If the security patches SAP delivered in May for ASE are not applied immediately by the companies that use the relational database, attackers could take complete control of it, and of the servers on which it is installed. SAP customers, however, regularly fall behind on security patches because the high level of customization in their environments requires compatibility testing first.
It is now urgent to apply the patches SAP delivered in May for its Adaptive Server Enterprise (ASE) database. Thousands of companies around the world use ASE, which SAP obtained through its acquisition of Sybase in 2010. The security researchers who discovered and reported the vulnerabilities are urging organizations to deploy the patches as quickly as possible, because the flaws may allow attackers to take control of the databases and of the servers on which they run. SAP ASE, previously known as Sybase SQL Server, is a high-performance relational database with on-premises and cloud deployment options. According to SAP's figures, it is used by more than 30,000 organizations worldwide, including 90% of the largest banks and securities firms.
The security update SAP released in May contains 18 bulletins, 7 of which cover vulnerabilities found in ASE. The flaws range in severity from medium to critical. Six of them were reported by researchers at Trustwave, who documented them in a post yesterday. With detailed information now publicly available, businesses need to make sure the fixes are applied immediately. “Organizations often store their most critical data in databases which, in turn, are often found in untrusted environments or are exposed to the public,” Trustwave said. “It is therefore essential to take them into account quickly and carry out tests, because they threaten not only the data in the database but also, potentially, the entire host on which it is running.”
CVE-2020-6248, score of 9.1, risk of code injection
The most serious flaw, CVE-2020-6248, has a critical score of 9.1 out of 10 on the CVSS (Common Vulnerability Scoring System) scale. It stems from missing security checks on configuration files during database backup operations. More specifically, any user authorized to run the DUMP command can corrupt the configuration file on the backup server. “The next time the backup server is restarted, the corruption of the configuration file will be detected by the server and it will replace the configuration with the default,” the Trustwave researchers explain. “And the default configuration allows anyone to connect to the backup server using the same login and an empty password!” Attackers can then change the sybmultbuf_binary parameter on the server to point to a malicious executable and trigger its execution with subsequent DUMP commands. On Windows this happens with LocalSystem privileges by default, which gives the attacker and their malicious code complete control of the machine.
Another privilege escalation vulnerability, CVE-2020-6252, has a CVSS score of 9.0. The problem lies in the Cockpit component of ASE, which uses a small helper database based on SQL Anywhere that also runs with LocalSystem privileges. The password for connecting to this helper database is stored in a configuration file that every user of the operating system can read. An attacker with access to an unprivileged local Windows account can therefore also reach this small database and execute commands that overwrite OS files, which could lead to malicious code running with LocalSystem privileges. A third privilege escalation vulnerability, CVE-2020-6243 with a CVSS score of 8.0, sits in the XP Server component, which is installed automatically with SAP ASE on Windows. Any database user, whatever their privilege level, can force XP Server to execute the file C: SAP .DLL. That location is writable by any Windows user, so an attacker could place a malicious file there instead. Since XP Server runs as LocalSystem, exploiting this flaw can lead to arbitrary code execution with full system privileges.
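Both of the flaws just described come down to file permissions: a configuration file with a password that every OS user can read, and a directory that every Windows user can write to while a LocalSystem service loads a DLL from it. The script below is an added example (not Trustwave's or SAP's code) of the audit a defender would run on such a host: it parses the output of `icacls <path>` and reports access-control entries that grant broad built-in groups read rights on a file or write/add rights on a directory. The paths `C:\SAP` and `C:\SAP\cockpit.cfg` and both ACL listings are constructed for the demo; the real file locations are not given in the article.

```python
"""Flag over-broad Windows ACL grants in `icacls` output.

Added example, not Trustwave's or SAP's code. The paths C:\\SAP and
C:\\SAP\\cockpit.cfg and both ACL listings below are constructed.
"""
import subprocess
import sys

# Groups that every local account is effectively a member of.
BROAD_PRINCIPALS = {
    "Everyone",
    "BUILTIN\\Users",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
}
# icacls abbreviations: F full, M modify, W write, R read, RX read+execute,
# RD read data, WD write data / add file, AD append data / add subdirectory,
# GA/GR/GW generic all/read/write.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD"}
READ_RIGHTS = {"F", "M", "R", "RX", "RD", "GA", "GR"}
# Tokens that describe inheritance or deny semantics rather than rights.
FLAG_TOKENS = {"I", "OI", "CI", "IO", "NP", "DENY"}


def parse_icacls(output: str, path: str) -> list[tuple[str, set[str], set[str]]]:
    """Split icacls output for `path` into (principal, flags, rights) triples."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):          # only the first line carries the path
            line = line[len(path):].strip()
        principal, sep, spec = line.rpartition(":")
        if not sep:
            continue                        # not an ACE line
        tokens = set()
        for group in spec.strip("()").split(")("):
            tokens.update(t.strip() for t in group.split(","))
        aces.append((principal.strip(), tokens & FLAG_TOKENS, tokens - FLAG_TOKENS))
    return aces


def broad_grants(aces, rights_of_interest: set[str]) -> list[tuple[str, list[str]]]:
    """Allow-entries that give a broad principal any of `rights_of_interest`."""
    findings = []
    for principal, flags, rights in aces:
        if "DENY" in flags or "IO" in flags:   # deny entries and inherit-only
            continue                           # entries do not grant on this object
        hit = rights & rights_of_interest
        if principal in BROAD_PRINCIPALS and hit:
            findings.append((principal, sorted(hit)))
    return findings


def audit_live(path: str, rights_of_interest: set[str]):
    """Run icacls on a real path (Windows only) and return the findings."""
    out = subprocess.run(["icacls", path], capture_output=True, text=True, check=True).stdout
    return broad_grants(parse_icacls(out, path), rights_of_interest)


# Constructed listing for a directory created directly under C:\ : the default
# inherited ACEs give BUILTIN\Users add-file (WD) and add-subdirectory (AD).
SAMPLE_DIR_ACL = r"""C:\SAP NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
       BUILTIN\Administrators:(I)(OI)(CI)(F)
       BUILTIN\Users:(I)(OI)(CI)(RX)
       BUILTIN\Users:(I)(CI)(AD)
       BUILTIN\Users:(I)(CI)(WD)
       CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""
# Constructed listing for a config file that every user can read.
SAMPLE_FILE_ACL = r"""C:\SAP\cockpit.cfg NT AUTHORITY\SYSTEM:(I)(F)
                   BUILTIN\Administrators:(I)(F)
                   BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) > 1:
        print(audit_live(sys.argv[1], WRITE_RIGHTS | READ_RIGHTS))
    else:
        print(broad_grants(parse_icacls(SAMPLE_DIR_ACL, r"C:\SAP"), WRITE_RIGHTS))
        print(broad_grants(parse_icacls(SAMPLE_FILE_ACL, r"C:\SAP\cockpit.cfg"), READ_RIGHTS))
```

The check is a heuristic: it matches principal names as icacls prints them on an English system (localized group names need adding to `BROAD_PRINCIPALS`), and it does not resolve nested group membership, so a custom group that contains Everyone would not be flagged. Inherit-only entries are skipped because they govern objects created inside the directory, not the directory itself; what matters for planting a file is the WD/AD grant on the directory, which the sample shows.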
Two SQL injection vulnerabilities
The security researchers also tracked down and reported two SQL injection vulnerabilities that can lead to compromise of the entire database. One of them (CVE-2020-6241, CVSS score of 8.8) lies in the routine that handles global temporary tables. Any valid database user, without special privileges, can use it to gain administrator access to the whole database. The second (CVE-2020-6253, CVSS score of 7.2) sits in the WebServices handling code and can be triggered by loading a database dump crafted for this purpose. “The attack takes place in two stages: first, on an ASE controlled by an attacker, a dump is created to contain a malicious system table entry,” the researchers explained. “Then, the copy is loaded on the attacked ASE database so that the internal SQL injection occurs during the processing of the erroneous entry of the copy.”
The last vulnerability (CVE-2020-6250, CVSS score of 6.8) is an information disclosure. The installation logs for ASE on Unix and Linux systems contain passwords in clear text. These logs can only be read by the SAP account, but if another problem grants access to the file system, this can lead to complete compromise of the ASE deployment.
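Because the only control on those logs is who can read them, the practical response is to find which log files hold credentials and purge or tighten them. The script below is an added example (not SAP's or Trustwave's code) of that check on Unix/Linux: it walks a log directory, reports files that group or others can read, and lists, with the value redacted, the lines that look like a credential assignment. The credential key names, the log directory and the log contents are constructed assumptions for the demo; the real installer log format is not described in the article.

```python
"""Find cleartext credentials in installer logs and check who can read them.

Added example, not SAP's or Trustwave's code. The log directory, file name,
log contents and credential key names are constructed for the demo.
"""
import os
import re
import stat
import tempfile

# Key/value shapes seen in installer logs; the key list is an assumption and
# should be extended for the installer in use.
CRED_PATTERN = re.compile(r"(?i)(passwd|password|pass|pwd)\s*[=:]\s*(\S+)")


def readable_by_others(path: str) -> bool:
    """True if the group or other mode bits allow reading the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def credential_lines(text: str) -> list[tuple[int, str]]:
    """Return (line number, redacted line) for every line matching CRED_PATTERN."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        if CRED_PATTERN.search(line):
            redacted = CRED_PATTERN.sub(lambda m: f"{m.group(1)}=<redacted>", line)
            hits.append((number, redacted))
    return hits


def audit_logs(directory: str, suffixes=(".log", ".txt")) -> dict[str, dict]:
    """Map each log file worth attention to its mode check and credential hits."""
    results = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = credential_lines(fh.read())
            if hits or readable_by_others(path):
                results[path] = {"readable_by_others": readable_by_others(path),
                                 "credentials": hits}
    return results


# Constructed log excerpt; the values are placeholders, not real credentials.
SAMPLE_LOG = """\
[INFO] 2020-05-13 Starting ASE installer
[INFO] sa_password=S3cretValue!
[INFO] Configuring backup server
[INFO] dbpassword: another-one
[INFO] Done
"""


def demo() -> dict:
    """Write SAMPLE_LOG to a temp dir and audit it under mode 0644, then 0600."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ase_install.log")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_LOG)
        os.chmod(path, 0o644)
        loose = audit_logs(tmp)[path]
        os.chmod(path, 0o600)
        tight = audit_logs(tmp)[path]
    return {"readable_0644": loose["readable_by_others"],
            "readable_0600": tight["readable_by_others"],
            "credentials": tight["credentials"]}


if __name__ == "__main__":
    print(demo())
```

Run it against the real installer log directory with `audit_logs("/path/to/logs")`; any file that appears in the result either contains a credential-looking line and should be scrubbed or deleted, or is readable beyond its owner and should be chmod'ed to 0600. The redacted output is safe to paste into a ticket, which is the point of redacting at match time rather than after.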
Too much custom code delays patching
SAP has released fixes for versions 15.7 and 16.0 of the ASE database. But security experts have warned in the past that the vendor's customers regularly lag behind on applying the patches delivered, because of the high level of customization in their environments. The security firm Onapsis, which specializes in securing critical applications, estimates that each SAP deployment carries an average of 2 million lines of custom code added by its users. This complicates the application of security updates and configuration changes, since compatibility tests must be performed first.
ASE deployments exposed directly to the Internet are more vulnerable, but the flaws can also be exploited by attackers who reach corporate networks through other attack vectors and then move laterally. “It is good practice not to expose any database on the Internet, but sometimes companies do,” Martin Rakhmanov, head of security research at Trustwave SpiderLabs, told CSO. “The flaws discovered can be used in both cases, but I think the phased (lateral) approach attack scenario should be more common.” Rakhmanov clarified that Trustwave has no telemetry on the patching status of SAP ASE deployments in client environments, but reiterated his usual recommendation: “Patch in a timely manner, that is to say as quickly as possible.”