SAP Adaptive Server Enterprise (ASE), previously known as Sybase SQL Server, is a high-performance relational database server that can be hosted on-premises or in the cloud. According to SAP marketing materials, it is used by over 30,000 organizations worldwide, including banks, healthcare companies and security firms.
SAP released a security update in May fixing several vulnerabilities in its Adaptive Server Enterprise (ASE) database product. Rolling these updates out across a fleet is easier with patch management software.
The researchers who discovered and reported the vulnerabilities are urging organizations to apply those patches as soon as possible, because the flaws allow attackers to take control of the underlying database and of the servers it runs on. A vulnerability management tool can help track and remediate these vulnerabilities.
Security researchers from Trustwave disclosed six vulnerabilities that they discovered while testing the latest version of the software, ASE 16 (SP03 PL08). SAP released patches for both ASE 15.7 and 16.0 in its May 2020 update, and the researchers then published technical details of the vulnerabilities in a blog post on Wednesday.
Vulnerability Details:
Code injection in SAP Adaptive Server Enterprise (Backup Server)[CVE-2020-6248]:
- This is the most critical of the vulnerabilities, with a Common Vulnerability Scoring System (CVSS) score of 9.1 out of 10. The flaw stems from a lack of validation that allows critical configuration files to be overwritten during database backup operations.
- Any unprivileged user who can execute the DUMP DATABASE command (normally used by administrators to back up a database to a dump device) can use it to overwrite the Backup Server configuration file with corrupt content. On the next Backup Server restart, the server detects the corrupt file and replaces it with a default one.
- With the default configuration in place, anyone can connect to the Backup Server using the default login and an empty password, which opens the way to a takeover of the database.
- Attackers can then change the “sybmultbuf_binary” setting to point to a malicious executable, which subsequent DUMP commands will run. If SAP ASE runs on Windows, this happens with LocalSystem privileges by default, allowing the attacker to take over the machine completely.
Information Disclosure in SAP Adaptive Server Enterprise (Cockpit)[CVE-2020-6252]:
- This critical flaw, with a CVSS score of 9.0, affects Windows installations of SAP ASE 16. It lies in the Cockpit component of SAP ASE, a web-based administrative console used to monitor the status and availability of ASE servers. Cockpit uses a small helper database based on SQL Anywhere, which also runs with LocalSystem privileges.
- The flaw exists because the login password for the helper database is stored in a configuration file that is readable by any Windows user.
- An attacker with access to a local non-privileged Windows account can recover the password from the configuration file, log in to the helper database as the special user utility_db, and issue commands such as CREATE ENCRYPTED FILE that can overwrite operating system files and ultimately execute malicious code with LocalSystem privileges.
The researchers also found two SQL injection flaws that allow privilege escalation and complete database compromise.
SQL Injection vulnerability in SAP Adaptive Server Enterprise[CVE-2020-6241] | [CVE-2020-6253]:
- The first flaw (CVE-2020-6241) exists in the handling of global temporary tables. An authenticated user without any special privileges can execute crafted database queries that exploit it to gain administrative access to the entire database.
- The second flaw (CVE-2020-6253) exists in the WebServices code and is triggered by loading a maliciously crafted database dump.
- Exploitation is a two-stage attack. First, the attacker prepares an ASE dump containing a malicious system table entry. Next, that dump is loaded on the target ASE server, and the internal SQL injection occurs while the server processes the malformed entry from the dump.
Code Injection in SAP Adaptive Server Enterprise (XP Server on Windows Platform)[CVE-2020-6243]:
- A third privilege escalation flaw exists in the XP Server component, which is installed automatically with SAP ASE on Windows.
- The flaw is due to insufficient security checks when an authenticated user executes an extended stored procedure.
- Any authenticated user can force the XP Server to load and execute the file C:\SAP\.DLL. That location is writable by any Windows user, so an attacker can replace the .dll with a malicious one.
- Because XP Server runs as LocalSystem, exploiting this flaw leads to arbitrary code execution with full system privileges.
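Both Windows issues above, CVE-2020-6252 (a helper-database configuration file readable by any user) and CVE-2020-6243 (a DLL location under C:\SAP\ writable by any user), come down to file ACLs that grant access to low-privilege principals. The following Python script is an added example, not code from the original post, from Trustwave or from SAP: it parses the output of the Windows `icacls` command for one path and reports which low-privilege principals (Everyone, BUILTIN\Users, Authenticated Users) hold read or write rights on it. The sample `icacls` output is constructed for the example, the file name `C:\SAP\cockpit\helper.cfg` is hypothetical (the page does not give the real path), and the list of low-privilege principals, the set of rights treated as "write" and the `(DENY)` marker for deny entries are assumptions an administrator should adjust to their environment.

```python
import re
from typing import FrozenSet, List, NamedTuple

# Principals every local, non-privileged Windows account belongs to (assumption:
# extend with site-specific groups). Compared lower-case.
LOW_PRIV_PRINCIPALS = {"everyone", "builtin\\users", "nt authority\\authenticated users"}

# icacls rights: F full, M modify, W write, RX read/execute, R read, plus the
# granular WD (write data/add file), AD (append data/add subdir), RD (read data).
WRITE_RIGHTS = frozenset({"F", "M", "W", "WD", "AD"})
READ_RIGHTS = frozenset({"F", "M", "RX", "R", "RD"})
# Inheritance/propagation markers that grant nothing by themselves; "DENY"
# marks a deny entry (assumption about how icacls prints them).
NON_RIGHT_FLAGS = {"I", "OI", "CI", "IO", "NP", "DENY"}

class Ace(NamedTuple):
    principal: str
    deny: bool
    rights: FrozenSet[str]

# "<principal>:(flag)(flag)..." as printed by icacls
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<flags>(?:\([^)]*\))+)$")

def parse_icacls(output: str, path: str) -> List[Ace]:
    """Parse `icacls <path>` output for the one path it was run on.

    First line: "<path> <principal>:(flags)"; continuation lines: "<principal>:(flags)";
    the "Successfully processed" summary is skipped. The caller passes the path so
    that paths and principals containing spaces need not be told apart by guessing.
    """
    aces: List[Ace] = []
    for raw in output.splitlines():
        line = raw[len(path) + 1:] if raw.startswith(path + " ") else raw
        line = line.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        match = ACE_RE.match(line)
        if not match:
            continue
        flags = re.findall(r"\(([^)]*)\)", match.group("flags"))
        rights = {r.strip() for f in flags for r in f.split(",")}
        aces.append(Ace(match.group("principal"), "DENY" in flags,
                        frozenset(rights - NON_RIGHT_FLAGS - {""})))
    return aces

def low_priv_principals(aces: List[Ace], wanted: FrozenSet[str]) -> List[str]:
    """Low-privilege principals granted any right in `wanted` by an allow entry.
    Deny entries are skipped, not subtracted: the check may over-report but
    never hides a permissive allow entry."""
    return [a.principal for a in aces
            if not a.deny and a.principal.lower() in LOW_PRIV_PRINCIPALS
            and a.rights & wanted]

def world_writable(icacls_output: str, path: str) -> List[str]:
    return low_priv_principals(parse_icacls(icacls_output, path), WRITE_RIGHTS)

def world_readable(icacls_output: str, path: str) -> List[str]:
    return low_priv_principals(parse_icacls(icacls_output, path), READ_RIGHTS)

# Constructed sample output (not captured from a real host): the world-writable
# DLL directory condition described for CVE-2020-6243.
SAP_DIR_WEAK = """C:\\SAP BUILTIN\\Users:(OI)(CI)(M)
      NT AUTHORITY\\SYSTEM:(OI)(CI)(F)
      BUILTIN\\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""
# The same directory after low-privilege accounts are cut back to read/execute.
SAP_DIR_FIXED = SAP_DIR_WEAK.replace("BUILTIN\\Users:(OI)(CI)(M)", "BUILTIN\\Users:(OI)(CI)(RX)")

# Constructed sample for a Cockpit helper-database configuration file readable
# by any local user (CVE-2020-6252). The file name is hypothetical.
CFG_WEAK = """C:\\SAP\\cockpit\\helper.cfg NT AUTHORITY\\SYSTEM:(I)(F)
                          BUILTIN\\Administrators:(I)(F)
                          BUILTIN\\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    print("C:\\SAP writable by:", world_writable(SAP_DIR_WEAK, "C:\\SAP"))
    print("C:\\SAP after fix:", world_writable(SAP_DIR_FIXED, "C:\\SAP"))
    print("helper.cfg readable by:", world_readable(CFG_WEAK, "C:\\SAP\\cockpit\\helper.cfg"))
```

On a real host, run `icacls C:\SAP` and pass the text to `world_writable`; a non-empty result is the condition described for CVE-2020-6243, and the corrected ACL (read/execute only for Users) yields an empty list. The same `world_readable` check applied to the Cockpit helper-database configuration file covers CVE-2020-6252. Deny entries are ignored rather than subtracted, so the check errs toward reporting rather than silently passing.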
Information Disclosure in SAP Adaptive Server Enterprise[CVE-2020-6250]:
- On Linux/UNIX systems, the SAP ASE installation logs contain passwords in plaintext. An authenticated SAP account user can read the installation logs and recover system administrator passwords.
- Combined with any other issue that grants filesystem access, this oversight can result in full compromise of the SAP ASE deployment.
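A practitioner checking for CVE-2020-6250 wants two things: whether an installation log is readable by accounts other than its owner, and whether it contains secrets. The Python script below is an added example (not the page's, Trustwave's or SAP's code): it scans log text for lines that leak a password in key=value form or as an `isql`-style `-P` argument, reports them with the secret redacted, and checks POSIX mode bits for group or other read access. The sample log lines are constructed for the example and do not reproduce a real SAP ASE installer log; the patterns are generic and will need tuning for the real log format.

```python
import os
import re
import stat
from typing import Iterable, List, NamedTuple, Tuple

class Finding(NamedTuple):
    line_no: int
    kind: str       # which pattern matched
    redacted: str   # the offending line with the secret masked

# Generic patterns for a secret written into a log (assumption: not tied to the
# real SAP ASE installer format). The last group of each pattern is the secret.
SECRET_PATTERNS = [
    ("key=value", re.compile(r"(?i)\b([a-z_]*(?:password|passwd|pwd))\s*[=:]\s*(\S+)")),
    ("isql -P argument", re.compile(r"(?<!\S)-P\s*(\S+)")),
]

def scan_log_lines(lines: Iterable[str]) -> List[Finding]:
    """Report lines that carry a plaintext secret, with the secret masked."""
    findings: List[Finding] = []
    for no, line in enumerate(lines, start=1):
        for kind, pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            secret = m.group(m.lastindex)
            if set(secret) <= {"*"}:      # the installer already masked it
                continue
            redacted = line[:m.start(m.lastindex)] + "****" + line[m.end(m.lastindex):]
            findings.append(Finding(no, kind, redacted.rstrip()))
            break                         # one finding per line is enough
    return findings

def scan_log_text(text: str) -> List[Finding]:
    return scan_log_lines(text.splitlines())

def mode_readable_by_others(mode: int) -> bool:
    """True if the POSIX mode grants read to group or other, i.e. to accounts
    other than the file owner (the exposure described for CVE-2020-6250)."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def audit_log_file(path: str) -> Tuple[bool, List[Finding]]:
    """Permission exposure and secret findings for one installation log on disk."""
    exposed = mode_readable_by_others(os.stat(path).st_mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        return exposed, scan_log_lines(fh)

# Constructed sample lines in the style of an installer log; they are made up
# for this example and are not taken from a real SAP ASE installation log.
SAMPLE_LOG = """\
2020-05-13 10:02:11 INFO  Installing SAP Adaptive Server Enterprise 16.0
2020-05-13 10:02:12 INFO  Server name set to ASE01
2020-05-13 10:02:14 DEBUG sa_password=Sup3rSecret!
2020-05-13 10:02:15 DEBUG Running: isql -Usa -PSup3rSecret! -SASE01 -i postinstall.sql
2020-05-13 10:02:16 INFO  Backup server name: ASE01_BS
2020-05-13 10:02:17 DEBUG password=********
2020-05-13 10:02:18 INFO  Installation completed
"""

if __name__ == "__main__":
    for f in scan_log_text(SAMPLE_LOG):
        print(f"line {f.line_no} ({f.kind}): {f.redacted}")
    # Owner-only read (0600) is the safe setting; 0644 exposes the log.
    print("0644 readable by others:", mode_readable_by_others(0o644))
```

`audit_log_file` is the function to point at the real log files on a Linux/UNIX ASE host; either a `True` exposure flag or a non-empty findings list means the log should be locked down to the owner and the leaked passwords rotated. Findings are returned with the secret already masked so they can be pasted into a ticket without spreading the password further.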
Impact
Exploiting these vulnerabilities could allow attackers to access sensitive information or execute arbitrary commands on the target systems.
Affected Products
SAP Adaptive Server Enterprise 15.7, 16.0, and prior.
Solution
SAP has released security fixes for Adaptive Server Enterprise (ASE) 15.7 and 16.0 as part of its May 2020 Security Patch Day.
We strongly recommend installing these security updates without delay.