SAP Patches DoS Flaw in Netweaver

SAP has released a fix for a remotely exploitable denial-of-service in its Netweaver platform. The bug is confirmed to affect several versions of the platform and may be present in others, as well.

Researchers at Core Security discovered the vulnerability and reported it to SAP in June. Netweaver is a platform that allows users to build and integrate SAP applications.

“A vulnerability has been found in SAP Netweaver that could allow an unauthenticated, remote attacker to create denial of service conditions. The vulnerability is triggered by sending a specially crafted SAP Enqueue Server packet to remote TCP port 32NN (NN being the SAP system number) of a host running the ‘Standalone Enqueue Server’ service, part of SAP Netweaver Application Server ABAP/Java. The ‘Standalone Enqueue Server’ is a critical component of a SAP Netweaver installation in terms of availability, rendering the whole SAP system unresponsive,” the Core advisory says.

Core Security has published proof-of-concept code that allows users to reproduce the bug in Netweaver.

“When the trace level of the service is configured to stop logging when a pattern is found, the service does not properly control the amount of recursion resulting in a stack overflow exception. The vulnerability can be triggered remotely by setting the trace level with a wildcard Trace Pattern. This vulnerability could allow a remote, unauthenticated attacker to conduct a denial of service attack against the vulnerable systems, rendering the Enqueue Server unavailable,” the advisory says.
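The failure class the advisory describes, uncontrolled recursion while matching a wildcard pattern, is easy to reproduce in miniature and just as easy to avoid. The following is an added illustration written for this article; it is not SAP's code, Core's proof of concept, or a model of the Enqueue Server's actual matcher. It pairs a textbook recursive `*` matcher, whose stack depth grows with the size of the input, with an iterative matcher that uses constant stack space, plus an assumed length cap on the pattern (the `MAX_PATTERN_LEN` value is a constructed policy limit, not one SAP uses).

```python
"""Recursive vs. iterative wildcard matching: why unbounded recursion on
attacker-influenced input becomes a denial of service.

Constructed example for illustration only; not SAP or Core Security code.
"""

# Assumed policy limit on how long a trace pattern may be (constructed value).
MAX_PATTERN_LEN = 256


def naive_match(pattern: str, text: str) -> bool:
    """Textbook recursive matcher supporting only the '*' wildcard.

    Every consumed character adds a stack frame, so a sufficiently long
    text (or pattern) exhausts the stack: RecursionError in Python, a stack
    overflow in a native service like the one described above.
    """
    if not pattern:
        return not text
    if pattern[0] == "*":
        # '*' consumes nothing, or consumes one character and stays in place.
        return naive_match(pattern[1:], text) or (
            bool(text) and naive_match(pattern, text[1:])
        )
    return bool(text) and pattern[0] == text[0] and naive_match(pattern[1:], text[1:])


def safe_match(pattern: str, text: str) -> bool:
    """Iterative greedy '*' matcher.

    Worst case O(len(text) * len(pattern)) time, no recursion, so input size
    cannot exhaust the stack. The pattern length cap bounds the remaining
    CPU cost regardless of what a caller supplies.
    """
    if len(pattern) > MAX_PATTERN_LEN:
        raise ValueError("pattern exceeds MAX_PATTERN_LEN")
    p = t = 0
    star = -1   # index of the most recent '*' in pattern, -1 if none
    star_t = 0  # text position at which that '*' was encountered
    while t < len(text):
        if p < len(pattern) and pattern[p] == "*":
            star, star_t = p, t
            p += 1
        elif p < len(pattern) and pattern[p] == text[t]:
            p += 1
            t += 1
        elif star != -1:
            # Backtrack: let the last '*' absorb one more character.
            star_t += 1
            p = star + 1
            t = star_t
        else:
            return False
    # Only trailing '*' characters may remain unconsumed.
    while p < len(pattern) and pattern[p] == "*":
        p += 1
    return p == len(pattern)


def naive_overflows(pattern: str, text: str) -> bool:
    """Report whether the recursive matcher blows the stack on this input."""
    try:
        naive_match(pattern, text)
        return False
    except RecursionError:
        return True


def pattern_accepted(pattern: str) -> bool:
    """Report whether the hardened matcher accepts a pattern at all."""
    try:
        safe_match(pattern, "")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed log line standing in for a trace entry.
    line = "Standalone Enqueue Server started on port 32NN"
    print("safe_match:", safe_match("*Enqueue*", line))
    print("naive overflows on long input:", naive_overflows("*", "x" * 5000))
    print("safe_match on long input:", safe_match("*", "x" * 5000))
```

The point to take from the pair is not the matching algorithm itself but the invariant: when input length (here the text, in the advisory the trace configuration) is under remote control, recursion depth must not be a function of that length. Converting the walk to a loop, or enforcing an explicit depth budget, turns a crash into a bounded amount of work, and a cap on pattern length keeps that work from becoming a CPU-exhaustion problem instead.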

The DoS vulnerability affects versions 7.01 and 7.20, Core said, adding that other versions are likely affected as well.
