VARIoT IoT vulnerabilities database
| VAR-202106-2238 | No CVE | TP-LINK TD-W8968 has weak password vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
TP-LINK Technology Co., Ltd. (hereinafter referred to as "TP-LINK") is the world's leading supplier of network communication equipment.
TP-LINK TD-W8968 has a weak password vulnerability. Attackers can use this vulnerability to obtain sensitive information.
| VAR-202106-2239 | No CVE | TP-LINK TD-8816 has weak password vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
TP-LINK Technology Co., Ltd. (hereinafter referred to as "TP-LINK") is the world's leading supplier of network communication equipment.
TP-LINK TD-8816 has a weak password vulnerability. Attackers can use this vulnerability to obtain sensitive information.
| VAR-202106-2240 | No CVE | TP-LINK TD-8817 has weak password vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
TP-LINK Technology Co., Ltd. (hereinafter referred to as "TP-LINK") is the world's leading supplier of network communication equipment.
TP-LINK TD-8817 has a weak password vulnerability. Attackers can use this vulnerability to obtain sensitive information.
| VAR-202106-2300 | No CVE | HP ENVY 5530 has unauthorized access vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
HP ENVY 5530 is an A4 inkjet all-in-one printer from HP.
HP ENVY 5530 has an unauthorized access vulnerability, which can be exploited by attackers to obtain sensitive information.
| VAR-202106-1515 | CVE-2021-33842 | Circutor SGE-PLC1000 Firmware authentication vulnerability |
CVSS V2: 7.7 CVSS V3: 8.8 Severity: HIGH |
Improper Authentication vulnerability in the cookie parameter of Circutor SGE-PLC1000 firmware version 0.9.2b allows an attacker to perform operations as an authenticated user. In order to exploit this vulnerability, the attacker must be within the network where the affected device is located. The Circutor SGE-PLC1000 firmware contains an authentication vulnerability: information may be obtained, information may be tampered with, and the device may be put into a denial-of-service (DoS) state. Circutor SGE-PLC1000 is smart metering system equipment; its main function is to manage the mains power through CIRWATT meters or other meters using PRIME technology.
The Circutor SGE-PLC1000 firmware version 0.9.2b has an authorization issue vulnerability.
| VAR-202106-1514 | CVE-2021-33841 | Circutor SGE-PLC1000 operating system command injection vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
SGE-PLC1000 device, in its 0.9.2b firmware version, does not handle some requests correctly, allowing a remote attacker to inject code into the operating system with maximum privileges. The SGE-PLC1000 device contains an OS command injection vulnerability: information may be obtained, information may be tampered with, and the device may be put into a denial-of-service (DoS) state. Circutor SGE-PLC1000 is smart metering system equipment; its main function is to manage the mains power through CIRWATT meters or other meters using PRIME technology.
There is an operating system command injection vulnerability in the Circutor SGE-PLC1000 0.9.2b firmware version.
| VAR-202106-0490 | CVE-2020-8299 | plural Citrix Resource depletion vulnerability in the product |
CVSS V2: 3.3 CVSS V3: 6.5 Severity: MEDIUM |
Citrix ADC and Citrix/NetScaler Gateway 13.0 before 13.0-76.29, 12.1-61.18, 11.1-65.20, Citrix ADC 12.1-FIPS before 12.1-55.238, and Citrix SD-WAN WANOP Edition before 11.4.0, 11.3.2, 11.3.1a, 11.2.3a, 11.1.2c, 10.2.9a suffers from uncontrolled resource consumption by way of a network-based denial-of-service from within the same Layer 2 network segment. Note that the attacker must be in the same Layer 2 network segment as the vulnerable appliance. Multiple Citrix products contain a resource depletion vulnerability and may be put into a denial-of-service (DoS) state. Citrix Application Delivery Controller (ADC) is an application delivery controller. Multiple Citrix products contain resource management error vulnerabilities, which originate from improper management of system resources by the network system or product. Attackers can use this vulnerability to cause denial of service.
