CVE-2020-7388

Sage X3 AdxAdmin Unauthenticated Command Execution Bypass by Spoofing

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Sage X3 Unauthenticated Remote Command Execution (RCE) as SYSTEM in AdxDSrv.exe component. By editing the client side authentication request, an attacker can bypass credential validation. While exploiting this does require knowledge of the installation path, that information can be learned by exploiting CVE-2020-7387. This issue was fixed in AdxAdmin 93.2.53, which ships with updates for on-premises versions of Sage X3 including Version 9 (components shipped with Syracuse 9.22.7.2 and later), Sage X3 HR & Payroll Version 9 (those components that ship with Syracuse 9.24.1.3), Version 11 (components shipped with Syracuse 11.25.2.6 and later), and Version 12 (components shipped with Syracuse 12.10.2.8 and later) of Sage X3. Other on-premises versions of Sage X3 are unsupported by the vendor.

Una Ejecución de Comandos Remotos no Autenticados (RCE) de Sage X3 como SYSTEM en el componente AdxDSrv.exe. Al editar la petición de autenticación del lado del cliente, un atacante puede omitir la comprobación de credenciales. Mientras que la explotación de este problema requiere el conocimiento de la ruta de instalación, esa información puede ser aprendida al explotar CVE-2020-7387. Este problema fue corregido en AdxAdmin versión 93.2.53, que se envía con actualizaciones para las versiones locales de Sage X3, incluyendo la Versión 9 (componentes enviados con Syracuse versiones 9.22.7.2 y posteriores), Sage X3 HR & Payroll Versión 9 (aquellos componentes que se envían con Syracuse versiones 9.24.1.3), Versión 11 (componentes enviados con Syracuse versiones 11.25.2.6 y posteriores) y Versión 12 (componentes enviados con Syracuse versiones 12.10.2.8 y posteriores) de Sage X3. Otras versiones locales de Sage X3 no son compatibles por el proveedor

*Credits: Jonathan Peterson, Aaron Herndon, Cale Black, Ryan Villarrea, and William Vu, all of Rapid7

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-01-21 CVE Reserved
2021-07-21 CVE Published
2021-08-09 First Exploit
2024-09-16 CVE Updated
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-290: Authentication Bypass by Spoofing

CAPEC

References (4)

URL	Tag	Source
https://rapid7.com/blog/post/2021/07/07/sage-x3-multiple-vulnerabilities-fixed	Broken Link

URL	Date	SRC
https://github.com/ac3lives/sagex3-cve-2020-7388-poc	2023-03-16
https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities	2021-08-09

URL	Date	SRC
https://www.sagecity.com/gb/sage-x3-uk/f/sage-x3-uk-announcements-news-and-alerts/147993/sage-x3-latest-patches	2021-08-09

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sage Search vendor "Sage"	Adxadmin Search vendor "Sage" for product "Adxadmin"	< 93.2.53 Search vendor "Sage" for product "Adxadmin" and version " < 93.2.53"	-	Affected	in	Sage Search vendor "Sage"	X3 Search vendor "Sage" for product "X3"	9.0 Search vendor "Sage" for product "X3" and version "9.0"	-	Safe
Sage Search vendor "Sage"	Adxadmin Search vendor "Sage" for product "Adxadmin"	< 93.2.53 Search vendor "Sage" for product "Adxadmin" and version " < 93.2.53"	-	Affected	in	Sage Search vendor "Sage"	X3 Search vendor "Sage" for product "X3"	11.0 Search vendor "Sage" for product "X3" and version "11.0"	-	Safe
Sage Search vendor "Sage"	Adxadmin Search vendor "Sage" for product "Adxadmin"	< 93.2.53 Search vendor "Sage" for product "Adxadmin" and version " < 93.2.53"	-	Affected	in	Sage Search vendor "Sage"	X3 Search vendor "Sage" for product "X3"	12.0 Search vendor "Sage" for product "X3" and version "12.0"	-	Safe
Sage Search vendor "Sage"	Adxadmin Search vendor "Sage" for product "Adxadmin"	< 93.2.53 Search vendor "Sage" for product "Adxadmin" and version " < 93.2.53"	-	Affected	in	Sage Search vendor "Sage"	X3 Hr \& Payroll Search vendor "Sage" for product "X3 Hr \& Payroll"	9.0 Search vendor "Sage" for product "X3 Hr \& Payroll" and version "9.0"	-	Safe