SAP Hard-Coded Credentials

2014.06.07
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-798

Onapsis Security Advisories:Multiple Hard-coded Usernames (CWE-798) have been found and patched in a variety of SAP components. Summaries of the advisories with links to full versions follow: 1. ONAPSIS-2014-011-SAP Project System Structures and Project-Oriented Procurement Hard-coded credentials ======================================================================= - -- Public Release Date: 2014-06-06 - -- Researcher: Sergio Abraham - -- Initial Base CVSS v2: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P) - -- Affected Components: * Project System * Structures * Project-Oriented Procurement (Check SAP Note 1791081 for detailed information on affected releases) - -- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-011 2. ONAPSIS-2014-012-SAP Brazil Specific Add-On Hard-coded Credentials ===================================================================== - -- Public Release Date: 2014-06-06 - -- Researcher: Sergio Abraham - -- Initial Base CVSS v2: 4.0 (AV:N/AC:L/AU:S/C:P/I:N/A:N) - -- Fix in SAP Note:1768049 - -- Affected Components: * Brazil Specific Add-On - -- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-012 3. ONAPSIS-2014-013-SAP OIL Industry Solution Traders and Schedulers Workbench Hard-coded Credentials ===================================================================== - -- Public Release Date: 2014-06-06 - -- Researcher: Sergio Abraham - -- Initial Base CVSS v2: 4.6 (AV:N/AC:H/AU:S/C:P/I:P/A:P) - -- Fix in SAP Note: 1920323 - -- Affected Components: * SAP Oil Industry Solution Traders and Schedulers Workbench - -- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-013 4. ONAPSIS-2014-014-SAP Upgrade tools for ABAP Hard-coded credentials ===================================================================== - -- Public Release Date: 2014-06-06 - -- Researcher: Sergio Abraham - -- Initial Base CVSS v2: 4.9 (AV:N/AC:M/AU:S/C:N/I:P/A:P) - -- Fix in SAP Note: 1915873 - -- Affected Components: * SAP Upgrade Tools - -- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-014 5. ONAPSIS-2014-015-SAP Web Services Tool Hard-coded Credentials ================================================================ - -- Public Release Date: 2014-06-06 - -- Researcher: Sergio Abraham - -- Initial Base CVSS v2: 3.5 (AV:N/AC:M/AU:S/C:P/I:N/A:N) - -- Fix in SAP Note: 1914777 - -- Affected Components: * SAP Web Services Tool - -- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-015 6. ONAPSIS-2014-016-SAP CCMS Monitoring Hard-coded Credentials ============================================================== - -- Public Release Date: 2014-06-06 - -- Researcher: Sergio Abraham - -- Initial Base CVSS v2: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P) - -- Fix in SAP Note: 1911174 - -- Affected Components: * SAP CCMS Monitoring - -- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-016 7. ONAPSIS-2014-017-SAP Transaction Data Pool Hard-coded Credentials ==================================================================== - -- Public Release Date: 2014-06-06 - -- Researcher: Sergio Abraham - -- Initial Base CVSS v2: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P) - -- Fix in SAP Note: 1795463 - -- Affected Components: * SAP Transaction Data Pool - -- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-017 8. ONAPSIS-2014-018-SAP Capacity Leveling Hard-coded Credentials ================================================================ - -- Public Release Date: 2014-06-06 - -- Researcher: Sergio Abraham - -- Initial Base CVSS v2: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P) - -- Fix in SAP Note: 1789569 - -- Affected Components: * SAP Capacity Leveling - -- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-018 9. ONAPSIS-2014-019-SAP Open Hub Service Hard-coded Credentials =============================================================== - -- Public Release Date: 2014-06-06 - -- Researcher: Sergio Abraham - -- Initial Base CVSS v2: 4.9 (AV:N/AC:M/AU:S/C:P/I:P/A:N) - -- Fix in SAP Note: 1738965 - -- Affected Components: * SAP Open Hub Service - -- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-019 - -- Ezequiel Gutesman Director Of Research Onapsis


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top