Security vulnerabilities in the ERP platform could allow attackers to tamper with or sabotage victims’ business-critical processes & to intercept data.
4 vulnerabilities afflict the popular Sage X3 enterprise resource planning (ERP) platform, researchers found – including 1 critical bug that rates 10 out of 10 on the CVSS vulnerability-severity scale. 2 of the bugs could be linked together to allow complete system takeovers, with potential supply-chain effects, they explained.
Sage X3 is targeted at mid-sized companies – particularly manufacturers & distributors – that are looking for all-in-one ERP functionality. The system manages sales, finance, inventory, purchasing, customer-relationship management & manufacturing in one integrated ERP software solution.
Rapid7 researchers Jonathan Peterson, Aaron Herndon, Cale Black, Ryan Villarreal & William Vu, who discovered the issues (CVE-2020-7387 through -7390), stated that the most severe of the flaws exist in the remote administrator function of the platform.
As such, they warned that there could be supply-chain ramifications to a successful attack (a la Kaseya) if the platform is being used by managed service providers to deliver functionality to other businesses.
“When combining CVE-2020-7387 & CVE-2020-7388, an attacker can 1st learn the installation path of the affected software, then use that information to pass commands to the host system to be run in the SYSTEM context,” the researchers said in a Wed. posting. “This can allow an attacker to run arbitrary operating system commands to create Administrator level users, install malicious software and otherwise take complete control of the system for any purpose.”
Critical Authentication-Bypass Security Vulnerability
The critical bug (CVE-2020-7388) allows unauthenticated remote command execution (RCE) with elevated privileges in the AdxDSrv.exe component, according to Rapid7. AdxAdmin is a function that is responsible for the remote administration of Sage X3 through the main console, researchers said & an exploit could allow an adversary to execute commands on the server as the high-privileged “NT AUTHORITY/SYSTEM” user.
The administrative service is exposed on port TCP/1818 by default, under the process “AdxDSrv.exe.” The issue lies in the custom protocol that Sage X3 uses for interaction between the Sage X3 Console & AdxDSrv.exe, according to Rapid7.
Request to Authenticate
The Sage X3 Console crafts a request to authenticate using a byte sequence that includes a password that has been encrypted using a custom mechanism. In response, the AdxDSrv.exe sends 4 bytes, indicating that authentication was successful.
“These bytes are always prefixed with \x00\x00 & then 2 apparently random bytes, like so: ‘\x00\x00\x08\x14,’” researchers outlined.
After receiving a response that the authentication was successful, it is then possible to execute remote commands, according to the advisory.
Temporary Batch File
“1st, the temporary directory is specified by the client with the name of the cmd file to be written to the server,” researchers explained.
“The batch file, with the provided cmd file name, is written to disk with the ‘whoami’ command in it. After the AdxDSrv.exe service writes the temporary batch file to the named folder, it will execute it under the security context of the provided user credentials, via a Windows API call to CreateProcessAsUserAs.”
To exploit the issue & bypass the authentication process, a malicious player could craft a special request to the exposed service. The cyber-attacker would need to sidestep 2 components involved in sending a command to execute, researchers observed.
1st, the attackers must know the installation directory of the AdxAdmin service, so that they can specify the full path location to which to write the cmd file to be executed.
“Obtaining the installation’s directory can be done either with prior knowledge, educated guesswork, or via an unauthenticated, remote information disclosure vulnerability (CVE-2020-7387),” researchers said. “Installation path names tend to be fairly predictable when it comes to most enterprise software—nearly all users install to a default directory on 1 of a handful of drive letters.”
Secondly, the attackers must defeat the authorisation sequence that includes the encrypted password. This can be done using a series of packets that spoof the AdxDSrv.exe authentication & command protocol, but with 1 critical modification.
“An attacker can simply swap 1 byte & cause the service to ignore provided user credentials, & instead execute under the current AdxDSrv.exe process security context, which runs as NT AUTHORITY\SYSTEM,” researchers explained
“A bit of fuzzing revealed that using ‘0x06’ instead of ‘0x6a’ during the start of the authorisation sequence allows the client to opt out of authentication entirely. In this mode, the requested command is executed as SYSTEM instead of impersonating a provided user account.”
