08 July 21, 16:07
Quote:Four vulnerabilities afflict the popular Sage X3 enterprise resource planning (ERP) platform, researchers found – including one critical bug that rates 10 out of 10 on the CVSS vulnerability-severity scale. Two of the bugs could be chained together to allow complete system takeovers, with potential supply-chain ramifications, they said.
Sage X3 is targeted at mid-sized companies – particularly manufacturers and distributors – that are looking for all-in-one ERP functionality. The system manages sales, finance, inventory, purchasing, customer-relationship management and manufacturing in one integrated ERP software solution.
Rapid7 researchers Jonathan Peterson, Aaron Herndon, Cale Black, Ryan Villarreal and William Vu, who discovered the issues (CVE-2020-7387 through -7390), said that the most severe of the flaws exist in the remote administrator function of the platform. As such, they said that there could be supply-chain ramifications to a successful attack (a la Kaseya) if the platform is being used by managed service providers to deliver functionality to other businesses.
“When combining CVE-2020-7387 and CVE-2020-7388, an attacker can first learn the installation path of the affected software, then use that information to pass commands to the host system to be run in the SYSTEM context,” the researchers said in a Wednesday posting. “This can allow an attacker to run arbitrary operating system commands to create Administrator level users, install malicious software and otherwise take complete control of the system for any purpose.”
Read more: Critical Sage X3 RCE Bug Allows Full System Takeovers | Threatpost