A new set of critical vulnerabilities uncovered in SAP’s Sybase database software can grant unprivileged attackers complete control over a targeted database and even the underlying operating system in certain scenarios.
The six flaws, disclosed by cybersecurity firm Trustwave today, reside in Sybase Adaptive Server Enterprise (ASE), a relational database management software geared towards transaction-based applications.
The cybersecurity company said the issues — some specific to the operating system and others affecting the platform as a whole — were discovered during security testing of the product; one of them carries a CVSS rating of 9.1.
Identified as CVE-2020-6248, the most severe vulnerability allows arbitrary code execution during database backup operations, letting an attacker trigger the execution of malicious commands.
“During database backup operations, there are no security checks for overwriting critical configuration files,” Trustwave researchers said in a report shared with The Hacker News. “That means anyone who can run the DUMP command (e.g., database owners) can perform very dangerous tasks.”
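A defensive detection check suggested by the quote above, added here as an example and not taken from Trustwave's report or SAP's documentation: scan an SQL audit trail for DUMP DATABASE / DUMP TRANSACTION statements whose output file lies outside the directory where backups are supposed to be written. The audit log line format, the backup directory and the sample statements are constructed for this example; the assumption that the dangerous overwrite is reached through the dump target path is an inference from the article, not something the article states.

```python
import re
from pathlib import PurePosixPath

# Constructed sample audit lines. The "login=... db=... stmt=..." layout is an
# assumption for this example, not Sybase ASE's actual audit format.
SAMPLE_AUDIT = """\
2020-05-13 10:01:02 login=dbo_sales db=sales stmt=dump database sales to "/var/backups/ase/sales_full.dmp"
2020-05-13 10:05:17 login=dbo_sales db=sales stmt=dump transaction sales to "/var/backups/ase/sales_tran.dmp"
2020-05-13 10:09:41 login=dbo_sales db=sales stmt=DUMP DATABASE sales TO "/opt/sap/ASE-16_0/SALES.cfg"
2020-05-13 10:12:03 login=sa db=master stmt=select name from sysdatabases
2020-05-13 10:15:55 login=dbo_hr db=hr stmt=dump database hr to "/var/backups/ase/../../../opt/sap/ASE-16_0/hr.cfg"
"""

# Directory that legitimate backups are expected to land in (constructed value).
ALLOWED_BACKUP_ROOT = PurePosixPath("/var/backups/ase")

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) login=(?P<login>\S+) db=(?P<db>\S+) stmt=(?P<stmt>.*)$'
)
# DUMP DATABASE <db> TO "<file>" / DUMP TRANSACTION <db> TO "<file>", case-insensitive.
DUMP_RE = re.compile(
    r'\bdump\s+(database|transaction|tran)\s+(\S+)\s+to\s+"([^"]+)"', re.IGNORECASE
)


def normalize(path: str) -> PurePosixPath:
    """Collapse '.' and '..' components lexically so traversal cannot hide the real target.

    Done purely on the string: the detector must not touch the database host's filesystem.
    """
    parts = []
    for p in PurePosixPath(path).parts:
        if p == "..":
            if parts and parts[-1] != "/":
                parts.pop()
        elif p != ".":
            parts.append(p)
    return PurePosixPath(*parts)


def is_under(path: PurePosixPath, root: PurePosixPath) -> bool:
    """True if path is root itself or lives somewhere beneath it."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def find_suspicious_dumps(log_text: str, allowed_root: PurePosixPath = ALLOWED_BACKUP_ROOT):
    """Return every DUMP statement whose target file is outside the allowed backup directory."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = DUMP_RE.search(m["stmt"])
        if not d:
            continue  # not a DUMP statement
        target = normalize(d.group(3))
        if not is_under(target, allowed_root):
            findings.append({
                "ts": m["ts"],
                "login": m["login"],
                "db": m["db"],
                "dump_type": d.group(1).lower(),
                "target": str(target),
                "stmt": m["stmt"],
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_dumps(SAMPLE_AUDIT):
        print(f"{f['ts']} {f['login']} wrote {f['dump_type']} dump of {f['db']} to {f['target']}")
```

The check is deliberately lexical: it normalises `..` components before comparing against the allowed root, so a target that detours through the backup directory is still reported. On a real deployment the login and target path would also be compared against the accounts and paths that an organisation's backup jobs actually use.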
A second vulnerability (CVE-2020-6252) concerns ASE Cockpit, a web-based…