SAP users should deploy the patches for Adaptive Server Enterprise (ASE) released last month because the server fails to clear credentials from persistent installation logs. Even though the credentials are encrypted or hashed, researchers warn that attackers can easily decrypt them to gain full access to a sensitive monitoring component.
Previously known as Sybase SQL Server, the SAP Adaptive Server Enterprise (ASE) is a high-performance relational database with on-premises and cloud deployment options. The product is used by over 30,000 organizations worldwide, including over 90% of the world’s top 50 banks.
SAP ASE is a complex piece of software with many components, one of which is called Cockpit and is used to monitor the performance of large-scale deployments. The Cockpit agent is installed by default and broadcasts information about the ASE host to clients. According to SAP, Cockpit’s features include historical monitoring, threshold-based alerts and notifications, alert-based script execution and tools for identifying performance and usage trends.
Two SAP ASE information leaks
On Thursday, researchers from security firm Trustwave released detailed information and proof-of-concept exploit code for two information leak issues that can compromise administrative passwords for Cockpit on SAP ASE deployments.
The first vulnerability, tracked as CVE-2020-6295, stems from ASE failing to enforce proper file access controls for its installation log on Windows. This is the file where the product writes debug information every time a component is installed or updated. The log file persists on the host and is configured to be readable by any Windows user. This means that a potential attacker only needs access to a limited account on the system which in many cases is not hard to obtain on a Windows network.
An encrypted version of the Cockpit repository password is written to the log file every time the component is updated and while this might not look like much of a problem, researchers from Trustwave figured out that the information needed to decrypt it can be found in two other files, csibootstrap.properties and csikeystore.jceks, that are also readable to any user on the system.
“Csibootstrap.properties contains the keystore password while the csikeystore.jceks is the actual keystore. A very useful script for the research is C:\SAP\COCKPIT-4\bin\passencrypt.bat,” Trustwave said in its advisory, which includes a proof-of-concept exploit written in Java that can be used to extract the password.
The vulnerability is rated as high severity with a CVSS score of 7.8 because when decrypted, this password can be used to view, modify or make unavailable Cockpit data.
The second information disclosure vulnerability is tracked as CVE-2020-6317 and stems from the file permissions issue. The SAP ASE log file also includes SHA-256 hashes and base64-encoded salts for the sccadmin and uafadmin passwords. These are two administrative accounts associated with Cockpit.
This vulnerability is only rated as 2.6 on the CVSS scale because the passwords are hashed. However, Martin Rakhmanov, Trustwave’s security research manager, tells CSO that it’s easy to decode the salt and run dictionary-based offline brute-force attacks against the hashes to crack the passwords. Looping over dictionaries with SHA-256 is very fast, he said.
This is not the first time that improper file access controls have exposed SAP ASE and Cockpit. SAP’s May security updates included a fix for a privilege escalation vulnerability resulting from a Cockpit helper database password being included in a configuration file that was readable by all system users. The password could allow attackers to run database commands that would overwrite operating system files and lead to malicious code execution with LocalSystem privileges.
“In the end, exploiting the vulnerabilities discussed here will allow malicious users to either guess privileged user passwords (CVE-2020-6317) or just decrypt it (CVE-2020-6295) and then use compromised accounts for subsequent attacks,” the Trustwave researchers warned. “Do not wait: Apply the vendor-provided patches ASAP.”