Title: Session fixation vulnerability in the SAP J2EE Engine affecting the core SAP NetWeaver platform
Vulnerability ID: TAD-2011-002
Credits: This vulnerability was discovered by Raul Siles, Founder and Senior Security Analyst with Taddong (www.taddong.com)
Publication date: March 18, 2011
Vendors contacted: SAP AG
SAP's NetWeaver platform is vulnerable to a web-based session fixation vulnerability. An initial HTTP connection to the J2EE Engine is assigned a standard Java cookie, named JSESSIONID, that contains the pre-authentication user session ID. Once the user successfully authenticates through any SAP web application or module (and hence through the SAP NetWeaver platform and the SAP J2EE Engine), the session ID is not renewed post-authentication; therefore, the platform is vulnerable to session fixation.
SAP NetWeaver is SAP’s integrated technology platform and technical foundation for all SAP applications and modules:
This session fixation vulnerability can be used to selectively attack targeted key business SAP users (regular or administrator), as well as any SAP user indiscriminately. As a result of the attack, the attacker will get unauthorized access to SAP by hijacking the victim user session and fully impersonating the user within the SAP environment.
Session fixation vulnerabilities can be leveraged to bypass the most advanced authentication mechanisms, including passphrases, client-based digital certificates, smart cards, and biometrics.
Considering SAP's industry presence as the world’s leader in business software, and its current numbers (+100K customers in 120 countries, +140K installations, and +2,4K certified partners), the impact of this specific vulnerability is extremely high worldwide, affecting thousands of critical business environments and their daily activities.
All the vulnerability details, how it was discovered, its worldwide impact, and additional protection mechanisms (apart from the ones detailed in this advisory) are available in the associated presentation and whitepaper, and specifically in case study #3.
Security solutions, workarounds, and countermeasures:
Companies and organizations using SAP products and solutions, and therefore the SAP NetWeaver platform, must apply the recommendations detailed in the associated SAP Security Note, 1310561, and ensure that the newly added "SessionIdRegenerationEnabled" Web Container Service property is enabled. Turning on this property adds a new secure (HTTPS) cookie to sessions, called JSESSIONMARKID, that gets renewed after a successful login, thus mitigating session fixation attacks.
By default, this property is disabled in previous/legacy versions (6.x), and it is enabled since version +7.11 SP06 and all SPs for 7.20 and 7.30.
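One way to verify the behaviour described above on a given system is to compare the Set-Cookie headers captured before and after a login. The following is an added example, not code from Taddong or SAP; the cookie names come from this advisory, while the sample header values, function names, and finding labels are constructed for illustration.

```python
# Added example: cookie names come from the advisory; all values are constructed.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lowercased attribute names)."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    flags = {a.partition("=")[0].strip().lower() for a in attrs if a}
    return name.strip(), value.strip(), flags


def jar(headers):
    """Map cookie name -> (value, attribute names) for a list of Set-Cookie values."""
    return {n: (v, f) for n, v, f in map(parse_set_cookie, headers)}


def audit_login(pre_auth, post_auth):
    """Compare cookies set before and after login; an empty list means renewed."""
    pre, post = jar(pre_auth), jar(post_auth)
    findings = []
    pre_sid = pre.get("JSESSIONID", (None, set()))[0]
    # A login response that sets no JSESSIONID leaves the browser on the old one.
    post_sid = post.get("JSESSIONID", (pre_sid, set()))[0]
    sid_renewed = post_sid is not None and post_sid != pre_sid
    mark = post.get("JSESSIONMARKID")
    if mark is None:
        if not sid_renewed:
            findings.append("SESSION_NOT_RENEWED")
        return findings
    value, flags = mark
    if not value or value == pre.get("JSESSIONMARKID", (None, set()))[0]:
        findings.append("MARK_NOT_RENEWED")
    if "secure" not in flags:
        findings.append("MARK_NOT_SECURE")
    return findings


PRE = ["JSESSIONID=EXAMPLE-PREAUTH-0001; Path=/"]            # constructed
POST_LEGACY = []                                             # nothing reissued
POST_ENABLED = ["JSESSIONMARKID=EXAMPLE-MARK-0002; Path=/; Secure"]
POST_NO_SECURE = ["JSESSIONMARKID=EXAMPLE-MARK-0003; Path=/"]

if __name__ == "__main__":
    for label, post in [("legacy", POST_LEGACY), ("enabled", POST_ENABLED),
                        ("no-secure", POST_NO_SECURE)]:
        print(label, audit_login(PRE, post) or "OK")
```

An empty result means a post-login identifier was issued that a pre-login observer could not have known; any finding indicates that the property should be checked on that instance.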
Taddong's Black Hat Europe 2011 presentation and whitepaper associated with this advisory contain considerations for specific deployment scenarios, additional SAP security-related properties, and other recommended security best practices to mitigate session fixation (as well as other session management) attacks.
SAP has confirmed that multiple SAP NetWeaver versions are vulnerable, including 6.40 up to 7.20. See the associated SAP Security Note for details.
The vulnerability was discovered on SAP NetWeaver Portal version 6.4.200607310245.
SAP confirmed the existence of this vulnerability in July 2009 and released an associated SAP Security Note, number 1310561, in December 2010, acknowledging proper security researcher credit.
We at Taddong honestly believe this finding must be publicly known by the information security community in order to take appropriate countermeasures and mitigate the vulnerable behavior. Therefore, we have tried to coordinate the release of this security advisory together with the vendor, following responsible disclosure principles. This vulnerability is extremely relevant considering the extensive number of SAP-based business environments available in the industry and the potential impact of the associated attacks.
Vulnerability report timeline: (Summary)
2009-07-02: Taddong contacts SAP to provide details about this vulnerability.
2009-07-14: SAP ratifies the vulnerability and provides the temporary available countermeasures ("SessionIdRegenerationEnabled"). Discussion of the disclosure plans and the estimated timeframe for a fix begins.
2009-07-23: The initial estimated timeframe is set at two months (end of September), both parties being aware that this is most probably a best-case scenario.
2009-09-18: A few difficulties and stability issues associated with fixing the vulnerability start to arise, so a new fix estimate is set for January 2010. During the next couple of weeks different options are evaluated to reduce the newly estimated deadline, and to analyze the real impact worldwide.
2009-11-24: A status update is requested by Taddong, and the January estimate is confirmed to be still valid. An initial technical solution is being tested at that time. Besides that, the disclosure plans and models of both parties continue to be evaluated. SAP clarifies that it is in the process of evaluating its externally facing security program.
2010-01-26: A solution is still not available, the issue was escalated internally, and several months were required to be able to fix the vulnerability for all the different releases affected (7 months after initial notification). During the process, responsible disclosure and impact are reevaluated.
2010-03-08: A new deadline is established for September 2010 trying to cover all releases, as a few issues were found on legacy versions. In parallel, the option of providing partial fixes for specific customers is under evaluation (9 months after initial notification).
2010-08-06: A meeting is scheduled for November 2010 with the goal of discussing in-depth the vulnerability details and conclusions, plus collaborating and agreeing on the final disclosure actions and release deadline (13 months after initial notification).
2010-12-14: The vulnerability is privately released by SAP in the SAP Service Marketplace as Security Note 1310561 to its customers and partners (18 months after initial notification).
2011-03-17: The vulnerability and lessons learned are publicly released by Taddong during the Black Hat Europe 2011 conference in Barcelona after an implementation time of three months (21 months after initial notification).
2011-03-18: Taddong publishes this security advisory.
"SAP: Session (Fixation) Attacks and Protections (in Web Applications)". Raul Siles. Taddong. Black Hat Europe 2011. March 2011.
URL (presentation): http://www.taddong.com/docs/BlackHat_EU_2011_Siles_SAP_Session-Slides.pdf
URL (whitepaper): http://www.taddong.com/docs/BlackHat_EU_2011_Siles_SAP_Session-WP.pdf
SAP Security Note 1310561. SAP. December 2010. (Registration on the SAP Service Marketplace, SMP, is required).
SAP acknowledgements to security researchers. SAP. December 2010.
Taddong (www.taddong.com) is a company established in Spain in 2010 with the purpose of improving customers' information security by discovering and eliminating or mitigating the real risks that threaten their networking and information technology infrastructures. To achieve this goal, Taddong's portfolio includes specialized information security services, requiring in-depth technical knowledge and a broad understanding of the information technology market, as well as training services, focused on providing customers with auto-defense skills. Taddong remains at the forefront of the security market through continuous research and education activities.
The contents of this security advisory are copyright (c) 2011 Taddong S.L., and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.