A view of the entrance into the Rapid7 offices. The research firm found vulnerabilities in Sage X’s ERP software, which was patched in recent releases. (Rapid7)
Researchers reported earlier this week that they had identified four vulnerabilities in Sage X3’s enterprise, resource and planning (ERP) supply chain software that if left unpatched, could have allowed threat actors to take over the system and run commands.
In a blog post, Rapid7 researchers said the vulnerabilities were fixed according to Rapid7’s vulnerability disclosure process and were patched in recent releases of Sage X3 Version 9.
Companies rely on Sage X3 as an ERP system that’s primarily used for supply chain management in medium to large companies. The product has become quite popular in the UK and other European markets.
Security researchers found the case concerning because the vulnerability discovered by Rapid7 is tied to an authentication bypass that’s serious in any context, but the fact that the application can execute commands by design makes it a truly serious vulnerability for those with the software installed, said AJ King, CISO at BreachQuest.
King explained that because the software can execute commands by design, any authentication bypass immediately offers the unauthenticated threat actor the ability to run commands.
“In a typical authentication bypass, the threat actor would not automatically gain the ability to execute programs,” King said. “The Rapid7 researchers also discovered that the application communicates using a custom encryption protocol. This is such a departure from best practices that security professionals are often heard saying ‘friends don’t let friends roll their own crypto.’ This sort of behavior has no place in enterprise software.”