SAP R/3 46C/D Brute Force Logins Bypass Account Locking

2003-03-04T16:54:46
ID OSVDB:8202
Type osvdb
Reporter Nicolas Gregoire(ngregoire@exaprobe.com)
Modified 2003-03-04T16:54:46

Description

Vulnerability Description

The SAP server-side Remote Function Call (RFC) API contains a flaw that may allow a malicious user to mount a brute-force attack against accounts without triggering a lock-out. The issue is due to insufficient checking in the RFC API, which can be used in place of the GUI for authentication: failed logon attempts through RFC are not subject to the same lock-out handling as GUI logons. The flaw may allow account compromise, resulting in a loss of confidentiality.
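The flaw class described above, modelled in Python as an added example that is not part of the original advisory or of SAP's code: two entry points (a GUI logon and an RFC logon) authenticate against one account store, but in the vulnerable server the failed-attempt counter and lock check live only in the GUI handler, so the RFC path can guess indefinitely. The hardened server routes every entry point through a single authenticate() that owns the lock-out state and records an audit trail per channel. All names, the lock threshold and the toy hash are assumptions for illustration.

```python
"""Constructed model of a lock-out bypass via a second authentication entry point.
Not SAP code; names, threshold and hashing are assumptions for the demo."""

from dataclasses import dataclass
from collections import Counter
import hashlib
import hmac

LOCK_THRESHOLD = 3  # assumed: failed attempts before an account is locked


@dataclass
class Account:
    username: str
    password_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def _hash(password: str) -> bytes:
    # Toy hash for the demo only; a real system would use a salted, slow KDF.
    return hashlib.sha256(password.encode()).digest()


class AccountStore:
    def __init__(self, users: dict[str, str]):
        self.accounts = {u: Account(u, _hash(p)) for u, p in users.items()}

    def check_password(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(acct.password_hash, _hash(password))


def _count_failure(acct: Account) -> None:
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCK_THRESHOLD:
        acct.locked = True


class VulnerableServer:
    """Lock-out logic is implemented in the GUI handler only."""

    def __init__(self, store: AccountStore):
        self.store = store

    def gui_login(self, username: str, password: str) -> str:
        acct = self.store.accounts.get(username)
        if acct is None:
            return "denied"
        if acct.locked:
            return "locked"
        if self.store.check_password(username, password):
            acct.failed_attempts = 0
            return "ok"
        _count_failure(acct)
        return "denied"

    def rfc_login(self, username: str, password: str) -> str:
        # Defect modelled here: credentials are verified directly, with no lock
        # check and no failure counting, so guessing never locks the account.
        return "ok" if self.store.check_password(username, password) else "denied"


class HardenedServer:
    """Every entry point funnels through one authenticate() owning lock-out state."""

    def __init__(self, store: AccountStore):
        self.store = store
        self.audit: list[tuple[str, str, str]] = []  # (channel, user, outcome)

    def authenticate(self, username: str, password: str, channel: str) -> str:
        acct = self.store.accounts.get(username)
        if acct is None:
            outcome = "denied"
        elif acct.locked:
            outcome = "locked"
        elif self.store.check_password(username, password):
            acct.failed_attempts = 0
            outcome = "ok"
        else:
            _count_failure(acct)
            outcome = "denied"
        self.audit.append((channel, username, outcome))
        return outcome

    def gui_login(self, username: str, password: str) -> str:
        return self.authenticate(username, password, "GUI")

    def rfc_login(self, username: str, password: str) -> str:
        return self.authenticate(username, password, "RFC")

    def failed_by_user(self) -> dict[str, int]:
        # Detection view: failed logons per user, regardless of channel.
        return dict(Counter(u for _, u, o in self.audit if o == "denied"))


def simulate_failures(server, username: str, attempts: int) -> tuple[list[str], bool]:
    """Send `attempts` wrong passwords over RFC; return outcomes and lock state."""
    results = [server.rfc_login(username, "wrong-guess-%d" % i) for i in range(attempts)]
    return results, server.store.accounts[username].locked
```

The point of the model is that a lock-out control is only as strong as the least-checked path into the credential store; the fix is to place the counter and the lock check beside the password check itself, and the per-channel audit record is what lets a monitoring rule count failures across all logon interfaces rather than only the GUI.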

Solution Description

Upgrade to SAP AP version 4.6e or higher (RFC Patch Collection 02 2003), which has been reported to fix this vulnerability. An upgrade is required, as there are no known workarounds.

References:

Mail List Post: http://lists.netsys.com/pipermail/full-disclosure/2003-March/004039.html
Keyword: SAP note #617549
ISS X-Force ID: 11487
CVE: CVE-2003-1035
Bugtraq ID: 7007