[in]security blog

Critical Vulnerability Disclosure: Sage 300

Written by Konrad Haase | Apr 27, 2023 3:08:45 PM

In 2022 Konrad Haase, a member of the Control Gap Offensive Security team, discovered a series of vulnerabilities in Sage 300, a well-established on-premises enterprise resource planning (ERP) solution, that could allow an attacker to bypass authentication and user-level access controls, decrypt sensitive data including stored passwords, and obtain direct database access to read/modify/delete all records. Over the past 10 months the Control Gap team has been working with Sage to develop a product update to address these issues, which Sage released on April 27, 2023. Users of the Sage 300 program are strongly encouraged to download and install this product update as soon as possible.

On June 27 we published a series of technical articles detailing the discovery and exploitation process for the six (6) vulnerabilities described below.

 

Disclosed Vulnerabilities

CVE-2023-29927: Versions of Sage 300 through 2022 implement role-based access controls that are only enforced client-side. Low-privileged Sage users, particularly those on a workstation setup in the "Windows Peer-to-Peer Network" or "Client Server Network" Sage 300 configurations, could recover the SQL connection strings being used by Sage 300 and interact directly with the underlying database(s) to create, update, and delete all company records, bypassing the program’s role-based access controls.

CVE-2022-38583: On versions of Sage 300 through 2022 that are setup in a "Windows Peer-to-Peer Network" or "Client Server Network" configuration, a low-privileged Sage 300 workstation user could leverage their access to the "SharedData" folder on the Sage 300 server to read and modify files containing encrypted Sage 300 user credentials, encrypted database connection strings, and application security settings. This can lead to privilege escalation within the Sage 300 platform.

CVE-2022-41397: The optional Web Screens and Global Search features for Sage 300 through version 2022 use a hard-coded 40-byte blowfish key ("LandlordPassKey") to encrypt and decrypt secrets stored in configuration files and in database tables.

CVE-2022-41398: The optional Global Search feature for Sage 300 through version 2022 uses a set of hard-coded credentials for the accompanying Apache Solr instance. This issue could allow attackers to login to the Solr dashboard with admin privileges and access sensitive information.

CVE-2022-41399: The optional Web Screens feature for Sage 300 through version 2022 uses a hard-coded 40-byte blowfish key ("PASS_KEY") to encrypt and decrypt the database connection string for the PORTAL database found in the "dbconfig.xml" file. This issue could allow attackers to obtain access to the SQL database.

CVE-2022-41400: Sage 300 through 2022 uses a hard-coded 40-byte blowfish key to encrypt and decrypt user passwords and SQL connection strings stored in ISAM database files in the shared data directory. This issue could allow attackers to decrypt user passwords and SQL connection strings.

 

Impact

The exploitation of the vulnerabilities described above could allow an attacker to gain unrestricted access to all Sage 300 data. This access could be leveraged to perform the following attacks:

  1. Read and/or exfiltrate all ERP data, which may include sensitive financial and inventory information. This information could then be published to cause reputational damage to the company or leveraged to conduct further attacks against the organization.
  2. Modify ERP data, which could allow attackers to commit fraud. For example, an attacker could modify payment information to reroute money transfers or inventory deliveries.
  3. Delete the ERP data or hold ERP data for ransom to cause a business disruption. 

Pictured below is the output of a tool developed by Control Gap to automatically exploit the disclosed issues. This output below shows the results after targeting the “WINDEV2204EVAL” system (a test system in a Control Gap lab environment) running Sage 300 2021 with both Web Screens and Global Search installed:

As depicted in the output above, these vulnerabilities could be exploited by an unauthenticated attacker to recover plaintext Sage 300 user passwords (including password history) and SQL login IDs that would allow that attacker to access all ERP data.

After a 60-day patch adoption period, Control Gap published a series of technical articles detailing the discovery and exploitation process for the six (6) vulnerabilities outlined in this disclosure. This series of articles could be used to produce a tool capable of the output pictured above. It is strongly recommended that Sage administrators apply the available product update as soon as possible if they have not already.

 

Mitigation

At time of publication, the newly released Sage 300 2023.2 product update addresses most of the disclosed issues and contains completely overhauled installation and administration instructions to mitigate the lone unpatched vulnerability (CVE-2023-29927).

Please refer to the official Sage Knowledge Base article for updated security hardening guidance.