[ERPSCAN-17-009] SAP HANA Sinopia – default user creation policy insecure

Application: SAP HANA
Versions Affected: SAP HANA SPS12
Vendor URL: SAP
Bug: Insecure default configuration
Reported: 13.12.2016
Vendor response: 14.12.2016
Date of Public Advisory: 14.02.2017
Reference: SAP Security Note 2407694
Author: Mathieu Geli (ERPScan)

VULNERABILITY INFORMATION

Class: Insecure default configuration
Impact: Hijacking npm packages, using SAP server for hosting malicious files
Remotely Exploitable: yes
Locally Exploitable: no

CVSS Information

CVE Name: CVE-2017-8914
CVSS Base Score v3: 8.3 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Changed (C)
C: Impact to Confidentiality Low (L)
I: Impact to Integrity Low (L)
A: Impact to Availability Low (L)

Description

By default, npm service sinopia in SAP HANA XS allows default user creation. A malicious user can abuse this default behavior by different means.

Business risk

Local user creation in Sinopia is a not needed function in WebIDE for HANA XS. Administrators should deploy a WebIDE update to avoid potential integrity challenges by attackers creating content, which might be used in customer developed applications.

VULNERABLE PACKAGES

HDB 1.00
HDB 2.00

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2407694.

TECHNICAL DESCRIPTION

Proof of Concept