Four Critical Flaws Identified in Sage X3 ERP Software


Cybersecurity firm Rapid7 announced on Wednesday that it discovered four security flaws in the Sage X3 enterprise resource planning (ERP) supply chain software that, if left unpatched, could allow attackers to take over the system and run commands.

The first two are protocol-related issues involving remote administration of Sage X3, and the latter two are web application flaws. Rapid7 recommends that Sage X3 installations not be exposed directly to the internet, and instead be made available over a secure VPN connection where required. The company states that this effectively mitigates all four flaws, but users will still need to apply the fixes according to their regular patch cycle.

Rapid7 researchers Jonathan Peterson, Aaron Herndon, Cale Black, Ryan Villarreal, and William Vu, who identified the flaws (CVE-2020-7387 through CVE-2020-7390), said that the most critical vulnerabilities exist in the remote administration function of the platform. Sage X3 is an ERP system used primarily for supply chain management in medium to large companies, and the product has become quite popular in the UK and other European markets.

Cybersecurity experts found the case concerning. The flaws identified by Rapid7 are linked to an authentication bypass, which is critical in any context, but the fact that the application can execute commands by design makes it a truly serious vulnerability for those with the software installed, said AJ King, CISO at BreachQuest.

King explained that because the software can execute commands by design, any authentication bypass immediately offers the unauthenticated threat actor the ability to run commands.

“In a typical authentication bypass, the threat actor would not automatically gain the ability to execute programs. The Rapid7 researchers also discovered that the application communicates using a custom encryption protocol. This is such a departure from best practices that security professionals are often heard saying ‘friends don’t let friends roll their own crypto.’ This sort of behavior has no place in enterprise software,” King stated.

Following recent cyberattacks on the Colonial Pipeline and JBL, companies should be extra vigilant with their ERP software. Sage X3 is commonly used in supply chain management for medium and large organizations and can be a target for this particular type of attacker.