SAP Adaptive Server Enterprise vulnerabilities break your database, server & network security

Sometimes the installation of security updates is not carried out properly, generating new errors or exploiting vulnerabilities, mention security testing course specialists. A few weeks ago, SAP released some security updates for its Adaptive Server Enterprise (ASE) database product, employed by thousands of companies around the world.

Although the updates were released in May, multiple system administrators still do not install them, so the company has re-requested its immediate installation, as threat actors could still exploit these flaws to take control of the affected software and its underlying servers.    

ASE is a high-performance database server that can be hosted in physical or cloud structures employed by more than 30,000 organizations worldwide, including banking institutions, healthcare companies, security companies, and more, SAP executives say.

According to security testing course experts, the latest SAP update included seven ASE fixes to patch moderate and critical severity vulnerabilities. In launching the update, various members of the cybersecurity community emphasized the importance of their installation: “Many organizations store critical information in exposed or misconfigured databases; vulnerabilities like these can be exploited because of these practices, hence the importance of installing these updates”, mentions a report from the Trustwave firm.

The most critical of vulnerabilities in SAE, tracked as CVE-2020-6248, would allow threat actors to execute commands to corrupt the backup server configuration file. The flaw received a score of 9.1/10 on the Common Vulnerability Scoring System (CVSS).  

Security testing course experts also reported a privilege escalation vulnerability tracked as CVE-2020-6252, which received a score of 9/10. This flaw also affects the SAP ASE Cockpit component that uses a SQL Anywhere-based helper database and runs with LocalSystem privileges. The password to log in is stored in a file that any user can read, so a malicious hacker with local access could access the auxiliary database and deploy arbitrary commands.

On the other hand, CVE-2020-6243 flaw is also an escalation of privileges that received a score of 8/10. Apparently, any user in the database, regardless of their privilege level, could force the C:-SAP- file to run. DLL file and replace it with a malicious file. Exploiting this flaw can lead to arbitrary code execution with system privileges.

Other flaws received lower scores, although their presence also poses a risk to administrators. System administrators are recommended to upgrade their deployments as soon as possible. For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to enter the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.