Executive Summary

Summary
Title: SAP Sybase Adaptive Server Enterprise vulnerable to XML injection

Information
Name: VU#303900
First vendor Publication: 2013-10-17
Vendor: VU-CERT
Last vendor Modification: 2013-10-17
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CVSS Base Score: 4
CVSS Impact Score: 2.9
CVSS Exploit Score: 8
Attack Range: Network
Attack Complexity: Low
Authentication: Requires single instance

Detail

Vulnerability Note VU#303900

SAP Sybase Adaptive Server Enterprise vulnerable to XML injection

Original Release date: 17 Oct 2013 | Last revised: 17 Oct 2013

Overview

SAP Sybase Adaptive Server Enterprise Version 15.7 ESD 2 and possibly earlier versions contains an XML injection vulnerability (CWE-91).

Description

CWE-91: XML Injection (aka Blind XPath Injection)

SAP Sybase Adaptive Server Enterprise (ASE) Version 15.7 ESD 2 contains an XML injection vulnerability, which can lead to information exposure. This is due to the expanded use of XML External Entity (XXE) Processing. The XMLParse procedure is vulnerable to attack. Using a specially crafted SQL request, an authenticated attacker may be able to read files with the permissions of the user running the ASE application.

For example, the attacker can read the /etc/passwd file of the server using the following SQL query:
SELECT xmlextract('/', xmlparse('<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "/etc/passwd">]><content>&abc;</content>'))

Impact

An authenticated attacker may be able to use the vulnerabilities to read user credentials. This may be used to obtain unauthorized administrative or privileged access to the system.

Solution

Apply an Update
SAP has released a patch on the Sybase downloads page. If an update cannot be applied, please consider the following workaround.

Disable XXE
By disabling the external general entities feature of the SAXParserFactory used to parse the XML within Java code, the attacker cannot successfully make these requests. More details can be found on the OWASP XML External Entity (XXE) Processing page.
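The workaround above, as an added example that is not code from the advisory or from SAP: a generic Java `SAXParserFactory` configured with external general entities disabled, plus a check that a document of the same shape as the advisory's query no longer pulls in file content. The class name, the marker file and the parameter-entity setting are assumptions that go beyond the advisory text.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

public class SaxXxeHardening {
    // Factory with external entity resolution switched off.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // The feature the advisory names.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        // Beyond the advisory text: parameter entities are the other external channel.
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f;
    }

    // Parse the document and return the character data delivered to the handler.
    static String textOf(SAXParserFactory f, String xml) throws Exception {
        StringBuilder text = new StringBuilder();
        f.newSAXParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        });
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive local file (Files.writeString needs Java 11+).
        Path marker = Files.createTempFile("xxe-marker", ".txt");
        Files.writeString(marker, "CONSTRUCTED-MARKER");
        try {
            // Same document shape as the advisory's query, pointed at the marker file.
            String xml = "<?xml version=\"1.0\"?>"
                    + "<!DOCTYPE content [ <!ENTITY abc SYSTEM \"" + marker.toUri() + "\">]>"
                    + "<content>&abc;</content>";
            String hardened = textOf(hardenedFactory(), xml);
            if (hardened.contains("CONSTRUCTED-MARKER")) {
                throw new IllegalStateException("external entity was resolved");
            }
            System.out.println("hardened parser output: [" + hardened + "]");
        } finally {
            Files.deleteIfExists(marker);
        }
    }
}
```

The marker check works as a regression test: it fails if a later change to the parser configuration re-enables external entity resolution.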

Vendor Information (Learn More)

Vendor    Status      Date Notified    Date Updated
SAP       Affected    08 Jan 2013      15 Oct 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group            Score    Vector
Base             2.3      AV:A/AC:M/Au:S/C:P/I:N/A:N
Temporal         1.8      E:POC/RL:OF/RC:C
Environmental    1.4      CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://cwe.mitre.org/data/definitions/91.html
  • http://www.sybase.com/products/databasemanagement/adaptiveserverenterprise

Credit

Thanks to Igor Bulatenko for reporting this vulnerability.

This document was written by Adam Rauf.

Other Information

  • CVE IDs: CVE-2013-6025
  • Date Public: 01 Oct 2013
  • Date First Published: 17 Oct 2013
  • Date Last Updated: 17 Oct 2013
  • Document Revision: 27

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/303900

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-94 Failure to Control Generation of Code ('Code Injection')

CPE : Common Platform Enumeration

Type Description Count
Application 1

Nessus® Vulnerability Scanner

Date Description
2013-11-20 Name : The version of SAP Sybase Adaptive Server Enterprise (ASE) installed on the r...
File : sybase_ase_note1887341.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2014-02-17 12:07:43
  • Multiple Updates
2013-10-21 21:27:36
  • Multiple Updates
2013-10-19 17:22:19
  • Multiple Updates
2013-10-17 17:20:17
  • First insertion