Attacker Value: Moderate (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2018-2393

Disclosure Date: February 14, 2018
Validation: Validated

Description

Under certain conditions, SAP Internet Graphics Server (IGS) 7.20, 7.20EXT, 7.45, 7.49 and 7.53 fails to validate XML External Entities appropriately, causing the SAP Internet Graphics Server (IGS) to become unavailable.


Ratings
  • Attacker Value: Medium
  • Exploitability: Very High
Technical Analysis

This vulnerability currently has a Metasploit module in the PR queue at https://github.com/rapid7/metasploit-framework/pull/14163, so here is a nutshell version of what this vulnerability is and why it matters, as well as why it might not matter as much.

Basically, this vulnerability is a bug from 2018 in SAP Internet Graphics Servers (IGS) in their /XMLCHART pages, due to a lack of XML external entity validation on the <Element> HTML tag value when a POST request containing XML is sent to the /XMLCHART page, which then instructs the SAP IGS server to render a new chart with the provided data.

By abusing this vulnerability an attacker can retrieve the contents of any file on the system as the user running the SAP IGS server. This user will typically be the SAP admin user, but will not necessarily be the root user, meaning that whilst the attacker will have elevated access to SAP IGS related files, they may not be able to access some OS related files due to their lack of permissions.

Still, it is important to note that SAP systems are often responsible for processing business-sensitive information, so whilst the attacker may not be able to access something like the /etc/shadow file, they would still potentially be able to retrieve sensitive information such as data about company performance or analytics that may not be available to the public, which could allow for activities such as insider trading. It is also possible that the SAP admin user may have been given extra permissions by accident, which could allow the attacker to read the contents of other sensitive files on the disks. These could include configuration files which may contain sensitive usernames and passwords.

This vulnerability is therefore listed as a Medium, as it certainly gives an attacker a fair degree of file access; however, the attacker will not be able to do anything beyond reading files with this bug alone, which limits its impact a little bit.
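The following is an added defender-side example written for this page; it is not code from the assessment, the Metasploit PR or SAP. It screens POST bodies sent to /XMLCHART for the DTD and external-entity constructs the assessment describes, and shows the mitigation side by parsing the chart XML with expat while refusing any DTD. The `<Chart>` root element, the file path and the host in the sample requests are placeholders; only the /XMLCHART endpoint and the `<Element>` tag come from the text above.

```python
import re
import xml.parsers.expat as expat

# Constructed sample requests (method, path, body), not real captures. The root
# element <Chart>, the file path and the host are placeholders; only the
# /XMLCHART endpoint and the <Element> tag come from the assessment above.
SAMPLE_REQUESTS = [
    ("POST", "/XMLCHART",
     '<?xml version="1.0"?><Chart><Element>42</Element></Chart>'),
    ("POST", "/XMLCHART",
     '<?xml version="1.0"?><!DOCTYPE d [<!ENTITY ex SYSTEM "file:///PLACEHOLDER">]>'
     '<Chart><Element>&ex;</Element></Chart>'),
    ("POST", "/XMLCHART",
     '<?xml version="1.0"?><!DOCTYPE d [<!ENTITY % p SYSTEM "http://dtd.invalid/x">%p;]>'
     '<Chart><Element>1</Element></Chart>'),
    ("GET", "/XMLCHART", ""),
]

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
EXT_ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?[^\s>]+\s+(SYSTEM|PUBLIC)\b", re.I)
ELEMENT_REF_RE = re.compile(r"<Element>[^<]*&[A-Za-z_][\w.-]*;", re.I)

def xxe_indicators(method, path, body):
    """Reasons a /XMLCHART request looks like an external-entity attempt; [] if clean."""
    if method.upper() != "POST" or path.rstrip("/").upper() != "/XMLCHART":
        return []
    reasons = []
    if DOCTYPE_RE.search(body):  # a DTD is what makes entity declarations possible
        reasons.append("DOCTYPE present in chart XML")
    m = EXT_ENTITY_RE.search(body)
    if m:
        kind = "parameter" if m.group(1) else "general"
        reasons.append(f"external {kind} entity declared via {m.group(2).upper()}")
    if ELEMENT_REF_RE.search(body):  # the tag the assessment names as the sink
        reasons.append("entity reference inside <Element> value")
    return reasons

def parse_element_without_dtd(body):
    """Mitigation: parse chart XML with expat but reject any DTD, so no entity can be declared."""
    parser = expat.ParserCreate()
    text, in_element = [], [False]
    def reject_dtd(name, sysid, pubid, has_internal):
        raise ValueError("DTD not allowed in chart XML")
    parser.StartDoctypeDeclHandler = reject_dtd
    parser.StartElementHandler = lambda n, a: in_element.__setitem__(0, n == "Element")
    parser.EndElementHandler = lambda n: in_element.__setitem__(0, False)
    parser.CharacterDataHandler = lambda d: text.append(d) if in_element[0] else None
    parser.Parse(body, True)
    return "".join(text)  # text of the <Element> value, e.g. "42" for the first sample
```

The screen flags the second and third samples and passes the first and the GET; the strict parser returns the element text for the first sample and raises ValueError on any body that carries a DTD.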

General Information

Vendors

  • SAP SE

Products

  • SAP Internet Graphics Server
