supporting evidence that these libraries are vulnerable to the aforementioned attacks. Regarding the FREAK attack, the available cipher suites, even the weaker ones, are strong enough to make this kind of attack implausible in a real attack scenario. This depends on the cryptographic library version installed, the kernel version and specific profile parameters, as shown below:

The cryptographic libraries CommonCryptoLib 8 and SAPCryptoLib 5.5.5pl28+ support a wide range of cipher suites, as described in SAP Note 2004653 and SAP Note 510007.

Starting from SAP Netweaver 740, the EXPORT cipher suites are disabled by default, but it is possible to control this using the profile parameters described in SAP Note 510007.

For versions older than SAP Netweaver 72x which have the EXPORT cipher suites available, there is no potential mitigation for the FREAK attack by default, but this could be limited by configuration.

SAP HANA versions up to SPS08 disable weak cipher suites by default. This behavior can be configured using the parameters mentioned in the SAP HANA Security Guide, Section 188.8.131.52.

SAP HANA versions below SPS09 have been shipped with OpenSSL 0.9.8j, which is covered by the advisory CVE-2015-0204. In this case the potential vulnerability is already mitigated with the default configuration.

Regardless of which version you are running, it is always recommended to apply all the security patches, especially those related to cryptographic libraries.
Application Server JAVA
As stated in the document “Transport Layer Security on the Netweaver AS JAVA”, starting with version 7.1 TLS/SSL connections are handled by the ICM component, which uses the above-mentioned cryptographic libraries. Versions of this component below 7.1 could be affected, but that analysis is outside the scope of this blog post. Moreover, we have to mention that the default Java J2SSE Cryptographic Libraries version is currently known to be affected by the SKIP-TLS vulnerability, which is identified as CVE-2014-6593 and was fixed in the January 2015 critical update.