Administrators of on-premises Sage X3 ERP deployments should make sure they do not expose the enterprise resource planning suite to the public Internet, given that it is affected by an unauthenticated command execution vulnerability.
And those admins should already have installed the latest patches for the software, which fix a bunch of bugs previously discovered and reported by Rapid7. The infosec team described the flaws in detail, calling them “protocol-related issues involving remote administration of Sage X3.”
The aforementioned command execution vulnerability (CVE-2020-7388) scores a perfect ten out of ten for CVSS severity. So patch and fix: attackers now have everything they need to exploit the bugs.
We are told that CVE-2020-7388 can be exploited to trick Sage X3 into executing, as NT AUTHORITY\SYSTEM, commands carried in specially crafted requests sent to an exposed administrative service on TCP port 1818. The other vulnerabilities found by Rapid7 are rated four or five on the CVSS scale:
- CVE-2020-7387 allows an attacker to remotely discover the X3 installation directory, which facilitates the exploitation of CVE-2020-7388.
- Exploiting CVE-2020-7389 involves pairing X3's System function with the CHAIN variable to execute arbitrary commands, “including those coming from a remote SMB share”; Rapid7 warns that the feature should only be enabled in development environments and never in production.
- CVE-2020-7390 is a stored cross-site scripting (XSS) vulnerability in the user profile page of X3.
Successful exploitation of CVE-2020-7390 “could allow a regular Sage X3 user to perform privileged functions as a currently logged in administrator or capture administrator session cookies for later impersonation as the currently logged in administrator,” said Rapid7.
Sage released fixes for the programming errors, without giving details of the holes, a few months ago. Diligent system administrators will no doubt have installed them already, although it is worth checking.
Now that the information is in the public domain, we can expect attackers to start looking for exposed and/or unpatched deployments, as has been the case with recent high-profile vulnerabilities exploited by ransomware criminals.
Chaining CVE-numbered vulnerabilities to compromise software is not unheard of, though it is not common either. In June, a similar four-vulnerability chaining technique was shown to compromise Dell SupportAssist, a remote PC firmware upgrade utility, in a way that allows remote attackers to push custom BIOS images to vulnerable machines.
As for the Sage X3 flaws, while the impact of the most serious is at the highest end of the scale, normal security practices should already mitigate it, according to Rapid7.
“In general, Sage X3 installations should not be exposed directly to the Internet, but rather should be made available through a secure VPN connection if necessary,” it advised. “Following these operational tips effectively mitigates the four vulnerabilities.” ®