In certain environments that run SAS^® Cost and Profitability Management 8.4M2 on Windows, the SAS Cost and Profitability Management [SASConfig-Lev1] service might unexpectedly terminate when network activity targets the mid-tier application port. (For example, port 9050.)

This issue occurs in the following scenarios:

• When an external vulnerability or security scanner (such as Qualys) performs a network scan against the server and probes the SAS Cost and Profitability Management mid-tier port.
• When you directly access an invalid http://<midtier_host>:<port> from a web browser.

When this issue occurs, the Windows Application Event Log might record entries similar to the following:

• Faulting application: sas.activitybasedmanagementsvr.service.exe
• Faulting module: KERNELBASE.dll
• Exception code: 0xe0434352
• .NET Runtime version: v4.0.30319
• Exception type: System.Xml.XmlException
• Description: The process was terminated due to an unhandled exception.

The crash indicates that the SAS Cost and Profitability Management mid-tier service encounters an unhandled exception when processing unexpected or malformed input received on the listening port.

Cause

Security and vulnerability scanning tools commonly perform low-level TCP port discovery and connectivity checks as part of host discovery and vulnerability assessment.

These scans typically involve the following:

• TCP SYN packets to determine whether a port is open
• TCP ACK or SYN-ACK packets as part of handshake validation

TCP probe packets operate at the transport layer and are intended to identify open ports and responsive services. The probes do not represent full application-layer requests and do not contain valid protocol-specific payloads (for example, valid HTTP or XML content).

If the SAS Cost and Profitability Management mid-tier service receives unexpected, incomplete, or non-application-layer traffic on its listening port, the service might attempt to process the input as valid application data. As a result, an unhandled exception can occur (for example, during XML parsing), which causes the Windows service to terminate.

Similarly, manually accessing the raw service port directly via a browser (instead of the proper web application context) can result in malformed or incomplete requests that reach the service, which might trigger the same behavior.

Additional Notes

• This issue is triggered by network probing activity rather than normal SAS Cost and Profitability Management application usage.
• The behavior is associated with how the service handles unexpected input on its listening port.
• Repeated service interruptions might occur if no mitigations are in place for environments with frequent vulnerability scanning or aggressive port scanning. 

There is no workaround for this issue.