Menu
Menu
SAP patches login flaw in ASE database

SAP patches login flaw in ASE database

Combined with other flaws, complete access to a database could be gained

SAP patched a flaw on Thursday that could allow an attacker to take complete control over a database, according to security vendor Trustwave.

The flaw (CVE-2014-6284) affects SAP's Adaptive Server Enterprise (ASE), a relational database for Unix, Linux and Windows systems, designed for high volumes of data-rich transactions. Vulnerable versions are 12.5, 15, 15.5, 15.7 and 16.

TrustWave's Martin Rakhmanov, a senior security researcher, found an error in the challenge and response mechanism used to access ASE. The account access gained is not a privileged account, but TrustWave said other flaws allow the privileges to be escalated to that of a database administrator.

"Combined with such privilege elevation vulnerabilities, this one allows complete takeover of the database server," TrustWave said in its advisory.

Trustwave published proof-of-concept code on GitHub. SAP has also released a security note, but login details are required to view it.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securitySAPtrustwaveExploits / vulnerabilities

More about LinuxTrustwave

Show Comments