Sybase database software can grant unprivileged attackers complete
control over a targeted database and even the underlying operating
system in certain scenarios.
The six flaws, disclosed by cybersecurity firm Trustwave today,
reside in Sybase Adaptive Server Enterprise (ASE[1]), a relational database
management software geared towards transaction-based
applications.
The cybersecurity company said the issues — some specific to the
operating system and others affecting the platform as a whole — were
discovered during security testing of the product; one of them carries
a CVSS rating of 9.1.
Identified as CVE-2020-6248[2], the most severe
vulnerability allows arbitrary code execution during database
backups, letting an attacker trigger the execution of malicious
commands.
“During database backup operations, there are no security checks
for overwriting critical configuration files,” Trustwave researchers said in a report shared
with The Hacker News. “That means anyone who can run the DUMP
command (e.g., database owners) can perform very dangerous tasks.”
A second vulnerability (CVE-2020-6252[4]) concerns ASE Cockpit, a
web-based administrative console used for monitoring the status and
availability of ASE servers. Affecting only Windows installations of
ASE 16, the flaw lets a bad actor with access to the local network
capture user account credentials, overwrite operating system files,
and even execute malicious code with LocalSystem privileges.
Two other flaws (CVE-2020-6241[5] and CVE-2020-6253[6]) allow an
authenticated user to execute crafted database queries and elevate
their privileges via SQL injection, permitting a user with no special
privileges to gain database administrator access.
In the latter case (CVE-2020-6253), an attacker-controlled ASE
database dump is altered with malicious data before being loaded into
a target ASE server.
A fifth flaw (CVE-2020-6243) arises because the server does not
perform the necessary checks on an authenticated user while executing
a stored procedure (“dummy_esp”), allowing Windows users to run
arbitrary code and delete data on the ASE server.
Lastly, CVE-2020-6250[7] is an information disclosure issue on Linux
systems in which an authenticated attacker can read system
administrator passwords from installation logs.
“The logs are only readable to the SAP account, but when joined
with some other issue which allows filesystem access, [it] will
completely compromise the SAP ASE,” the researchers noted.
After Trustwave responsibly disclosed the findings to Sybase,
SAP addressed the issues[8] in a patch that was
pushed last month on May 12.
“Organizations often store their most critical data in
databases, which, in turn, are often necessarily exposed in
untrusted or publicly exposed environments,” Trustwave said.
“This makes vulnerabilities like these essential to address and
test quickly since they not only threaten the data in the database
but potentially the full host that it is running on.”
It’s highly recommended that users update to the latest version
of ASE to resolve the flaws.
Besides these six flaws in Adaptive Server, SAP has also
released critical security patches for ABAP application server,
Business Client, BusinessObjects, Master Data Governance, Plant
Connectivity, NetWeaver, and SAP Identity Management software as
part of its May 2020 batch of patches.
References
[1] ASE (www.sap.com)
[2] CVE-2020-6248 (cve.mitre.org)
[3] researchers said (www.trustwave.com)
[4] CVE-2020-6252 (cve.mitre.org)
[5] CVE-2020-6241 (cve.mitre.org)
[6] CVE-2020-6253 (cve.mitre.org)
[7] CVE-2020-6250 (cve.mitre.org)
[8] SAP addressed the issues (wiki.scn.sap.com)