exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SAP Mobile Platform DataVault Predictable Passwords

SAP Mobile Platform DataVault Predictable Passwords
Posted Aug 12, 2015
Authored by Fernando Russ | Site onapsis.com

The SAP Mobile Platform 3.0 SP5 has an API called DataVault, which is used to securely store data on mobile devices. The SAP DataVault uses a special password derived from well-known values to encrypt some configuration values like the count of invalid attempts to unlock a secure store. This password is a composition of a value which is available in plaintext form inside the secure store container, and a fixed value. Also, the salt used is fixed. Both values are statically defined by the SAP DataVault implementation, and do not depend neither on the installation nor on the usage of the DataVault.

tags | advisory
SHA-256 | ca2a1ef0f9df48466ca59b88143c1cb70baf5e0e78eae224f7995bf13e67bc92

SAP Mobile Platform DataVault Predictable Passwords

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Onapsis Security Advisory 2015-011: SAP Mobile Platform DataVault
Predictable encryption passwordsfor Configuration Values


1. Impact on Business
- ---------------------

By exploiting this vulnerability an attacker with access to a vulnerable
mobile device would be able to decrypt and modify sensitive configuration
values used by SAP business applications.

Risk Level: High

2. Advisory Information
- -----------------------

* Public Release Date: 2015-08-12
* Subscriber Notification Date: 2015-08-12
* Last Revised: 2015-08-12
* Security Advisory ID: ONAPSIS-2015-0011
* Onapsis SVS ID: ONAPSIS-00149
* CVE: Not assigned
* Researcher: Fernando Russ
* Initial Base CVSS v2: 4.7 (AV:L/AC:M/Au:N/C:C/I:N/A:N)


3. Vulnerability Information
- ----------------------------

* Vendor: SAP AG
* Affected Components:
* SAP Mobile Platform 3.0 SP05 ClientHub
* Vulnerability Class: Use of Hard-coded Cryptographic Key (CWE-321)
* Remotely Exploitable: No
* Locally Exploitable: Yes
* Authentication Required: No
* Original Advisory:
https://www.onapsis.com/research/security-advisories/SAP-Mobile-Platform-Predictable-Encryption-Password-for-Configuration-Values


4. Affected Components Description
- ----------------------------------

The SAP Mobile Platform 3.0 SP5 has an API called DataVault, which is
used to securely store data on mobile devices. As described by SAP AG
"[...] The DataVault APIs provide a secure way to persist and encrypt
data on the device. The data vault uses AES-256 symmetric encryption of
all its contents. The AES key is computed as a hash of the passcode
provided and a ‘salt’ value that can be supplied by the device
application developer, or automatically generated through the API [...]"


5. Vulnerability Details
- ------------------------

The SAP DataVault uses a special password derived from well-known values
to encrypt some configuration values like the count of invalid attempts
to unlock a secure store.

This password is a composition of a value which is available in
plaintext form inside the secure store container, and a fixed value.
Also, the salt used is fixed. Both values are statically defined by the
SAP DataVault implementation, and do not depend neither on the
installation nor on the usage of the DataVault.


6. Solution
- -----------

Implement SAP Security Note 2094830.


7. Report Timeline
- ------------------

* 11/07/2014: Onapsis provides vulnerability information to SAP AG.
* 11/08/2014: SAP AG confirms having received the information.
* 04/08/2015: SAP AG releases SAP security note 2094830 fixing the
vulnerability
* 08/12/2015: Security Advisory is released.


About Onapsis Research Labs
- ---------------------------

Onapsis Research Labs provides the industry analysis of key security
issues that impact business-critical systems and applications.
Delivering frequent and timely security and compliance advisories with
associated risk levels, Onapsis Research Labs combine in-depth knowledge
and experience to deliver technical and business-context with sound
security judgment to the broader information security community.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Onapsis Research Team

iEYEARECAAYFAlXLXXEACgkQz3i6WNVBcDXHzgCdFcY7MtChSCFGXIZHI5E2BZFA
NbQAoLxIogVIwsqLsp9OsXjdlKzOvOpM
=C9yq
-----END PGP SIGNATURE-----



Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close