SAP ASE leaves sensitive credentials in installation logs

Two vulnerabilities in SAP ASE's Cockpit component leave some sensitive information available to anyone on the network and other data susceptible to brute-force attacks.

SAP users should deploy the patches for Adaptive Server Enterprise (ASE) released last month because the server fails to clear credentials from persistent installation logs. Even though the credentials are encrypted or hashed, researchers warn that attackers can easily decrypt them to gain full access to a sensitive monitoring component.

Previously known as Sybase SQL Server, the SAP Adaptive Server Enterprise (ASE) is a high-performance relational database with on-premise and cloud deployment options. The product is used by over 30,000 organizations worldwide, including over 90% of the world's top 50 banks.

SAP ASE is a complex piece of software with many components, one of which is called Cockpit and is used to monitor the performance of large-scale deployments. The Cockpit agent is installed by default and broadcasts information about the ASE host to clients. According to SAP, Cockpit's features include historical monitoring, threshold-based alerts and notifications, alert-based script execution and tools for identifying performance and usage trends.

Two SAP ASE information leaks

On Thursday, researchers from security firm Trustwave released detailed information and proof-of-concept exploit code for two information leak issues that can compromise administrative passwords for Cockpit on SAP ASE deployments.

The first vulnerability, tracked as CVE-2020-6295, stems from ASE failing to enforce proper file access controls for its installation log on Windows. This is the file where the product writes debug information every time a component is installed or updated. The log file persists on the host and is configured to be readable by any Windows user. This means that a potential attacker only needs access to a limited account on the system, which in many cases is not hard to obtain on a Windows network.

An encrypted version of the Cockpit repository password is written to the log file every time the component is updated. While this might not look like much of a problem, researchers from Trustwave figured out that the information needed to decrypt it can be found in two other files, and csikeystore.jceks, that are also readable to any user on the system.

" contains the keystore password while the csikeystore.jceks is the actual keystore. A very useful script for the research is C:\SAP\COCKPIT-4\bin\passencrypt.bat," Trustwave said in its advisory, which includes a proof-of-concept exploit written in Java that can be used to extract the password.

The vulnerability is rated as high severity with a CVSS score of 7.8 because when decrypted, this password can be used to view, modify or make unavailable Cockpit data.
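A defender-side check for the condition described above, added here as an example and not taken from Trustwave's advisory or from SAP: it lists Allow entries that give broad Windows groups read access to the files you name. The script name `Check-BroadRead.ps1` and the paths passed to it are assumptions, since the article does not give the log file's location.

```powershell
# Added example: report files whose ACL lets broad groups read them.
# Usage (script name and paths are placeholders for your own install):
#   .\Check-BroadRead.ps1 -Path 'D:\path\to\install.log','D:\path\to\csikeystore.jceks'
param(
    [Parameter(Mandatory)]
    [string[]]$Path
)

# Well-known SIDs for principals that include unprivileged local users.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
$ReadBit = [System.Security.AccessControl.FileSystemRights]::ReadData

function Get-BroadReadAccess {
    param([Parameter(Mandatory)][string]$LiteralPath)

    if (-not (Test-Path -LiteralPath $LiteralPath -PathType Leaf)) {
        Write-Warning "Not found, skipped: $LiteralPath"
        return
    }
    $acl = Get-Acl -LiteralPath $LiteralPath
    # Ask for SIDs so localized group names cannot hide a match.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        # Only Allow entries are listed; Deny entries are not evaluated,
        # so treat the output as a review list, not effective access.
        if ($rule.AccessControlType -eq 'Allow' -and
            $BroadSids.ContainsKey($sid) -and
            (($rule.FileSystemRights -band $ReadBit) -ne 0)) {
            [pscustomobject]@{
                Path      = $LiteralPath
                Principal = $BroadSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

$findings = foreach ($p in $Path) { Get-BroadReadAccess -LiteralPath $p }
if ($findings) { $findings | Format-Table -AutoSize }
else { 'No broad read access found on the files checked.' }
```

An entry marked as inherited points at the parent directory's ACL, which is where the permission needs to be tightened.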

The second information disclosure vulnerability is tracked as CVE-2020-6317 and stems from the same file permissions issue. The SAP ASE log file also includes SHA-256 hashes and base64-encoded salts for the sccadmin and uafadmin passwords. These are two administrative accounts associated with Cockpit.

This vulnerability is only rated as 2.6 on the CVSS scale because the passwords are hashed. However, Martin Rakhmanov, Trustwave's security research manager, tells CSO that it's easy to decode the salt and run dictionary-based offline brute-force attacks against the hashes to crack the passwords. Looping over dictionaries with SHA-256 is very fast, he said.

This is not the first time that improper file access controls have exposed SAP ASE and Cockpit. SAP's May security updates included a fix for a privilege escalation vulnerability resulting from a Cockpit helper database password being included in a configuration file that was readable by all system users. The password could allow attackers to run database commands that would overwrite operating system files and lead to malicious code execution with LocalSystem privileges.

"In the end, exploiting the vulnerabilities discussed here will allow malicious users to either guess privileged user passwords (CVE-2020-6317) or just decrypt it (CVE-2020-6295) and then use compromised accounts for subsequent attacks," the Trustwave researchers warned. "Do not wait: Apply the vendor-provided patches ASAP."
