CVE-2017-16690

Published: Dec 12, 2017Modified: May 13, 2026

7.8

Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

A malicious DLL preload attack possible on NwSapSetup and Installation self-extracting program for SAP Plant Connectivity 2.3 and 15.0. It is possible that SAPSetup / NwSapSetup.exe loads system DLLs like DWMAPI.dll (located in your Syswow64 / System32 folder) from the folder the executable is in and not from the system location. The desired behavior is that system dlls are only loaded from the system folders. If a dll with the same name as the system dll is located in the same folder as the executable, this dll is loaded and code is executed.

Affected (2)

Products: Sap: Plant Connectivity

1 product

Plant Connectivity

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Sap Plant Connectivity	Version 15.0
Sap Plant Connectivity	Version 2.3

Related CWEs

Untrusted Search Path

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

References (6)

http://www.securityfocus.com/bid/102145

Source: cna@sap.com

Third Party AdvisoryVDB Entry

https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/

Source: cna@sap.com

Vendor Advisory

https://launchpad.support.sap.com/#/notes/2529480

Source: cna@sap.com

Permissions Required

http://www.securityfocus.com/bid/102145

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://launchpad.support.sap.com/#/notes/2529480

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

Timeline

No history available yet.