[ERPSCAN-16-028] SAP Adaptive Server Enterprise – DoS vulnerability

Application: SAP Adaptive Server Enterprise
Versions Affected: SAP Adaptive Server Enterprise 16
Vendor URL: SAP
Bug: Denial of Service
Reported: 01.02.2016
Vendor response: 02.02.2016
Date of Public Advisory: 12.07.2016
Reference: SAP Security Note 2330839
Author: Vahgan Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: Denial of Service
Impact: DoS
Remotely Exploitable: Yes
Locally Exploitable: Yes

CVSS Information

CVSS Base Score v3: 7.5 / 10
CVSS Base Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality None (N)
I: Impact to Integrity None (N)
A: Impact to Availability High (H)

Description

An anonymous attacker can send a specially crafted request to SAP Adaptive Server Enterprise and crash the server.

Business risk

An attacker can use a Denial of Service vulnerability to terminate a process of the vulnerable component. While the process is down, nobody can use the service, which disrupts business processes, causes system downtime and, as a result, damages business reputation.

VULNERABLE PACKAGES

SAP Open Server 16.0 SP01, SP02
SAP ASE 16.0 SP01, SP02
SAP Replication Server SP207, SP209, SP210, SP3XX

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2330839.

TECHNICAL DESCRIPTION

Proof of Concept