You may have recently had a penetration test and in the report you find that the SSL port for the SAP Hosagent (saphostexec) are listed as allowing weak encryption cipher strength and older SSL protocols.
You want to know how you can remedy this.
In this post I will show how we can appease the Cyber Security penetration testing team, by hardening the SSL ciphers and protocols used for connections to the Hostagent.
What Are Weak Ciphers?
Ciphers, like Triple-DES and Blowfish use 64-bit block sizes (the cipher text is split up into blocks of 64-bit in length) which makes a block cipher more vulnerable to compromise, compared to a cipher that uses a larger 128-bit block size.
The cipher is agreed upon during the setup of the SSL connection between the client and the server (SAP Hostagent in our scenario).
If a server advertises that it supports weaker ciphers, and a client elected to use one of the supported weaker ciphers during the SSL connection negotiation, then the connection could be vulnerable to decryption.
What Are Older SSL Protocols?
Through time the SSL protocol has been improved and strengthened.
The SSL protocol versions go from SSL v1.0 to SSL v3.0, then re-named to TLS and the versions again incremented from TLS 1.0, TLS 1.1, TLS 1.2 and the most recent TLS 1.3 (in 2018).
The old SSL versions of the protocol are deprecated and should not be used. The slightly newer TLS versions 1.0 and 1.1 are also now widely deprecated (do not confuse “deprecated” with “unused”).
It is therefore recommended, generally, to use TLS 1.2 and above.
Why Harden the Hostagent SSL Service?
Now we have an appreciation of our older ciphers and protocols, let’s look at the Hostagent.
Usually the PEN test report will highlight the SSL TCP port 1129, and the report will state two things:
- The SSL ciphers accepted by the Hostagent include weaker ciphers (such as RC4).
- The SSL protocols accepted by the Hostagent include TLS 1.0 and 1.1.
The above issues present opportunities for hackers that may allow them to more easily compromise a SAP Hostagent on a SAP server.
Whilst this may not sound too bad, it is just the Hostagent, when we realise that the Hostagent runs as the Linux root (or Windows SYSTEM user) and there are known vulnerabilities that allow remote exploitation, we can see that the Hostagent could be a window into the SAP system as the highest privileged user on the server!
It is therefore quite important to try and protect the Hostagent as much as possible.
How Can We Harden the Hostagent SSL Service?
To ensure that weak ciphers are not used, the server needs to be configured to not use them. In the context of SAP Hostagents, they are the SSL servers and they need to be configured to only use stronger ciphers.
The SAP Hostagent is really the same as the SAP Instance Agent in disguise.
Because of this, it is possible to find documented parameters that allow us to harden the SSL service of the Hostagent in the same way.
By following SAP note 510007, we can see two SAP recommended parameters and settings that can be used to harden the SSL ciphers used:
- ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
- ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
The SAP note 510007 includes an extremely good description of the SAP cryptographic library’s capabilities, the role of SSL and even some commentary on the probability of an older protocol being abused.
I feel that the note has been written by someone with a lot of experience.
The above two parameters apply a numeric calculation that selects an appropriate strength of cryptographic ciphers to be used for server and client connectivity.
With the Hostagent, we are more concerned with the server side, but the Hostagent can also do client calls, so we apply both parameters in unison.
The values assigned to the two parameters are described by the SAP note as being good, but also allow flexibility for backwards compatibility with the older SAP and non-SAP software. Again the SAP note stresses the importance of compatibility (and having stuff continue to work) versus security.
What is the Impact of the Parameters?
To be able to see the impact to the Hostagent, we first need to see what the Hostagent supports out-of-the-box.
Thanks to a great post here: www.ise.io/using-openssl-determine-ciphers-enabled-server
we can use a super simple shell script (on Unix/Linux) to call the OpenSSL executable, make a connection to the target server (the Hostagent) and check the list of ciphers and protocols that are advertised.
The code from the above site is here:
for v in ssl2 ssl3 tls1 tls1_1 tls1_2; do
for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
openssl s_client -connect localhost:1129 -cipher $c -$v < /dev/null > /dev/null 2>&1 && echo -e "$v:\t$c"
done
done
You can see that I have placed “localhost” and “1129” in the code.
This is because I am running the script on a Linux host with a SAP Hostagent installed, and the SSL port is 1129 (default).
