Close

HAVE QUESTIONS?

A partner account manager can help. Contact us today.

Subscribe me to your mailing list

[ERPSCAN-15-001] SAP NetWeaver ECATT_DISPLAY_XMLSTRING_REMOTE – XXE

Application: SAP NetWeaver AS ABAP
Versions Affected: SAP NetWeaver AS ABAP 7.31, probably others
Vendor URL: http://www.sap.com
Bugs: XML External Entity
Reported: 09.07.2013
Vendor response: 10.07.2013
Date of Public Advisory: 20.01.2015
Reference: SAP Security Note 2016638
Authors: Nikolay Mescherin (ERPScan)

VULNERABILITY INFORMATION
Class: XML External Entity [CWE-611]
Impact: SAP NetWeaver AS ABAP 7.31
Remotely Exploitable: Yes
Locally Exploitable: No

Business Risk
It is possible for attackers to send any packet to any port of any system including localhost.
It means that it is possible, for example, to send any administrative command to Gateway or Message Server because the source of the packet will be localhost, and there are no restrictions for localhost. Another example is an attack on other interfaces.

Description
SAP XML parser validates all incoming XML requests with user specified DTD.

VULNERABLE PACKAGES
SAP NetWeaver AS ABAP 7.31
Other versions are probably affected too, but they were not checked.

SOLUTIONS AND WORKAROUNDS
Apply the corrections in SAP Security Note 2016638 or upgrade to the following SPs:

  • SAP_BASIS 7.40: SP08
  • SAP_BASIS 7.31: SP13
  • SAP_BASIS 7.30: SP12
  • SAP_BASIS 7.11: SP14
  • SAP_BASIS 7.10: SP19

TECHNICAL DESCRIPTION
SAP XML parser in the function ECATT_DISPLAY_XMLSTRING_REMOTE (IM_STRING parameter) validates all incoming XML requests with a user-specified DTD.

Defense
To prevent this issue as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services: