CVE-2016-6144 - OpenCVE

The SQL interface in SAP HANA before Revision 102 does not limit the number of login attempts for the SYSTEM user when the password_lock_for_system_user is not supported or is configured as "False," which makes it easier for remote attackers to bypass authentication via a brute force attack, aka SAP Security Note 2216869.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap	Hana

Configuration 1 [-]

cpe:2.3:a:sap:hana:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/138443/SAP-HANA-DB-1.00.73.00.389160-SYSTEM-User-Brute-Force.html
http://seclists.org/fulldisclosure/2016/Aug/91
http://www.securityfocus.com/bid/92065
https://www.onapsis.com/blog/onapsis-publishes-15-advisories-sap-hana-and-building-components
https://www.onapsis.com/research/security-advisories/sap-hana-system-user-brute-force-attack

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2016-08-05T14:00:00

Updated: 2024-08-06T01:22:20.566Z

Reserved: 2016-07-01T00:00:00

Link: CVE-2016-6144

Vulnrichment

No data.

NVD

Status : Modified

Published: 2016-08-05T14:59:15.110

Modified: 2016-11-28T20:30:39.167

Link: CVE-2016-6144

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-07-21T00:00:00", "descriptions": [{"lang": "en", "value": "The SQL interface in SAP HANA before Revision 102 does not limit the number of login attempts for the SYSTEM user when the password_lock_for_system_user is not supported or is configured as \"False,\" which makes it easier for remote attackers to bypass authentication via a brute force attack, aka SAP Security Note 2216869."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-11-25T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.onapsis.com/research/security-advisories/sap-hana-system-user-brute-force-attack"}, {"tags": ["x_refsource_MISC"], "url": "https://www.onapsis.com/blog/onapsis-publishes-15-advisories-sap-hana-and-building-components"}, {"name": "92065", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/92065"}, {"name": "20160819 Onapsis Security Advisory ONAPSIS-2016-026: SAP HANA SYSTEM user brute force attack", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2016/Aug/91"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/138443/SAP-HANA-DB-1.00.73.00.389160-SYSTEM-User-Brute-Force.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-6144", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The SQL interface in SAP HANA before Revision 102 does not limit the number of login attempts for the SYSTEM user when the password_lock_for_system_user is not supported or is configured as \"False,\" which makes it easier for remote attackers to bypass authentication via a brute force attack, aka SAP Security Note 2216869."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.onapsis.com/research/security-advisories/sap-hana-system-user-brute-force-attack", "refsource": "MISC", "url": "https://www.onapsis.com/research/security-advisories/sap-hana-system-user-brute-force-attack"}, {"name": "https://www.onapsis.com/blog/onapsis-publishes-15-advisories-sap-hana-and-building-components", "refsource": "MISC", "url": "https://www.onapsis.com/blog/onapsis-publishes-15-advisories-sap-hana-and-building-components"}, {"name": "92065", "refsource": "BID", "url": "http://www.securityfocus.com/bid/92065"}, {"name": "20160819 Onapsis Security Advisory ONAPSIS-2016-026: SAP HANA SYSTEM user brute force attack", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2016/Aug/91"}, {"name": "http://packetstormsecurity.com/files/138443/SAP-HANA-DB-1.00.73.00.389160-SYSTEM-User-Brute-Force.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/138443/SAP-HANA-DB-1.00.73.00.389160-SYSTEM-User-Brute-Force.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T01:22:20.566Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.onapsis.com/research/security-advisories/sap-hana-system-user-brute-force-attack"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.onapsis.com/blog/onapsis-publishes-15-advisories-sap-hana-and-building-components"}, {"name": "92065", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/92065"}, {"name": "20160819 Onapsis Security Advisory ONAPSIS-2016-026: SAP HANA SYSTEM user brute force attack", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2016/Aug/91"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/138443/SAP-HANA-DB-1.00.73.00.389160-SYSTEM-User-Brute-Force.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-6144", "datePublished": "2016-08-05T14:00:00", "dateReserved": "2016-07-01T00:00:00", "dateUpdated": "2024-08-06T01:22:20.566Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:hana:*:*:*:*:*:*:*:*", "matchCriteriaId": "23408464-31ED-47D7-B215-2E363F16B14F", "versionEndIncluding": "1.00.73.00.389160", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The SQL interface in SAP HANA before Revision 102 does not limit the number of login attempts for the SYSTEM user when the password_lock_for_system_user is not supported or is configured as \"False,\" which makes it easier for remote attackers to bypass authentication via a brute force attack, aka SAP Security Note 2216869."}, {"lang": "es", "value": "La interfaz SQL en SAP HANA en versiones anteriores a Revision 102 no limita el n\u00famero de intentos de inicio de sesi\u00f3n para el usuario SYSTEM cuando el password_lock_for_system_user no es apoyado o est\u00e1 configurado como \"False,\" lo que facilita a atacantes remotos eludir la autenticaci\u00f3n a trav\u00e9s de un ataque de fuerza bruta, tambi\u00e9n conocido como SAP Security Note 2216869."}], "id": "CVE-2016-6144", "lastModified": "2016-11-28T20:30:39.167", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-08-05T14:59:15.110", "references": [{"source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/138443/SAP-HANA-DB-1.00.73.00.389160-SYSTEM-User-Brute-Force.html"}, {"source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2016/Aug/91"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/92065"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.onapsis.com/blog/onapsis-publishes-15-advisories-sap-hana-and-building-components"}, {"source": "cve@mitre.org", "tags": ["Permissions Required"], "url": "https://www.onapsis.com/research/security-advisories/sap-hana-system-user-brute-force-attack"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "nvd@nist.gov", "type": "Primary"}]}