Newly Patched SAP ASE Flaws Could Let Attackers Hack Database Servers
A new set of critical vulnerabilities uncovered in SAP's Sybase database software can grant unprivileged attackers complete control over a targeted database and even the underlying operating system in certain scenarios.
The six flaws, disclosed by cybersecurity firm Trustwave today, reside in Sybase Adaptive Server Enterprise (ASE), a relational database management software geared towards transaction-based applications.
The cybersecurity company said the issues — both specific to the operating system and the platform as a whole — were discovered during a security testing of the product, one of which has a CVSS rating of 9.1.
Identified as CVE-2020-6248, the most severe vulnerability allows arbitrary code execution when making database backups, thus allowing an attacker to trigger the execution of malicious commands.
“During database backup operations, there are no security checks for overwriting critical configuration files,” Trustwave researchers said in a report shared with The Hacker News. “That means anyone who can run the DUMP command (e.g., database owners) can perform very dangerous tasks.”
A second vulnerability (CVE-2020-6252) concerns ASE Cockpit, a web-based administrative console that's used for monitoring the status and availability of ASE servers. Impacting only Windows installations of ASE 16, the flaw lets a bad actor with access to a local network to capture user account credentials, overwrite operating system files, and even execute malicious code with LocalSystem privileges.
Two other flaws (CVE-2020-6241 and CVE-2020-6253) allows an authenticated user to execute crafted database queries to elevate their privileges via SQL injection, permitting a user with no special privileges to gain database administrator access.
In the latter case, an attacker-controlled ASE database dump is altered with malicious data before loading it into a target ASE server.
A fifth flaw (CVE-2020-6243) exists when the server does not perform necessary checks for an authenticated user while executing a stored procedure (“dummy_esp”), allowing Windows users to run arbitrary code and delete data on the ASE server.
Lastly, CVE-2020-6250 involves information disclosure in Linux systems wherein an authenticated attacker can read system administrator passwords from installation logs.
“The logs are only readable to the SAP account, but when joined with some other issue which allows filesystem access, [it] will completely compromise the SAP ASE,” the researchers noted.
After Trustwave responsibly disclosed the findings to Sybase, SAP addressed the issues in a patch that was pushed last month on May 12.
“Organizations often store their most critical data in databases, which, in turn, are often necessarily exposed in untrusted or publicly exposed environments,” Trustwave said.
“This makes vulnerabilities like these essential to address and test quickly since they not only threaten the data in the database but potentially the full host that it is running on.”
It's highly recommended that users update to the latest version of ASE to resolve the flaws.
Besides these six flaws in Adaptive Server, SAP has also released critical security patches for ABAP application server, Business Client, BusinessObjects, Master Data Governance, Plant Connectivity, NetWeaver, and SAP Identity Management software as part of its May 2020 batch of patch release.