SAP Sybase ESP Vulnerabilities

June 27, 2014

XML-RPC is a remote procedure call (RPC) protocol; it works by sending a HTTP request to a server implementing the protocol. The client in that case is typically software wanting to call a single method of a remote system. Multiple input parameters can be passed to the remote method, one return value is returned. The parameter types allow nesting of parameters into maps and lists, thus larger structures can be transported.

SAP Sybase Event Stream Processor (ESP) is a real-time data analysis solution. Traditional data analysis involves running queries against static data in a database. Sybase ESP, on the other hand, tries to run continuous queries against continuous stream. XML-RPC is used in ESP applications to modify elements.

Several vulnerabilities exist in SAP Sybase ESP. The vulnerabilities are due to insufficient boundary check when processing XML-RPC requests. A remote attacker could exploit these vulnerabilities by sending a crafted XML-RPC request to the vulnerable ESP server. Successful exploitation could result in arbitrary code execution or a denial of service condition.

The following CVEs are related to this issue: CVE-2014-3457 and CVE-2014-3458.

Dell SonicWALL has released IPS signatures to detect and block specific exploitation attempts targeting these vulnerabilities. The signatures are listed below:

  • 3924 Sybase ESP esp_parse ConnectionType Remote Code Execution
  • 4092 Sybase ESP esp_parse Connection Remote Code Execution