Recently, Sybase released an urgent notice announcing patches for 12 vulnerabilities reported by TeamSHATTER. Here’s a link to the notice from Sybase: http://www.sybase.com/detail?id=1098877.
This notice from Sybase was the first public disclosure of these critical issues. Following our disclosure policy, to date TeamSHATTER has not shared exploit details with anyone except the vendor (SAP Sybase).
TeamSHATTER downloaded, installed, and tested the patches released by Sybase. We found that of the 12 issues Sybase disclosed, only 2 were fixed properly; the other 10 remain fully exploitable. The two that were properly fixed are CRs 689823 and 691642.
For the other 10 issues, Sybase made unsuccessful fixes. With very minor modifications to the original proof-of-concept code TeamSHATTER sent to Sybase in our initial vulnerability report, the exploits still work. It appears that Sybase blocked the specific exploit code we submitted without fixing the underlying vulnerability, and then performed insufficient testing and code review to notice the problem before shipping the patches and publicly disclosing the vulnerability information.
Most of these unfixed vulnerabilities require no permissions beyond the ability to log in to Sybase (they are exploitable by PUBLIC), and they allow an attacker to take full control of the Sybase server by either assuming the SA role or loading and running arbitrary Java code.
For the vulnerabilities involving Java, there is a workaround: Sybase users can disable Java in the database. This approach, however, only works for those Sybase systems that have no need for Java.
For the vulnerabilities that allow escalation to the SA role, there is unfortunately no workaround.
Sybase has acknowledged to TeamSHATTER that the patches they released are in fact incomplete, and they will issue new fixes in the future. No date or timeframe has been provided on when these fixes will be made available.
In order to protect our customers, TeamSHATTER has released attack signatures to detect exploits of all 12 of these Sybase vulnerabilities using DbProtect. Users of DbProtect can alert on any attempted exploit in real-time and take automated steps to block the attack and remove the attacker from the system.
We understand that mistakes happen, but we hope this incident serves as a wake-up call to SAP Sybase around software security. Clearly, the patches that were released don’t represent Sybase’s best work. Additionally, the amount of time that has passed since Sybase disclosed these vulnerabilities (which was late July) with no fix available has given any attacker a substantial head start. Sybase users need to be able to rely on the security of their databases, and right now, without third-party tools like DbProtect to help them, they simply cannot.