Security researchers just disclosed four vulnerabilities in the Sage X3 ERP platform (enterprise resource planning). One of the flaws is critical, with a score of 10 out of 10 on the CVSS scale. Furthermore, two of them could be chained together, allowing for complete system takeovers and supply-chain ramifications, the researchers said.
Four Vulnerabilities in Sage X3 ERP Platform
According to Rapid7's security report, the vulnerabilities were identified by several of the company's researchers, including Jonathan Peterson, Aaron Herndon, Cale Black, Ryan Villarreal, and William Vu. The issues were reported to Sage via Rapid7's vulnerability disclosure process and were quickly addressed in recent releases for "Sage X3 Version 9 (those components that ship with Syracuse 22.214.171.124), Sage X3 HR & Payroll Version 9 (those components that ship with Syracuse 126.96.36.199), Sage X3 Version 11 (Syracuse v188.8.131.52), and Sage X3 Version 12 (Syracuse v184.108.40.206). Note, there was no commercially available Version 10 of Sage X3."
The four vulnerabilities have the following identifiers:
- CVE-2020-7387: Sage X3 Installation Pathname Disclosure;
- CVE-2020-7388: Sage X3 Unauthenticated Remote Command Execution (RCE) as SYSTEM in AdxDSrv.exe component;
- CVE-2020-7389: System CHAINE Variable Script Command Injection;
- CVE-2020-7390: Stored XSS Vulnerability on 'Edit' Page of User Profile.
The most severe of the vulnerabilities lies in the platform's remote administration function. The bug could open the door to a supply-chain attack similar to the Kaseya incident if the platform is used by managed service providers (MSPs).
Chaining CVE-2020-7387 and CVE-2020-7388
“When combining CVE-2020-7387 and CVE-2020-7388, an attacker can first learn the installation path of the affected software, then use that information to pass commands to the host system to be run in the SYSTEM context. This can allow an attacker to run arbitrary operating system commands to create Administrator level users, install malicious software, and otherwise take complete control of the system for any purpose,” the report said.
Mitigating the Vulnerabilities
Enterprise users of Sage X3 should update their Sage infrastructure: the most recent on-premises releases of Sage X3 Version 9, Version 11, and Version 12 fix the flaws. Where the fixes cannot be applied yet, customers should apply the following mitigations from the original report:
- For CVE-2020-7388 and CVE-2020-7387, do not expose the AdxDSrv.exe TCP port on any host running Sage X3 to the internet or other untrusted networks. As a further precaution, the adxadmin service should be stopped entirely while in production.
- For CVE-2020-7389, users should generally not expose this web application interface to the internet or other untrusted networks. Furthermore, users of Sage X3 should ensure that development functionality is not available in production environments. For more information on ensuring this, refer to the vendor's Best Practices documentation.
- Where network segmentation is impractical because of business-critical functions, only users trusted with system administration of the machines hosting Sage X3 should be granted login access to the web application.
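As an added example (not part of this article or of Rapid7's report), the PowerShell audit below checks a Sage X3 host against the first mitigation: whether the adxadmin service is running and whether AdxDSrv.exe is listening on a network-reachable address. It assumes the service is registered under the name adxadmin and the process image is AdxDSrv.exe, as named above; the listening port is discovered rather than assumed.

```powershell
# Added audit script (not from the Rapid7 report). Run in an elevated session.
# Assumption: the service name is 'adxadmin' and the process image is AdxDSrv.exe.
param(
    [switch]$Remediate   # stop and disable the service instead of only reporting
)

$findings = @()

# 1. Is the adxadmin service present, and is it running at all?
$svc = Get-Service -Name 'adxadmin' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'adxadmin service is not registered on this host.'
} else {
    $findings += "adxadmin service status: $($svc.Status), start type: $($svc.StartType)"
}

# 2. Is AdxDSrv.exe listening, and on which local address?
#    A listener bound to 0.0.0.0 / :: or to a non-loopback address is reachable
#    from the network, which is exactly what the mitigation says to avoid.
$procs = Get-Process -Name 'AdxDSrv' -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    $listeners = Get-NetTCPConnection -State Listen -OwningProcess $p.Id -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $loopback = ($l.LocalAddress -like '127.*') -or ($l.LocalAddress -eq '::1')
        $exposed  = -not $loopback
        $findings += "AdxDSrv.exe (PID $($p.Id)) listening on $($l.LocalAddress):$($l.LocalPort) networkExposed=$exposed"
    }
}
if (-not $procs) {
    $findings += 'AdxDSrv.exe is not running.'
}

$findings | ForEach-Object { Write-Output $_ }

# 3. Optional remediation, following the report's advice to keep the service
#    stopped in production: stop it now and prevent it from starting at boot.
if ($Remediate -and $svc) {
    Stop-Service -Name 'adxadmin' -Force
    Set-Service  -Name 'adxadmin' -StartupType Disabled
    Write-Output 'adxadmin stopped and set to Disabled; re-enable only for a maintenance window.'
}
```

Run without `-Remediate` first to review the findings; a host-based firewall rule restricting the reported port to trusted management networks is the complementary control when the service must stay up.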