Security researchers discovered multiple vulnerabilities in the SAPCAR archive program by SAP. Patches that fix these security vulnerabilities are now available from the vendor. They were released on Tuesday as part of the SAP Security Patch Day for August 2016. The vulnerabilities are found in the compression libraries that are used in a variety of the vendor's products, including MaxDB 7.5 and 7.6, NetWeaver Application Server Java, NetWeaver RFC SDK, GUI, RFC SDK, the SAPCAR archive tool, and others.
Further Details
Using the same underlying technology across various products and services has been a core concept for programmers for years. The problem is that when a security issue is identified, the vendor has to develop patches for every program affected by the flaw. This is what happened to SAP, since the compression library is used universally among its most popular products. This in turn gives attackers a window of time in which to potentially wreak havoc on critical systems.
Here are some details about the vulnerabilities:
CVE-2015-2282 – A stack-based buffer overflow vulnerability in the LZC decompression implementation. This issue affects SAP MaxDB 7.5 and 7.6, NetWeaver Application Server ABAP, NetWeaver Application Server Java, NetWeaver RFC SDK, GUI, RFC SDK, the SAPCAR archive tool and other products that include this component. Exploitation allows an attacker to cause a denial of service (crash) or possibly to execute arbitrary code.
CVE-2015-2278 – A buffer overflow vulnerability in the LZH decompression implementation. This issue affects SAP MaxDB 7.5 and 7.6, NetWeaver Application Server, NetWeaver Application Server Java, NetWeaver RFC SDK, GUI, RFC SDK and other products that include this component. Exploitation allows an attacker to cause a denial of service (crash).
Two other vulnerabilities have been discovered which allow for local denial of service attacks and a security bypass. These two vulnerabilities are described in CVE-2016-5845 and CVE-2016-5847. One of them is related to an authentication bypass during file operations when extracting files. The other one allows an attacker to change file permission values on arbitrary user data.
SAP’s announcement is available on their blog.