Page 42 - Cyber Defense eMagazine for July 2020
Don’t Be Breached When Using Commercial Software Products
By Randy Reiter, CEO of Don’t Be Breached
In May 2020 the software giant SAP made available eighteen security fixes for its Adaptive Server Enterprise (ASE) database system (formerly Sybase ASE). ASE is used by SAP products and by 30,000 organizations worldwide; 90% of the top 50 banks and security firms use ASE.
Four of the eighteen security fixes had a CVSS score of 8 or higher. The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. Vulnerabilities are scored from 0 to 10, with 10 being the most severe.
One of the security fixes was for SQL injection attacks. This vulnerability allowed any user of a database, regardless of their permission level, to gain Administrator access to the entire database. Wow.
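The defect class behind that fix is a query whose text is assembled from user input, so the input can change the statement's structure instead of merely supplying a value. The following is an added example, not code from the article or from SAP: it uses a constructed in-memory SQLite table as a stand-in for the database, places a concatenation-built lookup beside the parameterized form that closes the hole, and shows why the second one is the correct pattern.

```python
import sqlite3

# Constructed sample database (SQLite stand-in, not SAP ASE): one admin and two low-privilege readers.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "reader"), ("carol", "reader")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Defective pattern: the caller's string becomes part of the SQL text, so a quote
    # character in the input ends the literal and the rest is parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Hardened pattern: the statement is fixed and the driver binds the value separately,
    # so the input can only ever be compared as data, never interpreted as SQL.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(conn, name):
    # Returns (rows from the vulnerable query, rows from the parameterized query)
    # so the two behaviours can be checked side by side for the same input.
    return lookup_vulnerable(conn, name), lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = make_db()
    # A well-formed name: both queries agree.
    print(compare(db, "bob"))
    # Input containing a quote: the concatenated query returns every row
    # (including the admin account); the parameterized query returns none.
    print(compare(db, "bob' OR '1'='1"))
```

The point to take from the second call is not the payload but the asymmetry: with binding, the database never sees the input as SQL, which is the same property a vendor patch for this class of bug restores. Reviewing custom code that sits on top of a commercial database for the first pattern is a check that can be run before, and independently of, the vendor's own fix.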
SAP software products are comprehensive and complex. SAP customers have added on average up to 2 million lines of custom code to their deployments. This makes applying security patches a lengthy process, because that custom code must be comprehensively tested before the security fixes can be deployed.
Other 2020 Database Security Vulnerabilities:
• June 2020. The KingMiner botnet operation targets SQL Server databases with brute force attacks. The KingMiner botnet has been active since 2018. Once KingMiner gains access to SQL Server, it is capable of gaining root access to the Windows server.
• May 2020. A hacker leaked online the database for 7,600 websites serviced by Daniel’s Hosting. Daniel’s Hosting is the largest free web hosting provider for Dark Web services. The leaked
Cyber Defense eMagazine –July 2020 Edition 42
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.