[ERPSCAN-17-013] SAP NetWeaver disp+work anonymous denial of service with crafted DIAG request

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver disp+work 7.4
Vendor URL: SAP
Bugs: DoS
Reported: 13.12.2016
Vendor response: 14.12.2016
Date of Public Advisory: 14.03.2017
Reference: SAP Security Note 2405918
Author: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: DoS
Impact: Denial of Service
Remotely Exploitable: yes
Locally Exploitable: yes

CVSS Information

CVSS Base Score v3: 7.5 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality None (N)
I: Impact to Integrity None (N)
A: Impact to Availability High (H)

Description

When we send a crafted DIAG request to the disp+work process port, the server will consume all available resources.

Business risk

An attacker can use a Denial of Service vulnerability for terminating the process of a vulnerable component. For this time nobody can use this service. This fact negatively influences business processes, system downtime, and business reputation as a result.

VULNERABLE PACKAGES

disp+work service 7400.12.21.30308

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2405918

TECHNICAL DESCRIPTION

Proof of Concept