Application: SAP ASE
Versions Affected: SAP ASE 16
Vendor URL: SAP
Bugs: Denial of Service
Reported: 01.02.2016
Vendor response: 02.02.2016
Date of Public Advisory: 12.10.2016
Reference: SAP Security Note 2330422
Author: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: Denial of Service
Impact: Resource Exhaustion
Remotely Exploitable: yes
Locally Exploitable: no

CVSS Information

CVSS Base Score v3: 7.5 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality None (N)
I: Impact to Integrity None (N)
A: Impact to Availability High (H)

Description

An attacker can trigger a condition in which the process ceases to run. This condition can be intentionally provoked by an attacker to cause denial of service.

Business risk

An attacker can use a Denial of Service vulnerability to terminate a process of the vulnerable component. While the process is down, nobody can use the service, which disrupts business processes, causes system downtime, and damages business reputation as a result.

VULNERABLE PACKAGES

SIQ 16.0
SQL_ANYWHERE_PERSONAL_SERVER 16.0
SYBASE_ASE_SERVER 15.7
SYBASE_ASE_SERVER 16.0
SYBASE_ASE_CE_SERVER 15.7

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2330422

TECHNICAL DESCRIPTION

By sending a specially crafted request to the SAP ASE OData Server (C:\SAP\ODATA-16_0\bin64), an attacker can crash it.