CVE-2023-29927: Critical Vulnerability Disclosure: Sage 300

Versions of Sage 300 through 2022 implement role-based access controls that are only enforced client-side. Low-privileged Sage users, particularly those on a workstation setup in the “Windows Peer-to-Peer Network” or “Client Server Network” Sage 300 configurations, could recover the SQL connection strings being used by Sage 300 and interact directly with the underlying database(s) to create, update, and delete all company records, bypassing the program’s role-based access controls.


In 2022 Konrad Haase, a member of the Control Gap Offensive Security team, discovered a series of vulnerabilities in Sage 300, a well-established on-premises enterprise resource planning (ERP) solution, that could allow an attacker to bypass authentication and user-level access controls, decrypt sensitive data including stored passwords, and obtain direct database access to read/modify/delete all records. Over the past 10 months the Control Gap team has been working with Sage to develop a product update to address these issues, which Sage released on April 27, 2023. Users of the Sage 300 program are strongly encouraged to download and install this product update as soon as possible.

On June 1, 2023, Control Gap plans to release a full technical disclosure article that will detail the discovery and exploitation process for the six (6) vulnerabilities described below.

Disclosed Vulnerabilities

CVE-2023-29927: Versions of Sage 300 through 2022 implement role-based access controls that are only enforced client-side. Low-privileged Sage users, particularly those on a workstation setup in the “Windows Peer-to-Peer Network” or “Client Server Network” Sage 300 configurations, could recover the SQL connection strings being used by Sage 300 and interact directly with the underlying database(s) to create, update, and delete all company records, bypassing the program’s role-based access controls.

CVE-2022-38583: On versions of Sage 300 through 2022 that are set up in a “Windows Peer-to-Peer Network” or “Client Server Network” configuration, a low-privileged Sage 300 workstation user could leverage their access to the “SharedData” folder on the Sage 300 server to read and modify files containing encrypted Sage 300 user credentials, encrypted database connection strings, and application security settings. This can lead to privilege escalation within the Sage 300 platform.

CVE-2022-41397: The optional Web Screens and Global Search features for Sage 300 through version 2022 use a hard-coded 40-byte blowfish key (“LandlordPassKey”) to encrypt and decrypt secrets stored in configuration files and in database tables.

CVE-2022-41398: The optional Global Search feature for Sage 300 through version 2022 uses a set of hard-coded credentials for the accompanying Apache Solr instance. This issue could allow attackers to log in to the Solr dashboard with admin privileges and access sensitive information.

CVE-2022-41399: The optional Web Screens feature for Sage 300 through version 2022 uses a hard-coded 40-byte blowfish key (“PASS_KEY”) to encrypt and decrypt the database connection string for the PORTAL database found in the “dbconfig.xml” file. This issue could allow attackers to obtain access to the SQL database.

CVE-2022-41400: Sage 300 through 2022 uses a hard-coded 40-byte blowfish key to encrypt and decrypt user passwords and SQL connection strings stored in ISAM database files in the shared data directory. This issue could allow attackers to decrypt user passwords and SQL connection strings.

Impact

The exploitation of the vulnerabilities described above could allow an attacker to gain unrestricted access to all Sage 300 data. This access could be leveraged to perform the following attacks:

  1. Read and/or exfiltrate all ERP data, which may include sensitive financial and inventory information. This information could then be published to cause reputational damage to the company or leveraged to conduct further attacks against the organization.
  2. Modify ERP data, which could allow attackers to commit fraud. For example, an attacker could modify payment information to reroute money transfers or inventory deliveries.
  3. Delete the ERP data or hold ERP data for ransom to cause a business disruption.

Pictured below is the output of a tool developed by Control Gap to automatically exploit the disclosed issues. It shows the results after targeting the “WINDEV2204EVAL” system (a test system in a Control Gap lab environment) running Sage 300 2021 with both Web Screens and Global Search installed:

As depicted in the output above, these vulnerabilities could be exploited by an unauthenticated attacker to recover plaintext Sage 300 user passwords (including password history) and SQL login IDs that would allow that attacker to access all ERP data.

A full technical disclosure article will be published by Control Gap on June 1, 2023, that will explore how to exploit the disclosed vulnerabilities to produce the results outlined above. It is strongly recommended to apply the security update released by Sage prior to June 1, 2023.

Mitigation

At the time of publication, the newly released Sage 300 2023.2 product update addresses most of the disclosed issues and contains completely overhauled installation and administration instructions to mitigate the lone unpatched vulnerability (CVE-2023-29927).

Please refer to the official Sage Knowledge Base article for updated security hardening guidance.
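Because CVE-2023-29927 is mitigated by configuration hardening rather than a code fix, and because CVE-2022-38583 hinges on what workstation users can do inside the “SharedData” folder, an administrator will want a repeatable check of who can write to that folder. The script below is an added example written for this page, not a tool from Sage or Control Gap, and it does not reproduce any of the disclosed attack steps. It assumes a placeholder path (`\\SAGE-SERVER\SharedData`) and a site-specific list of principals that are expected to hold write access; adjust both to the installation being audited.

```powershell
# Added example (not Sage's or Control Gap's code): list ACL entries on the
# Sage 300 shared data folder that grant non-administrative principals the
# ability to write, delete, change permissions or take ownership.
param(
    # Placeholder path; point this at the real SharedData location.
    [string]$SharedDataPath = '\\SAGE-SERVER\SharedData'
)

# Principals expected to hold write access (assumption: customise per site).
$trustedPrincipals = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM'
)

# Rights that let a principal alter files or rewrite the ACL itself.
$riskyRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-RiskyAce {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries matter; Deny entries restrict rather than grant.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trustedPrincipals -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $riskyRights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Audit the root and every subfolder; broad groups such as Everyone, Users or
# Authenticated Users appearing in the output are the findings to act on.
$targets = @($SharedDataPath) +
           (Get-ChildItem -Path $SharedDataPath -Directory -Recurse |
            Select-Object -ExpandProperty FullName)

$findings = foreach ($target in $targets) { Get-RiskyAce -Path $target }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No non-administrative write access found under $SharedDataPath"
}
```

Run it from an account that can read the folder ACLs (for a UNC path, that means an account with at least read access to the share). The script deliberately reports only write-class rights: in the “Windows Peer-to-Peer Network” and “Client Server Network” configurations workstation users legitimately need to read the shared folder, so the question an administrator can act on is which principals can modify its contents, and the answer should be compared against Sage's updated hardening guidance for the 2023.2 release.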

Related news

CVE-2022-38583

On versions of Sage 300 2017 - 2022 (6.4.x - 6.9.x) which are set up in a "Windows Peer-to-Peer Network" or "Client Server Network" configuration, a low-privileged Sage 300 workstation user could abuse their access to the "SharedData" folder on the connected Sage 300 server to view and/or modify the credentials associated with Sage 300 users and SQL accounts to impersonate users and/or access the SQL database as a system administrator. With system administrator-level access to the Sage 300 MS SQL database it would be possible to create, update, and delete all records associated with the program and, depending on the configuration, execute code on the underlying database server.
