[ERPSCAN-17-036] CSRF in SAP Java CRM

Application: SAP CRM
Versions Affected: SAP Java CRM 700-754
Vendor URL: SAP
Bug: CSRF
Reported: 20.06.2017
Vendor response: 21.06.2017
Date of Public Advisory: 11.07.2017
Reference: SAP Security Note 2478964
Author: Vladimir Egorov (ERPScan)

VULNERABILITY INFORMATION

Class: CSRF
Risk: Medium
Impact: account hijacking
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information

CVSS v3 Base Score: 6.1 / 10
CVSS v3 Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) Required (R)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Changed (C)
C: Impact to Confidentiality Low (L)
I: Impact to Integrity Low (L)
A: Impact to Availability None (N)

Description

An attacker can use a special HTTP request to hijack the session data of administrators of the web resource.

Business risk

An attacker can exploit a Cross-Site Request Forgery vulnerability to act within an authenticated user's session by causing that user's browser to send a request to a particular URL with specific parameters. The targeted function is then executed with the authenticated user's rights. The attacker may use a Cross-Site Scripting vulnerability to trigger the request, or may present a specially crafted link to the targeted user.
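The paragraph above describes the mechanism: the browser attaches the victim's session cookie to any request, so a state-changing endpoint that trusts the cookie alone can be driven from a foreign page. The following is an added illustration of the server-side control that closes this class of issue, a synchronizer token bound to the session plus an Origin/Referer check. It is not part of the advisory and not SAP code; the origin, endpoint path, session store, cookie name and request model are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-ins; none of these names, paths or hosts come from SAP.
TRUSTED_ORIGIN = "https://crm.example.invalid"   # assumed origin of the CRM web UI
SESSIONS: dict[str, dict] = {}                    # assumed server-side session store


@dataclass
class Request:
    """Minimal model of an incoming HTTP request (constructed for the example)."""
    method: str
    path: str
    headers: dict[str, str] = field(default_factory=dict)
    form: dict[str, str] = field(default_factory=dict)
    cookies: dict[str, str] = field(default_factory=dict)


def create_session(user: str) -> str:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32), "email": None}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the server embeds in its own pages/forms for this session."""
    return SESSIONS[sid]["csrf_token"]


def _same_origin(url: str) -> bool:
    """Compare scheme and host[:port] of a URL against the trusted origin."""
    got, want = urlsplit(url), urlsplit(TRUSTED_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def check_request(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). State-changing methods must carry the session-bound token."""
    session = SESSIONS.get(req.cookies.get("JSESSIONID", ""))
    if session is None:
        return False, "no session"
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    # Defence in depth: a browser-supplied Origin/Referer pointing elsewhere is rejected.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is not None and not _same_origin(source):
        return False, "origin mismatch"
    # Synchronizer token: a cross-site page cannot read it, so a forged request lacks it.
    token = req.headers.get("X-CSRF-Token") or req.form.get("csrf_token")
    if token is None or not hmac.compare_digest(token, session["csrf_token"]):
        return False, "missing or invalid csrf token"
    return True, "ok"


def handle_change_email(req: Request) -> dict:
    """Hypothetical state-changing endpoint guarded by check_request()."""
    allowed, reason = check_request(req)
    if not allowed:
        return {"status": 403, "reason": reason}
    SESSIONS[req.cookies["JSESSIONID"]]["email"] = req.form.get("email")
    return {"status": 200, "reason": "updated"}


def run_demo() -> list[dict]:
    """Three constructed requests against one administrator session.

    In all three the session cookie is present, as a browser would attach it
    automatically; only the legitimate one carries the session-bound token.
    """
    sid = create_session("admin")
    cookie = {"JSESSIONID": sid}
    forged = Request("POST", "/hypothetical/changeEmail",
                     headers={"Origin": "https://attacker.invalid"},
                     form={"email": "attacker@attacker.invalid"}, cookies=cookie)
    forged_no_origin = Request("POST", "/hypothetical/changeEmail",
                               form={"email": "attacker@attacker.invalid"}, cookies=cookie)
    legit = Request("POST", "/hypothetical/changeEmail",
                    headers={"Origin": TRUSTED_ORIGIN, "X-CSRF-Token": csrf_token_for(sid)},
                    form={"email": "admin@crm.example.invalid"}, cookies=cookie)
    return [handle_change_email(r) for r in (forged, forged_no_origin, legit)]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The token is compared with `hmac.compare_digest` and is never accepted from a cookie, only from a header or form field the same-origin page had to read first. As the advisory's Business risk section notes, a Cross-Site Scripting flaw on the same origin can read that token, so the token check protects against cross-site forgery but does not substitute for fixing XSS.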

VULNERABLE PACKAGES

SAP-CRMJAV 700
SAP-CRMJAV 701
SAP-CRMJAV 702
SAP-CRMJAV 731
SAP-CRMJAV 730
SAP-CRMJAV 732
SAP-CRMJAV 733
SAP-CRMJAV 754

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2478964.

TECHNICAL DESCRIPTION

Proof of Concept

SAP CRM b2b_2

SAP CRM cr_b2b

SAP CRM cviews

SAP CRM entitlementinquiry

SAP CRM icss_b2b

SAP CRM icss_b2c

SAP CRM partnerregistration

SAP CRM sharedcatalog

SAP CRM lwc