SAP Adaptive Server Enterprise (ASE), formerly Sybase ASE and originally known as Sybase SQL Server, is a high-performance relational database server that can be deployed on-premises or in the cloud. According to SAP marketing materials it is used by more than 30,000 organizations worldwide, including banks, healthcare companies and security firms.
In May 2020, SAP released a security update fixing several vulnerabilities in its Adaptive Server Enterprise (ASE) database product.
The researchers who discovered and reported the vulnerabilities are now urging organizations to apply those patches as soon as possible, because the flaws allow attackers to take control of the database and of the servers it runs on.
Security researchers from Trustwave disclosed six vulnerabilities that they found while testing the then-latest version of the software, ASE 16 (SP03 PL08). SAP released patches for both ASE 15.7 and 16.0 in its May 2020 update; the researchers published technical details of the vulnerabilities in a blog post on Wednesday.
Code injection in SAP Adaptive Server Enterprise (Backup Server) [CVE-2020-6248]:
- This is the most critical of the six, with a Common Vulnerability Scoring System (CVSS) score of 9.1 out of 10. The flaw stems from a lack of validation that lets a critical Backup Server configuration file be overwritten during database backup (DUMP) operations.
- Any unprivileged user who is allowed to execute a DUMP DATABASE command (normally used by administrators to back up a database to a dump device) can corrupt the Backup Server's configuration file. On the next Backup Server restart, the server detects the corrupted file and replaces it with a default one.
- That default configuration allows anyone to connect to the Backup Server using the default login and an empty password.
- An attacker who connects that way can change the "sybmultbuf_binary" setting to point to a malicious executable, which the Backup Server then runs on subsequent DUMP commands. On Windows, SAP ASE runs with LocalSystem privileges by default, so this gives the attacker complete control of the machine.
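A post-patch check a practitioner would want for the Backup Server issue, as an added example that is not Trustwave's or SAP's code: parse the Backup Server configuration and flag a sybmultbuf_binary that points outside the ASE installation tree or at a file other users can modify. The "key = value" layout of the sample configuration, the placement of the setting under a [Backup Server] section, the install root /opt/sap and all sample values are assumptions made for this example; check them against your own server's configuration file.

```python
import stat
from pathlib import Path, PurePosixPath

# Constructed sample Backup Server configuration (assumed "key = value" layout).
SAMPLE_CFG = """\
[Backup Server]
    sybmultbuf_binary = /opt/sap/ASE-16_0/bin/sybmultbuf
    sybmultbuf_trace = 0
"""

# Constructed example of the kind of tampering described above: the binary
# setting now points at an attacker-controlled location.
TAMPERED_CFG = """\
[Backup Server]
    sybmultbuf_binary = /tmp/evil/sybmultbuf
"""


def parse_cfg(text: str) -> dict:
    """Parse "key = value" lines into a dict, ignoring sections and comments."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", "#", ";")):
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values


def audit_sybmultbuf(cfg_text: str, install_dir: str = "/opt/sap") -> list:
    """Return a list of findings about the sybmultbuf_binary setting (empty = clean)."""
    values = parse_cfg(cfg_text)
    findings = []
    path = values.get("sybmultbuf_binary")
    if path is None:
        findings.append("sybmultbuf_binary is not set")
        return findings

    # The binary must live inside the installation tree (absolute path, under install_dir).
    binary = PurePosixPath(path)
    root = PurePosixPath(install_dir)
    if not binary.is_absolute() or root not in binary.parents:
        findings.append(f"sybmultbuf_binary points outside {install_dir}: {path}")

    # If the file exists on this host, it must not be modifiable by group or others,
    # otherwise a local user could swap in a malicious executable.
    real = Path(path)
    if real.exists():
        mode = real.stat().st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path} is group- or world-writable")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CFG), ("tampered", TAMPERED_CFG)):
        print(name, audit_sybmultbuf(cfg) or "OK")
```

Run it against the real configuration file by reading it into audit_sybmultbuf(); a finding that the binary sits outside the install tree is a strong sign that the configuration has been tampered with, and the patch from SAP's May 2020 update is still required regardless of what the audit reports.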
Information Disclosure in SAP Adaptive Server Enterprise (Cockpit) [CVE-2020-6252]:
- A critical flaw with a CVSS score of 9.0 affects Windows installations of SAP ASE 16. It is in the Cockpit component, a web-based administrative console used to monitor the status and availability of ASE servers. Cockpit uses a small helper database based on SQL Anywhere, which also runs with LocalSystem privileges.
- The login password for that helper database is stored in a configuration file that is readable by any Windows user.
- An attacker with a local, non-privileged Windows account can recover the password from the configuration file, log in to the helper database as the special user utility_db, and issue statements such as CREATE ENCRYPTED FILE to overwrite operating system files and ultimately execute malicious code with LocalSystem privileges.
The researchers also found two SQL injection flaws that can be exploited for privilege escalation and complete compromise of the database.
SQL Injection vulnerabilities in SAP Adaptive Server Enterprise [CVE-2020-6241] | [CVE-2020-6253]:
- The first flaw (CVE-2020-6241) lies in the handling of global temporary tables. An authenticated user without any special privileges can execute crafted database queries to gain administrative access to the entire database.
- The second flaw (CVE-2020-6253) lies in code used by WebServices and is triggered by loading a maliciously crafted database dump.
- Exploiting it is a two-stage attack: first, an attacker-controlled ASE dump is created containing a malicious system table entry; then the dump is loaded on the target ASE server, and the internal SQL injection fires while the malformed entry from the dump is processed.
Code Injection in SAP Adaptive Server Enterprise (XP Server on Windows Platform) [CVE-2020-6243]:
- A third privilege escalation flaw is in the XP Server component, which is installed automatically with SAP ASE on Windows.
- It stems from insufficient security checks when an authenticated user executes an extended stored procedure.
- Any authenticated user can force the XP Server to load and execute the file C:\SAP\.DLL. That location is writable by any Windows user, so an attacker can plant a malicious DLL there.
- Because XP Server runs as LocalSystem, exploitation yields arbitrary code execution with full system privileges.
Information Disclosure in SAP Adaptive Server Enterprise [CVE-2020-6250]:
- The SAP ASE installation logs on Linux/UNIX systems contain passwords in plaintext. Any authenticated SAP account user who can read the installation logs can recover system administrator passwords.
- Combined with any other issue that grants filesystem access, this oversight can lead to full compromise of the SAP ASE deployment.
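Beyond applying the patch, a practitioner will want to find and scrub credentials that already sit in old installation logs. The following is an added example, not code from Trustwave or SAP: it scans log text for lines that look like they record a password and produces a redacted copy. The sample log lines are constructed for this example, and the two heuristic patterns (isql-style "-P<password>" arguments and "something_password=value" assignments) are assumptions about how credentials may appear; tune them after inspecting your own logs.

```python
import re
from typing import List, Tuple

# Constructed sample installation-log lines for this example.  The real ASE
# installer log format, and the exact way it records credentials, is an
# assumption here; adjust PATTERNS after looking at your own logs.
SAMPLE_LOG = """\
2020-05-13 10:02:11 INFO  Starting ASE configuration
2020-05-13 10:02:12 INFO  Running: isql -Usa -PSecretPass123 -SMYASE -i /tmp/cfg.sql
2020-05-13 10:02:13 INFO  sa_password=SecretPass123
2020-05-13 10:02:14 INFO  Backup server name: MYASE_BS
2020-05-13 10:02:15 INFO  sybase_password=******   (already masked)
"""

# Heuristic patterns for credentials in log lines; each has a "key" group
# (kept as-is) and a "secret" group (reported or redacted).
PATTERNS = [
    # isql/bcp style "-P<password>" command-line arguments
    re.compile(r"(?P<key>-P)(?P<secret>\S+)"),
    # "something_password = value" / "pass: value" style assignments
    re.compile(r"(?P<key>\b\w*pass(?:word)?\w*\s*[=:]\s*)(?P<secret>\S+)", re.I),
]


def is_masked(secret: str) -> bool:
    """True when the value is already hidden (all asterisks, or our own marker)."""
    return secret == "[REDACTED]" or set(secret) <= {"*"}


def find_secrets(log_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, secret) for every line that appears to log a credential."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for pat in PATTERNS:
            m = pat.search(line)
            if m and not is_masked(m.group("secret")):
                hits.append((lineno, m.group("secret")))
                break  # one report per line is enough
    return hits


def redact(log_text: str) -> str:
    """Return the log with every detected credential replaced by [REDACTED]."""
    def scrub(m):
        if is_masked(m.group("secret")):
            return m.group(0)  # leave already-masked values untouched
        return m.group("key") + "[REDACTED]"

    out = []
    for line in log_text.splitlines():
        for pat in PATTERNS:
            line = pat.sub(scrub, line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, secret in find_secrets(SAMPLE_LOG):
        # Report length only, so the scan itself does not re-log the secret.
        print(f"line {lineno}: plaintext credential found ({len(secret)} chars)")
    print(redact(SAMPLE_LOG))
```

Note that redacting the logs is damage control, not a fix: any password found this way should be treated as exposed and rotated, and the report deliberately prints only the length of each hit so the scan does not copy the secret into yet another log.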
Exploiting these vulnerabilities could allow attackers to access sensitive information or execute arbitrary commands on the target systems.
Affected versions: SAP Adaptive Server Enterprise 15.7, 16.0 and prior.
SAP has released security fixes for Adaptive Server Enterprise (ASE) 15.7 and 16.0 as part of its May 2020 Security Patch Day.
We strongly recommend installing these security updates without delay.