Vigil@nce - SAP Router: password disclosure via Brute Force
April 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use a brute force attack on SAP Router, in order to
progressively obtain the password.
Impacted products: SAP ERP
Severity: 2/4
Creation date: 08/04/2014
Revision date: 16/04/2014
DESCRIPTION OF THE VULNERABILITY
The SAP Router uses a Route Permission Table, which can require a
password.
However, the duration of the password verification function varies
with the number of valid characters.
An attacker can therefore use a brute force attack on SAP Router, in
order to progressively obtain the password.
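The timing dependence described above, shown as an added example (not SAP code and not part of the bulletin): a comparison that stops at the first mismatching byte, next to one that always examines every byte. The function names, the step counter standing in for elapsed time, and the fixed-length sample values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Early-exit comparison: returns at the first mismatching byte, so the work
 * done (counted in *steps) grows with the number of correct leading bytes. */
int leaky_equal(const unsigned char *a, const unsigned char *b,
                size_t len, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < len; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison: always visits all len bytes and ORs the
 * differences together, so the work done does not depend on the guess. */
int constant_time_equal(const unsigned char *a, const unsigned char *b,
                        size_t len, size_t *steps)
{
    unsigned char diff = 0;
    *steps = 0;
    for (size_t i = 0; i < len; i++) {
        (*steps)++;
        diff |= (unsigned char)(a[i] ^ b[i]);
    }
    return diff == 0;
}

int main(void)
{
    /* Constructed sample values, all 8 bytes long. */
    const unsigned char stored[] = "S3cr3t!!";
    const char *guesses[] = { "XXXXXXXX", "S3cXXXXX", "S3cr3t!!" };
    for (size_t g = 0; g < 3; g++) {
        size_t leaky, ct;
        int r1 = leaky_equal(stored, (const unsigned char *)guesses[g], 8, &leaky);
        int r2 = constant_time_equal(stored, (const unsigned char *)guesses[g], 8, &ct);
        printf("%s: early-exit %d (%zu steps), constant-time %d (%zu steps)\n",
               guesses[g], r1, leaky, r2, ct);
    }
    return 0;
}
```

Comparing fixed-length digests of the password rather than the raw strings keeps the input length from becoming a second signal.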
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/SAP-Router-password-disclosure-via-Brute-Force-14536