
Four vulnerabilities found in Sage X3 ERP software could allow threat actors to run commands at will

published on 2021-07-09 21:30:57 UTC by Steve Zurier
A view of the entrance into the Rapid7 offices. The research firm found vulnerabilities in Sage X3's ERP software, which were patched in recent releases. (Rapid7)

Researchers reported earlier this week that they had identified four vulnerabilities in Sage X3, an enterprise resource planning (ERP) product used for supply chain management, that, if left unpatched, could have allowed threat actors to take over the system and run commands.

In a blog post, Rapid7 researchers said the vulnerabilities were fixed according to Rapid7’s vulnerability disclosure process and were patched in recent releases of Sage X3 Version 9.

Companies rely on Sage X3 as an ERP system that’s primarily used for supply chain management in medium to large companies. The product has become quite popular in the UK and other European markets.

Security researchers found the case concerning because the vulnerability discovered by Rapid7 is tied to an authentication bypass, which is serious in any context; the fact that the application can execute commands by design makes it a truly serious vulnerability for those with the software installed, said AJ King, CISO at BreachQuest.

King explained that because the software can execute commands by design, any authentication bypass immediately offers the unauthenticated threat actor the ability to run commands.

“In a typical authentication bypass, the threat actor would not automatically gain the ability to execute programs,” King said. “The Rapid7 researchers also discovered that the application communicates using a custom encryption protocol. This is such a departure from best practices that security professionals are often heard saying ‘friends don’t let friends roll their own crypto.’ This sort of behavior has no place in enterprise software.”
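The point King makes is worth seeing in code: when a service's privileged action is "execute whatever the client sends", an authentication bypass is not a foothold, it is the whole compromise. The following is an added example, not Sage code and not Rapid7's research; the request format, the secret, the bypass (a credential check that is skipped when the client omits the `auth` field) and the `hardened_handle` design are all constructed for the demo and do not describe the actual Sage X3 protocol or the reported bugs.

```python
"""Added illustration: an authentication bypass in a service that runs
commands by design is unauthenticated command execution, and the
hardened shape that limits the damage even if the check is bypassed.

Everything here (handlers, request fields, secret, bypass) is constructed
for the demo and is not the Sage X3 protocol or its reported flaws.
"""
import hmac
import subprocess

ADMIN_SECRET = "s3cret-demo"  # constructed sample credential, not a real one


def vulnerable_handle(request: dict) -> str:
    """Admin RPC handler with two flaws that compound each other.

    1. The credential check only runs when the client sends an 'auth'
       field, so omitting it bypasses authentication (hypothetical bypass,
       constructed for this demo).
    2. The privileged action is "run the string the client sent through a
       shell", so any bypass is immediately command execution.
    """
    if "auth" in request and not hmac.compare_digest(request["auth"], ADMIN_SECRET):
        raise PermissionError("bad credentials")
    proc = subprocess.run(request["cmd"], shell=True, capture_output=True, text=True)
    return proc.stdout


# Hardened shape: a closed set of named actions mapped to fixed argv lists,
# so client input is never interpreted as a command.
ALLOWED_ACTIONS = {
    "version": ["echo", "demo-erp 1.0"],
    "ping": ["echo", "pong"],
}


def hardened_handle(request: dict) -> str:
    """Fail-closed authentication and no arbitrary command surface.

    Even if this check were bypassed, the worst an attacker could do is
    trigger one of the fixed, pre-approved actions.
    """
    supplied = request.get("auth", "")          # missing field fails closed
    if not hmac.compare_digest(supplied, ADMIN_SECRET):
        raise PermissionError("bad credentials")
    action = request.get("action")
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    # shell=False with a fixed argv list: nothing from the client reaches a shell
    proc = subprocess.run(ALLOWED_ACTIONS[action], shell=False,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def outcome(handler, request: dict) -> str:
    """Run a handler and report either its stripped output or the exception name."""
    try:
        return handler(request).strip()
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # Unauthenticated request: the vulnerable handler runs the command anyway
    print(outcome(vulnerable_handle, {"cmd": "echo pwned"}))                          # pwned
    # Same idea against the hardened handler: rejected before any action runs
    print(outcome(hardened_handle, {"action": "version"}))                            # PermissionError
    # Authenticated but off-list action: rejected, and no shell is involved
    print(outcome(hardened_handle, {"auth": ADMIN_SECRET, "action": "version; id"}))  # ValueError
    # Authenticated, allowed action
    print(outcome(hardened_handle, {"auth": ADMIN_SECRET, "action": "version"}))      # demo-erp 1.0
```

The contrast to take away is in the second handler: the fix is not only a correct credential check but removing the "run arbitrary input" capability, so that a future bypass degrades to calling a handful of fixed actions rather than to full command execution.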

The post Four vulnerabilities found in Sage X3 ERP software could allow threat actors to run commands at will appeared first on SC Media.

https://www.scmagazine.com/home/security-news/vulnerabilities/four-vulnerabilities-found-in-sage-x3-erp-software-could-allow-threat-actors-to-run-commands-at-will/   
Published: 2021 07 09 21:30:57
Received: 2021 07 09 22:00:39
Feed: SC Magazine
Source: SC Media
Category: News
Topic: Cyber Security