| VAR-202106-0491 | CVE-2020-8300 | plural Citrix Product permission management vulnerabilities |
CVSS V2: 4.3 CVSS V3: 6.5 Severity: MEDIUM |
Citrix ADC and Citrix/NetScaler Gateway before 13.0-82.41, 12.1-62.23, 11.1-65.20 and Citrix ADC 12.1-FIPS before 12.1-55.238 suffer from improper access control allowing SAML authentication hijack through a phishing attack to steal a valid user session. Note that Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP for this to be possible.
| VAR-202106-0345 | CVE-2020-24513 | Debian Security Advisory 4934-1 |
CVSS V2: 2.1 CVSS V3: 6.5 Severity: MEDIUM |
Domain-bypass transient execution vulnerability in some Intel Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. Intel Processors (Intel processors) are Intel Corporation's processors that interpret computer instructions and process data in computer software. An unauthorized attacker could exploit the vulnerability to obtain sensitive information of the affected components.
For the stable distribution (buster), these problems have been fixed in
version 3.20210608.2~deb10u1.
Note that there are two reported regressions: for some CoffeeLake CPUs
this update may break iwlwifi
(https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/56),
and for some Skylake R0/D0 CPUs on systems using a very outdated firmware/BIOS
the system may hang on boot
(https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31).
If you are affected by those issues, you can recover by disabling microcode
loading on boot (as documented in README.Debian (also available online at
https://salsa.debian.org/hmh/intel-microcode/-/blob/master/debian/README.Debian))
We recommend that you upgrade your intel-microcode packages.
For the detailed security status of intel-microcode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/intel-microcode
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
====================================================================
Red Hat Security Advisory
Synopsis: Important: microcode_ctl security, bug fix and enhancement update
Advisory ID: RHSA-2021:2305-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2305
Issue date: 2021-06-08
CVE Names: CVE-2020-24489 CVE-2020-24511 CVE-2020-24512
CVE-2020-24513
====================================================================
1. Summary:
An update for microcode_ctl is now available for Red Hat Enterprise Linux
7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. Description:
The microcode_ctl packages provide microcode updates for Intel.
Security Fix(es):
* hw: vt-d related privilege escalation (CVE-2020-24489)
* hw: improper isolation of shared resources in some Intel Processors
(CVE-2020-24511)
* hw: observable timing discrepancy in some Intel Processors
(CVE-2020-24512)
* hw: information disclosure on some Intel Atom processors (CVE-2020-24513)
Bug Fix(es) and Enhancement(s):
* Update Intel CPU microcode to microcode-20210525 release
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1962650 - CVE-2020-24489 hw: vt-d related privilege escalation
1962666 - CVE-2020-24513 hw: information disclosure on some Intel Atom processors
1962702 - CVE-2020-24511 hw: improper isolation of shared resources in some Intel Processors
1962722 - CVE-2020-24512 hw: observable timing discrepancy in some Intel Processors
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
microcode_ctl-2.1-73.9.el7_9.src.rpm
x86_64:
microcode_ctl-2.1-73.9.el7_9.x86_64.rpm
microcode_ctl-debuginfo-2.1-73.9.el7_9.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
microcode_ctl-2.1-73.9.el7_9.src.rpm
x86_64:
microcode_ctl-2.1-73.9.el7_9.x86_64.rpm
microcode_ctl-debuginfo-2.1-73.9.el7_9.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
microcode_ctl-2.1-73.9.el7_9.src.rpm
x86_64:
microcode_ctl-2.1-73.9.el7_9.x86_64.rpm
microcode_ctl-debuginfo-2.1-73.9.el7_9.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
microcode_ctl-2.1-73.9.el7_9.src.rpm
x86_64:
microcode_ctl-2.1-73.9.el7_9.x86_64.rpm
microcode_ctl-debuginfo-2.1-73.9.el7_9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-24489
https://access.redhat.com/security/cve/CVE-2020-24511
https://access.redhat.com/security/cve/CVE-2020-24512
https://access.redhat.com/security/cve/CVE-2020-24513
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
| VAR-202106-2045 | No CVE | Shenzhen Wangxin Technology Co., Ltd. Wangxin Cloud device has unauthorized access vulnerability (CNVD-2021-32437) |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Shenzhen Wangxin Technology Co., Ltd. is a sharing economy cloud computing company focusing on technological innovation.
Shenzhen Wangxin Technology Co., Ltd. Wangxin Cloud equipment has an unauthorized access vulnerability. Attackers can use this vulnerability to obtain sensitive information.
| VAR-202106-1422 | CVE-2021-26313 | plural CPU Vulnerability in leaking resources to the wrong area in the product |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
Potential speculative code store bypass in all supported CPU products, in conjunction with software vulnerabilities relating to speculative execution of overwritten instructions, may cause an incorrect speculation and could result in data leakage. Multiple CPU products contain a vulnerability related to the leakage of resources to the wrong area. Information may be obtained.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202107-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Xen: Multiple vulnerabilities
Date: July 12, 2021
Bugs: #760144, #766474, #783456, #795054
ID: 202107-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Xen, the worst of which
could result in privilege escalation.
Background
==========
Xen is a bare-metal hypervisor.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-emulation/xen < 4.15.0-r1 >= 4.14.2-r1
>= 4.15.0-r1
Description
===========
Multiple vulnerabilities have been discovered in Xen. Please review the
CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Xen 4.14.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/xen-4.14.2-r1"
All Xen 4.15.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/xen-4.15.0-r1"
References
==========
[ 1 ] CVE-2020-29479
https://nvd.nist.gov/vuln/detail/CVE-2020-29479
[ 2 ] CVE-2020-29486
https://nvd.nist.gov/vuln/detail/CVE-2020-29486
[ 3 ] CVE-2020-29487
https://nvd.nist.gov/vuln/detail/CVE-2020-29487
[ 4 ] CVE-2020-29566
https://nvd.nist.gov/vuln/detail/CVE-2020-29566
[ 5 ] CVE-2020-29567
https://nvd.nist.gov/vuln/detail/CVE-2020-29567
[ 6 ] CVE-2020-29568
https://nvd.nist.gov/vuln/detail/CVE-2020-29568
[ 7 ] CVE-2020-29569
https://nvd.nist.gov/vuln/detail/CVE-2020-29569
[ 8 ] CVE-2020-29570
https://nvd.nist.gov/vuln/detail/CVE-2020-29570
[ 9 ] CVE-2020-29571
https://nvd.nist.gov/vuln/detail/CVE-2020-29571
[ 10 ] CVE-2021-0089
https://nvd.nist.gov/vuln/detail/CVE-2021-0089
[ 11 ] CVE-2021-26313
https://nvd.nist.gov/vuln/detail/CVE-2021-26313
[ 12 ] CVE-2021-28687
https://nvd.nist.gov/vuln/detail/CVE-2021-28687
[ 13 ] CVE-2021-28690
https://nvd.nist.gov/vuln/detail/CVE-2021-28690
[ 14 ] CVE-2021-28691
https://nvd.nist.gov/vuln/detail/CVE-2021-28691
[ 15 ] CVE-2021-28692
https://nvd.nist.gov/vuln/detail/CVE-2021-28692
[ 16 ] CVE-2021-28693
https://nvd.nist.gov/vuln/detail/CVE-2021-28693
[ 17 ] CVE-2021-3308
https://nvd.nist.gov/vuln/detail/CVE-2021-3308
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202107-30
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
For the stable distribution (buster), these problems have been fixed in
version 4.11.4+107-gef32c7afa2-1.
We recommend that you upgrade your xen packages.
For the detailed security status of xen please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xen
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
| VAR-202106-0702 | CVE-2021-21490 | SAP NetWeaver AS for ABA Cross-site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: Medium |
SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user. SAP NetWeaver AS for ABAP (Web Survey) contains a cross-site scripting vulnerability. Information may be obtained and information may be tampered with.
| VAR-202106-1530 | CVE-2021-33663 | SAP NetWeaver AS ABAP Authentication Vulnerability in Microsoft |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
SAP NetWeaver AS ABAP, versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83,7.84, allows an unauthorized attacker to insert cleartext commands due to improper restriction of I/O buffering into encrypted SMTP sessions over the network which can partially impact the integrity of the application. SAP NetWeaver AS ABAP contains an improper authentication vulnerability. Information may be tampered with.
