Dear All,
I recently completed a Vulnerability Assessment for a SAS 9.4 M8 environment that includes SAS Visual Analytics and SAS Data Management components.
The security team used Burp Suite to perform the scan and reported a vulnerability titled “Cleartext Submission of Password” on the SAS VA login page (SASLogon) with High severity.
The recommendation provided by the security team is:
Implement salted SHA-256 or salted SHA-512 hashing algorithms on password fields, while using plain SHA-256 or SHA-512 hashing on new password fields.
I reviewed the available SAS documentation but could not find any configuration changes within SAS 9.4 M8 that would allow modification of how passwords are transmitted from the SASLogon login form.
Has anyone encountered a similar finding during a security assessment of a SAS environment? If so, I would appreciate any guidance or recommendations on how this vulnerability can be mitigated or addressed.
Any assistance or insights would be greatly appreciated.
@AllanBowe @CVitron @Mark_sas @ronan @kimberlymay @RyanKing : Any help from you experts will make a huge impact.
Thanks & Regards,
Abhishek Pathak
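An added example (not part of the post above, and not SAS or Burp code) that reproduces the logic behind Burp's "Cleartext Submission of Password" issue: it is raised when a form containing a password-type input would be submitted to a plain-HTTP URL, so it is a transport finding rather than a finding about how the password is hashed or stored. The script parses a constructed login page, resolves each form's action against the URL the page was fetched from, and reports forms whose password value would travel over HTTP. The hostname and the SASLogon-style form markup are assumptions for illustration, not copied from a SAS installation.

```python
"""Reproduce the check behind "Cleartext submission of password".

A form that has a <input type="password"> and whose resolved action is an
http:// URL sends the typed value unencrypted. A form that is itself delivered
over http:// is also reported, because its action can be rewritten in transit.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> with its action, method and password field names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "password_fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["password_fields"].append(a.get("name") or "(unnamed)")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_cleartext_password_forms(page_url, html):
    """Return one finding per form that would submit a password in the clear.

    page_url is the URL the HTML was fetched from; a relative or empty form
    action resolves against it, exactly as the browser would resolve it.
    """
    parser = _FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if not form["password_fields"]:
            continue  # only password-bearing forms matter for this check
        submit_url = urljoin(page_url, form["action"])
        submit_scheme = urlsplit(submit_url).scheme.lower()
        reasons = []
        if submit_scheme != "https":
            reasons.append("password submitted over plain HTTP")
        if page_scheme != "https":
            reasons.append("login page delivered over plain HTTP (form action can be rewritten in transit)")
        if reasons:
            findings.append({
                "submit_url": submit_url,
                "method": form["method"],
                "password_fields": form["password_fields"],
                "reasons": reasons,
            })
    return findings


# Constructed login page for the example (assumed markup, not a real SASLogon page).
SAMPLE_LOGIN_HTML = """
<html><body>
<form action="/SASLogon/search" method="get">
  <input type="text" name="q">
</form>
<form action="/SASLogon/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="lt" value="token">
  <input type="submit" value="Sign In">
</form>
</body></html>
"""

# Assumed placeholder hostname; replace with the URL the scanner actually fetched.
HTTP_PAGE_URL = "http://sasweb.example.com/SASLogon/login"
HTTPS_PAGE_URL = "https://sasweb.example.com/SASLogon/login"


def demo():
    """Compare the same form delivered over HTTP and over HTTPS."""
    return {
        "over_http": find_cleartext_password_forms(HTTP_PAGE_URL, SAMPLE_LOGIN_HTML),
        "over_https": find_cleartext_password_forms(HTTPS_PAGE_URL, SAMPLE_LOGIN_HTML),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or "no findings")
```

Running it against the constructed page with an http:// page URL produces one finding; the identical markup fetched over https:// produces none, which is why this issue is addressed at the web server and TLS layer rather than inside the login form. The check keys only on the transport and on the presence of a password-type input: a value hashed in the browser and posted to the same http:// action would still be reported, and would still be a replayable credential for anyone able to read the traffic.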