In May, SAP announced several security fixes for its Adaptive Server Enterprise (ASE) database product, which thousands of enterprises worldwide use.
The researchers who discovered and reported the vulnerabilities are now urging organisations to deploy those patches as soon as possible, because the flaws allow attackers to take control of the underlying database systems and the servers they run on.
ASE, previously known as Sybase SQL Server, is a high-performance relational database server with on-premise and cloud deployment options that is used by over 30,000 organisations worldwide, including over 90 per cent of the world's top 50 banks and security firms, according to SAP marketing materials.
SAP's Security Patch Day for May saw the release of 18 Security Notes, seven of which covered vulnerabilities in SAP ASE with medium to critical severity.
Six of the flaws were reported by security researchers from Trustwave and were documented in a blog post on Wednesday. With detailed information now publicly available, organisations should make sure the patches are applied immediately.
"Organisations often store their most critical data in databases, which, in turn, are often necessarily exposed in untrusted or publicly exposed environments," the Trustwave researchers said in their report. "This makes vulnerabilities like these essential to address and test quickly since they not only threaten the data in the database but potentially the full host that it is running on."
SAP ASE vulnerabilities
The most serious vulnerability, tracked as CVE-2020-6248, has a score of 9.1 out of 10 in the Common Vulnerability Scoring System (CVSS) and stems from a lack of security checks on configuration files during database backup operations.
More specifically, the flaw allows any user with permission to run the DUMP database command to corrupt the configuration file on the Backup Server.
"On the next Backup Server restart the corruption of the configuration file will be detected by the server and it will replace the configuration with the default one," the Trustwave researchers explained. "And the default configuration allows anyone to connect to the Backup Server using the same login and an empty password!"
Attackers can then change the sybmultbuf_binary setting on the server to point to a malicious executable and trigger its execution with subsequent DUMP commands. On Windows, this operation is performed with LocalSystem privileges by default, which grants the potential hacker and their malicious code complete control over the machine.
Another privilege escalation vulnerability that affects SAP ASE on Windows is tracked as CVE-2020-6252 and has a CVSS score of 9.0. The issue affects the Cockpit component of SAP ASE, which uses a small helper database based on SQL Anywhere and also runs with LocalSystem privileges.
The problem is that the password used to log in to this helper database is stored in a configuration file that is readable by all users of the operating system. An attacker with access to a local non-privileged Windows account can therefore access the helper database and issue commands that can overwrite operating system files, which can potentially result in the execution of malicious code with LocalSystem privileges.
A third privilege escalation flaw, CVE-2020-6243 with a CVSS 8.0 score, exists in the XP Server component that is automatically installed with SAP ASE on Windows.
Any user of the database, regardless of privilege, can force the XP Server to execute the C:\SAP\.DLL file. This file location is writable by any Windows user, so attackers can replace the file with a malicious one. Since XP Server runs as LocalSystem, exploitation of this flaw can lead to arbitrary code execution with full system privileges.
The researchers also found and reported two SQL injection vulnerabilities that can result in the complete compromise of the database. One of them, tracked as CVE-2020-6241 with a CVSS 8.8 score, stems from the handling routine for global temporary tables.
Any valid user of the database, without any special privileges, can exploit this vulnerability to gain administrative access to the entire database. The second, CVE-2020-6253 with CVSS 7.2, exists in the WebServices handling code and can be triggered by loading a maliciously crafted database dump.
"The attack is two-stage: first on an attacker-controlled ASE a dump is created so that it contains a malicious system table entry," the researchers explained. "Next the dump is loaded on the ASE being attacked so that the internal SQL injection happens during processing of the malformed entry from the dump."
The last vulnerability, CVE-2020-6250, has a CVSS 6.8 score and is an information leak: the SAP ASE installation logs on Linux/UNIX systems contain passwords in plaintext. The installation logs are only readable by the SAP account, but if some other issue allows filesystem access, this oversight can result in the full compromise of the SAP ASE deployment.
Patching and mitigations for the SAP ASE vulnerabilities
SAP released patches for both ASE 15.7 and 16.0, but security experts have warned in the past that SAP customers regularly fall behind on patches because of the high level of customisation in their environments. Security firm Onapsis, which specialises in securing business-critical applications, estimates that every SAP deployment has on average 2 million lines of custom code added by its users.
That makes applying security updates and making configuration changes a complicated process, since compatibility tests need to be performed first.
SAP ASE deployments that are exposed directly to the internet are at greater risk, but these vulnerabilities can also be used for lateral movement by attackers who gain access to corporate networks using other attack vectors.
"It is the best practice to not expose any database to the Internet, but sometimes organisations do that," Martin Rakhmanov, security research manager at Trustwave SpiderLabs, tells CSO. "The flaws discovered are useful in both cases, but I would assume the lateral movement type scenario should be more common for exploitation."
Rakhmanov says that Trustwave does not have any telemetry about the patch state of SAP ASE deployments in customer environments but reiterated his usual recommendation: "Patch timely, which is ASAP."