[ERPSCAN-17-049] Denial of Service in Enqueue server

Application: SAP Enqueue
Versions Affected: 7490.17.26.5735
Vendor URL: SAP
Bug: DoS
Reported: 16.05.2017
Vendor response: 17.05.2017
Date of Public Advisory: 10.10.2017
Reference: SAP Security Note 2476937
Author: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: Denial of Service
Risk: high priority
Remotely Exploitable: yes
Locally Exploitable: no

CVSS Information

CVSS v3 Base Score: 7.5 / 10
CVSS Base v3 Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality None (N)
I: Impact to Integrity None (N)
A: Impact to AvailabilityHigh (H)

DESCRIPTION

An anonymous attacker can use a special request for crash enserver.exe process on the server.

BUSINESS RISK

A Denial of Service vulnerability can be used to terminate the process of a vulnerable component. For this time, nobody can use this service. This fact negatively influences business processes, system downtime, and business reputation as a result.

VULNERABLE PACKAGES

SAP KERNEL 7.53 64-BIT
SAP KERNEL 7.52 64-BIT
SAP KERNEL 7.51 64-BIT
SAP KERNEL 7.50 64-BIT
SAP KERNEL 7.49 64-BIT
SAP KERNEL 7.45 64-BIT
SAP KERNEL 7.22 EXT 64-BIT
SAP KERNEL 7.22 64-BIT
SAP KERNEL 7.21 EXT 64-BIT
SAP KERNEL 7.21 EXT 32-BIT
SAP KERNEL 7.21 64-BIT
SAP KERNEL 7.21 32-BIT

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2476937

TECHNICAL DESCRIPTION

Proof of Concept