[ERPSCAN-17-052] Information disclosure in SAP HANA XS classic user self-service

Application: SAP HANA
Versions Affected: SAP HANA SPS12, SPS10, SAP HANA 2.0
Vendor URL: SAP
Bug: Information Disclosure
Reported: 20.06.2017
Vendor response: 21.06.2017
Date of Public Advisory: 12.12.2017
Reference: SAP Security Note 2549983
Author: Mikhail Medvedev (ERPScan)

VULNERABILITY INFORMATION

Class: Information Disclosure
Risk: Medium
Impact: loss of information and system configuration confidentiality
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information

CVSS v3 Base Score: 5.3 / 10
CVSS v3 Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality Low (L)
I: Impact to Integrity None (N)
A: Impact to Availability None (N)

DESCRIPTION

A remote unauthenticated attacker can get a user list in SAP HANA by abusing the request account functionality provided by the user self-service application.

BUSINESS RISK

An attacker can use an information disclosure vulnerability to reveal additional information (system data, debugging information, etc.), learn about the system, and plan further attacks.

VULNERABLE PACKAGES

SAP HANA DATABASE 1.00 SP122
SAP HANA DATABASE 2.0 SP002
SAP HANA DATABASE 2.0 SP012
SAP HANA DATABASE 2.0 SP020

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2549983.

TECHNICAL DESCRIPTION

Using the error message returned by the request-account function, an attacker can detect which HANA users exist.
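The enumeration pattern the advisory describes, as an added illustration that is not code from SAP or from the advisory: a simplified request-account handler in plain JavaScript (the XSJS $.request/$.response API is not used) that returns distinct errors for existing and unknown users, beside a hardened version that returns the same response either way, and a check a defender can run to confirm the two responses are indistinguishable. The user store, user names and messages are constructed and hypothetical.

```javascript
// Constructed user store; hypothetical, not SAP HANA data.
const EXISTING_USERS = new Set(['ALICE', 'BOB']);

// Vulnerable pattern: the response depends on whether the user exists,
// so an unauthenticated caller learns which account names are valid.
function requestAccountVulnerable(userName) {
  const name = userName.trim().toUpperCase();
  if (!/^[A-Z0-9_]{1,32}$/.test(name)) {
    return { status: 400, body: 'Invalid user name' };
  }
  if (EXISTING_USERS.has(name)) {
    return { status: 400, body: 'User ' + name + ' already exists' };
  }
  return { status: 200, body: 'Request submitted' };
}

// Hardened pattern: the caller receives an identical response whether or
// not the user exists; the duplicate case is reported out of band
// (notifyAdmin is a hypothetical callback) instead of in the HTTP response.
function requestAccountHardened(userName, notifyAdmin) {
  const name = userName.trim().toUpperCase();
  if (!/^[A-Z0-9_]{1,32}$/.test(name)) {
    return { status: 400, body: 'Invalid user name' };
  }
  if (EXISTING_USERS.has(name)) {
    notifyAdmin('duplicate account request for ' + name);
  }
  return { status: 200, body: 'Request submitted' };
}

// Defender's check: does the handler's response differ between a known and
// an unknown user? Returns true when the handler leaks account existence.
// Only status and body are compared; response timing is not covered here.
function leaksUserExistence(handler) {
  const known = handler('ALICE', () => {});
  const unknown = handler('NOBODY_HERE', () => {});
  return known.status !== unknown.status || known.body !== unknown.body;
}
```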