[ERPSCAN-16-002] SAP HANA – log injection and no size restriction

Application: SAP HANA
Versions Affected: SAP HANA
Vendor URL: http://www.sap.com
Bugs: Log injection
Reported: 28.09.2015
Vendor response: 29.09.2015
Date of Public Advisory: 12.01.2016
Reference: SAP Security Note 2241978
Author: Mathieu Geli (ERPScan)

VULNERABILITY INFORMATION
Class: Log injection
Impact: forged log events, hiding actions on the system
Remotely Exploitable: Yes
Locally Exploitable: No
CVSS Information
CVSS Base Score: 5.0 / 10
CVSS Base Vector:

AV : Access Vector (Related exploit range) Network (N)
AC : Access Complexity (Required attack complexity) Medium (M)
Au : Authentication (Level of authentication needed to exploit) None (N)
C : Impact to Confidentiality None (N)
I : Impact to Integrity Partial (P)
A : Impact to Availability None (N)

Business risk
An unauthenticated attacker can send specially crafted HTTP requests to the debug function of SAP HANA Extended Application Services Classic. This allows forging additional entries in the trace files of the XS process and thus consuming disk space on the HANA system.

Description
An anonymous attacker can use a special HTTP request to inject a new entry into the log of the HANA XS Engine.

VULNERABLE PACKAGES
SAP HANA 1.00.095.00.1429086950
Other versions are probably affected too, but they were not checked.

SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2241978.

TECHNICAL DESCRIPTION
An anonymous attacker can use a special HTTP request to inject log entries into the xsengine trace file without any size restriction. The vulnerability is triggered when the username sent to the /sap/hana/xs/debugger/grantAccess.xscfunc page is longer than 256 characters.
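The two properties this class of bug lacks, single-line encoding and a size bound on a client-supplied field, are shown below as an added example. It is not SAP's code and not the content of Security Note 2241978. The function names, the trace line layout and the 256-character cap (borrowed from the length named above) are assumptions.

```python
import unicodedata

MAX_FIELD_CHARS = 256  # assumed cap, borrowed from the length named in the advisory


def _escape(ch: str) -> str:
    """Encode characters that could end a log line or a quoted field."""
    if ch in ('\\', '"'):
        return "\\" + ch
    cat = unicodedata.category(ch)
    # All control/format characters plus Unicode line/paragraph separators.
    if cat[0] == "C" or cat in ("Zl", "Zp"):
        code = ord(ch)
        return "\\u{:04x}".format(code) if code <= 0xFFFF else "\\U{:08x}".format(code)
    return ch


def sanitize_log_field(value: str, limit: int = MAX_FIELD_CHARS) -> str:
    """Return value as one bounded, single-line token for a log entry."""
    out, used = [], 0
    for ch in value:
        tok = _escape(ch)
        if used + len(tok) > limit:
            # Stop reading input here; record how much was received.
            out.append("...[truncated, {} chars received]".format(len(value)))
            break
        out.append(tok)
        used += len(tok)
    return "".join(out)


def format_trace_line(timestamp: str, component: str, username: str) -> str:
    """Hypothetical trace line layout; the user field is always sanitized."""
    return '[{}] {} access request user="{}"'.format(
        timestamp, component, sanitize_log_field(username))


# Constructed sample inputs (not taken from the advisory).
SAMPLE_FORGED = "alice\n[2016-01-01 00:00:00] debugger access granted to admin"
SAMPLE_LONG = "A" * 5000

if __name__ == "__main__":
    print(format_trace_line("2016-01-12 10:00:00", "debugger", SAMPLE_FORGED))
    print(format_trace_line("2016-01-12 10:00:01", "debugger", SAMPLE_LONG))
```

Escaping before the length check keeps the bound on what is written to disk rather than on what was received, and the truncation marker preserves the original length for later investigation.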

Defense

To prevent this issue as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services: