SAP crypto offers customers choice of remote code execution or denial of service
Home-baked encryption followed the wrong recipe
Yet another proprietary implementation of a popular protocol has turned up unexpected vulnerabilities, with SAP's data compression software open to remote code execution and denial-of-service exploits.
The implementation in question is SAP's code running the popular LZC and LZH compression algorithms. As outlined over at Full Disclosure, CVE-2015-2282 and CVE-2015-2278 is a pair of out-of-bounds reads and writes.
As well as a nice bag of SAP products – various Netweaver servers, SDKs, the GUI, the MaxDB database and SAPCAR archiving – the vulnerability has been carried over into the open source MaxDB 7.5 and 7.6.
The CORE team's post says server-side components can be attacked via crafted packets from a malicious client; a crafted .SAR or .CAR archive could be sent to a client to trigger the vulnerability; and man-in-the-middle attacks are feasible.
Threatpost explains: “The code that handles decompression for LZC is prone to memory corruption via stack-based buffer overflow, which is caused by the out-of-bounds write mentioned above. The LZH algorithm vulnerability is caused by an out-of-bounds read of a buffer used by the decompression routine when performing lookups of non-simple codes.”
SAP customers can access security notes 2124806, 2121661, 2127995, 2125316 at the company's support portal. ®