NOTE: (The tracing of 'Dialog processing' has to be in level 2 or 3 in order to exploit flaws, , and ).
#SAP ECC 7.0 RELEASE DATE CODE#
Technical Description / Proof of Concept Code The publication of this advisory was coordinated by Fernando Miranda from Core Security Advisories Team. These vulnerabilities were discovered and researched by Martin Gallo from Core Security Consulting Services. Restrict access to the work process management transactions SM04/SM50/SM66 and profile maintenance RZ10/RZ20 (for the vulnerabilities, , and ).Restrict access to the Dispatcher service's TCP ports (3200/3299) (for all vulnerabilities).Disable work processes' Developer Traces for the 'Dialog Processing' component (for the vulnerabilities, , and ).Martin Gallo proposed the following actions to mitigate the impact of the vulnerabilities: SAP released the security note 1687910 regarding these issues. Vendor Information, Solutions and Workarounds Vendor did not provide this information.Ħ.Older versions are probably affected too, but they were not checked.SAP Netweaver 7.0 EHP2 (disp+work.exe version v7200.9).SAP Netweaver 7.0 EHP1 (disp+work.exe version v7010.3).By sending different messages, the different vulnerabilities can be triggered. The vulnerabilities are triggered sending specially crafted SAP Diag packets to remote TCP port 32NN (being NN the SAP system number) of a host running the "Dispatcher" service, part of SAP Netweaver Application Server ABAP. Multiple vulnerabilities have been found in SAP Netweaver that could allow an unauthenticated, remote attacker to execute arbitrary code and lead to denial of service conditions. SAP Netweaver is a technology platform for building and integrating SAP business applications. Title: SAP Netweaver Dispatcher Multiple Vulnerabilities