The output is something like this (depending on your version of the Hostagent):
tls1: ECDHE-RSA-AES256-SHA
tls1: AES256-SHA
tls1: ECDHE-RSA-AES128-SHA
tls1: AES128-SHA
tls1: RC4-SHA
tls1: RC4-MD5
tls1: DES-CBC3-SHA
tls1_1: ECDHE-RSA-AES256-SHA
tls1_1: AES256-SHA
tls1_1: ECDHE-RSA-AES128-SHA
tls1_1: AES128-SHA
tls1_1: RC4-SHA
tls1_1: RC4-MD5
tls1_1: DES-CBC3-SHA
tls1_2: ECDHE-RSA-AES256-GCM-SHA384
tls1_2: ECDHE-RSA-AES256-SHA384
tls1_2: ECDHE-RSA-AES256-SHA
tls1_2: AES256-GCM-SHA384
tls1_2: AES256-SHA
tls1_2: ECDHE-RSA-AES128-GCM-SHA256
tls1_2: ECDHE-RSA-AES128-SHA
tls1_2: AES128-GCM-SHA256
tls1_2: AES128-SHA
tls1_2: RC4-SHA
tls1_2: RC4-MD5
tls1_2: DES-CBC3-SHA
You can see that we have some RC4 and some DES ciphers listed in the TLS 1.0, TLS 1.1 and TLS 1.2 sections.
We now use SAP note 510007 to decide that we want to use the more secure settings that remove these weaker ciphers.
In the case of SAP Host Agents, we adjust the profile file /usr/sap/hostctrl/exe/host_profile (as root), and add our two SAP recommended parameters (mentioned previously):
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
NOTE: You should be running the latest SAP Hostagent, this is very important for security of your system. There are known vulnerabilities in older versions that allow remote compromise.
Once set, we need to restart the agent:
/usr/sap/hostctrl/exe/saphostexec -restart
We can re-execute our check script to see that we have a more secure configuration:
tls1: ECDHE-RSA-AES256-SHA
tls1: AES256-SHA
tls1: ECDHE-RSA-AES128-SHA
tls1: AES128-SHA
tls1_1: ECDHE-RSA-AES256-SHA
tls1_1: AES256-SHA
tls1_1: ECDHE-RSA-AES128-SHA
tls1_1: AES128-SHA
tls1_2: ECDHE-RSA-AES256-GCM-SHA384
tls1_2: ECDHE-RSA-AES256-SHA384
tls1_2: ECDHE-RSA-AES256-SHA
tls1_2: AES256-GCM-SHA384
tls1_2: AES256-SHA
tls1_2: ECDHE-RSA-AES128-GCM-SHA256
tls1_2: ECDHE-RSA-AES128-SHA
tls1_2: AES128-GCM-SHA256
tls1_2: AES128-SHA
The more insecure ciphers are removed, but we still see those older protocols (TLS 1.0 and TLS 1.1) in the list.
We decide that we would like to further harden the setup by removing those protocols.
If we look at SAP note 2384290, we can see that an alternate set of parameter values are provided:
- ssl/ciphersuites = 545:PFS:HIGH::EC_P256:EC_HIGH
- ssl/client_ciphersuites = 560:PFS:HIGH::EC_P256:EC_HIGH
Let’s apply these and re-run the test for a final time.
We can see that we get a super refined list of protocols and ciphers:
tls1_2: ECDHE-RSA-AES256-GCM-SHA384
tls1_2: ECDHE-RSA-AES256-SHA384
tls1_2: ECDHE-RSA-AES256-SHA
tls1_2: AES256-GCM-SHA384
tls1_2: AES256-SHA
tls1_2: ECDHE-RSA-AES128-GCM-SHA256
tls1_2: ECDHE-RSA-AES128-SHA
tls1_2: AES128-GCM-SHA256
tls1_2: AES128-SHA
Our Hostagent SSL service is now as secure as it can be at this point in time, within reason. If we try and adjust the ciphers any further, we may end up breaking compatibility with other SAP systems in your landscape.
Summary
We’ve seen how applying two SAP standard parameters to the SAP Hostagent and restarting it, can significantly strengthen the posture of the Hostagent’s SSL service.
However, we need to be cautious of compatibility with other SAP and non-SAP software in the landscape, which may talk to the Hostagent only with older protocols.
As a final note, you may be wondering if we can remove the HTTP service from the Hostagent? At this point in time I have not found a SAP note that would indicate this is possible or recommended. However, since the HTTP protocol is known to be insecure, just don’t use it. This is in comparison with SSL which should be secure, but might not be as secure as it could be.
You may also be interested in: