6.11 Keep up-to-date with Sybase security patches

Information

Sybase ASE, like any large software product, suffers from security vulnerabilities. Previously
published vulnerabilities have allowed low-privileged database users to execute arbitrary code
in the context of the operating system account under which the ASE server runs.

Updates to Sybase ASE come in the following forms:

- Emergency Bug Fixes (EBFs) are released to correct a specific flawed component. The
accompanying documentation will typically state the severity of the issue (e.g. "Sybase
views this as a mandatory correction that you should implement immediately").

- Electronic Software Distribution packages (ESDs) are released periodically and typically
bundle multiple EBFs and other non-security bug fixes into a single download, with no
additional features. The most recent ESD for a given release represents the most
up-to-date stable version of that release.

- Interim Releases (IRs) are minor releases that introduce new features and enhancements
and incorporate the previous ESDs.

- Notification of upcoming patches and of possible security threats from third-party
components is often published as an Urgent Notice. Urgent Notices can be downloaded
from the Sybase support site.

Occasionally, details of vulnerabilities for which no patch yet exists surface on security
mailing lists such as Bugtraq or Full Disclosure, so these lists should be monitored
regularly. Because they carry a high volume of traffic, it is worth setting up keyword
filters (e.g. "Sybase", "ASE") rather than reading them in full.

EBFs, ESDs and IRs should be installed in a timely manner, subject to your organization's
patching policy, and only after they have been fully tested on non-production servers.
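The patch level an ASE server is actually running can be read from the string returned by `select @@version`, which embeds the release, the EBF build number and any ESD/SP/PL qualifier. The following Python script is an added example, not part of the original benchmark or Sybase's own tooling: it parses that string and compares the EBF number against a per-release baseline that the administrator maintains from the latest ESD/EBF documentation. The version strings and the `REQUIRED_EBF` numbers below are constructed placeholders, not real advisory values; the string layouts follow the documented ASE 12.5/15.0, 15.7 and 16.0 formats.

```python
"""Compare a Sybase ASE @@version string against a required EBF patch level.

Obtain the string from the server with:   select @@version
(for example:  isql -Usa -SSERVER -w300 -b <<< $'select @@version\ngo')
and pass it to check_patch_level().  Added example; not Sybase tooling.
"""
import re
from typing import Dict, NamedTuple, Optional, Tuple


class AseBuild(NamedTuple):
    release: str        # "12.5.4", "15.0.3", "15.7", "16.0"
    ebf: int            # Emergency Bug Fix build number
    esd: Optional[int]  # ESD#n qualifier (12.5 / 15.0 lines)
    sp: Optional[int]   # SPnn qualifier (15.7 / 16.0 lines)
    pl: Optional[int]   # PLnn qualifier (16.0 line)


_RELEASE_RE = re.compile(r"^Adaptive Server Enterprise/(?P<rel>\d+(?:\.\d+)+)")


def parse_version(version: str) -> AseBuild:
    """Parse the output of `select @@version` into its components."""
    text = version.strip()
    m = _RELEASE_RE.match(text)
    if not m:
        raise ValueError(f"not an ASE @@version string: {text!r}")
    parts = text.split("/")
    # The patch qualifiers live in the release segment and the EBF segment.
    # Later segments (platform, build directory such as "ase157sp100",
    # timestamp) are deliberately ignored so they cannot be misread as SP/PL.
    fields = " ".join(parts[1:3])
    ebf = re.search(r"\bEBF\s+(\d+)", fields)
    if not ebf:
        raise ValueError(f"no EBF number in @@version string: {text!r}")

    def qualifier(pattern: str) -> Optional[int]:
        found = re.search(pattern, fields)
        return int(found.group(1)) if found else None

    return AseBuild(
        release=m.group("rel"),
        ebf=int(ebf.group(1)),
        esd=qualifier(r"\bESD#(\d+)"),
        sp=qualifier(r"\bSP(\d+)\b"),
        pl=qualifier(r"\bPL(\d+)\b"),
    )


def check_patch_level(version: str, required: Dict[str, int]) -> Tuple[bool, str]:
    """Return (compliant, reason).

    `required` maps a release line to the minimum acceptable EBF number.
    EBF numbers only grow within a release line, so the comparison is made
    per release; a release missing from the baseline is treated as
    non-compliant (fail closed) because it is either unsupported or untracked.
    """
    build = parse_version(version)
    minimum = required.get(build.release)
    if minimum is None:
        return False, f"release {build.release} is not in the patch baseline"
    if build.ebf < minimum:
        return False, (f"release {build.release} at EBF {build.ebf}, "
                       f"baseline requires EBF {minimum} or later")
    return True, f"release {build.release} at EBF {build.ebf} meets baseline EBF {minimum}"


# Constructed sample @@version strings (placeholder EBF numbers and dates).
SAMPLE_1503 = ("Adaptive Server Enterprise/15.0.3/EBF 16548 ESD#1/P/x86_64/"
               "Enterprise Linux/ase1503/2680/64-bit/FBO/Thu Mar  5 09:39:28 2009")
SAMPLE_157 = ("Adaptive Server Enterprise/15.7/EBF 21335 SMP SP100 /P/x86_64/"
              "Enterprise Linux/ase157sp100/3479/64-bit/FBO/Wed Jun  5 07:19:54 2013")
SAMPLE_160 = ("Adaptive Server Enterprise/16.0 SP02 PL05/EBF 26284 SMP/P/x86_64/"
              "Enterprise Linux/ase160sp02pl05x/2729/64-bit/FBO/Sat Sep 24 02:12:52 2016")

# Placeholder baseline: replace each value with the EBF number of the latest
# ESD/EBF for that release line, taken from the vendor's patch documentation.
REQUIRED_EBF = {"15.7": 21500, "16.0": 26000}

if __name__ == "__main__":
    for sample in (SAMPLE_1503, SAMPLE_157, SAMPLE_160):
        ok, reason = check_patch_level(sample, REQUIRED_EBF)
        print("PASS" if ok else "FAIL", "-", reason)
```

Run against real output, the script flags both a server behind the baseline EBF and a server on a release line that has dropped out of the baseline; the latter is the more common finding on long-lived database hosts, and a patch cannot fix it, only an upgrade to a supported IR can.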

Rationale:

It is important to keep up-to-date with patches to ensure the security and integrity of the
data within the database. Privilege escalation vulnerabilities can be exploited directly by
low-privileged database users, or indirectly through application flaws such as SQL injection,
to compromise the database and gain a foothold on the host operating system.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

1. Download and install the latest EBFs/ESD/IR for your release from the Sybase download site.

See Also

https://workbench.cisecurity.org/files/1612