Today’s post will be focused on analyzing the inner workings of the SAP CODVN H algorithm.
Before jumping into the algorithm’s details, I will highlight its most important features. For more information, refer to SAP Security Note 991968. The algorithm provides the following capabilities:
- Support for multiple hashing algorithms (for the time being only salted SHA-1).
- Supported password length up to 40 characters.
- Upper and lower case passwords supported.
- UTF-8 support.
- Random salt, length can be configured.
This week, SAP AG published a hot news item titled “SAP Security Note 2067859 (Potential Exposure to Digital Signature Spoofing)”, which alerts users to a potential vulnerability in certain cryptographic libraries used in SAP NetWeaver Application Server ABAP and SAP HANA. By abusing these libraries, an attacker could potentially spoof Digital Signatures produced in vulnerable systems (i.e., successfully masquerade as a legitimate user).
To ensure your SAP systems are not vulnerable, check that your crypto library versions are equal to or higher than:
- SAPCRYPTOLIB version 5.555.38
- CommonCryptoLib version 8.4.30
SAPSECULIB has been deprecated, and must be replaced by the latest SAPCRYPTOLIB version.
Stack kernel 720 PL#700 already comes with the fixed CommonCryptoLib.
Note: As stated in SAP Security Note 2067859, you should replace the DSA PSEs on all the involved SAP NetWeaver Application Server ABAP and SAP HANA systems. Also, remember to replace the system public keys in the systems that trust their signatures as an additional security measure.
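The version check above can be scripted, as in this added example (not code from SAP or from the original post). The inventory, its host names and the `assess` helper are constructed for illustration; only the minimum versions and the SAPSECULIB deprecation come from the text.

```python
# Minimum fixed versions and the deprecated library, as listed in the post.
MIN_VERSIONS = {
    "SAPCRYPTOLIB": (5, 555, 38),
    "COMMONCRYPTOLIB": (8, 4, 30),
}
DEPRECATED = {"SAPSECULIB"}


def parse_version(text):
    """Turn '5.555.38' into (5, 555, 38) so components compare as numbers."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(library, version):
    """Return (status, detail); status is ok, vulnerable, deprecated or unknown."""
    name = library.strip().upper()
    if name in DEPRECATED:
        return "deprecated", "replace with the latest SAPCRYPTOLIB"
    minimum = MIN_VERSIONS.get(name)
    if minimum is None:
        return "unknown", "library not covered by this check"
    try:
        found = parse_version(version)
    except ValueError as exc:
        return "unknown", str(exc)
    # Tuple comparison is numeric per component: 5.555.4 < 5.555.38,
    # whereas comparing the raw strings would rank "5.555.4" higher.
    floor = ".".join(map(str, minimum))
    if found >= minimum:
        return "ok", "meets minimum " + floor
    return "vulnerable", "below minimum " + floor


# Constructed inventory: host names and installed versions are made up.
INVENTORY = [
    ("abap-dev", "SAPCRYPTOLIB", "5.555.4"),
    ("abap-prd", "SAPCRYPTOLIB", "5.555.38"),
    ("hana-01", "CommonCryptoLib", "8.4.9"),
    ("hana-02", "CommonCryptoLib", "8.4.30"),
    ("legacy-01", "SAPSECULIB", "5.4.5"),
]

if __name__ == "__main__":
    for host, lib, ver in INVENTORY:
        status, detail = assess(lib, ver)
        print(f"{host:10} {lib:16} {ver:9} {status:11} {detail}")
```

The version strings have to be collected from each system first; how they are gathered is outside this sketch.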
SAP systems include a reduced set of security features, which cover the SAP authorization concept and user authentication based on passwords. SNC is a software layer in the SAP NetWeaver system architecture that provides an interface to an external security product offering stronger authentication methods, encryption and single sign-on mechanisms. This allows SAP customers to extend SAP system security beyond the built-in set of features shipped with SAP.
Keep in mind that SNC is not a security product by itself. It only provides an interface to external security products, which must implement any desired functionality in the manner defined by the standard interface GSS-API V2 (Generic Security Services Application Programming Interface Version 2). SNC uses this interface to communicate with an external security product (usually a library).