[ERPSCAN-15-015] SAP NetWeaver – Hardcoded Credentials

Application: SAP NetWeaver
Vendor URL: http://www.sap.com
Bugs: Hardcoded credentials
Reported: 06.03.2014
Vendor response: 07.03.2014
Date of Public Advisory: 15.06.2015
Reference: SAP Security Note 2057982
Authors: Rustem Gazizov, Diana Grigorieva (ERPScan)

VULNERABILITY INFORMATION
Class: hardcoded credentials [CWE-798]
Impact: read application data; gain privileges / assume identity
Remotely Exploitable: Yes
Locally Exploitable: No
CVSS Information
CVSS Base Score: 2.1 / 10
CVSS Base Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N

AV : Access Vector (Related exploit range) Network (N)
AC : Access Complexity (Required attack complexity) High (H)
Au : Authentication (Level of authentication needed to exploit) Single (S)
C : Impact to Confidentiality Partial (P)
I : Impact to Integrity None (N)
A : Impact to Availability None (N)

Business Risk
An attacker who knows the hardcoded credentials can gain unauthorized access and perform various actions in the system. In addition, such code is likely to act as a backdoor into the system.

Description
Hardcoded credentials in an SAP NetWeaver program.

VULNERABLE PACKAGES
SAP NetWeaver AS ABAP
Other versions are probably affected too, but they were not checked.

SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2057982.

TECHNICAL DESCRIPTION
The vulnerability is in the FKCDBFTRACE ABAP program.
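The advisory does not reproduce the affected code, and the scanner below is an added example, not code from ERPScan, SAP or the FKCDBFTRACE program. It shows the kind of heuristic a defender can run over custom ABAP source to surface CWE-798 patterns: a user name (sy-uname or a user-like variable) compared against a string literal, and a password-like identifier compared with or assigned a literal. The ABAP sample embedded in it is constructed for this example; the rule names, the regexes and the redaction of literals in the report are choices of this example, not anything the note describes.

```python
"""Heuristic scan of ABAP source for hardcoded-credential patterns (CWE-798).

Added example for this advisory. The SAMPLE_ABAP text below is constructed
and is not the affected SAP program or any code from SAP Security Note 2057982.
"""
import re
from dataclasses import dataclass

# Constructed ABAP sample written for this example only.
SAMPLE_ABAP = """\
REPORT zdemo_trace.
PARAMETERS: p_user TYPE syuname, p_pass TYPE string.
DATA lv_pwd TYPE string.
IF sy-uname = 'SUPPORT_USR'.
  " constructed example of a user-name backdoor check
  lv_admin = abap_true.
ENDIF.
IF p_pass EQ 'S3cr3t!'.
  " constructed example of a literal password comparison
  PERFORM grant_access.
ENDIF.
IF p_user = lv_expected_user.
  PERFORM normal_flow.
ENDIF.
CALL FUNCTION 'Z_LOGIN' EXPORTING user = 'TRACE_USR' password = 'Pa55w0rd'.
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    snippet: str  # string literals are redacted so the report does not leak secrets


# Each rule is a name plus a regex applied to one source line.
# ABAP keywords and identifiers are case-insensitive, hence re.I.
RULES = [
    # A user-name comparison or assignment against a literal, e.g. IF sy-uname = 'X'.
    ("hardcoded-user-check",
     re.compile(r"\b(?:sy-uname|\w*user\w*|\w*uname\w*)(?:\s*=\s*|\s+(?:EQ|NE)\s+)'[^']*'", re.I)),
    # A password-like identifier compared with or assigned a non-empty literal.
    ("hardcoded-password",
     re.compile(r"\b\w*(?:pass|pwd|secret|cred)\w*(?:\s*=\s*|\s+(?:EQ|NE)\s+)'[^']+'", re.I)),
]


def is_comment(line: str) -> bool:
    # ABAP: '*' in column 1 is a full-line comment; '"' starts a comment anywhere.
    return line.startswith("*") or line.lstrip().startswith('"')


def redact(line: str) -> str:
    # Replace every string literal so the finding can be shared without the secret.
    return re.sub(r"'[^']*'", "'***'", line.strip())


def scan_abap(source: str) -> list[Finding]:
    """Return one Finding per (line, rule) match, in source order."""
    findings: list[Finding] = []
    for no, line in enumerate(source.splitlines(), start=1):
        if is_comment(line):
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(no, name, redact(line)))
    return findings


if __name__ == "__main__":
    for f in scan_abap(SAMPLE_ABAP):
        print(f"line {f.line_no:>3}  {f.rule:<22} {f.snippet}")
```

Run against the constructed sample, the scanner flags lines 4, 8 and 15 and leaves line 12 alone, because there the user name is compared with a variable rather than a literal. A regex pass like this is a triage aid, not a substitute for SAP's own code scanning or for applying the Security Note; its value is that it can be run over every custom (Z/Y) program in a transport before import.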