
Vulnerability title: Denial Of Service Via Named Pipes In SAP ECC

CVE: CVE-2016-1921
Vendor: SAP
Product: ECC
Affected version: 7.x
Fixed version: 7.21 HOST Agent Support Package SP007 Patch Level 00007
Reported by: Sam Barltrop

Details:

If you check the permissions for named pipes on a system running SAP, the SAP services will enter an infinite loop and start using up resources. Initially, the processes will reach 100% CPU and start to consume memory. Once the memory has been filled, the disk will start to fill up. It can take some time for a DoS to become apparent, but the high CPU usage by the processes is immediate.

Due to restrictions encountered during testing, Portcullis were unable to perform a detailed analysis of this issue before reporting it to SAP. Portcullis would therefore like to thank SAP for working with us to successfully identify the root cause and an appropriate resolution.

Impact:

An attacker with access to the underlying operating system could cause a Denial of Service by checking the ACLs of named pipes on the system.

Exploit:

accesschk.exe -q -s -w everyone \pipe\*

Remediation:

Restrict local user access.
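
A detection check for the command shown under "Exploit", added here as an example and not part of the Portcullis advisory or SAP's fix: it scans process-creation events (using Sysmon Event ID 1 field names) for AccessChk being run against the named-pipe namespace. The events are constructed sample data and the function names are hypothetical.

```python
import re

# Constructed sample events using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\accesschk.exe", "OriginalFileName": "accesschk.exe",
     "CommandLine": r"accesschk.exe -q -s -w everyone \pipe\*",
     "User": r"LAB\user1"},
    # Renamed binary: only OriginalFileName reveals the tool.
    {"Image": r"C:\Temp\ac.exe", "OriginalFileName": "accesschk.exe",
     "CommandLine": r'"C:\Temp\ac.exe" -accepteula -w users \\.\Pipe\*',
     "User": r"LAB\user2"},
    # AccessChk against a directory, not the pipe namespace.
    {"Image": r"C:\Tools\accesschk64.exe", "OriginalFileName": "accesschk.exe",
     "CommandLine": r"accesschk64.exe -d C:\usr\sap", "User": r"LAB\admin"},
    # Pipe path present, but the tool is not AccessChk.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir \\.\pipe\*", "User": r"LAB\user1"},
]

# An argument that starts with \pipe\, \\.\pipe\ or \\?\pipe\ (any case).
PIPE_ARG = re.compile(r"^(?:\\\\[.?]\\|\\)pipe\\", re.IGNORECASE)


def is_accesschk(event):
    """True if the on-disk name or the PE OriginalFileName is AccessChk."""
    image_name = event.get("Image", "").rsplit("\\", 1)[-1]
    names = (image_name, event.get("OriginalFileName", ""))
    return any(n.lower().startswith("accesschk") for n in names)


def pipe_acl_scan(event):
    """True if AccessChk was given a named-pipe path as an argument."""
    raw = re.findall(r'"[^"]*"|\S+', event.get("CommandLine", ""))
    args = [t.strip('"') for t in raw][1:]  # drop the executable token
    return is_accesschk(event) and any(PIPE_ARG.match(a) for a in args)


def flag(events):
    """Return (user, command line) for every matching event."""
    return [(e["User"], e["CommandLine"]) for e in events if pipe_acl_scan(e)]


if __name__ == "__main__":
    for user, cmd in flag(SAMPLE_EVENTS):
        print(f"named-pipe ACL enumeration by {user}: {cmd}")
```

The rule covers only the AccessChk invocation given in this advisory, so on unpatched hosts pair it with alerting on sustained CPU use by the SAP service processes.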

Vendor status:

17/07/2015 Initial vendor contact established
20/07/2015 Vendor responded
08/12/2015 SAP released a patch and accompanying SAP Security Note (2220064) for the issue
18/01/2016 MITRE assigned CVE-2016-1921
18/01/2016 Published

Copyright:

Copyright @ Portcullis Computer Security Limited 2016, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.