[ERPSCAN-16-002] SAP HANA – log injection and no size restriction
Application: SAP HANA
Versions Affected: SAP HANA
Vendor URL: http://www.sap.com
Bugs: Log injection
Vendor response: 29.09.2015
Date of Public Advisory: 12.01.2016
Reference: SAP Security Note 2241978
Author: Mathieu Geli (ERPScan)
Class: Log injection
Impact: fraud log events, hiding actions on the system
Remotely Exploitable: Yes
Locally Exploitable: No
CVSS Base Score: 5.0 / 10
CVSS Base Vector:
AV : Access Vector (Related exploit range)                      Network (N)
AC : Access Complexity (Required attack complexity)             Medium (M)
Au : Authentication (Level of authentication needed to exploit) None (N)
C  : Impact to Confidentiality                                  None (N)
I  : Impact to Integrity                                        Partial (P)
A  : Impact to Availability                                     None (N)
DESCRIPTION
An unauthenticated attacker can send specially crafted HTTP requests to the SAP HANA Extended Application Services (XS) Classic debug function. This allows forging additional entries in the trace files of the XS process and thus consuming disk space on the HANA system.
An anonymous attacker can use a special HTTP request to inject new entries into the log of the HANA XS Engine.
VULNERABLE PACKAGES
SAP HANA 1.00.095.00.1429086950
Other versions are probably affected too, but they were not checked.
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2241978.
TECHNICAL DESCRIPTION
An anonymous attacker can use a special HTTP request to inject entries into the xsengine trace file without any size restriction. The vulnerability is triggered when the username sent to the /sap/hana/xs/debugger/grantAccess.xscfunc page is longer than 256 characters.
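As an added defender-side illustration (not ERPScan's or SAP's code), the following Python contrasts a trace writer that records the username unchecked with one that enforces the 256-character limit and neutralises control characters, so that one request can only ever produce one bounded trace entry. The entry format, function names and sample values are constructed for the example and do not reflect HANA's real trace layout.

```python
import re

# Length limit the text says the endpoint failed to enforce (constructed constant).
MAX_USERNAME_LEN = 256


class InvalidUsername(ValueError):
    """Raised when a username must be rejected before it reaches the trace."""


def format_entry_vulnerable(event: str, username: str) -> str:
    """Unchecked variant: the value is written as received.

    A CR/LF inside the value splits the entry into extra, caller-chosen
    lines, and an oversized value is appended in full, growing the file.
    """
    return f"[{event}] user={username}"


def sanitize_username(username: str) -> str:
    """Enforce the size limit and escape C0 control characters and DEL.

    Escaping (rather than stripping) keeps the forensic record of what
    was actually submitted while guaranteeing a single trace line.
    """
    if len(username) > MAX_USERNAME_LEN:
        raise InvalidUsername(f"username exceeds {MAX_USERNAME_LEN} characters")
    return re.sub(
        r"[\x00-\x1f\x7f]",
        lambda m: f"\\x{ord(m.group()):02x}",
        username,
    )


def format_entry_hardened(event: str, username: str) -> str:
    """Hardened variant: validate, then log the sanitised value."""
    return f"[{event}] user={sanitize_username(username)}"


def count_trace_lines(entry: str) -> int:
    """How many physical lines an entry would occupy in the trace file."""
    return entry.count("\n") + 1


if __name__ == "__main__":
    # Constructed input: a name followed by a line break and a second fake entry.
    sample = "alice\n[grantAccess] user=admin"
    print(count_trace_lines(format_entry_vulnerable("grantAccess", sample)))  # 2
    print(count_trace_lines(format_entry_hardened("grantAccess", sample)))    # 1
```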
To prevent this issue as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services: