Researchers from Rapid7 discovered four security vulnerabilities in the Sage X3 enterprise resource planning (ERP) solution. By chaining two of them, an attacker can execute arbitrary commands and take control of vulnerable systems.
The researchers reported the flaws to the vendor in February 2021, and Sage addressed them in updated releases of Sage X3 Version 9, Sage X3 HR & Payroll Version 9, Sage X3 Version 11 and Sage X3 Version 12 (the fixed Syracuse component builds are listed in the vendor's release notes; the build numbers in the original article were garbled and are omitted here).
The vulnerabilities are summarized in the following table. The first two are protocol-level issues in the remote administration component (AdxAdmin) of Sage X3, while the remaining two affect the Syracuse web application.
| CVE Identifier | CWE Identifier | CVSS score (Severity) | Remediation |
|---|---|---|---|
| CVE-2020-7388 | CWE-290: Unauthenticated Command Execution Bypass by Spoofing in AdxAdmin | 10.0 (Critical) | Update available |
| CVE-2020-7387 | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in AdxAdmin | 5.3 (Medium) | Update available |
| CVE-2020-7389 | CWE-306: Missing Authentication for Critical Function in Developer Environment in Syracuse | 5.5 (Medium) | No fix planned, as this is a development function and not a production function |
| CVE-2020-7390 | CWE-79: Persistent Cross-Site Scripting (XSS) in Syracuse | 4.6 (Medium) | Update available (note: this affects V12 only, unlike the other issues, which affect V9 and V11 as well) |
By combining CVE-2020-7387 and CVE-2020-7388, an attacker can first gather information about the installation (in particular its installation path) and then use that information to pass commands to the host system, where they run in the SYSTEM context.
“When combining CVE-2020-7387 and CVE-2020-7388, an attacker can first learn the installation path of the affected software, then use that information to pass commands to the host system to be run in the SYSTEM context. This can allow an attacker to run arbitrary operating system commands to create Administrator level users, install malicious software, and otherwise take complete control of the system for any purpose,” reads the post published by Rapid7.
The most severe of the vulnerabilities, CVE-2020-7388, abuses the AdxAdmin administrative service that the Sage X3 Console uses to manage the ERP solution remotely. When that service is reachable over the network, an attacker can send maliciously crafted requests that run arbitrary commands on the server as the “NT AUTHORITY\SYSTEM” user, without authenticating.
CVE-2020-7387 allows an unauthenticated attacker to obtain information about Sage X3 installation paths, which is the piece of information the command-execution flaw needs. CVE-2020-7389 is a missing-authentication issue in Syracuse development environments that allows an attacker to execute arbitrary code via command injection.
“Some web application scripts that allowed the use of the ‘System’ function could be paired with the ‘CHAINE’ variable in order to execute arbitrary commands, including those sourced from a remote SMB share. The page can be reached via the menu prompts Development -> Script dictionary -> Scripts. Note that, according to the vendor, this functionality should only be available in development environments, and not production environments,” the report continues.
The researchers stressed that Sage X3 installations should not be exposed directly to the internet; where remote access is required, it should be allowed only through a VPN connection. Since no fix is planned for CVE-2020-7389, the same network restriction is the only protection for reachable development environments.
(SecurityAffairs – hacking, SAGE)