Close

HAVE QUESTIONS?

A partner account manager can help. Contact us today.

 Subscribe me to your mailing list

[ERPSCAN-15-009] SAP Afaria 7 XcListener – Missing authorization check

Application: SAP Afaria 7.0.6001.5
Vendor URL: http://www.sap.com
Bugs: Missing authorization check
Reported: 09.12.2014
Vendor response: 10.12.2014
Date of Public Advisory: 15.03.2015
Reference: SAP Security Note 2134905
Authors: Vahagn Vardanyan (ERPScan)

Vulnerability information
Class: DoS [CWE-862]
Impact: DoS
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-2816

Business Risk
An attacker can use a missing authorization check to access the service without any authorization procedures and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation, and other attacks.

Description
An anonymous attacker can use a special request to connect to an Afaria server from any IP address.

Vulnerable packages
SAP Afaria 7
Other versions are probably affected too, but they were not checked.

Solutions and workarounds
A vulnerability has been discovered in certain landscape configurations of SAP Afaria that utilize XcListener for initiating client-to-server communications. SAP has released security patches for the vulnerable clients, Windows Mobile, Windows CE, and Windows. Windows Phone is not affected. SAP strongly recommends that customers patch their servers.
To be vulnerable, XcListener must be an active process. The Windows client enrollment policy allows administrators to enable/disable XcListener with the advanced option “Outbound listener and firewall”. XCListener listens to the port 3005. If the port 3005 is not exposed externally, then the vulnerability is only accessible locally on the machine.
Patching instructions:
1) Download hotfix

  • SAP Afaria 7 SP5 Hotfix 8
  • SAP Afaria 7 SP4 Hotfix 16

2) Apply server hotfix
The server version of XcListener will be patched when the hotfix is applied. The clients will be updated through the Afaria ESD process as they connect to the server.

Technical description
An anonymous attacker can use a special request to crash the Sybase SQL Anywhere process on the server.

Defense

To prevent this issue as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services: