[ERPSCAN-17-034] SAP Hostcontrol unprotected web method / DOS

Application: SAP Host Agent
Versions Affected: SAP Host Agent 7.21
Vendor URL: SAP
Bugs: Missing Authentication
Reported: 27.02.2017
Vendor response: 28.02.2017
Date of Public Advisory: 11.07.2017
Reference: SAP Security Note 2442993
Author: Mathieu Geli (ERPScan)

VULNERABILITY INFORMATION

Class: Missing Authentication Check
Impact: denial of service (an unauthenticated caller can stop the service)
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information

CVSS v3 Base Score: 7.5 / 10
CVSS v3 Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AV: Attack Vector (Related exploit range): Network (N)
AC: Attack Complexity (Required attack complexity): Low (L)
PR: Privileges Required (Level of privileges needed to exploit): None (N)
UI: User Interaction (Required user participation): None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component): Unchanged (U)
C: Impact to Confidentiality: None (N)
I: Impact to Integrity: None (N)
A: Impact to Availability: High (H)

Description

An unauthenticated remote attacker can stop the SAP Host Agent service by calling a web method on its SOAP SAPControl endpoint; the method performs no authentication check. Stopping the agent is a denial of service, which is why the CVSS vector above scores availability only.

Business risk

An attacker can use a Missing Authentication Check vulnerability to reach a service without passing any authentication procedure and invoke functionality that is meant to be restricted. Depending on the exposed functionality, this can lead to information disclosure, privilege escalation, and other attacks. In this case the exposed web method stops the service, so the consequence is loss of availability of the SAP Host Agent and of whatever relies on it; confidentiality and integrity are not affected (C:N, I:N in the vector above).

VULNERABLE PACKAGES

HDB 1.00
HDB 2.00
SAP Host Agent 7.21

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2442993.

TECHNICAL DESCRIPTION