[ERPSCAN-18-006] SAP Redwood BPA Message Service crypto secret information disclosure

Application: SAP Redwood BPA
Vendor URL: SAP
Bugs: Information Disclosure
Reported: 09.11.2017
Vendor response: 10.11.2017
Date of Public Advisory: 13.03.2018
Reference: SAP Security Note 2596535
Author: Mathieu Geli (ERPScan)

DESCRIPTION

An unauthenticated network attacker can forge packets that the Redwood Cluster Message Service accepts as valid, without knowing the secret communication key that is supposed to protect traffic between cluster members.
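The advisory does not describe Redwood's wire format or why the check fails, so the following added example (not code from ERPScan or SAP) shows only the property the description says is violated: a cluster message service must reject any packet whose sender cannot prove knowledge of the shared key. The framing, the key value, and the flawed `open_unauthenticated` receiver are assumptions for illustration, not the Redwood protocol. `open_authenticated` is the correct behaviour: verify an HMAC tag in constant time before parsing anything, so a packet with a forged or missing tag, a tampered payload, or a different key is dropped.

```python
import hashlib
import hmac
import struct

# Constructed framing for the demo, NOT the Redwood Cluster Message Service
# wire format (assumption):
#   header = 2-byte message type | 4-byte payload length (big-endian)
#   packet = header | payload | HMAC-SHA256(key, header | payload)
HEADER_FMT = ">HI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 6 bytes
TAG_LEN = hashlib.sha256().digest_size    # 32 bytes

# Fixed key so the demo is reproducible; a real cluster uses a random secret.
CLUSTER_KEY = b"demo-cluster-key-do-not-use-in-prod"


def seal(key: bytes, msg_type: int, payload: bytes) -> bytes:
    """Build an authenticated packet; only a holder of `key` can produce a valid tag."""
    body = struct.pack(HEADER_FMT, msg_type, len(payload)) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def parse_body(body: bytes):
    """Parse header + payload, rejecting length mismatches. Returns (msg_type, payload)."""
    if len(body) < HEADER_LEN:
        raise ValueError("short packet")
    msg_type, length = struct.unpack(HEADER_FMT, body[:HEADER_LEN])
    payload = body[HEADER_LEN:]
    if len(payload) != length:
        raise ValueError("length field does not match payload")
    return msg_type, payload


def open_authenticated(key: bytes, packet: bytes):
    """Correct receiver: verify the tag in constant time BEFORE parsing anything."""
    if len(packet) < HEADER_LEN + TAG_LEN:
        raise ValueError("short packet")
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return parse_body(body)


def open_unauthenticated(packet: bytes):
    """Hypothetical flawed receiver: strips the tag without checking it.

    Models the failure class in the advisory (packets accepted without the
    sender proving knowledge of the key); it is not Redwood's actual defect.
    """
    if len(packet) < HEADER_LEN + TAG_LEN:
        raise ValueError("short packet")
    return parse_body(packet[:-TAG_LEN])


def forge(msg_type: int, payload: bytes) -> bytes:
    """What an attacker without the key can send: a well-formed body plus a garbage tag."""
    body = struct.pack(HEADER_FMT, msg_type, len(payload)) + payload
    return body + b"\x00" * TAG_LEN


def accepts(receiver, packet: bytes) -> bool:
    """True if `receiver` returns a message for `packet` instead of rejecting it."""
    try:
        receiver(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    genuine = seal(CLUSTER_KEY, 1, b"JOB_STATUS")
    forged = forge(1, b"SHUTDOWN")
    tampered = bytearray(genuine)
    tampered[HEADER_LEN] ^= 0x01          # flip one payload byte of a genuine packet
    tampered = bytes(tampered)
    for name, pkt in (("genuine", genuine), ("forged", forged), ("tampered", tampered)):
        print(f"{name:9s} authenticated receiver: {accepts(lambda p: open_authenticated(CLUSTER_KEY, p), pkt)}"
              f"  unauthenticated receiver: {accepts(open_unauthenticated, pkt)}")
```

Run it and the authenticated receiver accepts only the genuine packet, while the unauthenticated one accepts all three: a receiver that does not bind acceptance to the key gives an attacker on the network the same standing as a legitimate cluster member.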

BUSINESS RISK

An attacker can use an information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that helps them learn about the system and plan further attacks.