Lucene search

[email protected]CVE-2014-0984

HistoryApr 17, 2014 - 2:55 p.m.

CVE-2014-0984

2014-04-1714:55:00

CWE-264

[email protected]

web.nvd.nist.gov

sap

router

remote attack

timing side-channel

security

vulnerability

cve-2014-0984

6.5 Medium

AI Score

Confidence

Low

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.075 Low

EPSS

Percentile

94.1%

JSON

The passwordCheck function in SAP Router 721 patch 117, 720 patch 411, 710 patch 029, and earlier terminates validation of a Route Permission Table entry password upon encountering the first incorrect character, which allows remote attackers to obtain passwords via a brute-force attack that relies on timing differences in responses to incorrect password guesses, aka a timing side-channel attack.

CPENameOperatorVersion
sap:routersap routereq720
sap:routersap routereq721
sap:routersap routereq710

CPE	Name	Operator	Version
sap:router	sap router	eq	720
sap:router	sap router	eq	721
sap:router	sap router	eq	710

References

scn.sap.com/docs/DOC-8218

www.coresecurity.com/advisories/sap-router-password-timing-attack

www.exploit-db.com/exploits/32919

www.securityfocus.com/archive/1/531854/100/0/threaded

service.sap.com/sap/support/notes/1986895

6.5 Medium

AI Score

Confidence

Low

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.075 Low

EPSS

Percentile

94.1%

JSON

Related for CVE-2014-0984

prion1 packetstorm1 coresecurity1 securityvulns2 exploitpack1 seebug1 zdt1 cvelist1 exploitdb1