Four security flaws have been uncovered in the Sage X3 ERP (enterprise resource planning) software. Two of the four can be chained into a single attack sequence, which would allow an adversary to run destructive commands and take control of vulnerable systems.
Researchers at Rapid7 discovered these flaws and reported them on February 3, 2021. The company addressed all of them with the release of Sage X3 Version 12 (Syracuse 126.96.36.199), Sage X3 Version 11 (Syracuse 188.8.131.52), Sage X3 HR & Payroll Version 9 (Syracuse 184.108.40.206), and Sage X3 Version 9 (Syracuse 220.127.116.11).
By combining CVE-2020-7388 and CVE-2020-7387, an attacker can obtain information about the installation and then use it to send commands to the host system in the SYSTEM context. Running arbitrary operating system commands this way not only gives the attacker complete control of the system but also lets him install malicious software and create administrator-level users.
Of the four flaws, the most critical is CVE-2020-7388. It abuses an administrative service used for remote management of Sage ERP deployments; because the Sage X3 Console is often reachable over the Internet, maliciously crafted requests sent to this service can run arbitrary commands on the server as “NT AUTHORITY\SYSTEM”.
If successfully exploited, however, this flaw could allow a regular Sage X3 user to act as a currently logged-in administrator and run privileged capabilities. He can also capture administrator session cookies for subsequent impersonation of a currently logged-in administrator.
Successful exploitation of CVE-2020-7387 exposes Sage X3 installation paths to an unauthenticated user. CVE-2020-7389, on the other hand, is a missing-authentication flaw in Syracuse development environments; through command injection, it can be used to obtain code execution.
With all of this in mind, the researchers recommend that Sage X3 installations not be exposed to the Internet. If remote access is essential, making them reachable only over a secure VPN connection should be considered. Following these recommendations effectively addresses all four critical flaws reported in the Sage X3 enterprise management software. We urge users to apply the updates within their regular patch cycle schedules.
Rogue Logics provides in-depth security services for the assessment and protection of your application, data, and infrastructure against potential threats on-prem or in the cloud.
Want a consultation with the professionals at Rogue Logics? Contact us and get a free quote.