SAPControl Webmethods Exposure Detection Scanner
This scanner detects the use of SAPControl Webmethods Exposure in digital assets. It identifies the presence of an exposed SOAP interface that could lead to unauthorized access to SAP system properties.
Short Info
Level
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
19 days 5 hours
Scan only one
Domain, Subdomain, IPv4
Toolbox
SAPControl is a crucial component used in SAP systems for managing and controlling SAP services. This web-based control interface allows system administrators to manage instances efficiently. It is typically deployed in enterprise environments where SAP manages core business processes. The software is used to monitor processes, start and stop SAP-related services, and provide detailed service reports, playing a vital role in system maintenance and operations.
The vulnerability lies in the exposure of the SAPControl SOAP interface, particularly the GetInstanceProperties method. When improperly configured, this method can be accessed without authentication. Unauthenticated access to this specific method can reveal sensitive configuration details. This exposure represents a serious security misconfiguration risk, potentially impacting the confidentiality and integrity of the SAP system.
The vulnerable endpoint in the SAPControl SOAP interface is accessed via HTTP POST requests containing specially crafted SOAP envelopes. The parameters within the SOAP request can exploit the GetInstanceProperties method to disclose sensitive data. Successful exploitation typically results in exposing configuration properties, including information about web methods present in the system.
When exploited, this vulnerability allows attackers to gain insights into system configurations, potentially leading to more severe security breaches. Exposing internal configuration details can aid attackers in planning further exploits against the SAP environment. Such exposure increases the risk of unauthorized access, data loss, or system disruption.
REFERENCES
- https://community.sap.com/t5/technology-blog-posts-by-members/securing-the-sap-instance-agent-sap-start-service/ba-p/13486679
- https://help.sap.com/docs/SUPPORT_CONTENT/si/3362958690.html
- https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959700.html
- https://www.neteye-blog.com/2017/03/sap-monitoring-experiences-with-sapcontrol-and-check_sap_health/
- https://redrays.io/blog/extended-security-settings-for-sapstartsrv-sap-security-note-1439348/
