About a month ago, I was questioned about password hash algorithms, as the questioner attended to the SEC105 TechEd session (SAP Runs SAP: How to Hack 95% of all SAP ABAP Systems and How to Protect).

Before answering I decided to go through SAP note 1458262 (ABAP: recommended settings for password hash algorithms).

What I did

First I had a look at table USR02, in client 001:

/wp-content/uploads/2015/10/001_817017.jpg

For testing purposes, I disabled the password for the last user ID in the list:

/wp-content/uploads/2015/10/002_817018.jpg

Then I executed report CLEANUP_PASSWORD_HASH_VALUES:

/wp-content/uploads/2015/10/003_817049.jpg

USR02 after report’s execution:

/wp-content/uploads/2015/10/004_817050.jpg

After setting an initial password for the third user (bottom to top of the list):

/wp-content/uploads/2015/10/005_817051.jpg

And after the password was changed by the user:

/wp-content/uploads/2015/10/006_817052.jpg


Conclusions

My experiment was conducted in a standalone ABAP system. For systems that are part of a CUA, additional steps are required.

The report is very useful, making your system more secure – note that the report recommends an action: enforce the usage of stronger passwords. This will lead to password changes (a SM50 logon trace, per SAP note 495911, will show what happens behind the scenes).

After executing the report, you can find at least 3 “categories” in USR02:

  • Password disabled users, with the following entries:

BCODE = 0000000000000000

CODVN = X

PASSCODE = 0000000000000000000000000000000000000000

PWDSALTEDHASH = blank


  • Users with PWDSALTEDHASH filled:

BCODE and PASSCODE as above

  • Users with PASSCODE filled:

BCODE as above, PWDSALTEDHASH blank and CODVN = F.

For the last case, the code version F means:

suboptimal, records with 7.00/7.01 hash value found

so a hash password is already in place.

It is important to realize that the report solely delete existing (duplicate weaker) hashes but cannot create new ones, for this the report would have to know the passwords.

In case the “strongest” password hash of some users are passcode then this is because of the time when they were entered the system created those.

If you would like to have only pwdsaltedhash passwords, then the system administrator would have to provide new passwords for all users with codvn=F.

There is no automated change for this, as the password is unknown.

References


SEC105 – SAP Runs SAP: How to Hack 95% of all SAP ABAP Systems and How to Protect

SAP note 2467 – Password rules and preventing incorrect logons

SAP note 495911 – Logon problem trace analysis

SAP note 862989 – New password rules as of SAP NetWeaver 2004s (NW ABAP 7.0)

SAP note 1023437 – ABAP syst: Downwardly incompatible passwords (since NW2004s)

SAP note 1237762 – ABAP systems: Protection against password hash attacks

SAP note 1458262 – ABAP: recommended settings for password hash algorithms

To report this post you need to login first.

7 Comments

You must be Logged on to comment or reply to a post.

  1. Venu Katamneni

    I ran the report on my 7.40 system based on HANA but it recommend to change the CODVN value from F to H. Is there another version of this program that can work correctly for 7.40?

    (0) 
      1. Venu Katamneni

        Hi Cristiano,

        Thanks for the quick reply. Nothing went wrong with the report. We are looking to update the CODVN flag from F (existing on USR01) to H. Running this report identified that they are sub-optimal but not critical.

        Was wondering if there is a way (or this report aside) that can identify the ‘F’ and present a way to convert to ‘H’.

        (0) 
        1. Cristiano Hansen Post author

          Hi Venu,

          Only changing the password should work. You can test with a case where “F” is being used. There is no automated tool to have this accomplished, as passwords are not known. 🙂

          Cheers,

          Cris

          (0) 

Leave a Reply