SAP sapinfo account lockout brute force
sap-sapinfo-lockout-bypass (11487)
Description:
SAP could allow a remote attacker to bypass the account lockout feature and use brute force techniques to obtain access to the account. When used with the RFC (Remote Function Call) API, the sapinfo utility fails to lock out a known user account after repeated unsuccessful login attempts. A remote attacker could use this vulnerability to launch brute force password guessing attacks against a known account name to gain unauthorized access to the system.
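The weakness in this record is a lockout counter that is enforced on one client interface (SAPGUI) but not on another (the RFC API), so failed logins through the second interface never trip it. The following Python is an added illustration written for this page; it is not code from IBM X-Force or from SAP and does not model any real SAP parameter or log format. It assumes a failure threshold of 3, two channel names ("SAPGUI" and "RFC"), and a constructed log line layout. It places a per-channel lockout model beside a central, per-account one, and runs a detector over constructed log lines that counts failures per account across all channels so that interface-specific guessing does not stay under the radar.

```python
"""Added example: cross-channel lockout counter and log-based detector
for the failure mode described in the record above (constructed)."""
from collections import defaultdict
import re

MAX_FAILURES = 3  # assumed threshold; the real SAP setting is not on this page


class PerChannelLockout:
    """Weak design: failures are counted per (user, channel) and the lock
    is only checked and enforced on the interactive GUI channel, so
    attempts over any other channel never reach the lockout."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, user, channel, password_ok):
        if user in self.locked and channel == "SAPGUI":
            return "locked"
        if password_ok:
            return "ok"
        self.failures[(user, channel)] += 1
        if channel == "SAPGUI" and self.failures[(user, channel)] >= self.max_failures:
            self.locked.add(user)
            return "locked"
        return "failed"


class CentralLockout:
    """Corrected design: one counter per account shared by every channel,
    and the lock state is checked before the password on all of them."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, user, channel, password_ok):
        if user in self.locked:
            return "locked"
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
            return "locked"
        return "failed"


def simulate(policy, attempts):
    """Feed (user, channel, password_ok) tuples to a policy, collect results."""
    return [policy.attempt(user, channel, ok) for user, channel, ok in attempts]


# Constructed log lines (not real SAP output): date time channel login result user=NAME
SAMPLE_LOG = """\
2003-03-04 09:54:46 SAPGUI login failed user=ALICE
2003-03-04 09:54:50 RFC login failed user=ALICE
2003-03-04 09:54:51 RFC login failed user=ALICE
2003-03-04 09:54:52 RFC login failed user=ALICE
2003-03-04 09:54:53 RFC login failed user=ALICE
2003-03-04 09:55:01 SAPGUI login ok user=BOB
2003-03-04 09:55:07 RFC login failed user=BOB
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<channel>\S+) login (?P<result>ok|failed) user=(?P<user>\S+)$"
)


def failed_logins_per_user(log_text):
    """Count failed logins per account across all channels. Splitting the
    count by channel would let guessing over a single interface stay
    below any per-channel threshold, which is the gap this record describes."""
    counts = defaultdict(lambda: {"total": 0, "channels": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "failed":
            continue
        counts[m["user"]]["total"] += 1
        counts[m["user"]]["channels"].add(m["channel"])
    return dict(counts)


def accounts_over_threshold(log_text, max_failures=MAX_FAILURES):
    """Accounts whose combined failure count meets the lockout threshold."""
    return sorted(
        user for user, c in failed_logins_per_user(log_text).items()
        if c["total"] >= max_failures
    )


if __name__ == "__main__":
    attempts = [("ALICE", "RFC", False)] * 4 + [("ALICE", "RFC", True)]
    print("per-channel:", simulate(PerChannelLockout(), attempts))
    print("central:    ", simulate(CentralLockout(), attempts))
    print("flagged:    ", accounts_over_threshold(SAMPLE_LOG))
```

The two `simulate` runs show the difference directly: with the per-channel model, four wrong passwords over RFC followed by the right one still return "ok", whereas the central model locks the account on the third failure and keeps it locked even when the correct password is later supplied. The detector side applies the same principle to monitoring: aggregate failed logins by account, not by interface, so that an RFC-only pattern is visible to the same threshold that the GUI channel already enforces.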
Consequences:
Bypass Security
Remedy:
No remedy available as of July 9, 2011.
References:
- Full-Disclosure Mailing List, Tue Mar 04 2003 - 09:54:46 CST: SAP R/3, account locking and RFC SDK.
- BID-7007: SAP R/3 sapinfo RFC API Account Locking Weakness
- CVE-2003-1035: The default installation of SAP R/3 46C/D allows remote attackers to bypass account locking by using the RFC API instead of the SAPGUI to conduct a brute force password guessing attack, which does not lock out the account like the SAPGUI does.
Platforms Affected:
- SAP SAP R/3
- SAP SAPgui 4.6C
- SAP SAPgui 4.6D
Reported:
Mar 04, 2003
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
