Recent SAP ASE Vulnerabilities Could Allow Attackers to Compromise Database Servers

Critical Vulnerabilities Discovered in SAP’s Sybase Database Software

A new set of severe vulnerabilities in SAP’s Sybase Adaptive Server Enterprise (ASE) database software has come to light, potentially allowing unprivileged attackers to gain complete control over targeted databases, and in some cases, the underlying operating system. These critical flaws, revealed by Trustwave, a cybersecurity firm, highlight significant security risks related to transaction-based applications managed through ASE.

Trustwave disclosed six vulnerabilities during routine security testing of the software. Among these, one vulnerability, identified as CVE-2020-6248, stands out with a severity rating of 9.1 on the CVSS scale. This flaw enables arbitrary code execution during database backup operations, creating an opportunity for attackers to execute unauthorized commands by exploiting the backup functionality.

A second vulnerability, CVE-2020-6252, is specifically linked to the ASE Cockpit, a web-based administrative interface primarily used for monitoring ASE server status. It affects Windows installations of ASE version 16 and could allow an attacker with network access to capture user credentials, overwrite operating system files, and execute malicious code with LocalSystem privileges.

Additional vulnerabilities include CVE-2020-6241 and CVE-2020-6253, which allow authenticated users to execute crafted database queries that could escalate their privileges through SQL injection. These vulnerabilities cover scenarios in which an attacker can gain unauthorized database administrator access by manipulating database dumps.

Moreover, CVE-2020-6243 presents a risk during the execution of stored procedures, wherein the absence of required checks enables Windows users to run arbitrary code, potentially leading to data loss on the ASE server. Additionally, CVE-2020-6250 exposes sensitive information on Linux systems, allowing authenticated attackers to read administrative passwords from installation logs. This is a particular concern, as it could lead to full compromise of SAP ASE when combined with other vulnerabilities that permit file system access.

After responsibly disclosing these findings to SAP, Trustwave reported that the company pushed a patch to address these vulnerabilities on May 12, 2020. Given that critical data is often stored within databases, and these databases can be exposed to untrusted environments, quickly addressing such vulnerabilities is crucial for safeguarding sensitive information.

The identified vulnerabilities in ASE could align with several tactics as outlined in the MITRE ATT&CK framework. Notably, techniques related to initial access, privilege escalation, and execution—central to the vulnerabilities—underscore the sophisticated nature of potential cyber threats targeting businesses utilizing SAP ASE. Business owners are strongly advised to update to the latest version of ASE as a preventive measure against these security flaws.

In addition to the vulnerabilities in ASE, SAP has also released critical patches for other software systems, including ABAP application server, Business Client, and more, as part of its May 2020 patch updates. These actions reflect ongoing efforts to bolster cybersecurity and protect organizational assets against emerging threats in a rapidly evolving digital landscape.