The issue affects V9, V11 & V12 versions of the platform.
Medium-Severity Bugs in Sage X3
The other 3 issues are rated medium in severity:
- CVE-2020-7387: Exposure of Sensitive Information to an Unauthorised Actor in AdxAdmin (CVSS rating 5.3, affects V9, V11 & V12 versions)
- CVE-2020-7389: Missing Authentication for Critical Function in Developer Environment in Syracuse (CVSS rating of 5.5, affects V9, V11 & V12 versions)
- CVE-2020-7390: Persistent Cross-Site Scripting (XSS) in Syracuse (CVSS rating of 4.6, affects V12 only). This issue was previously reported to the vendor by Vivek Srivastav from Cobalt Labs in Jan., according to Rapid7.
As mentioned, the bug tracked as CVE-2020-7387 allows attackers to uncover the pathname for the needed installation directory, for use in exploiting the critical RCE flaw.
Authentication & Command Protocol
“While fuzzing the authentication & command protocol used by AdxAdmin.exe as described in CVE-2020-7388, it was discovered that sending the 1st byte as ‘0x09’ rather than ‘0x6a,’ with 3 trailing null bytes, returned the installation directory without requiring any authentication,” researchers explained.
Meanwhile, CVE-2020-7389 is a system CHAINE variable script command-injection bug – but Sage stated that it would not be fixing the issue since the functionality where the bug lives should only be available in development environments, not in production environments.
“Some web application scripts that allowed the use of the ‘System’ function could be paired with the ‘CHAINE’ variable in order to execute arbitrary commands, including those sourced from a remote SMB share,” according to the analysis. “The page can be reached via the menu prompts Development -> Script dictionary -> Scripts.”
Stored XSS Bug
Finally, the CVE-2020-7390 vulnerability is a stored XSS bug. Stored XSS, also known as persistent XSS, occurs when a malicious script is injected directly into a vulnerable web application. Unlike reflected XSS, a stored attack only requires that a victim visit a compromised web page.
In this case, the issue exists on the “Edit” page for user profiles, with the fields for 1st name, last name & email fields vulnerable to a stored XSS sequence, researchers explained.
A successful exploit could allow a regular user of Sage X3 to execute privileged functions as a currently logged-in administrator or to capture administrator session cookies for later impersonation as a currently logged-in administrator, according to Rapid7.
“The bug can only be triggered by an authenticated user & requires user interaction [convincing the authenticated person to visit the correct webpage] in order to complete the attack,” researchers explained.
Patching Information for Vulnerabilities
The 3 eligible vulnerabilities were fixed in recent releases for Sage X3 Version 9 (those components that ship with Syracuse 22.214.171.124), Sage X3 HR & Payroll Version 9 (those components that ship with Syracuse 126.96.36.199), Sage X3 Version 11 (Syracuse v188.8.131.52), & Sage X3 Version 12 (Syracuse v184.108.40.206). Note: There was no commercially available Version 10 of Sage X3.
If updates cannot be applied immediately, customers have other options for remediation, according to Rapid7:
- For CVE-2020-7388 & CVE-2020-7387, do not expose the AdxDSrv.exe TCP port on any host running Sage X3 to the internet or other untrusted networks. As a further preventative measure, the AdxAdmin service should be stopped entirely while in production.
- For CVE-2020-7389 users should not expose this webapp interface to the internet or other untrusted networks. Furthermore, users of Sage X3 should ensure that development functionality is not available in production environments. For more information on ensuring this, please refer to the vendor’s best practices documentation.
- In the event that network segmentation is inconvenient due to business-critical functions, only users trusted with system administration of the machines that host Sage X3 should be granted login access to the web application.
Secure VPN Connection
“Generally speaking, Sage X3 installations should not be exposed directly to the internet & should instead be made available via a secure VPN connection where required,” according to the analysis.
“Following this operational advice effectively mitigates all 4 vulnerabilities, though customers are still urged to update according to their usual patch cycle schedules.”