SAP Internet Graphics Service executes malicious code
The Internet Graphics Service (IGS), which is installed and activated by default on SAP's Web Application Server, can be exploited by attackers to break into the system, reports security service provider Cybsec. SAP has already released updates to close the security holes.
The IGS fails to handle malformed packets received from the network correctly. Attackers can use specially crafted packets to crash the service (a remote denial of service). By exploiting a buffer overflow they could also take control of the entire computer if the service is running under Windows; on Unix systems their reach is more limited, but they could still take full control of the SAP system. Cybsec says it will publish more specific details on the vulnerabilities in three months' time.
IGS version 6.40 at patch levels below 16 and version 7.00 at patch level 3 and lower are affected by the flaws. Administrators of SAP Web Application Servers should obtain the updates from SAP through the usual channels and install them as soon as possible.
- SAP Internet Graphics Service (IGS) Remote Denial of Service (PDF), advisory from Cybsec
- SAP Internet Graphics Service (IGS) Remote Buffer Overflow (PDF), advisory from Cybsec
(ehe)