5.2 Ensure External File System Access is disabled - enable file access

Information

Sybase ASE contains functionality for interacting with the file system through the creation
of 'proxy tables'. This functionality is implemented by the Component Integration Service
(CIS) and is accessed via standard Transact-SQL commands. It allows files and directories
to be created, deleted, written to and queried.

By default, only users with the sa_role or the sso_role can create proxy tables that map to
files or directories. It is nonetheless recommended that external file system access be
disabled.

Rationale:

Though an attacker would need to have compromised an account with the sa_role or
sso_role in order to create new proxy tables via External File System Access, this functionality,
if not in use, should be disabled as a defense-in-depth measure. This functionality could be
abused to modify operating system configuration files or create files that would allow an
attacker to run code in another process.

Solution

1. Connect to the ASE server with a user that has the sa_role and execute the
following SQL statement:

exec sp_configure 'enable cis', 0

2. If an error is returned indicating that the transaction coordinator must be disabled,
execute the following SQL statement to disable it, restart the server, and then
execute the above SQL statement again.

exec sp_configure 'enable xact coordination', 0

3. Restart the server.

4. Connect to the ASE server with a user that has the sa_role and execute the
following SQL statement:

exec sp_configure 'enable file access', 0
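
To confirm the change took effect, the following audit query can be run after the steps above. It is an added example, not part of the benchmark text, and it assumes the login can read master.dbo.sysconfigures (configured values) and master.dbo.syscurconfigs (values the running server is using).

```sql
-- Added audit example (not from the benchmark).
-- Compares the configured value with the value currently in effect, so a
-- setting that was changed but is still waiting for the server restart in
-- step 3 is reported separately from one that was never changed.
select c.name,
       c.value as config_value,   -- value stored by sp_configure
       r.value as run_value,      -- value the running server is using
       case
           when c.value = 0 and r.value = 0 then 'PASS'
           when c.value = 0 and r.value <> 0 then 'PENDING RESTART'
           else 'FAIL'
       end as result
from master.dbo.sysconfigures c
join master.dbo.syscurconfigs r
  on r.config = c.config
where c.name in ('enable cis', 'enable file access')
order by c.name
go
```

Both rows should report PASS; a PENDING RESTART row means the configured value is 0 but the running server has not yet picked it up.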

See Also

https://workbench.cisecurity.org/files/1612