[ERPSCAN-17-050] HANA DB credentials exposed to XSA applications

Application: SAP HANA
Versions Affected: 1.0 SPS11, SPS12 and 2.0 with XS Advanced
Vendor URL: SAP
Bug: Information Disclosure
Reported: 20.06.2017
Vendor response: 21.06.2017
Date of Public Advisory: 14.11.2017
Reference: SAP Security Note 2508673
Author: Mathieu Geli (ERPScan)

VULNERABILITY INFORMATION

Class: Information Disclosure
Risk: Medium
Impact: Provides an attacker with the privilege to read sensitive data
Remotely Exploitable: Yes
Locally Exploitable: Yes

CVSS Information

CVSS v3 Base Score: 5 / 10
CVSS v3 Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) High (H)
PR: Privileges Required (Level of privileges needed to exploit) High (H)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality High (H)
I: Impact to Integrity Low (L)
A: Impact to Availability None (N)

DESCRIPTION

An attacker with application privileges can obtain the user names and passwords of several HANA DB accounts by reading the environment variables of other processes, without needing access to the database.

BUSINESS RISK

An attacker can use an Information Disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that helps in learning about a system and planning other attacks.

VULNERABLE PACKAGES

SAP HANA 1.0 SPS11, SPS12 and 2.0 with XS Advanced

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2508673.

TECHNICAL DESCRIPTION

Every application running as the XSA user sapxsa can inspect the processes of other applications running as sapxsa and find, in their environment variables, the clear-text user name and password for HANA DB access.

The environment is read through /proc/<pid>/environ, and the variable of interest is VCAP_SERVICES.
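
A defensive audit for the exposure described above, added here as an example (not code from ERPScan or SAP): run as the application user, it reports which readable processes carry secrets in VCAP_SERVICES, listing only the JSON field paths and never the values. The Cloud Foundry-style JSON layout of VCAP_SERVICES, the SENSITIVE name list and the SAMPLE data are assumptions; the sample is constructed.

```python
import json
import os

SENSITIVE = ("password", "passwd", "secret", "token")  # assumed field-name hints

def parse_environ(raw):
    """Split a NUL-separated /proc/<pid>/environ blob into a dict."""
    pairs = (e.split(b"=", 1) for e in raw.split(b"\0") if b"=" in e)
    return {k.decode(errors="replace"): v.decode(errors="replace") for k, v in pairs}

def credential_paths(node, path=""):
    """Yield JSON paths of non-empty string fields named like a secret."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if isinstance(value, str) and value and any(s in key.lower() for s in SENSITIVE):
                yield here
            else:
                yield from credential_paths(value, here)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from credential_paths(value, f"{path}[{i}]")

def audit_environ(raw):
    """Return paths of secrets inside VCAP_SERVICES; values are never returned."""
    vcap = parse_environ(raw).get("VCAP_SERVICES", "null")
    try:
        return sorted(credential_paths(json.loads(vcap)))
    except json.JSONDecodeError:
        return ["<VCAP_SERVICES is not valid JSON>"]

def audit_host(proc="/proc"):
    """Map pid -> secret paths for every process whose environ this user can read."""
    findings = {}
    for name in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, name, "environ"), "rb") as fh:
                hits = audit_environ(fh.read())
        except OSError:
            continue  # another user's process, or it exited meanwhile
        if hits:
            findings[int(name)] = hits
    return findings

# Constructed sample, not captured from a real system.
SAMPLE = (b'PORT=50000\0VCAP_SERVICES={"hana":[{"name":"demo-hdi","credentials":'
          b'{"user":"DEMO_USER","password":"not-a-real-one"}}]}\0')

if __name__ == "__main__":
    print(audit_environ(SAMPLE), audit_host())
```

An empty result from audit_host() after SAP Security Note 2508673 is installed is the expected state; any pid still listed identifies a process whose credentials remain readable by its peers.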