[ERPSCAN-17-008] SAP HANA XS Sinopia – DoS vulnerability

Application: SAP HANA
Versions Affected: SAP HANA 1 and SAP HANA 2
Vendor URL: SAP
Bug: DoS
Reported: 13.12.2016
Vendor response: 14.12.2016
Date of Public Advisory: 14.02.2017
Reference: SAP Security Note 2407694
Authors: Mikhail Medvedev (ERPScan), Mathieu Geli (ERPScan)

VULNERABILITY INFORMATION

Class: DoS
Impact: Denial of Service
Remotely Exploitable: yes
Locally Exploitable: no

CVSS Information

CVE Name: CVE-2017-8915
CVSS Base Score v3: 8.3 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Changed (C)
C: Impact to Confidentiality Low (L)
I: Impact to Integrity Low (L)
A: Impact to Availability Low (L)

Description

An authenticated user to the SAP HANA XS sinopia npm registry service can crash the service by pushing a specific package.

Business risk

An attacker can use a Denial of service vulnerability for terminating the process of the Sinopia component. For this time, nobody can use this Sinopia service, which impacts some WebIDE capabilities like build features.

VULNERABLE PACKAGES

HDB 1.00
HDB 2.00

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2407694.

TECHNICAL DESCRIPTION

SAP HANA npm registry sinopia is crashing when a user is pushing package with filenames containing ‘$’ or ‘%’ (other special chars were not tested).

Proof of Concept