Critical Flaws Reported in Sage X3 Enterprise Management Software

Technology

Four security vulnerabilities have been uncovered in the Sage X3 enterprise resource planning (ERP) product, two of which could be chained together as part of an attack sequence to enable adversaries to execute malicious commands and take control of vulnerable systems.

These issues were discovered by researchers from Rapid7, who notified Sage Group of their findings on Feb. 3, 2021. The vendor has since rolled out fixes in recent releases for Sage X3 Version 9 (Syracuse 9.22.7.2), Sage X3 HR & Payroll Version 9 (Syracuse 9.24.1.3), Sage X3 Version 11 (Syracuse 11.25.2.6), and Sage X3 Version 12 (Syracuse 12.10.2.8) that were shipped in March.

Stack Overflow Teams

The list of vulnerabilities is as follows –

  • CVE-2020-7388 (CVSS score: 10.0) – Sage X3 Unauthenticated Remote Command Execution (RCE) as SYSTEM in AdxDSrv.exe component
  • CVE-2020-7389 (CVSS score” 5.5) – System “CHAINE” Variable Script Command Injection (No fix planned)
  • CVE-2020-7387 (CVSS score: 5.3) – Sage X3 Installation Pathname Disclosure
  • CVE-2020-7390 (CVSS score: 4.6) – Stored XSS Vulnerability on ‘Edit’ Page of User Profile

“When combining CVE-2020-7387 and CVE-2020-7388, an attacker can first learn the installation path of the affected software, then use that information to pass commands to the host system to be run in the SYSTEM context,” the researchers said. “This can allow an attacker to run arbitrary operating system commands to create Administrator level users, install malicious software, and otherwise take complete control of the system for any purpose.”

Sage X3 Enterprise Management

The most severe of the issues is CVE-2020-7388, which takes advantage of an administrative service that’s accessible over the internet to craft malicious requests with the goal of running arbitrary commands on the server as the “NT AUTHORITY/SYSTEM” user. The service in question is used for remote management of the Sage ERP solution through the Sage X3 Console.

Prevent Ransomware Attacks

Separately, the ‘Edit’ page associated with user profiles in the Sage X3 Syracuse web server component is vulnerable to a stored XSS attack (CVE-2020-7390), enabling the execution of arbitrary JavaScript code during ‘mouseOver‘ events in the ‘First name’, ‘Last name’, and ‘Email’ fields.

“If successful, however, this vulnerability could allow a regular user of Sage X3 to execute privileged functions as a currently logged-in administrator or capture administrator session cookies for later impersonation as a currently-logged-in administrator,” the researchers said.

Successful exploitation of CVE-2020-7387, on the other hand, results in the exposure of Sage X3 installation paths to an unauthorized user, while CVE-2020-7389 concerns a missing authentication in Syracuse development environments that could be used to gain code execution via command injection.

“Generally speaking, Sage X3 installations should not be exposed directly to the internet, and should instead be made available via a secure VPN connection where required,” the researchers noted in the disclosure. “Following this operational advice effectively mitigates all four vulnerabilities, though customers are still urged to update according to their usual patch cycle schedules.”

Products You May Like

Articles You May Like

‘Jeopardy!’ Fans React to ‘Tiring’ Video Clues From ‘Nosferatu’ Stars Nicholas Hoult & Lily-Rose Depp
Sophos Issues Hotfixes for Critical Firewall Flaws: Update to Prevent Exploitation
8 Best Christmas Episodes of ‘The Simpsons’
“This Will Be A Certified Hit” — Morgan Wallen Teases Demo Of New Song & Fans Are Begging Him To Release It
Wall Street’s fear gauge — the VIX — saw second-biggest spike ever on Wednesday