The 7-year itch that lasts forever
It has been 7 years since we first tried, in a blog on the SAP Developers Network, to raise awareness of insecure SAP password hashes. This is a real threat to your SAP systems: it might lead to privilege escalation, impersonation or lateral movement within your SAP landscape. Back then it was already easy and fast to brute-force old, insecure, backwards-compatible password hashes. This meant that if you had access to the USR02 table and found these old insecure hashes, it could be a matter of minutes of brute-forcing to recover the plaintext passwords and use those to gain access to SAP. By modern standards it is much worse: hardware specs went up and brute-forcing is far faster than before, not to mention the possibilities in the cloud, which simplify things further. A demonstration of brute-forcing can be seen below:
The good news is that the awareness was there, and close to 10,000 people viewed the blog:
What is not so good is that even today, it is common for us to find these insecure SAP password hashes when doing SAP security assessments. It came as no surprise to encounter customers that still have these insecure SAP password hashes somewhere in a client or a system.
But solutions exist! SAP provides its customers with documentation and reports for cleaning up these old password hashes. Caution: some connected hardware, like hand scanners, might give issues when changing these password hashes, but in general remediation of this issue is quite straightforward. Always test this first in non-productive systems.
Some countermeasures that can be taken are:
- When making use of Single Sign-On you can probably delete the password hashes altogether. Delete them from tables USR02 and USH02.
- Set parameter login/password_downwards_compatibility = 0 (this might break communication with systems older than 7.0, check carefully)
- Use a recent password hashing algorithm, see parameter login/password_hash_algorithm
- Delete old hashes, see ABAP report CLEANUP_PASSWORD_HASH_VALUES
- Choose strong passwords (enforce them via policies) via the password parameters
- Limit access to tables with password hashes like USR02, USH02
- Optionally, test and brute-force the password hashes of your users yourself to see how strong they are (you probably need approval for this!)
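As an added example (not the blog's, SAP's or Protect4S's code), the check below audits a USR02 export for rows that still carry downward-compatible hashes and flags a profile that does not set login/password_downwards_compatibility to 0. The USR02 column names and the meaning of the CODVN code versions are assumptions from general SAP knowledge and are not stated in this post; the sample rows are constructed placeholders, not real hashes.

```python
"""Audit a USR02 export for downward-compatible SAP password hashes.

Assumed (not from the post): USR02 columns BNAME, CODVN, BCODE, PASSCODE,
PWDSALTEDHASH, where CODVN names the hash code version, BCODE holds the old
code-version A/B/D/E hash, PASSCODE the code-version F/G hash and
PWDSALTEDHASH the salted H/I hash (I keeps older hashes alongside it).
"""
from dataclasses import dataclass

# Code versions that still leave a downward-compatible hash on the row.
# Only 'H' (salted iSSHA-1 alone) keeps no old hash at all.
WEAK_CODVN = {"A", "B", "D", "E", "F", "G", "I"}

@dataclass
class Usr02Row:
    bname: str
    codvn: str
    bcode: str = ""          # old MD5-based hash (code versions A/B/D/E)
    passcode: str = ""       # SHA1-based hash (code versions F/G)
    pwdsaltedhash: str = ""  # salted hash (code versions H/I)

def weak_hash_findings(rows):
    """Return (user, reason) for every row that still carries an old hash."""
    findings = []
    for r in rows:
        reasons = []
        if r.codvn in WEAK_CODVN:
            reasons.append(f"CODVN={r.codvn}")
        if r.bcode.strip():
            reasons.append("BCODE present")
        if r.passcode.strip():
            reasons.append("PASSCODE present")
        if reasons:
            findings.append((r.bname, ", ".join(reasons)))
    return findings

def downward_compat_enabled(profile):
    """True unless the parameter is explicitly 0; unset means the kernel
    default applies, which should be verified rather than assumed safe."""
    value = profile.get("login/password_downwards_compatibility")
    return value is None or value.strip() != "0"

# Constructed sample data: placeholder values, not real hashes.
SAMPLE_ROWS = [
    Usr02Row("ADMIN01", "H", pwdsaltedhash="{x-issha, 1024}PLACEHOLDER"),
    Usr02Row("OLDUSER", "B", bcode="PLACEHOLDER_BCODE"),
    Usr02Row("MIXED", "I", passcode="PLACEHOLDER_PASSCODE",
             pwdsaltedhash="{x-issha, 1024}PLACEHOLDER"),
]
SAMPLE_PROFILE = {"login/password_downwards_compatibility": "1"}

if __name__ == "__main__":
    for user, why in weak_hash_findings(SAMPLE_ROWS):
        print(f"{user}: {why}")
    if downward_compat_enabled(SAMPLE_PROFILE):
        print("login/password_downwards_compatibility is not set to 0")
```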
Some references to SAP documentation:
- SAP note 1237762 – ABAP systems: Protection against password hash attacks
- SAP note 1458262 – ABAP: recommended settings for password hash algorithms
- SAP note 1023437 – ABAP syst: Downwardly incompatible passwords (since NW2004s)
- Some related items can be found in this SAP guide too.
Protect4S checks for password vulnerabilities.
Protect4S periodically checks your SAP systems for all vulnerabilities described in this article (and many more), making sure that your SAP landscape stays safe by minimizing the risk of exploitation.