Critical SAP ASE Flaws Allow Complete Control of Databases (Security News, June 2020)
ASE is used by more than 30,000 organizations globally - including 90 percent of the top banks and security firms worldwide, according to SAP. Researchers disclosed six vulnerabilities that they discovered while conducting security tests for the latest version of the software, ASE 16.
While SAP has released patches for both ASE 15.7 and 16.0 in its May 2020 update, researchers disclosed technical details of the flaws on Wednesday, saying "There is no question" that the patches should be applied immediately if they haven't been already.
Another critical flaw was discovered affecting Windows installations of SAP ASE 16.
In another issue, researchers found clear text passwords in the ASE server installation logs: "The logs are only readable to the SAP account, but will completely compromise the SAP ASE when joined with some other issue that allows filesystem access," they said.
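The clear-text-password finding above is the kind of issue a defender can check for locally. The following is an added example, not code from the Threatpost article or from SAP: it scans installation-log text for password-like fields, reports them with the secret redacted, and checks whether a log file's mode leaves it readable beyond its owner. The sample log lines, field names (sa_password, ssl_key_password) and layout are constructed for illustration and are not the real SAP ASE installer log format.

```python
"""
Added example (not from the article or from SAP): a defensive scan for
credentials written in clear text to installation logs, plus a file-mode
check, run against constructed sample log lines.
"""
import re
import stat
from typing import Dict, List

# Constructed sample log content. The field names and layout are assumptions
# for illustration; they are NOT the real SAP ASE installer log format.
SAMPLE_LOG = """\
2020-05-12 10:02:11 INFO  Starting database server setup
2020-05-12 10:02:12 INFO  sa_password=Sup3rSecret!
2020-05-12 10:02:13 INFO  running: isql -Usa -PSup3rSecret! -SASE16
2020-05-12 10:02:14 INFO  Backup server registered, no credentials here
2020-05-12 10:02:15 DEBUG ssl_key_password: "hunter2"
2020-05-12 10:02:16 INFO  Setup complete
"""

# Two common ways a secret ends up in a log line:
#   key=value / key: value with a password-like key name, and isql-style -P<secret>.
CRED_PATTERNS = [
    re.compile(
        r'(?P<key>\b\w*(?:password|passwd|pwd)\w*)\s*[=:]\s*"?(?P<value>[^"\s]+)"?',
        re.IGNORECASE,
    ),
    re.compile(r"(?P<key>-P)(?P<value>\S+)"),
]


def redact(value: str) -> str:
    """Keep only a two-character prefix so the report does not re-leak the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def find_cleartext_credentials(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per log line that appears to carry a clear-text secret."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for pattern in CRED_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append(
                    {
                        "line": lineno,
                        "key": match.group("key"),
                        "value": redact(match.group("value")),
                    }
                )
                break  # one finding per line is enough for triage
    return findings


def is_readable_by_others(mode: int) -> bool:
    """True if the group or world read bit is set, i.e. the file is not owner-only.

    Pass os.stat(path).st_mode for a real file; the check mirrors the article's
    point that a log readable only to the SAP account still matters once any
    other issue grants filesystem access, so owner-only is the minimum, not a fix.
    """
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['key']} -> {finding['value']}")
    print("mode 0o640 readable by others:", is_readable_by_others(0o640))
```

Run it against a real installation log by reading the file into `find_cleartext_credentials` and passing `os.stat(path).st_mode` to `is_readable_by_others`; any finding means the log should be scrubbed or removed and the exposed credential rotated, regardless of the file's permissions.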
Two further issues were also disclosed: one exists in global temporary tables in ASE 16, while the other stems from the WebServices handling code of ASE. The final bug discovered was an XP Server flaw that could allow authenticated Windows users to gain arbitrary code execution if they can connect to the SAP ASE. "Organizations often store their most critical data in databases, which, in turn, are often necessarily exposed in untrusted or publicly exposed environments," said researchers.
News URL
https://threatpost.com/critical-sap-ase-flaws-complete-control-databases/156239/