Attacker Value
Moderate
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
1

CVE-2018-2393

Disclosure Date: February 14, 2018
CVE-2018-2393 CVSS v3 Base Score: 7.5
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Collection
Techniques
Validation
Validated

Description

Under certain conditions SAP Internet Graphics Server (IGS) 7.20, 7.20EXT, 7.45, 7.49, 7.53, fails to validate XML External Entity appropriately causing the SAP Internet Graphics Server (IGS) to become unavailable.

Add Assessment

2
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Easy to weaponizeUnauthenticatedVulnerable in default configuration
Technical Analysis

This vulnerability currently has a Metasploit module in the PR queue at https://github.com/rapid7/metasploit-framework/pull/14163, so here is a nutshell version of what this vulnerability is and why it matters, as well as why it might not matter as much.

Basically this vulnerability is a bug from 2018 in SAP Internet Graphics Servers (IGS) in their /XMLCHART pages due to a lack of XML external entity validation on the <Element> HTML tag value when a POST request containing XML is sent to the /XMLCHART page, which will then instruct the SAP IGS server to render a new chart with the provided data.

By abusing this vulnerability an attacker can retrieve the contents of any file on the system as the user running the SAP IGS server. This user will typically be the SAP admin user, but will not necessarily be the root user, meaning that whilst the attacker will have elevated access to SAP IGS related files, they may not be able to access some OS related files due to their lack of permissions.

Still it is important to note that SAP systems are often responsible for processing business sensitive information, so whilst the attacker may not be able to access something like the /etc/shadow file, they would still be able to potentially retrieve sensitive information such as data about company performance or analytics that may not be available to the public, which could allow for activities such as insider trading. It is also possible that the SAP admin user may have been given extra permissions by accident which could allow the attacker to read the contents of other sensitive files on the disks. These could include configuration files which may contain sensitive usernames and passwords.

This vulnerability is therefore listed as a Medium as it certainly gives an attacker a fair degree of file access, however the attacker will not be able to do anything beyond reading files with this bug alone, which limits its impact a little bit.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
7.5 High
Impact Score:
3.6
Exploitability Score:
3.9
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
SAP Internet Graphics Server 7.20
SAP Internet Graphics Server 7.20EXT
SAP Internet Graphics Server 7.45
SAP Internet Graphics Server 7.49
SAP Internet Graphics Server 7.53
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
auxiliary/admin/sap/sap_igs_xmlchart_xxe
Reporter
Unknown

Vendors

  • sap

Products

  • internet graphics server 7.20,
  • internet graphics server 7.20ext,
  • internet graphics server 7.45,
  • internet graphics server 7.49,
  • internet graphics server 7.53

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis