(The following pre-advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_RFC_SET_REG_SERVER_PROPERTY_RFC_Function_Denial_of_Service.pdf )
CYBSEC S.A.
www.cybsec.com
Pre-Advisory Name: SAP RFC_SET_REG_SERVER_PROPERTY RFC Function Denial Of Service
==================
Vulnerability Class: Denial Of Service
====================
Release Date: 2007-04-03
=============
Affected Applications:
======================
. SAP RFC Library 6.40
. SAP RFC Library 7.00
Affected Platforms:
===================
. AIX 32bit
. AIX 64bit
. HP-UX on IA64 64bit
. HP-UX on PA-RISC 64bit
. Linux on IA32 32bit
. Linux on IA64 64bit
. Linux on Power 64bit
. Linux on x86_64 64bit
. Linux on zSeries 64bit
. Mac OS
. OS/400
. OS/400 V5R2M0
. Reliant 32bit
. Solaris on SPARC 32bit
. Solaris on SPARC 64bit
. Solaris on x64_64 64bit
. TRU64 64bit
. Windows Server on IA32 32bit
. Windows Server on IA64 64bit
. Windows Server on x64 64bit
. z/OS 32bit
Local / Remote: Remote
===============
Severity: Medium
=========
Author: Mariano Nuñez Di Croce
=======
Vendor Status: Confirmed. Updates Released.
==============
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf
=============================================
Product Overview:
=================
"The RFC Library offers an interface to a SAP System. The RFC Library is the most commonly used and installed component of existing SAP Software. This interface provides the opportunity to call any RFC Function in a SAP System from an external application. Moreover, the RFC Library offers the possibility to write a RFC Server Program, which is accessible from any SAP System or external application. Most SAP Connectors use the RFC Library as communication platform to SAP Systems."
RFC_SET_REG_SERVER_PROPERTY RFC function is used to set properties of externally registered RFC servers. This function is installed by default in every external RFC server.
Vulnerability Description:
==========================
This function allows defining the exclusive use of an external registered RFC server, denying access to other clients.
Technical Details:
==================
Technical details will be released three months after publication of this pre-advisory. This was agreed upon with SAP to allow their customers to upgrade affected software prior to technical knowledge being publicly available.
Impact:
=======
This vulnerability may allow an attacker to remotely prevent licit clients from connecting with external RFC servers.
Solutions:
==========
SAP has released patches to address this vulnerability. Affected customers should apply the patches immediately.
More information can be found on SAP Note 1005397.
Vendor Response:
================
. 2006-11-21: Initial Vendor Contact.
. 2006-12-01: Vendor Confirmed Vulnerability.
. 2007-01-09: Vendor Releases Update for version 6.40.
. 2007-01-09: Vendor Releases Update for version 7.00.
. 2007-04-03: Pre-Advisory Public Disclosure.
Special Thanks:
===============
Thanks go to Victor Montero and Gustavo Kunst.
Contact Information:
====================
For more information regarding the vulnerability feel free to contact the author at mnunez <at> cybsec <dot> com.
About CYBSEC S.A. Security Systems
-----------------------------------
Since 1996 CYBSEC S.A. is devoted exclusively to provide professional services specialized in Computer Security. More than 150 clients around the globe validate our quality and professionalism.
To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is associated with other software and/or hardware provider companies.
Our services are strictly focused on Information Security, protecting our clients from emerging security threats, maintaining their IT deployments available, safe, and reliable.
Beyond professional services, CYBSEC is continuously researching new defense and attack techniques and contributing with the security community with high quality information exchange.
For more information, please visit www.cybsec.com