| VAR-202106-1132 | CVE-2021-27610 | SAP NetWeaver ABAP Server and ABAP Platform Authentication vulnerabilities in |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: Critical |
SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create information about internal and external RFC user in consistent and distinguished format, which could lead to improper authentication and may be exploited by malicious users to obtain illegitimate access to the system. SAP NetWeaver ABAP Server and ABAP Platform contain an authentication vulnerability. Information may be obtained, information may be tampered with, and the system may be put into a denial-of-service (DoS) state.
| VAR-202106-1806 | CVE-2021-27630 | SAP NetWeaver ABAP Server and ABAP Platform Input confirmation vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: High |
SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EnqConvUniToSrvReq() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified. SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server) contain an input validation vulnerability and may be put into a denial-of-service (DoS) state.
## Advisory Information
- Public Release Date: 11/22/2021
- Security Advisory ID: ONAPSIS-2021-0017
- Researcher(s): Yvan Genuer
## Vulnerability Information
- Vendor: SAP
- Affected Components: All SAP kernel 32 and 64 bits, unicode and no-unicode
- SAP KERNEL 7.22
- SAP KERNEL 7.22EXT
- SAP KERNEL 7.49
- SAP KERNEL 7.53
- SAP KERNEL 7.73
- SAP KERNEL 7.77
- SAP KERNEL 7.81
- SAP KERNEL 8.04
(Check SAP Note 3020104 for detailed information on affected releases)
- Vulnerability Class: CWE-20, CWE-125, CWE-476
- CVSS v3 score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Risk Level: High
- Assigned CVE:
CVE-2021-27606
CVE-2021-27629
CVE-2021-27630
CVE-2021-27631
CVE-2021-27632
- Vendor patch Information: SAP Security NOTE 3020104
## Affected Components Description
The SAP Enqueue server is the component that manages the lock table. There is only one ENQ server in a distributed SAP System. It receives a lock request and checks the lock table to determine collisions. This is a mandatory service for a SAP NetWeaver system; without it, no modification in the SAP system is possible.
## Vulnerability Details
CVE-2021-27606: An attacker can craft a malicious enqueue packet to force an out-of-bounds memory read in function `EncOAMParamStore()`. A comparison value in a loop can be tricked and forced to a high value; the process eventually crashes when a relevant register is overwritten.

CVE-2021-27629: An attacker can craft a malicious enqueue packet to force an out-of-bounds memory read in function `EncPSetUnsupported`. A counter for a movs instruction can be controlled by an attacker, leading to a crash.

CVE-2021-27630: A NULL pointer dereference exists in `EnqConvUniToSrvReq` when the program tries to calculate the size of part of the message from the input packet. A register points to the content of the packet and could be controlled by the attacker.

CVE-2021-27631: A NULL pointer dereference exists in `EnqConvUniToSrvReq` when the program tries to calculate the size of part of the message from the input packet. A register points to the content of the packet and could be controlled by the attacker.

CVE-2021-27632: A NULL pointer dereference exists in `EnqConvUniToSrvReq()`, where the function reads inputs from the provided packet and then uses them to calculate an offset for a pointer. Both inputs are user controlled and can lead to dereferencing a register that will be used in `EnqConvObjToStr`.
## Solution
SAP has released SAP Note 3020104, which provides patched versions of the
affected components.
The patches can be downloaded from
https://launchpad.support.sap.com/#/notes/3020104.
Onapsis strongly recommends SAP customers to download the related
security fixes and apply them to the affected components in order to
reduce business risks.
## Report Timeline
- 02/01/2021: Onapsis sends details to SAP
- 02/04/2021: SAP provides internal ID
- 02/08/2021: SAP confirms CVSS
- 06/09/2021: SAP releases SAP Note fixing the issue.
