CVE-2021-45492 - Vulnerability Details

Vendors	Products
Sage	Sage 300

Link	Providers
https://controlgap.com/blog?tag=insecurity
https://www.controlgap.com/blog/sage-300-case-study

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In Sage 300 ERP (formerly accpac) through 6.8.x, the installer configures the C:\\Sage\\Sage300\\Runtime directory to be the first entry in the system-wide PATH environment variable. However, this directory is writable by unprivileged users because the Sage installer fails to set explicit permissions and therefore inherits weak permissions from the C:\\ folder. Because entries in the system-wide PATH variable are included in the search order for DLLs, an attacker could perform DLL search-order hijacking to escalate their privileges to SYSTEM. Furthermore, if the Global Search or Web Screens functionality is enabled, then privilege escalation is possible via the GlobalSearchService and Sage.CNA.WindowsService services, again via DLL search-order hijacking because unprivileged users would have modify permissions on the application directory. Note that while older versions of the software default to installing in %PROGRAMFILES(X86)% (which would allow the Sage folder to inherit strong permissions, making the installation not vulnerable), the official Sage 300 installation guides for those versions recommend installing in C:\\Sage, which would make the installation vulnerable."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-07-14T15:03:32", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://controlgap.com/blog?tag=insecurity"}, {"tags": ["x_refsource_MISC"], "url": "https://www.controlgap.com/blog/sage-300-case-study"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2021-45492", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Sage 300 ERP (formerly accpac) through 6.8.x, the installer configures the C:\\Sage\\Sage300\\Runtime directory to be the first entry in the system-wide PATH environment variable. However, this directory is writable by unprivileged users because the Sage installer fails to set explicit permissions and therefore inherits weak permissions from the C:\\ folder. Because entries in the system-wide PATH variable are included in the search order for DLLs, an attacker could perform DLL search-order hijacking to escalate their privileges to SYSTEM. Furthermore, if the Global Search or Web Screens functionality is enabled, then privilege escalation is possible via the GlobalSearchService and Sage.CNA.WindowsService services, again via DLL search-order hijacking because unprivileged users would have modify permissions on the application directory. Note that while older versions of the software default to installing in %PROGRAMFILES(X86)% (which would allow the Sage folder to inherit strong permissions, making the installation not vulnerable), the official Sage 300 installation guides for those versions recommend installing in C:\\Sage, which would make the installation vulnerable."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://controlgap.com/blog?tag=insecurity", "refsource": "MISC", "url": "https://controlgap.com/blog?tag=insecurity"}, {"name": "https://www.controlgap.com/blog/sage-300-case-study", "refsource": "MISC", "url": "https://www.controlgap.com/blog/sage-300-case-study"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:39:21.179Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://controlgap.com/blog?tag=insecurity"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.controlgap.com/blog/sage-300-case-study"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-45492", "datePublished": "2022-07-14T15:03:32", "dateReserved": "2021-12-25T00:00:00", "dateUpdated": "2024-08-04T04:39:21.179Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sage:sage_300:*:*:*:*:*:*:*:*", "matchCriteriaId": "F8A63515-64F4-4132-B748-C4759CBA67FD", "versionEndIncluding": "2022", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Sage 300 ERP (formerly accpac) through 6.8.x, the installer configures the C:\\Sage\\Sage300\\Runtime directory to be the first entry in the system-wide PATH environment variable. However, this directory is writable by unprivileged users because the Sage installer fails to set explicit permissions and therefore inherits weak permissions from the C:\\ folder. Because entries in the system-wide PATH variable are included in the search order for DLLs, an attacker could perform DLL search-order hijacking to escalate their privileges to SYSTEM. Furthermore, if the Global Search or Web Screens functionality is enabled, then privilege escalation is possible via the GlobalSearchService and Sage.CNA.WindowsService services, again via DLL search-order hijacking because unprivileged users would have modify permissions on the application directory. Note that while older versions of the software default to installing in %PROGRAMFILES(X86)% (which would allow the Sage folder to inherit strong permissions, making the installation not vulnerable), the official Sage 300 installation guides for those versions recommend installing in C:\\Sage, which would make the installation vulnerable."}, {"lang": "es", "value": "En Sage 300 ERP (anteriormente accpac) versiones hasta 6.8.x, el instalador configura el directorio C:\\Sage\\Sage300\\Runtime para que sea la primera entrada en la variable de entorno PATH del sistema. Sin embargo, este directorio puede ser escrito por usuarios no privilegiados porque el instalador de Sage no establece permisos expl\u00edcitos y, por lo tanto, hereda los permisos d\u00e9biles de la carpeta C:\\N. Debido a que las entradas en la variable PATH de todo el sistema son incluidas en el orden de b\u00fasqueda de DLLs, un atacante podr\u00eda llevar a cabo el secuestro del orden de b\u00fasqueda de DLLs para escalar sus privilegios a SYSTEM. Adem\u00e1s, si la funcionalidad de B\u00fasqueda Global o Pantallas Web est\u00e1 habilitada, entonces es posible una escalada de privilegios por medio de los servicios GlobalSearchService y Sage.CNA.WindowsService, de nuevo por medio del secuestro del orden de b\u00fasqueda de DLL porque los usuarios no privilegiados tendr\u00edan permisos de modificaci\u00f3n en el directorio de la aplicaci\u00f3n. Tenga en cuenta que mientras las versiones m\u00e1s antiguas del software son instaladas por defecto en %PROGRAMFILES(X86)% (lo que permitir\u00eda que la carpeta Sage heredara permisos fuertes, haciendo que la instalaci\u00f3n no fuera vulnerable), las gu\u00edas oficiales de instalaci\u00f3n de Sage 300 para esas versiones recomiendan instalar en C:\\NSage, lo que har\u00eda que la instalaci\u00f3n fuera vulnerable"}], "id": "CVE-2021-45492", "lastModified": "2024-11-21T06:32:19.933", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2022-07-14T16:15:08.230", "references": [{"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://controlgap.com/blog?tag=insecurity"}, {"source": "[email protected]", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://www.controlgap.com/blog/sage-300-case-study"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://controlgap.com/blog?tag=insecurity"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://www.controlgap.com/blog/sage-300-case-study"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "[email protected]", "type": "Primary"}]}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object