SAP password hashes security

With this article I continue to talk about my project SAPSEC (SAP security with GUI scripting and Python). You can read a bit more about the project here. Today the story will be about the first security pack (set of automated security checks). The security pack is devoted to the problem of SAP password hashes security. We will solve the following tasks:

  • Disabling weak password hashes generation.
  • Cleaning SAP systems from weak password hashes.
  • Restricting read access to tables containing password hashes.

More about variety of password hash algorithms here. Of course, I suppose you are familiar with this topic, read some articles about such problems (for example like this) and countermeasures. I will try to summarize all information one more time and talk how you can quickly check your SAP systems without much effort.

What does the security pack consist of?

  1. First of all, it should be ensured that the SAP system don’t generate weak password hashes for new users. We should check the login/password_downwards_compatibility parameter is set to 0. About possible values of this parameter you can read here.
  2. The group of checks that responsible for weak password hashes searching in SAP tables. As you may know weak password hashes are stored in BCODE and PASSCODE table fields. Hacker can achieve password by password hash with bruteforce password attack. For example, If the hacker got access to BCODE value, he needs less than a day to get real user password (using modern computers).

So we should delete all not empty BCODE and PASSCODE entries in SAP tables. As we know SAP systems contains hashes in four tables: USR02, USH02, USRPWDHISTORY, USH02_ARC_TMP (see SAP note 1484692). By the way you can independently find such tables in your SAP system with SE15 transaction (by BCODE, PASSCODE field names).

If weak password hashes were found. You need to run the report CLEANUP_PASSWORD_HASH_VALUE to clean SAP tables.

  1. Move on and let’s check that all tables containing password hashes assigned to special class SPWD (see note 1484692). Do not forget about views VUSER001 and VPWD_USR02 containing password hashes too.
  2. To restrict read access to hashes let’s control how many users and roles have such privileges to read mentioned above SAP tables and views. Secure state is when only sap basis administrators, sap security experts and auditors have such access. Otherwise we should correct user privileges and roles content. S_TABU_DIS and S_TABU_NAM authority objects are granted access to tables. We should check these both possibilities. To find out the users with specific right we run the RSUSR002 report, to find out the roles – the RSUSR007 report.
  3. What else? Check the login/password_hash_algorithm parameter to ensure that desired hash algorithm is selected (see  SAP notes 2076925, 2140269, 991968). Check the login/password_charset is set to 1 or 2 (deprecated parameter).

Do not forget you can modify existed security checks and create new ones in the security pack. To do it you should modify rules_config.yaml file.

This security pack is enabled by default. You just need to follow installation and usage instructions in README file. And in few minutes you’ll get the result. Read the report and fix noncompliances.

Additional links:

SAP note 1237762 – ABAP systems: Protection against password hash attacks

SAP note 1458262 – ABAP: recommended settings for password hash algorithms