- 11/22/2021: Advisory published
## References
- Onapsis blogpost:
https://www.onapsis.com/blog/sap-security-patch-day-june-2021-multiple-memory-corruption-vulnerabilities-can-lead-system
- CVE Mitre:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27606
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27629
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27630
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27631
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27632
- Vendor Patch:
https://launchpad.support.sap.com/#/notes/3020104
## About Onapsis Research Labs
Onapsis Research Labs provides the industry analysis of key security
issues that impact business-critical systems and applications.
Delivering frequent and timely security and compliance advisories with
associated risk levels, Onapsis Research Labs combine in-depth knowledge
and experience to deliver technical and business-context with sound
security judgment to the broader information security community.
Find all reported vulnerabilities at
https://github.com/Onapsis/vulnerability_advisories
## About Onapsis, Inc.
Onapsis protects the mission-critical applications that run the global economy, from the core to the cloud. The Onapsis Platform uniquely delivers actionable insight, secure change, automated governance and continuous monitoring for critical systems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendors such as SAP, Oracle, Salesforce and others, while keeping them protected and compliant.
For more information, connect with us on Twitter or LinkedIn, or visit us at https://www.onapsis.com.
## License
This advisory is licensed under a [Creative Commons 4.0 BY-ND International
License](https://creativecommons.org/licenses/by-nd/4.0/legalcode)
| VAR-202106-1808 | CVE-2021-27628 | SAP NetWeaver ABAP Server and ABAP Platform Input confirmation vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: High |
SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher), versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method DpRTmPrepareReq() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified. SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher) contain an input validation vulnerability and may be put into a denial-of-service (DoS) state.
## Advisory Information
- Public Release Date: 11/22/2021
- Security Advisory ID: ONAPSIS-2021-0015
- Researcher(s): Yvan Genuer
## Vulnerability Information
- Vendor: SAP
- Affected Components: All SAP kernel 32 and 64 bits, unicode and no-unicode
- SAP KERNEL 7.22
- SAP KERNEL 7.22EXT
- SAP KERNEL 7.49
- SAP KERNEL 7.53
- SAP KERNEL 7.73
- SAP KERNEL 7.77
- SAP KERNEL 7.81
- SAP KERNEL 8.04
(Check SAP Note 3021197 for detailed information on affected releases)
- Vulnerability Class: CWE-20, CWE-125, CWE-476
- CVSS v3 score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Risk Level: High
- Assigned CVE: CVE-2021-27628 CVE-2021-27607
- Vendor patch Information: SAP Security NOTE 3021197
## Affected Components Description
The SAP dispatcher service is part of the SAP kernel. It is mandatory: it manages, gathers and collects the requests from end users and then forwards them to work processes.
## Vulnerability Details
CVE-2021-27607: A NULL pointer dereference exists in `ThSncIn(REQUEST_BUF**, unsigned char)`, where `_Z10DpCaGetPtri` tries to read a part of the input controlled by an attacker and then returns 0x0 instead of a pointer to a normal value if the input is 0xffffffff. If an attacker crafts a valid SAP Dispatcher packet with a valid header but a total packet size smaller than normal, the subtraction operation results in a negative value. If this negative value is anticipated and placed in the same packet at a particular offset, the check that compares the two values will pass, and this value is used as a size during the next operation.
## Solution
SAP has released SAP Note 3021197, which provides patched versions of the
affected components.
The patches can be downloaded from
https://launchpad.support.sap.com/#/notes/3021197.
Onapsis strongly recommends SAP customers to download the related
security fixes and apply them to the affected components in order to
reduce business risks.
## Report Timeline
- 02/01/2021: Onapsis sends details to SAP
- 02/04/2021: SAP provides internal ID
- 02/08/2021: SAP confirms CVSS
- 06/09/2021: SAP releases SAP Note fixing the issue.
- 11/21/2021: Advisory published
## References
- Onapsis blogpost:
https://www.onapsis.com/blog/sap-security-patch-day-june-2021-multiple-memory-corruption-vulnerabilities-can-lead-system
- CVE Mitre:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27607
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27628
- Vendor Patch:
https://launchpad.support.sap.com/#/notes/3021197
## About Onapsis Research Labs
Onapsis Research Labs provides the industry analysis of key security
issues that impact business-critical systems and applications.
