SAP’s Sybase RDMS Patches Fail to Repair 10 Critical Vulnerabilities

Patches released this week by database and mobile management vendor Sybase did not completely repair serious privilege escalation and remote code execution vulnerabilities in versions 15.0.3 and later of its Adaptive Server Enterprise (ASE) product.Researchers at Application Security Inc., which specializes in database security, reported a dozen vulnerabilities to the SAP company in July. AppSec also sent along proof-of-concept exploit code with details of the vulnerabilities.

Patches released this week by database and mobile management vendor Sybase did not completely repair serious privilege escalation and remote code execution vulnerabilities in versions 15.0.3 and later of its Adaptive Server Enterprise (ASE) product.

Researchers at Application Security Inc., which specializes in database security, reported a dozen vulnerabilities to the SAP company in July. AppSec also sent along proof-of-concept exploit code with details of the vulnerabilities.

ASE is Sybase’s high performance relational database management system. The company said on its website that ASE is present in 24 of the world’s top 25 banking IT infrastructures. SAP acquired Sybase in 2010 for $5.8 billion.

AppSec CTO Josh Shaul said today that only two of the 12 flaws were properly repaired. Sybase has acknowledged this and said it will issue new patches at an undisclosed time. In the meantime, companies with ASE in their environments remain vulnerable to exploits. None have been reported in the wild, Sybase and AppSec said.

“With very minor modifications to the original proof of concept code TeamSHATTER sent to Sybase in our initial vulnerability report, the exploits still work,” Shaul wrote in a blog post. “It appears that Sybase blocked the specific exploit code we submitted without fixing the underlying vulnerability, and then performed insufficient testing and code review to notice the problem before shipping the patches and publicly disclosing the vulnerability information.”

ASE is vulnerable to a number of privilege elevation vulnerabilities in all versions, as well as arbitrary code execution flaws and privilege escalation flaws via Java in ASE.

“Most of these unfixed vulnerabilities require no permissions beyond the ability to login to Sybase (they are exploitable by PUBLIC), and they allow an attacker to take full control over the Sybase server by either assuming the SA role or by loading and running arbitrary java code,” Shaul said.

Shaul said that disabling Java is a workaround, but only for systems that have no need for Java.

Suggested articles