ERPScan advisory ERPSCAN-17-014
Jan 11, 2016

SAP Netweaver Java deserialization of untrusted user value in metadatauploader


EPSS: 0.013 (Low), percentile 86.1%

**Application:** SAP NetWeaver
**Versions Affected:** SAP NetWeaver 7400.12.21.30308
**Vendor URL:** SAP
**Bugs:** DoS
**Reported:** 01.11.2016
**Vendor response:** 02.11.2016
**Date of Public Advisory:** 14.03.2017
**Reference:** SAP Security Note 2399804
**Author:** Vahagn Vardanyan (ERPScan) & Mathieu Geli (ERPScan)

VULNERABILITY INFORMATION

Class: DoS
Impact: Denial of Service
Remotely Exploitable: yes
Locally Exploitable: no
CVE: CVE-2017-9844

CVSS Information

CVSS Base Score v3: 7.5 / 10
CVSS Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (metrics listed below)

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality None (N)
I: Impact to Integrity None (N)
A: Impact to Availability High (H)

Description

An unauthenticated remote attacker can send a crafted HTTP request to the metadatauploader servlet that makes the server deserialize attacker-controlled Java objects. Depending on the classes reachable on the server's classpath, the outcome is at minimum a denial of service (the affected process terminates) and at worst remote code execution, as the proof of concept below shows. Note that the CVSS vector above scores only the availability impact.

Business risk

An attacker can use this Denial of Service vulnerability to terminate the process of the vulnerable component. While the process is down, nobody can use the service. This affects business processes through system downtime and, as a result, damages business reputation.

VULNERABLE PACKAGES

SAP NetWeaver 7400.12.21.30308

Other versions are probably affected too, but they were not checked.

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2399804

TECHNICAL DESCRIPTION

Proof of Concept

The proof of concept sends the serialized data to the SAP server with the following request (host and port are omitted here; the URL is quoted so that the shell does not treat `&` as a command separator). No credentials are needed, which matches the PR:N rating above.

```shell
curl -v -XPOST 'http://:/developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=admin' --data-binary @PoC.zip
```

PoC.zip is the archive that carries the serialized Java objects the servlet deserializes.

On the test system, calc.exe was launched, confirming that the deserialization leads to code execution and not only to a crash of the component.
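The request above delivers Java serialized data, wrapped in a zip archive, to a servlet that deserializes it. As an added example (not part of the ERPScan advisory and not SAP code), the following Python helper inspects a raw HTTP request for exactly that pattern: a POST to /developmentserver/metadatauploader whose body is, or contains as a zip member, a stream that starts with the Java serialization header (STREAM_MAGIC 0xACED followed by STREAM_VERSION 5). The request samples, the zip contents, the member names and the Host value sap.example are constructed for the example and are not taken from the advisory.

```python
import io
import zipfile
from urllib.parse import parse_qs, urlsplit

# Every java.io.ObjectOutputStream stream begins with STREAM_MAGIC (0xACED)
# followed by STREAM_VERSION (0x0005).
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
ZIP_MAGIC = b"PK\x03\x04"
TARGET_PATH = "/developmentserver/metadatauploader"


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, _version = request_line.decode("latin-1").split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def java_streams(body):
    """Return [(name, data)] for each Java serialized stream in the body,
    whether sent raw or as a member of a zip archive (the PoC uploads PoC.zip).
    Only the stream header is checked; the stream need not be well formed."""
    if body.startswith(JAVA_SER_MAGIC):
        return [("<body>", body)]
    if not body.startswith(ZIP_MAGIC):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            found = []
            for info in zf.infolist():
                data = zf.read(info)
                if data.startswith(JAVA_SER_MAGIC):
                    found.append((info.filename, data))
            return found
    except zipfile.BadZipFile:
        return []


def classify(raw):
    """Flag a POST to the metadatauploader servlet whose body carries Java
    serialized data. Returns the evidence used for the decision."""
    method, target, _headers, body = parse_http_request(raw)
    url = urlsplit(target)
    params = parse_qs(url.query)
    streams = java_streams(body)
    return {
        "path": url.path,
        "contenttype": params.get("CONTENTTYPE", [None])[0],
        "client": params.get("CLIENT", [None])[0],
        "serialized_members": [name for name, _ in streams],
        "suspicious": method == "POST" and url.path == TARGET_PATH and bool(streams),
    }


def build_zip(members):
    """Build an in-memory zip from {name: bytes} (helper for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_request(path_and_query, body):
    """Assemble a raw HTTP POST like the one curl sends with --data-binary."""
    head = (f"POST {path_and_query} HTTP/1.1\r\nHost: sap.example\r\n"
            f"Content-Type: application/octet-stream\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("latin-1") + body


# Constructed samples, not real exploit payloads: the "malicious" member is just
# the serialization header followed by TC_OBJECT/TC_CLASSDESC and nothing else.
QUERY = "/developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=admin"
MALICIOUS_ZIP = build_zip({"payload.ser": JAVA_SER_MAGIC + b"\x73\x72"})
BENIGN_ZIP = build_zip({"model.xml": b"<model/>"})
ATTACK_REQUEST = build_request(QUERY, MALICIOUS_ZIP)
BENIGN_REQUEST = build_request(QUERY, BENIGN_ZIP)
RAW_REQUEST = build_request(QUERY, JAVA_SER_MAGIC + b"\x73\x72")

if __name__ == "__main__":
    for label, req in (("attack", ATTACK_REQUEST), ("benign", BENIGN_REQUEST), ("raw", RAW_REQUEST)):
        print(label, classify(req))
```

This check needs the full request body (a proxy or WAF capture), since a URL-only access log cannot distinguish the benign upload from the attack; it also does not look inside nested archives or content-encoded bodies, so treat it as a first filter rather than a complete detector.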
