Researchers reveal that patched SAP ASE flaws could lead to hacks

System takeover is possible through new SAP Adaptive Server Enterprise vulnerabilities

Flaws in the software can allow complete control of the database. Vulnerabilities revealed in SAP ASE include a missing authorization check, an SQL injection vulnerability, and 4 more.

Flaws in SAP Adaptive Server Enterprise (ASE) allow unauthorized users to gain full control of the database and, in some cases, the operating system,[1] according to new research conducted by the Trustwave team.[2] These six flaws in Sybase Adaptive Server Enterprise[3] can be used against targeted databases and cause huge losses, since this is a relational database management program focused on transaction-based software.

The vulnerabilities discovered were linked not only to the operating systems but to the platform as a whole. The most severe flaw, identified as CVE-2020-6248,[4] can lead to arbitrary code execution and allow attackers to trigger the launch of various malicious processes.

Researchers state that anyone who can run the command can perform dangerous tasks:

During database backup operations, there are no security checks for overwriting critical configuration files.

Multiple vulnerabilities with different severity ratings exposed

Besides the flaw mentioned above, researchers found other vulnerabilities. One of them concerns ASE Cockpit, a web-based admin console used to monitor the status and check the availability of ASE servers. This flaw affects ASE 16 installations on Windows devices only and lets hackers gain access to the network and capture user account credentials, overwrite data in the OS folders, and even execute malicious code with LocalSystem privileges.

Other flaws can allow an authenticated user to execute queries in the database that elevate their rights via SQL injection. In this way, a user with no specific privileges can gain administrative access to the targeted database. Researchers noted that some cases can involve malicious data before the database is loaded into the ASE server.

Another flaw exists because the server does not perform the needed checks for user authentication. When these checks are not done during the execution of stored procedures, Windows users can run arbitrary code or delete data on the ASE server. The last flaw reported creates risks on Linux systems, where an authenticated attacker can read information such as system administrator passwords from installation logs. Typically these logs are readable only by the SAP account, but these flaws allow system file access, so this may lead to a completely compromised SAP ASE.

Organizations affected since their critical data gets stored in databases

These vulnerabilities were found after the patch on Sybase.[5] Researchers disclosed their findings because the flaws are important: they not only affect the data in the database but can also trigger issues with the host that the database is running on. These flaws may create further issues:

We've focused on the latest version which was ASE 16 SP03 PL08 but it should be noted that older versions are also vulnerable to many of the flaws.

The latest SAP update includes fixes for the six vulnerabilities mentioned. Flaws related to the ABAP application server, Business Client, Master Data Governance, and other software were also patched in the May 2020 batch of patches. Users are advised to update the software to the latest version to resolve the issues with ASE.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
