Rapid7 has released details of four vulnerabilities in Sage X3. One of them, CVE-2020-7388, is rated at 10.0 (critical). Sage says that it has developed and released patches for three of these issues, and they have been available since March. With many Sage X3 customers running on-premises, the challenge is getting those customers to patch quickly. For the cloud-based implementation, Sage is applying the patch to protect all customers.
In its write-up, Rapid7 says that it identified the vulnerabilities in December 2020. Details were passed to Sage in February, and Sage released updates in March. In May, Sage started to talk to customers who had not applied the patches. Details of the four vulnerabilities, CVE-2020-7387, 7388, 7389 and 7390, are now public. The description of each vulnerability is in the table from Rapid7 below.
| CVE Identifier | CWE Identifier | CVSS score (Severity) | Remediation |
|---|---|---|---|
| CVE-2020-7388 | CWE-290: Unauthenticated Command Execution Bypass by Spoofing in AdxAdmin | 10.0 (Critical) | Update available |
| CVE-2020-7387 | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in AdxAdmin | 5.3 (Medium) | Update available |
| CVE-2020-7389 | CWE-306: Missing Authentication for Critical Function in Developer Environment in Syracuse | 5.5 (Medium) | No fix planned, as this is a development function and not a production function. |
| CVE-2020-7390 | CWE-79: Persistent Cross-Site Scripting (XSS) in Syracuse | 4.6 (Medium) | Update available (note, this affects V12 only, unlike the other issues, which affect V9 and V11 as well) |
What detail has Rapid7 provided?
As can be seen above, only one vulnerability is rated critical, CVE-2020-7388. The risk here is that it allows the client to opt out of authentication. More importantly, commands are then executed as SYSTEM, not as an impersonated user account.
Rapid7 points out that this should not be a risk for many organisations, as they are not exposing X3 to the Internet. Those that do will do so using a VPN service. Rapid7 is probably right, but much will depend on the security stance of the organisation running it.
There is, however, a much greater risk. An attacker who has already gained access to the organisation will be able to use this vulnerability and attack from the inside. This is not as far-fetched as it may seem. Advanced attackers are getting smarter. They are no longer using smash-and-grab tactics. Instead, they gain access to an organisation, move laterally and carry out reconnaissance on their target. It means that this attack is very much in play as a serious issue.
The other three vulnerabilities are of less import, but they still pose a serious risk from an attacker inside the enterprise.
What does Sage say?
Enterprise Times sent some questions off to Sage to get a little more detail on these vulnerabilities. Rob Sinfield, VP Product, Sage, replied.
How will Sage ensure customers apply the patch? Will it send customers a notification when they log on to the product to make them update?
“We have made best efforts to contact relevant Sage X3 on-premises customers (direct, or via our VAR partners) and advised them of this potential vulnerability and the advised fix, as well as proactively provided the patch through all customer facing support channels. Customers also receive quarterly releases that include all relevant security updates as identified in our own software or in a 3rd party component. In addition to the fix we have provided customers with our current security best practices recommendations.”
Those partners selling X3 have their own consulting and security teams. ET asked how Sage will make sure all the channel partners update their copies and any copies their customers use.
“We have been working with our VAR partners throughout the process of building and providing our shared customers with the appropriate patches, and are confident that they have updated their copies of the software to include this fix. In addition, the information regarding this fix has been posted to our user forums and communities as well as to our certified Value-added resellers (VARs), developer community, and to our ISV partners.”
It means that there are eyes on customers throughout the X3 ecosystem. The challenge, of course, will be ensuring that customers act quickly and that the risk is properly understood.
For those customers using cloud-based Sage X3, the understanding is that Sage is patching the platform.
What else is Sage doing?
There is a wider issue here that the whole industry faces. How do we reduce the number of vulnerabilities, and how do we quickly detect those that do occur?
Sinfield commented: “Sage regularly tests the security of our software and our environments, applying security updates regularly in line with industry best practices.
- For customers hosted in a cloud environment – Sage carry out at least annual security penetration testing and run security bug bounties against our own public cloud environments to ensure that security vulnerabilities are identified and resolved before applying quarterly updates.
- In light of this issue, we are reviewing the security and testing practices around our on-premise desktop products to ensure we are able to identify vulnerabilities applicable in certain scenarios, e.g. where customers choose not to apply Sage environment hardening guidelines.
Additionally, we publish comprehensive documentation outlining the recommended data security best practices that customers and partners should implement when deploying Sage X3.”
The mention of the bug bounty here is interesting. Sage runs no public bug bounty program. Instead, it has a page on HackerOne telling people how to submit vulnerabilities. On that page, it states: “We are grateful to those who take the time and effort to report security vulnerabilities according to this policy. However, we do not offer monetary rewards for vulnerability disclosures.”
Given the nature of these vulnerabilities, perhaps it is time for a change of approach.
Enterprise Times: What does this mean?
Rapid7 and Sage have acted quickly to deal with these four vulnerabilities. The process of responsible disclosure has not only worked, it has given Sage time to develop and deploy patches. It has also allowed Sage to spend time talking to customers and partners to ensure a high patch compliance level. However, it does also bring a few issues into focus.
The first is that it took two months from detection by Rapid7 to notification of Sage. That seems an inordinately long time, especially since one of these was severity 10 (critical). Whether this was down to the way Sage takes note of reports (see the comment on the HackerOne site) or to delays in communication between the two companies is unclear. Whatever the cause, Sage needs a more streamlined process for critical vulnerabilities.
The second issue here is that companies should not get sidetracked by the comment from Rapid7 about external access. Doing so means they are not paying enough attention to the damage that an attack inside the network can cause. It is a wake-up call that all organisations need to think about.