Delivering frequent and timely security and compliance advisories with
associated risk levels, Onapsis Research Labs combine in-depth knowledge
and experience to deliver technical and business-context with sound
security judgment to the broader information security community.
Find all reported vulnerabilities at
https://github.com/Onapsis/vulnerability_advisories
## About Onapsis, Inc.
Onapsis protects the mission-critical applications that run the global economy, from the core to the cloud. The Onapsis Platform uniquely delivers actionable insight, secure change, automated governance and continuous monitoring for critical systems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendors such as SAP, Oracle, Salesforce and others, while keeping them protected and compliant.
For more information, connect with us on Twitter or LinkedIn, or visit us at https://www.onapsis.com.
## License
This advisory is licensed under a [Creative Commons 4.0 BY-ND International
License](https://creativecommons.org/licenses/by-nd/4.0/legalcode)
| VAR-202106-1820 | CVE-2021-27606 | SAP NetWeaver ABAP Server and ABAP Platform Input confirmation vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: High |
SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EncOAMParamStore() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified. SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server) contain an input validation vulnerability and may be put into a denial-of-service (DoS) state.
## Advisory Information
- Public Release Date: 11/22/2021
- Security Advisory ID: ONAPSIS-2021-0017
- Researcher(s): Yvan Genuer
## Vulnerability Information
- Vendor: SAP
- Affected Components: All SAP kernel 32 and 64 bits, unicode and no-unicode
- SAP KERNEL 7.22
- SAP KERNEL 7.22EXT
- SAP KERNEL 7.49
- SAP KERNEL 7.53
- SAP KERNEL 7.73
- SAP KERNEL 7.77
- SAP KERNEL 7.81
- SAP KERNEL 8.04
(Check SAP Note 3020104 for detailed information on affected releases)
- Vulnerability Class: CWE-20, CWE-125, CWE-476
- CVSS v3 score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Risk Level: High
- Assigned CVE:
CVE-2021-27606
CVE-2021-27629
CVE-2021-27630
CVE-2021-27631
CVE-2021-27632
- Vendor patch Information: SAP Security NOTE 3020104
## Affected Components Description
The SAP Enqueue server is the component that manages the lock table. There
is
only one ENQ server in a distributed SAP System. It receives a lock request
and
checks the lock table to determine collision. This is a mandatory service
for
SAP Netweaver system, whitout it any modification in the SAP system is not
possible.
## Vulnerability Details
CVE-2021-27606: An attacker can craft a malicious enqueue packet to force an out-of-bounds memory read in function `EncOAMParamStore()`. A comparison value in a loop can be tricked and forced to a high value. The process eventually crashes when a relevant register is overwritten.
CVE-2021-27629: An attacker can craft a malicious enqueue packet to force an out-of-bounds memory read in function `EncPSetUnsupported`. The counter for a movs instruction can be controlled by an attacker, leading to a crash.
CVE-2021-27630: A NULL pointer dereference exists in `EnqConvUniToSrvReq` when the program tries to calculate the size of part of the message from the input packet. A register points to the content of the packet and could be controlled by the attacker.
CVE-2021-27631: A NULL pointer dereference exists in `EnqConvUniToSrvReq` when the program tries to calculate the size of part of the message from the input packet. A register points to the content of the packet and could be controlled by the attacker.
CVE-2021-27632: A NULL pointer dereference exists in `EnqConvUniToSrvReq()`, where the function reads inputs from the provided packet and then uses them to calculate an offset for a pointer. Both inputs are user controlled and can lead to the dereference of a register that is later used in `EnqConvObjToStr`.
## Solution
SAP has released SAP Note 3020104, which provides patched versions of the affected components. The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3020104.
Onapsis strongly recommends that SAP customers download the related security fixes and apply them to the affected components in order to reduce business risks.
## Report Timeline
- (dates are in MM-DD-YYYY format)
- 02/01/2021: Onapsis sends details to SAP
- 02/04/2021: SAP provides internal ID
- 02/08/2021: SAP confirms CVSS
- 06/09/2021: SAP releases SAP Note fixing the issue.
