SAP Patches Database Flaw

Monday, April 27, 2015 @ 11:04 AM gHale

As the manufacturing environment continues to strengthen its connections to the enterprise, any issue that arises on the business side means all security professionals need to keep a keen eye open to potential issues.

With that in mind, SAP patched a hole in its SAP Adaptive Server Enterprise (ASE) that could allow an attacker to access the database server.

Threat Prevention Systems Not Enough
Social Engineering: Employees a Huge Risk
Affect of Attacks on Partners
BYOD, Cloud Security Risk Growing

SAP ASE is a relational database management product designed for high-performance transaction-based applications involving a large volume of data and a large number of users.

A vulnerability (CVE-2014-6284) ended up discovered by Martin Rakhmanov, a senior researcher in Trustwave’s SpiderLabs team. The issue first went to SAP in January 2014.

“SAP ASE ships with a login named ‘probe’ used for the two-phase commit probe process, which uses a challenge and response mechanism to access Adaptive Server. There is a flaw in implementation of the challenge and response mechanism that allows anyone to access the server as ‘probe’ login,” Trustwave said in a blog post.

“While the ‘probe’ is not a privileged account, other flaws exist that allow privilege elevation from regular database user to database administrator. Combined with such privilege elevation vulnerabilities this one allows complete takeover of the database server,” the advisory said.

The security firm has published proof-of-concept (PoC) code for the vulnerability on GitHub.

The flaw affects SAP ASE versions 12.5, 15.0, 15.5, 15.7, and 16.0. SAP addressed the issue with the release of ASE 15.7 SP132 and ASE 16.0 SP01.

SAP has published its own advisory for the security bug, but it’s only accessible to registered users.

Leave a Reply

You must be logged in to post a comment.