Governance & Risk Management , Patch Management

Researchers Disclose 2 Critical Vulnerabilities in SAP ASE

Trustwave Analysts Find Total of Six Flaws in the Popular Database Software
Researchers Disclose 2 Critical Vulnerabilities in SAP ASE

Researchers at the security firm Trustwave on Wednesday disclosed six vulnerabilities in SAP Adaptive Server Enterprise 16.0 (ASE) database software.

See Also: Cyber Hygiene and Asset Management Perception vs. Reality

Two of the vulnerabilities in the software, which is the latest version, are listed as critical, meaning attackers could perform arbitrary code execution and tamper with a system's data. The remaining four vulnerabilities are considered either high or medium risk.

"Organizations often store their most critical data in databases, which, in turn, are often necessarily exposed in untrusted or publicly exposed environments. This makes vulnerabilities like these essential to address and test quickly since they not only threaten the data in the database but potentially the full host that it is running on," writes Martin Rakhmanov, security research manager at Trustwave SpiderLabs.

Trustwave tells Information Security Media Group that it has not seen any instances of exploits of these vulnerabilities.

SAP did not immediately reply to a request for comment.

Critical Vulnerabilities

The two vulnerabilities rated critical are CVE-2020-6248 and CVE-2020-6252

The former vulnerability refers to the database software failing to perform the necessary validation checks for an authenticated user while executing "dump" or "load" commands that can be exploited by a malicious actor to allow arbitrary code execution or code Injection, according to the National Vulnerability Database description.

"On the next backup server restart, the corruption of configuration file will be detected by the server and it will replace the configuration with the default one. And the default configuration allows anyone to connect to the backup server using the sa login and an empty password," Rakhmanov says. "The problem is that the password to log into the helper database is in a configuration file that is readable by everyone on Windows."

CVE-2020-6252 affects only the Windows version of SAP ASE 16 with Cockpit. The problem here is the password to log into the helper database is in a configuration file that is readable by everyone on Windows. This means any valid Windows user can take the file and then recover the password. Then, they are able to log into the SQL Anywhere database as the special user "utility_db" and begin to issue commands and possibly execute code with local system privileges, Rakhmanov writes.

High-Rated Vulnerabilities

One of the high-rated vulnerabilities, CVE-2020-6241, was created when ASE 16 was updated with global temporary tables, which have a flaw when handling DDL statements that allows any valid database user to quickly gain database administrator access.

The report states that another high-rated vulnerability, CVE-2020-6243, only affects the SAP ASE XP Server on Windows platform. This flaw can give the attacker the ability to read, modify and delete restricted data on connected servers, leading to code injection.

Medium-Rated Vulnerabilities

One of the medium-rated vulnerabilities, CVE-2020-6253 is an issue with internal SQL injections in the WebServices handling code. The problem can only be exploited by the database owner because the flaw involves loading a database dump but if a malicious actor takes advantage, they will be granted admin access, the report says.

"The attack is two-stage: First on an attacker-controlled ASE a dump is created so that it contains malicious system table entry. Next the dump is loaded on ASE being attacked so that the internal SQL injection happens during processing of the malformed entry from the dump," Rakhmanov writes.

The other medium-rated vulnerability, CVE-2020-6250, refers to cleartext passwords found in the installation logs. But it only affects Linux and UNIX installations, according to Trustwave.

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.