- 11/22/2021: Advisory published
## References
- Onapsis blogpost:
https://www.onapsis.com/blog/sap-security-patch-day-june-2021-multiple-memory-corruption-vulnerabilities-can-lead-system
- CVE Mitre:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27606
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27629
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27630
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27631
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27632
- Vendor Patch:
https://launchpad.support.sap.com/#/notes/3020104
## About Onapsis Research Labs
Onapsis Research Labs provides industry analysis of key security issues that impact business-critical systems and applications. Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combines in-depth knowledge and experience to deliver technical and business context with sound security judgment to the broader information security community.
Find all reported vulnerabilities at https://github.com/Onapsis/vulnerability_advisories
## About Onapsis, Inc.
Onapsis protects the mission-critical applications that run the global economy, from the core to the cloud. The Onapsis Platform uniquely delivers actionable insight, secure change, automated governance and continuous monitoring for critical systems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendors such as SAP, Oracle, Salesforce and others, while keeping them protected and compliant.
For more information, connect with us on Twitter or LinkedIn, or visit us at https://www.onapsis.com.
## License
This advisory is licensed under a [Creative Commons 4.0 BY-ND International
License](https://creativecommons.org/licenses/by-nd/4.0/legalcode)
| VAR-202106-1816 | CVE-2021-27597 | SAP NetWeaver AS for ABAP Input confirmation vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
SAP NetWeaver AS for ABAP (RFC Gateway), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method memmove() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified. SAP NetWeaver AS for ABAP (RFC Gateway) has an input validation vulnerability and may be put into a denial of service (DoS) state. SAP NetWeaver AS ABAP Business Server is an application server for ABAP (Advanced Business Application Programming) from the German company SAP.
SAP NetWeaver AS ABAP Business Server has a security vulnerability that stems from memory corruption in NetWeaver ABAP Server and ABAP Platform. Attackers can exploit this vulnerability to render the system unavailable.
## Advisory Information
- Public Release Date: 11/22/2021
- Security Advisory ID: ONAPSIS-2021-0018
- Researcher(s): Yvan Genuer
## Vulnerability Information
- Vendor: SAP
- Affected Components: All SAP kernel 32 and 64 bits, Unicode and non-Unicode
- SAP KERNEL 7.22
- SAP KERNEL 7.22EXT
- SAP KERNEL 7.49
- SAP KERNEL 7.53
- SAP KERNEL 7.73
- SAP KERNEL 7.77
- SAP KERNEL 7.81
- SAP KERNEL 8.04
(Check SAP Note 3020209 for detailed information on affected releases)
- Vulnerability Class: CWE-20, CWE-125, CWE-476
- CVSS v3 score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Risk Level: High
- Assigned CVE:
CVE-2021-27597
CVE-2021-27633
CVE-2021-27634
- Vendor patch Information: SAP Security NOTE 3020209
## Affected Components Description
The SAP Gateway server is the component that manages the communication between the SAP system and the rest of the world. This is a mandatory service for a SAP NetWeaver system; without it, no background communication to the system is possible, making the system useless.
## Vulnerability Details
The source pointer is calculated partially with attacker-controlled inputs. When this `GW_REQ*` pointer is used again in `GwSearchConn()` to get another offset, it leads to unintended behavior or a crash.
An attacker can craft a malicious RFC packet to reach a particular part of function `ThrtHdlAppc()`, where inputs, after a few modifications, are sent to disp+work with `ThSAPCMSEND()`, leading it to crash in `ThCPIC()`.
In normal workload, RFC requests received by the gwrd are forwarded to a work process of type DIA to perform an ABAP task. These requests are stored in the `pendingRequests` part of memory. An attacker can craft a valid RFC packet and force the service to store a malicious entry in the `pendingRequests` area, leading disp+work to crash.
## Solution
SAP has released SAP Note 3020209, which provides patched versions of the affected components. The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3020209.
Onapsis strongly recommends that SAP customers download the related security fixes and apply them to the affected components in order to reduce business risks.
