Trustwave SpiderLabs Uncovers Critical Cybersecurity Vulnerabilities Exposing Manufacturers to Costly Attacks. Learn More

Trustwave SpiderLabs Uncovers Critical Cybersecurity Vulnerabilities Exposing Manufacturers to Costly Attacks. Learn More

Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

Managed Security Services

Expand your team’s capabilities and strengthen your security posture

Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

Penetration Testing

Subscription- or project-based testing, delivered by global experts

Database Security

Get ahead of database risk, protect data and exceed compliance requirements

Email Security & Management

Catch email threats others miss with layered security & maximum control

Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

About SAP Adaptive Server Enterprise dbcc import_sproc SQL injection vulnerability (CVE-2016-7402)

This vulnerability was introduced in SAP Adaptive Server Enterprise 16.0 SP02 PL03: prior versions of 16.0 are not vulnerable.

The DBCC command import_sproc is internal to the server and is not intended to be called by users. However any database owner can still invoke it using the following syntax:

dbcc import_sproc('loopback', 'SourceDB', 'TargetDB')

Interestingly, SAP renamed this dbcc command in 16.0 SP02 PL04 to import_stored_programs instead of import_sproc:

E:\SAP\ASE-16_0\scripts>strings -s * | findstr /i /c:"dbcc im"
E:\SAP\ASE-16_0\scripts\instmstr: dbcc import_stored_programs(@srvname, @dbname, @dbname)

When the command is executed on the patched version, permissions error is returned if user is not already an admin:

dbcc import_stored_programs('loopback', 'SourceDB', 'TargetDB')
Msg 10353, Level 14, State 6: Server '...', Line 1:
You must have any of the following role(s) to execute this command/procedure: 'sa_role' . Please contact a user with the appropriate role for help.

As you can see SAP simply changed the permissions for the dbcc import_stored_programs to require the sa_role to execute instead of remediation of the injection itself.

To fix this issue we recommend admins apply the vendor supplied fix, 16.0 SP02 PL04 HF1, which was released in September 2016.

As usual, Trustwave database security products contain a dedicated check for this vulnerability. Trustwave also published an advisory: TWSL2016-017


Latest SpiderLabs Blogs

Trustwave SpiderLabs Report: LockBit 3.0 Ransomware Vs. the Manufacturing Sector

As the manufacturing sector continues its digital transformation, Operational Technology (OT), Industrial Control Systems (ICS), and Supervisory Control and Data Acquisition (SCADA) are becoming...

Read More

Overview of the Cyberwarfare used in Israel – Hamas War

On October 7, 2023, the Palestinian organization Hamas launched the biggest attack on Israel in years, resulting in numerous casualties and hostages taken. Israel responded with a large-scale ground...

Read More

The 2023 Retail Services Sector Threat Landscape: A Trustwave Threat Intelligence Briefing

The annual holiday shopping season is poised for a surge in spending, a fact well-known to retailers, consumers, and cybercriminals alike. The latter group, however, is poised to exploit any...

Read More