[ERPSCAN-16-038] SAP Message Server HTTP remote DoS

Application: SAP KERNEL
Versions Affected: SAP KERNEL 7.21-7.49
Vendor URL: SAP
Bugs: Denial of Service
Reported: 18.08.2016
Vendor response: 19.08.2016
Date of Public Advisory: 08.11.2016
Reference: SAP Security Note 2358972
Author: Mathieu Geli (ERPScan)

VULNERABILITY INFORMATION

Class: Denial of service
Impact: direct impact on availability
Remotely Exploitable: yes
Locally Exploitable: no

CVSS Information

CVE-2017-5997
CVSS Base Score v3: 7.5 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality None (N)
I: Impact to Integrity None (N)
A: Impact to Availability High (H)

Description

The SAP Message Server HTTP daemon does not release the memory it allocates for client connections in a certain case.

Business risk

An attacker can exploit a Denial of Service vulnerability to terminate a process of a vulnerable component. Thus, nobody will be able to use the service, which in turn disrupts business processes, causes system downtime, and damages the business reputation of the victim company.

VULNERABLE PACKAGES

KERNEL 7.21
KERNEL 7.42
KRNL32NUC 7.21
KRNL32NUC 7.21EXT
KRNL32NUC 7.22
KRNL32NUC 7.22EXT
KRNL32UC 7.21
KRNL32UC 7.21EXT
KRNL32UC 7.22
KRNL32UC 7.22EXT
KRNL64NUC 7.21
KRNL64NUC 7.21EXT
KRNL64NUC 7.22
KRNL64NUC 7.22EXT
KRNL64NUC 7.42
KRNL64UC 7.21
KRNL64UC 7.21EXT
KRNL64UC 7.22
KRNL64UC 7.22EXT
KRNL64UC 7.42

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2358972.

TECHNICAL DESCRIPTION

The message server does not properly free the resources allocated to handle a client request when the request size is between 4k and 65k. In this special case, the server answers with an empty reply, whereas for a request larger than 65k the server resets the connection. The following log shows the msgserver process being killed because it had allocated too much memory:
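The defensive side of the condition above is that legitimate message server HTTP requests are small, so a client repeatedly sending requests in the 4k-65k band the advisory describes stands out. The following added example (not part of the ERPScan advisory or SAP's code) flags such clients from a list of (client, request size) records; the record format and the sample records are constructed for this example, the band boundaries are assumed to be 4*1024 and 65*1024 bytes, and the alert threshold is a tuning assumption:

```python
# Added detection example, not from the advisory: count requests whose size lies
# in the band the advisory says the message server's HTTP daemon fails to clean
# up after, and flag clients that send many of them. In practice the records
# would come from a reverse proxy or network sensor in front of the message
# server HTTP port; here they are constructed inline.
from collections import defaultdict

LEAK_BAND_MIN = 4 * 1024    # "4k" from the advisory (assumed 4096 bytes)
LEAK_BAND_MAX = 65 * 1024   # "65k" from the advisory (assumed 66560 bytes)

# Constructed sample records: (client_ip, request_size_in_bytes)
SAMPLE_REQUESTS = [
    ("10.0.0.5", 312),      # normal-sized request
    ("10.0.0.5", 540),
    ("10.0.0.9", 8192),     # inside the leak band
    ("10.0.0.9", 16384),
    ("10.0.0.9", 32768),
    ("10.0.0.9", 60000),
    ("10.0.0.7", 70000),    # above 65k: advisory says the server resets the connection
]


def in_leak_band(size):
    """True if a request size lies in the band the advisory describes as leaking."""
    return LEAK_BAND_MIN <= size <= LEAK_BAND_MAX


def count_leak_band_requests(records):
    """Map each client to the number of its requests that fall in the leak band."""
    counts = defaultdict(int)
    for client, size in records:
        if in_leak_band(size):
            counts[client] += 1
    return dict(counts)


def flag_clients(records, threshold=3):
    """Return clients with at least `threshold` leak-band requests, sorted.

    `threshold` is a tuning assumption; a single oversized request may be
    benign, but a run of them from one source matches the pattern the
    advisory describes and warrants checking the msgserver's memory usage.
    """
    counts = count_leak_band_requests(records)
    return sorted(client for client, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("leak-band requests per client:", count_leak_band_requests(SAMPLE_REQUESTS))
    print("flagged clients:", flag_clients(SAMPLE_REQUESTS))
```

Pair such an alert with a memory watch on the msgserver process: a client flagged here while the process's resident memory climbs is the combination that, per the advisory, ends with the process being killed.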

Proof of Concept