SAP Management Console ReadProfile Parameters - Information disclosure

Application: SAP NetWeaver 7.40 Vendor URL:http://www.sap.com **Bugs:**Information disclosure **Reported:**06.11.2014 **Vendor response:**07.11.2014 **Date of Public Advisory:**15.03.2015 **Reference:**SAP Security Note 2091768 Authors: Dmitry Chastukhin (ERPScan)

VULNERABILITY INFORMATION Class: Information disclosure [CWE-200]
Impact: Information disclosure
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-2817

Business Risk
It is possible to get some information from the web interface of CCMS without authentication. An attacker can use the information for subsequent attacks which will lead to illegal access to business-critical information.

Description
An anonymous attacker can send a special POST HTTP request to get information about any SAP profile parameters.

VULNERABLE PACKAGES
SAP NetWeaver 7.40 (sapstartsrv.exe, version v7400.12.21.30308).
Other versions are probably affected too, but they were not checked.

SOLUTIONS AND WORKAROUNDS
Install SAP Security Note 2091768 or upgrade kernel to the associated patch level.

TECHNICAL DESCRIPTION
An anonymous attacker can send a special POST HTTP request to get information about any SAP profile parameters.

Defense

To prevent this issue as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services:

• SAP Vulnerability Assessment
• SAP Security Assessment
• SAP Security Trainings
• SAP Custom code security review
• SAP Penetration testing