[ERPSCAN-15-012] SAP Afaria 7 XComms – BoF

Application: SAP Afaria 7.00.6620.2 SP5
Vendor URL: http://www.sap.com
Bugs: BoF
Reported: 13.03.2015
Vendor response: 14.03.2015
Date of Public Advisory: 18.05.2015
Reference: SAP Security Note 2153690
Authors: Dmitry Chastukhin (ERPScan)

Vulnerability information
Class: Buffer Overflow [CWE-121]
Impact: Information disclosure, DoS
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-4092

Business Risk
An attacker can use the buffer overflow to place specially crafted code in the working memory of the vulnerable application, where it is executed with the same privileges the application has. This can give the attacker complete control over the application, cause a denial of service, allow command execution, or enable other attacks. Through command execution, the attacker can obtain critical technical and business-related information stored in the vulnerable SAP system or escalate their privileges. A denial of service terminates the process of the vulnerable component, so that nobody can use the service; this disrupts business processes, causes system downtime, and damages business reputation.

An anonymous attacker can use a special request to crash the XComms process on the server.

Vulnerable packages
SAP Afaria 7
Other versions are probably affected too, but they were not checked.

Solutions and workarounds
Multiple vulnerabilities have been discovered in certain landscape configurations of SAP Afaria. SAP has released a security patch to address the vulnerabilities. SAP strongly recommends that customers update their landscapes.
Patch Instructions:
1) Download hotfix.
SAP Afaria 7 SP5: Download Hotfix 11
2) Apply server hotfix (SAP Security Note 2153690)
SAP takes any security-related reports very seriously, and we will notify our customers as relevant new information on this topic becomes available. Customers may also contact SAP support by raising a customer incident on the component MOB-AFA.

Technical description
An attacker can generate and send a special request to the server to exploit a buffer overflow vulnerability.

To prevent this issue as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services: