Admins of on-premises Sage X3 ERP deployments should check they're not exposing the enterprise resource planning suite to the public internet in case they fall victim to an unauthenticated command execution vulnerability.
And said administrators should have installed by now the latest patches for the software, which address a bunch of bugs earlier discovered and reported by Rapid7. The infosec outfit described in detail the flaws, calling them "protocol-related issues involving remote administration of Sage X3."
The aforementioned command execution vulnerability (CVE-2020-7388) scores a perfect ten out of ten in CVSS severity. Hence, protect and patch: miscreants have everything they need now to exploit the bugs.
We're told CVE-2020-7388 can be exploited to trick Sage X3 into executing, as NT AUTHORITY\SYSTEM, commands embedded in specially crafted requests sent to an administrative service exposed through TCP port 1818. The other vulns found by Rapid7 are rated at four or five on the CVSS scoring scale:
- CVE-2020-7387 allows an attacker to remotely discover the X3 installation directory, making exploitation of CVE-2020-7388 easier to achieve.
- CVE-2020-7389 exploitation involves pairing X3's System function with the CHAINE variable to execute arbitrary commands "including those sourced from a remote SMB share," with Rapid7 warning that the functionality should only be enabled in dev environments, not production.
- CVE-2020-7390 is a stored cross-site scripting (XSS) vuln on the X3 user profile page.
A successful exploit of 7390 "could allow a regular user of Sage X3 to execute privileged functions as a currently logged-in administrator or capture administrator session cookies for later impersonation as a currently-logged-in administrator," said Rapid7.
Sage published patches for the programming blunders a couple of months ago, without giving details about the holes. Diligent sysadmins will doubtless have installed them already, though it's worth double-checking.
Now that the information is in the public domain, we can expect malicious folk to start scanning for exposed and/or unpatched deployments, as has been the case with recent high-profile vulns abused by ransomware criminals.
Chaining several CVE-rated vulns to compromise a piece of software is not commonplace, but it is not unusual either. In June a similar four-vuln chaining technique was shown to compromise Dell SupportAssist, a remote PC firmware upgrade utility, in such a way as to allow remote attackers to upload custom BIOS images to vulnerable machines.
As for the Sage X3 flaws, while the impact of the most severe one is at the highest end of the scale, normal security practices should mitigate it already, according to Rapid7.
"Generally speaking, Sage X3 installations should not be exposed directly to the internet, and should instead be made available via a secure VPN connection where required," it advised. "Following this operational advice effectively mitigates all four vulnerabilities." ®
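For admins who want to act on that advice at the host level as well as at the network edge, the following PowerShell is an added example, not part of this article and not Sage's or Rapid7's own guidance. It audits the Windows Firewall for any inbound rule that opens the administrative service port named above (TCP 1818), disables broad allows, and replaces them with a single allow rule scoped to the VPN client range. The VPN range (10.10.0.0/16) and the server name used in the verification step are placeholders, and the script assumes X3 is running on Windows Server with the built-in firewall, which the article's mention of NT AUTHORITY\SYSTEM suggests but does not state outright.

```powershell
# Added example (not from The Register article, Sage, or Rapid7): host-level
# restriction of the Sage X3 administration service port on a Windows server.
# Assumptions (placeholders, adjust to your environment):
#   - the admin service listens on TCP 1818, the port named in the article
#   - 10.10.0.0/16 is the client address range handed out by your VPN concentrator
#   - run in an elevated PowerShell session on the X3 server itself
#Requires -RunAsAdministrator

$AdminPort = 1818
$VpnSubnet = '10.10.0.0/16'   # placeholder: replace with your real VPN client range

# 1. Audit: list every inbound allow rule that currently opens TCP 1818, so that a
#    catch-all "Any" allow left behind by an installer or a previous admin is visible.
$existing = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$AdminPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

foreach ($rule in $existing) {
    $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    Write-Host "Existing allow rule '$($rule.DisplayName)' permits remote addresses: $addr"
    # Disable rather than delete, so the change is reversible and shows up in audits.
    Disable-NetFirewallRule -Name $rule.Name
}

# 2. Replace them with one allow rule scoped to the VPN range. Windows Firewall gives
#    Block rules precedence over Allow rules, so a catch-all Block for the port would
#    also cut off VPN clients; the correct shape is "narrow Allow + default Block".
New-NetFirewallRule -DisplayName "Sage X3 admin service (VPN only)" `
    -Direction Inbound -Protocol TCP -LocalPort $AdminPort `
    -RemoteAddress $VpnSubnet -Action Allow -Profile Domain,Private

# 3. Ensure nothing unlisted reaches the port: the default inbound action must be
#    Block on every profile, otherwise a source not matched by any rule is admitted.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 4. Verify from a machine OUTSIDE the VPN (not from the server itself): the attempt
#    should fail. Repeat from a VPN client, where it should succeed.
#    Test-NetConnection -ComputerName x3-server.example.internal -Port $AdminPort
```

Note that this complements rather than replaces the Rapid7 advice: the host rule protects against an accidental firewall or NAT change at the edge, but the service should still sit on a network segment that is only reachable over the VPN, and the vendor patches should be applied regardless, since the rule does nothing against a VPN user who is already inside.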