Rapid7 researchers found four security vulnerabilities involving in the Sage X3 Enterprise Resource Planning (ERP) platform. The first two are protocol-related issues involving remote administration of Sage X3, and the latter two are web application vulnerabilities.
Sage X3 is an Enterprise Resource Planning (ERP) application used for supply chain management in medium to large enterprises. The product is particularly popular in British and other European markets.
It provides flexible configuration options and applications to support the industry-specific processes and can be operated in the Cloud – managed by Sage – or in the company data center, giving total control over IT strategy.
CVE-2020-7388: Sage X3 Unauthenticated Remote Command Execution (RCE)
The experts say this exposes an administrative service on port TCP/1818 under the process “AdxDSrv.exe,” part of the AdxAdmin component.
This vulnerability within the service allows a malicious actor to craft a request to the exposed service to execute commands on the server as the “NT AUTHORITY/SYSTEM” user.
In this case, an attacker can simply swap one byte and cause the service to ignore provided user credentials, and instead execute under the current AdxDSrv.exe process security context, which runs as NT AUTHORITY\SYSTEM.
The issue was fixed in AdxAdmin version 93.2.53, which is common to X3 V9, V11, and V12, and ships with Syracuse 18.104.22.168, 22.214.171.124, and 126.96.36.199, respectively.
CVE-2020-7387: Sage X3 Installation Pathname Disclosure
Researchers observed sending the first byte as “0x09” rather than “0x6a”, with three trailing null bytes, returned the installation directory without requiring any authentication.
Therefore the report says an attacker can primary study the installation path of the affected software, then use that information to pass commands to the host system to be run in the SYSTEM context. This allows an attacker to run arbitrary operating system commands to create Administrator-level users, install malicious software, and otherwise take complete control of the system for any purpose.
CVE-2020-7389: System CHAINE Variable Script Command Injection
In this case, some web application scripts allowed the use of the ‘System’ function could be paired with the ‘CHAINE’ variable to execute arbitrary commands, including those sourced from a remote SMB share.
CVE-2020-7390: Stored XSS Vulnerability on ‘Edit’ Page of User Profile
The ‘First name’, ‘Last name’, and ‘Email’ fields within the ‘Edit User’ page are vulnerable to a stored XSS sequence. If successful, this vulnerability could allow a regular user of Sage X3 to execute privileged functions as a currently logged-in administrator or capture administrator session cookies for later impersonation as a currently logged-in administrator.
The recent on-premises versions of Sage X3 Version 9, Version 11, and Version 12 address these issues, and users of Sage X3 are urged to update their Sage infrastructure at their earliest convenience.