Critical Sage X3 RCE Bug Allows Full System Takeovers
#1
Information 
Quote:Four vulnerabilities afflict the popular Sage X3 enterprise resource planning (ERP) platform, researchers found – including one critical bug that rates 10 out of 10 on the CVSS vulnerability-severity scale. Two of the bugs could be chained together to allow complete system takeovers, with potential supply-chain ramifications, they said.
 
Sage X3 is targeted at mid-sized companies – particularly manufacturers and distributors – that are looking for all-in-one ERP functionality. The system manages sales, finance, inventory, purchasing, customer-relationship management and manufacturing in one integrated ERP software solution.
 
Rapid7 researchers Jonathan Peterson, Aaron Herndon, Cale Black, Ryan Villarreal and William Vu, who discovered the issues (CVE-2020-7387 through -7390), said that the most severe of the flaws exist in the remote administrator function of the platform. As such, they said that there could be supply-chain ramifications to a successful attack (a la Kaseya) if the platform is being used by managed service providers to deliver functionality to other businesses.

“When combining CVE-2020-7387 and CVE-2020-7388, an attacker can first learn the installation path of the affected software, then use that information to pass commands to the host system to be run in the SYSTEM context,” the researchers said in a Wednesday posting. “This can allow an attacker to run arbitrary operating system commands to create Administrator level users, install malicious software and otherwise take complete control of the system for any purpose.”

Read more: Critical Sage X3 RCE Bug Allows Full System Takeovers | Threatpost
[-] The following 1 user says Thank You to silversurfer for this post:
  • harlan4096
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
You found a seed phrase from someone els...
Scammers have inve...harlan4096 — 09:58
Google files remedies proposal in DOJ's ...
The U.S. Departmen...harlan4096 — 09:48
PowerToys 0.87.1
PowerToys 0.87.1 ...harlan4096 — 09:46
GFYI [Official] EaseUS Christmas 2024 B...
Merry Christmas and ...zevish — 08:07
AirVPN Christmas Sale 2024!
AirVPN CHRISTMAS SAL...jasonX — 07:52

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
No upcoming birthdays.

[-]
Online Staff
harlan4096's profile harlan4096
Administrator

>