Cybersecurity firm Trustwave on Wednesday disclosed the details of several vulnerabilities found by its researchers in SAP Adaptive Server Enterprise (ASE).
SAP ASE is a relational database management system that is used by many major organizations, particularly in the financial sector. At one point, SAP said this product was used by a vast majority of the world’s top 25 banks.
Researchers at Trustwave analyzed SAP ASE and discovered a total of six vulnerabilities, most of which have been assigned a critical or high severity rating. The company says the security holes can allow unprivileged attackers to gain complete control of the database and possibly even the underlying operating system.
The critical issues can allow an attacker with limited privileges to execute arbitrary code with higher permissions — LocalSystem permissions on Windows systems. The flaws, tracked as CVE-2020-6248 and CVE-2020-6252, are related to the Backup Server and Cockpit components.
There is also a high-severity flaw related to the XP Server component that can be exploited for arbitrary code execution with LocalSystem privileges, Trustwave revealed in a blog post.
Two other high-severity vulnerabilities allow privilege escalation via SQL injection attacks. The last issue, rated medium severity, affects only Linux/UNIX systems and is related to the presence of cleartext passwords in installation logs. This weakness can be dangerous when combined with other vulnerabilities, as it can result in SAP ASE being completely compromised.
Trustwave reported its findings to SAP, which released patches in late April for ASE 15.7 and 16.0. SAP mentioned the vulnerabilities in the advisory it released for its May 2020 security updates.
“Organizations often store their most critical data in databases, which, in turn, are often necessarily exposed in untrusted or publicly exposed environments,” Trustwave said. “This makes vulnerabilities like these essential to address and test quickly since they not only threaten the data in the database but potentially the full host that it is running on.”
SAP’s latest round of security updates addressed 18 vulnerabilities affecting ABAP Application Server, Business Client, Business Objects, Enterprise Threat Detection, Master Data Governance, NetWeaver, and Identity Management.