A set of vulnerabilities in SAP's Sybase Adaptive Server Enterprise, which is widely used by banks and financial institutions, could be used by attackers to take over unpatched systems, security researchers have revealed.
Security vendor Trustwave reported several critical and high severity Sybase ASE vulnerabilities to SAP, including one that rated 9.1 out of 10 on the Common Vulnerability Scoring System (CVSS).
The vulnerability, CVE-2020-6248, allows anyone with database manager privileges to run the DUMP command to overwrite critical configuration files since there are no security checks in place to prevent this from happening.
It is possible for attackers to run any code of their choice using this technique, Trustwave found.
Another flaw was found in the default configuration of Sybase ASE version 16 on Windows.
This left the password for the helper SQL Anywhere database readable by all Windows users.
Since the SQL Anywhere database runs with the high LocalSystem privileges on Windows, it could be used to overwrite operating system files and possibly execute arbitrary code, Trustwave found.
These, along with four further Sybase ASE vulnerabilities, were reported by Trustwave to SAP, which has issued patches for them; users are urged to test and apply the patches as soon as feasible.
SAP patched three other critical vulnerabilities in its latest Patch Day that had higher CVSS scores than the flaws uncovered by Trustwave.
These include a code injection vulnerability affecting the Application Server Advanced Business Application Programming (ABAP) language that is part of the NetWeaver platform, with a CVSS of 9.9.
A missing authentication check in SAP's BusinessObjects Business Intelligence Platform (CVSS 9.8) was also fixed.
In total, SAP released six patches rated as "Hot News" priority, each with a CVSS score above 9 out of a maximum of 10.
A further four high priority patches and 12 medium ones were also included in the latest set of security updates from SAP.