Sage X3 RCE Bugs - CVE-2020-7387 to 7390

-

Security researchers recently uncovered four nasty bugs in the Sage X3 enterprise resource planning (ERP) platform. The platform is targeted at mid-sized companies, specifically in the manufacturing and distributor space, who are looking for an all-encompassing ERP platform. The platform manages multiple critical sectors of business like sales, inventory, finance, purchasing and other customer related functionalities.

Researchers at Rapid7, including Jonathan Peterson, Aaron Herndon, Cale Black, Ryan Villarreal, and William Vu, discovered the bugs (CVE-2020-7387 through -7390) and said that the most severe of the flaws exist in the remote administrator function of the ERP. The team came to the conclusion that there could be supply-chain ramifications as a result of threat actors leveraging these bugs; much like what was seen with the SUNBURST/Solarwinds attack or initial reports of the Kaseya attacks.

The Vulnerabilities

From top to bottom, the first two vulnerabilities in the table below are protocol related flaws involving remote admin of Sage X3. The latter two vulnerabilities are web application bugs. Per Rapid7's researchers that discovered these bugs, "... Sage X3 installations should not be exposed directly to the internet, and should instead be made available via a secure VPN connection where required". By following the advice provided by the team, organizations should be able to effectively mitigate all of the vulnerabilities detailed below (provided by Rapid7):


CVE IdentifierCWE IdentifierCVSS score (Severity)Remediation
CVE-2020-7388CWE-290: Unauthenticated Command Execution Bypass by Spoofing in AdxAdmin10.0 (Critical)Update available
CVE-2020-7387CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in AdxAdmin5.3 (Medium)Update available
CVE-2020-7389CWE-306 Missing Authentication for Critical Function in Developer Environment in Syracuse5.5 (Medium)No fix planned, as this is a development function and not a production function.
CVE-2020-7390CWE-79: Persistent Cross-Site Scripting (XSS) in Syracuse4.6 (Medium)Update available (note, this affects V12 only, unlike the other issues which affects V9 and V11 as well)


For accurate information on how these exploits function and their impact, please visit Rapid7's blog post regarding the findings here.

Sage's response:

"Sage takes the security of its customer solutions extremely seriously, and regularly undertakes proactive testing across its products to identify potential vulnerabilities and provide fixes. We are grateful to Rapid7, who recently made Sage aware of a vulnerability in our on-premise Sage X3 product. Sage and its Partners have issued a fix for the vulnerability, contacted all applicable customers and advised them on the onward process – more information can be found here – with information on Sage X3 security best practices here."


Relevant Articles

https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/

https://threatpost.com/critical-sage-x3-rce-bug-allows-full-system-takeovers/167612/

https://www.sagecity.com/support_communities/sage_erp_x3/f/sage-x3-announcements-news-and-alerts/169216/sage-x3-product-fix-for-security-vulnerability-has-been-posted-to-kb-110640

Comments

Post a Comment

Popular posts from this blog

-
Image
ESET's APT Activity Report Q4 2023-Q1 2024 summarizes observations of various advanced persistent threat (APT) groups documented by ESET researchers between October 2023 and March 2024. Their observations highlight the broader threat landscape investigated during this period of time and details trends, developments and tooling used by these threat actors. The public report proclaims to contain a fraction of what private ESET customers receive. China Chinese-aligned cyber espionage groups have traditionally targeted public facing applications for obtaining initial access on a target network. In many campaigns investigated by ESET and others, the groups leveraged one-day vulnerabilities against a range of appliances and software including VPNs, firewalls, Confluence, Exchange, and others. See ESETs report linked below for their detailed analysis on Chinese threat activity.  Middle East According to ESET's research, a potentially Iranian-aligned threat group BladedFeline continued...
Read more

Russian GRU Unit 29155 recent operations

-
Image
Background Russian GRU military intelligence Unit 29155 (aka Cadet Blizzard, Ember Bear, FrozenVista, UNC2589) is a covert subunit of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), primarily tasked with conducting high-stakes and clandestine operations abroad. Established under the GRU, Unit 29155 gained public attention due to its involvement in activities that align with Russia's asymmetric warfare objectives, particularly in Europe, Ukraine, and NATO-affiliated regions. Unit 29155 operates in several domains, from traditional espionage and sabotage to cyber operations. Figure 1 WANTED: GRU Unit 29155 [1] Unit 29155 has significantly intensified operations since 2020, pivoting from covert actions in Europe toward a greater emphasis on cyber operations with a focus on undermining Ukraine and NATO allies through espionage, data manipulation, and sabotage. Primary TTPs Espionage and Data Theft Unit 29155 conducts extensive espionage ca...
Read more
-
Image
Microsoft recently released their findings after a lengthy investigation into activity conducted by the Russian state-sponsored APT28 group using a unique tool for privilege escalation and credential harvesting on victim networks. Microsoft refers to the custom tool as GooseEgg and claim that the group has been observed leveraging this tool since at least June 2020. GooseEgg The custom toolset leverages CVE-2023-38208 in the Windows Print Spooler service which changes a JavaScript constraints file and executes it with SYSTEM permissions. Based on their findings, Microsoft believes GooseEgg is deployed after initial access to elevate access to targeted systems with the end goal of harvesting credentials and data. Unsurprisingly, targeting includes Ukrainian, Western European and North American entities across several sectors including government, non-government, education and transportation. After initial access of victim device, researchers observed APT28 deploying GooseEgg to escalate...
Read more