Weak encryption vulnerability in SAP Download Manager leaks passwords

A Core Security Consulting researcher found that the SAP Download Manager program stores credentials using weak encryption that can leak passwords.

The encryption key on Windows and Mac OS systems is composed by the computer's BIOS serial number concatenated with a fixed key hard-coded in the programme's code, according to a Thursday Core Security advisory.

Researchers said the key on other platforms such as Linux is only composed of a fixed key hard-coded in the program's code.

“An attacker who manages to get access to a user's configuration file might be able to obtain the stored proxy password,” the advisory said.

Researcher Martin Gallo, who discovered the vulnerability, told The Register that proxy authentication information is kept on the program's configuration file which could pose a risk in the enterprise environment if the configuration file is compromised.

Gallo said this is because proxy authentication is integrated with other systems.

Core Security researchers said the vulnerability exists in SAP Download Manager version up to 2.1.142, and other products may be affected but weren't tested.

SAP has released an updated version of Download Manager that patches the vulnerability and no longer stores user portal password in the tool's settings. 

Sign up to our newsletters