Six critical vulnerabilities were recently disclosed in SAP Adaptive Server Enterprise that could allow hackers to execute arbitrary code, expose passwords, and elevate privileges. SKOUT recommends updating SAP ASE to the latest version.
Technical detail and additional information
What is the threat?
This May, SAP detailed and released patches for seven flaws affecting SAP Adaptive Server Enterprise (ASE) on both Windows and Linux, and details regarding six of those vulnerabilities have now been disclosed. These vulnerabilities vary in both severity and potential impact, but all of them have been patched at this time. The vulnerabilities are as follows:
- An arbitrary code execution vulnerability that allows an attacker to corrupt a backup server configuration file with a single command. This results in the configuration file reverting to default login credentials, allowing an attacker to access it and use it to run arbitrary code at elevated privilege. (CVE-2020-6248)
- An information disclosure vulnerability in the Cockpit component used in default SAP ASE installations on Windows. Cockpit uses a small SQL Anywhere database that runs with LocalSystem privileges, and the login password is visible to all users. (CVE-2020-6252)
- A privilege escalation vulnerability stemming from a SQL injection that allows users with no special rights to connect to the server and increase their user privileges, up to administrator. (CVE-2020-6241)
- An additional privilege escalation vulnerability stemming from a SQL injection that allows escalation to administrator, but only database owners may exploit it. (CVE-2020-6253)
- An arbitrary code execution vulnerability via XP Server, with code running as LocalSystem, where database users (with any privilege) could have the server attempt to load and execute extended stored procedures that do not exist. (CVE-2020-6243)
- An information disclosure vulnerability in which an unauthenticated attacker can read plaintext passwords of system administrators from installation logs. (CVE-2020-6250)
Why is this noteworthy?
SAP ASE is a very common tool used by a wide variety of organizations, and this sizable list of vulnerabilities puts them at risk. In particular, several of the listed vulnerabilities have been assigned a Common Vulnerability Scoring System (CVSS) score that qualifies them as “critical”, which places them in the highest bracket of CVSS scores. These scores are calculated from a large number of metrics and range from 0 (no severity) to 10 (critical severity). The critical vulnerabilities are CVE-2020-6248 (CVSS 9.1) and CVE-2020-6252 (CVSS 9.0). The remaining vulnerabilities scored no lower than 7.0, making them at least high severity.
What is the exposure or risk?
The six vulnerabilities listed carry at least slightly different risks depending on which one is in question.
- CVE-2020-6252 and CVE-2020-6250 are information disclosure vulnerabilities, both of which display login information. Exploitation of these vulnerabilities can allow an attacker to steal this login information, log in to these administrative accounts, and perform any actions that they are capable of with their elevated privileges.
- CVE-2020-6248 and CVE-2020-6243 are arbitrary code execution vulnerabilities, which allow a user who exploits them to run arbitrary code at higher, or even the highest, privileges. From there an attacker can do anything on the system: make any changes and add, modify, or delete any files.
- CVE-2020-6241 and CVE-2020-6253 are privilege escalation vulnerabilities, which allow an attacker to gain increased access to resources and functions on a system that are normally restricted to certain users. For example, an attacker who escalates their privileges could access resources meant only for an administrator, could add, modify, or delete users, files and applications, and could execute code and other applications at will.
What are the recommendations?
Due to the high/critical CVSS scores attributed to these vulnerabilities, it is highly recommended that users of SAP ASE immediately update it to the latest available version to mitigate these and other potential vulnerabilities. These patches are available from the community support portal; the link to it can be found below.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.