SAP R/3 sapinfo RFC API Account Locking Weakness

On a default installation, SAP R/3 locks a user account after a configured number of failed logon attempts. Under the conditions described below, however, SAP R/3 may fail to lock the account, leaving it exposed to password guessing.

An attacker can use the sapinfo RFC utility to test candidate passwords against a victim user's account. Failed logon attempts made through sapinfo do not trigger the account lockout, so the attacker is not limited to the configured number of attempts and has a greater chance of determining the victim user's password.
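The design flaw behind this weakness is a lockout counter that is enforced by one logon front end but not by another that verifies the same credentials. The following model, added here as an illustration and not taken from SAP or from the original advisory, has a single credential store and two logon paths: a dialog-style logon that counts failures and locks the account, and an RFC-style logon that checks the password but skips the counter. A password-guessing loop run through the second path succeeds without ever locking the account; the hardened variant routes every path through the same counting check. The threshold, the user name and the candidate passwords are constructed for the demonstration.

```python
"""
Model of a lockout counter bypassed by an alternate logon path
(added example; not SAP code and not part of the original advisory).
"""
from dataclasses import dataclass
import hmac

LOCK_THRESHOLD = 3  # constructed value standing in for the system's configured limit


@dataclass
class Account:
    username: str
    password: str          # plaintext for the model only; a real store holds a hash
    failed_logons: int = 0
    locked: bool = False


class Credentials:
    """Central credential store with a per-account failed-logon counter."""

    def __init__(self, accounts, threshold=LOCK_THRESHOLD):
        self.accounts = {a.username: a for a in accounts}
        self.threshold = threshold

    def _verify(self, acct, password):
        # Constant-time comparison; the lockout logic lives in authenticate().
        return hmac.compare_digest(acct.password.encode(), password.encode())

    def authenticate(self, username, password):
        """Enforcing path: every failure is counted, and the account locks at the threshold."""
        acct = self.accounts.get(username)
        if acct is None or acct.locked:
            return False
        if self._verify(acct, password):
            acct.failed_logons = 0
            return True
        acct.failed_logons += 1
        if acct.failed_logons >= self.threshold:
            acct.locked = True
        return False


def dialog_logon(store, username, password):
    """Dialog-style front end: goes through the enforcing check."""
    return store.authenticate(username, password)


def rfc_logon_weak(store, username, password):
    """Weak RFC-style front end: verifies the password but never touches the counter."""
    acct = store.accounts.get(username)
    return acct is not None and store._verify(acct, password)


def rfc_logon_fixed(store, username, password):
    """Hardened RFC-style front end: same enforcing check as every other path."""
    return store.authenticate(username, password)


def guess_password(store, username, candidates, logon):
    """Try each candidate through `logon`; return (password found or None, attempts made)."""
    for attempts, candidate in enumerate(candidates, start=1):
        if logon(store, username, candidate):
            return candidate, attempts
    return None, len(candidates)


def run_demo():
    """Run the same guessing list through each logon path against a fresh store."""
    candidates = ["password", "Welcome1", "sap123", "Summer2010", "init1234"]  # constructed
    results = {}
    for name, logon in [("dialog", dialog_logon),
                        ("rfc_weak", rfc_logon_weak),
                        ("rfc_fixed", rfc_logon_fixed)]:
        store = Credentials([Account("VICTIM", "Summer2010")])  # constructed account
        found, attempts = guess_password(store, "VICTIM", candidates, logon)
        results[name] = {"found": found, "attempts": attempts,
                         "locked": store.accounts["VICTIM"].locked}
    return results


if __name__ == "__main__":
    for path, outcome in run_demo().items():
        print(f"{path:10s} found={outcome['found']!r:14s} "
              f"attempts={outcome['attempts']} locked={outcome['locked']}")
```

Through the dialog path (and the fixed RFC path) the third wrong guess locks the account, so the correct fourth candidate is rejected; through the weak RFC path the fourth candidate succeeds and the account is never locked. The check that matters is the one in `Credentials.authenticate`: a lockout counter belongs in the credential-verification layer, where every front end must pass through it, not in each individual logon interface.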

Copyright 2010, SecurityFocus