Several security fixes issued in July by Sybase failed to fully address vulnerabilities in versions of its flagship Adaptive Server Enterprise product.
The vulnerabilities exist in versions 15.0.3 and later. According to database security firm Application Security, just two of the 12 flaws the company reported to Sybase earlier this year have been truly fixed. Many of the bugs are privilege escalation issues, while others allow attackers to execute arbitrary code. The most serious of the bugs, CR #694649, has a severity rating of 8.3 on a 10.0 scale.
"The two that were properly fixed are CRs 689823 and 691642," explained Josh Shaul, CTO of Application Security, in a blog post. "For the other 10 issues, Sybase made unsuccessful fixes. With very minor modifications to the original proof of concept code [Application Security's TEAMSHATTER] sent to Sybase in our initial vulnerability report, the exploits still work. It appears that Sybase blocked the specific exploit code we submitted without fixing the underlying vulnerability, and then performed insufficient testing and code review to notice the problem before shipping the patches and publicly disclosing the vulnerability information."
In a follow-up interview, Shaul said that all the vulnerabilities yield full control of ASE. So far, the firm has no evidence either way about whether the vulnerabilities are being actively exploited.
In a statement, Sybase, which was acquired by SAP in 2010, acknowledged the situation and said a new round of fixes are expected to be ready within six weeks.
"SAP takes very seriously any security vulnerability issues from its products," the company said. "Customers will be notified immediately about the vulnerabilities that exist in the various in-market releases of SAP Sybase ASE. It should be noted that the vulnerabilities are protected against any attacks from non-authenticated logins. Currently, there are no reported cases of attacks on these vulnerabilities in SAP Sybase ASE installations at customer sites."
Most of the vulnerabilities require no permissions beyond the ability to log in to Sybase and allow an attacker to take full control over the Sybase server by either assuming the system administrator (SA) role or by loading and running arbitrary Java code, Shaul blogged.
"For the vulnerabilities involving java, there is a workaround," he continued. "Sybase users can disable java in the database. This approach, however, only works for those Sybase systems that have no need for Java. For the vulnerabilities that allow escalation to the SA role, there is unfortunately no workaround."
"In order to protect our customers, TeamSHATTER has released attack signatures to detect exploits of all 12 of these Sybase vulnerabilities using DbProtect," Shaul added. "Users of DbProtect can alert on any attempted exploit in real-time and take automated steps to block the attack and remove the attacker from the system."