## Report Timeline
- (dates are in MM-DD-YYYY format)
- 02/01/2021: Onapsis sends details to SAP
- 02/04/2021: SAP provides internal ID
- 02/08/2021: SAP confirms CVSS
- 06/09/2021: SAP releases SAP Note fixing the issue.
- 11/22/2021: Advisory published
## References
- Onapsis blogpost:
https://www.onapsis.com/blog/sap-security-patch-day-june-2021-multiple-memory-corruption-vulnerabilities-can-lead-system
- CVE Mitre:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27597
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27633
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27634
- Vendor Patch:
https://launchpad.support.sap.com/#/notes/3020209
## License
This advisory is licensed under a [Creative Commons 4.0 BY-ND International
License](https://creativecommons.org/licenses/by-nd/4.0/legalcode)
| VAR-202106-1813 | CVE-2021-27607 | SAP NetWeaver ABAP Server and ABAP Platform Input confirmation vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: High |
SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher), versions - KRNL32NUC - 7.22,7.22EXT, KRNL32UC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73,7.77,7.81,7.82,7.83, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method ThSncIn() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified. SAP NetWeaver ABAP Server and ABAP Platform (Dispatcher) has an input validation vulnerability and may be put into a denial of service (DoS) state.
## Advisory Information
- Public Release Date: 11/22/2021
- Security Advisory ID: ONAPSIS-2021-0015
- Researcher(s): Yvan Genuer
## Vulnerability Information
- Vendor: SAP
- Affected Components: All SAP kernel 32 and 64 bits, Unicode and non-Unicode
- SAP KERNEL 7.22
- SAP KERNEL 7.22EXT
- SAP KERNEL 7.49
- SAP KERNEL 7.53
- SAP KERNEL 7.73
- SAP KERNEL 7.77
- SAP KERNEL 7.81
- SAP KERNEL 8.04
(Check SAP Note 3021197 for detailed information on affected releases)
- Vulnerability Class: CWE-20, CWE-125, CWE-476
- CVSS v3 score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Risk Level: High
- Assigned CVE: CVE-2021-27628, CVE-2021-27607
- Vendor patch Information: SAP Security NOTE 3021197
## Affected Components Description
The SAP dispatcher service is part of the SAP Kernel. It is mandatory: it manages, gathers and collects requests from end users and then forwards them to a work process.
## Vulnerability Details
CVE-2021-27607: A NULL pointer dereference exists in `ThSncIn(REQUEST_BUF**, unsigned char)`, where `_Z10DpCaGetPtri` tries to read a part of the input controlled by an attacker and then returns 0x0 instead of a pointer to a normal value if the input is 0xffffffff.
If an attacker crafts a valid SAP Dispatcher packet with a valid header but with a total packet size smaller than normal, the subtraction operation results in a negative value. If this negative value is anticipated and placed in the same packet at a particular offset, the check operation that compares the two values will pass, and this value is used as a size during the next operation.
## Solution
SAP has released SAP Note 3021197, which provides patched versions of the affected components. The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3021197.
Onapsis strongly recommends that SAP customers download the related security fixes and apply them to the affected components in order to reduce business risks.
## Report Timeline
- 02/01/2021: Onapsis sends details to SAP
- 02/04/2021: SAP provides internal ID
- 02/08/2021: SAP confirms CVSS
- 06/09/2021: SAP releases SAP Note fixing the issue.
- 11/21/2021: Advisory published
## References
- Onapsis blogpost:
https://www.onapsis.com/blog/sap-security-patch-day-june-2021-multiple-memory-corruption-vulnerabilities-can-lead-system
- CVE Mitre:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27607
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27628
- Vendor Patch:
https://launchpad.support.sap.com/#/notes/3021197
## License
This advisory is licensed under a [Creative Commons 4.0 BY-ND International
License](https://creativecommons.org/licenses/by-nd/4.0/legalcode)
| VAR-202106-1800 | CVE-2021-27632 | SAP NetWeaver ABAP Server and ABAP Platform Input confirmation vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EnqConvUniToSrvReq() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified. SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server) has an input validation vulnerability and may be put into a denial of service (DoS) state.