By | John Leyden 11th March 2016 11:01

SAP software download app exposed passwords thanks to serious vuln

Java bug splatted. Patch, update, you know the drill

A Java application from SAP that allows downloading of software packages and support notes needs patching following the discovery of a serious security flaw.

Core Security found that an attacker who manages to get access to a user's configuration file in SAP’s Download Manager might be able to obtain the stored proxy password.

The information leak is not remotely exploitable. SAP resolved the issue with updated software earlier this week, allowing Core to go public with a low-down on the vulnerability.

Core Security Consulting Services’ Martin Gallo, who discovered the SAP vulnerability, said: “SAP system and BASIS administrators often use the SAP Download Manager program to download software packages and fixes. We found that this program stores credentials information on the local user's directories using an encryption mechanism that can be easily bypassed.”

“While recent versions of the program had stopped storing SAP's Marketplace credentials, proxy authentication information is still kept on the program's configuration file. This represents a risk on the enterprise environment where proxy authentication is integrated with other systems, for example using Active Directory's credentials, if the configuration file is compromised,” he added.

Core’s advisory - which contains proof-of-concept exploit code - can be found here. A SAP spokesman told El Reg that “this [flaw] was reported to us and is already fixed”.

SAP published a Security Note – number 2282338 – accessible to SAP clients (rather than the unwashed masses) via its Support Portal.

An updated version of SAP Download Manager can be found here. ®
