Researchers Disclose 2 Critical Vulnerabilities in SAP ASE
Trustwave Analysts Find Total of Six Flaws in the Popular Database Software
Researchers at the security firm Trustwave on Wednesday disclosed six vulnerabilities in SAP Adaptive Server Enterprise 16.0 (ASE) database software.
Two of the vulnerabilities in the software, which is the latest version, are listed as critical, meaning attackers could perform arbitrary code execution and tamper with a system's data. The remaining four vulnerabilities are considered either high or medium risk.
"Organizations often store their most critical data in databases, which, in turn, are often necessarily exposed in untrusted or publicly exposed environments. This makes vulnerabilities like these essential to address and test quickly since they not only threaten the data in the database but potentially the full host that it is running on," writes Martin Rakhmanov, security research manager at Trustwave SpiderLabs.
Trustwave tells Information Security Media Group that it has not seen any instances of exploits of these vulnerabilities.
SAP did not immediately reply to a request for comment.
The first of the two critical vulnerabilities stems from the database software failing to perform the necessary validation checks for an authenticated user while executing "dump" or "load" commands. According to the National Vulnerability Database description, a malicious actor can exploit this to achieve arbitrary code execution or code injection.
"On the next backup server restart, the corruption of the configuration file will be detected by the server and it will replace the configuration with the default one. And the default configuration allows anyone to connect to the backup server using the sa login and an empty password," Rakhmanov says. "The problem is that the password to log into the helper database is in a configuration file that is readable by everyone on Windows."
CVE-2020-6252 affects only the Windows version of SAP ASE 16 with Cockpit. The problem here is that the password used to log into the helper database is stored in a configuration file that is readable by everyone on Windows. This means any valid Windows user can copy the file and recover the password. They are then able to log into the SQL Anywhere database as the special user "utility_db," issue commands and possibly execute code with local system privileges, Rakhmanov writes.
One of the high-rated vulnerabilities, CVE-2020-6241, was introduced when ASE 16 added global temporary tables. A flaw in how these tables handle DDL statements allows any valid database user to quickly gain database administrator access.
The report states that another high-rated vulnerability, CVE-2020-6243, only affects the SAP ASE XP Server on the Windows platform. This flaw can give an attacker the ability to read, modify and delete restricted data on connected servers, leading to code injection.
One of the medium-rated vulnerabilities, CVE-2020-6253, is an internal SQL injection in the WebServices handling code. The flaw can only be exploited by a database owner, because triggering it involves loading a database dump, but a malicious actor who takes advantage of it will be granted admin access, the report says.
"The attack is two-stage: First, on an attacker-controlled ASE, a dump is created so that it contains a malicious system table entry. Next, the dump is loaded on the ASE being attacked so that the internal SQL injection happens during processing of the malformed entry from the dump," Rakhmanov writes.
The other medium-rated vulnerability, CVE-2020-6250, refers to cleartext passwords found in the installation logs. But it only affects Linux and UNIX installations, according to Trustwave.