Critical Vulnerability in SAP Message Server: A Worldwide Scan

Wednesday, July 04, 2012

Alexander Polyakov


ZDI has recently published the details of two buffer overflow vulnerabilities in SAP Message Server.

Both are remotely exploitable and allow attacker-supplied code to be executed on the server. They received CVSSv2 scores of 9 and 10 respectively.

SAP released Security Notes 1649840 and 1649838 back in February 2012, so responsible administrators had the chance to install the updates before the details were published.

Nevertheless, many companies neglect security updates so their systems still remain vulnerable.

It is believed that the main threats come from malicious insiders or cyber criminals who found a way into corporate internal resources.

However, according to recent research by ERPScan, described in the report “SAP security in figures: a global survey 2007-2011”, SAP Message Server is also frequently accessible from the Internet.

Of 1000 SAP-using companies worldwide, randomly selected in the course of the research, 4% expose SAP Message Server to the Internet. If the vulnerabilities described above are present on such a system, the consequences can be critical.

Three countries were scanned in detail, namely Germany, Russia and Portugal. The results are available at and updated regularly.

The number of exposed SAP Message Servers found was:

  • Portugal: 18
  • Germany: 9
  • Russia: 6
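The kind of exposure check behind those figures can be reproduced on your own address space. The script below is an added example written for this page; it is not ERPScan's scanner and not code from the original post. It assumes the conventional SAP port layout, in which the Message Server listens on 36NN and its HTTP interface on 81NN for instance number NN (00 to 99); a system configured with non-default ports will not be found this way. Only scan hosts you are authorized to test.

```python
"""Find SAP Message Server listeners on a host by TCP connect scan.

Added example for this article, not the original research tooling.
Assumption: the target uses SAP's default port layout
(36NN = message server, 81NN = message server HTTP port).
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

MS_BASE = 3600        # sapmsSID, instance number NN -> 36NN
MS_HTTP_BASE = 8100   # ms/http_port default,  NN -> 81NN


def message_server_ports(instance_numbers=range(100)):
    """Return the candidate ports for the given instance numbers."""
    ports = []
    for nn in instance_numbers:
        ports.append(MS_BASE + nn)
        ports.append(MS_HTTP_BASE + nn)
    return ports


def classify(port):
    """Map a port back to (service, instance number); unknown ports -> ('unknown', None)."""
    if MS_BASE <= port < MS_BASE + 100:
        return ("message_server", port - MS_BASE)
    if MS_HTTP_BASE <= port < MS_HTTP_BASE + 100:
        return ("message_server_http", port - MS_HTTP_BASE)
    return ("unknown", None)


def port_open(host, port, timeout=1.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # refused, filtered (timeout), unreachable: all count as not exposed
        return False


def scan_host(host, ports, timeout=1.0, workers=32):
    """Return the sorted list of open ports on host among the candidates."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: (p, port_open(host, p, timeout)), ports)
    return sorted(p for p, is_open in results if is_open)


def report(host, open_ports):
    """Human-readable summary of what was found on a host."""
    lines = []
    for p in open_ports:
        service, nn = classify(p)
        lines.append(f"{host}:{p}  {service}  instance {nn:02d}")
    return "\n".join(lines) if lines else f"{host}: no SAP Message Server ports open"


if __name__ == "__main__":
    # usage: python ms_scan.py HOST [HOST ...]
    for target in sys.argv[1:]:
        print(report(target, scan_host(target, message_server_ports())))
```

A connect scan only shows that something accepts TCP on a Message Server port; it does not tell you whether the notes above are applied. Treat any hit from outside the corporate network as a finding in its own right, since the Message Server has no business being reachable from the Internet regardless of patch level.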

It is highly recommended to install the updates mentioned above as soon as possible. Beyond patching, a Message Server that has no business reason to be reachable from the Internet should be firewalled so that only the internal application servers and logon clients that need it can connect.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
