VYPR
Medium severity 4.3 · NVD Advisory · Published Jun 26, 2024 · Updated Apr 15, 2026

CVE-2024-37571

Description

SAS Broker 9.2 build 1495 has a buffer overflow in the '_debug' parameter that allows remote denial of service and information disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A buffer overflow vulnerability exists in SAS Broker version 9.2 build 1495. A crafted payload sent to the _debug parameter can trigger an integer overflow condition in the debug functionality. The flaw is classified as a buffer overflow; its root cause is improper handling of input size when processing the _debug parameter [1].

The attack vector is remote, with low complexity. An attacker can send a specially crafted payload to the affected _debug parameter without needing authentication. This makes the vulnerability exploitable over the network by any unauthenticated user targeting the SAS Broker service [1].

Successful exploitation can lead to a denial of service (DoS) condition, disrupting normal operations. Additionally, the attacker may retrieve information about the software version and build number, which could aid in further targeted attacks. The impact is limited to information disclosure of version details and service disruption, with no indication of code execution [1].

As of the advisory date, no official patch has been released by SAS. Users are advised to restrict access to the SAS Broker service, monitor for unusual activity, and limit exposure to trusted networks. The vendor has been notified, and users should watch for future updates [1].

References
  1. CVE-2024-37571

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.
