CVE-2022-38583

7.8 HIGH

📋 TL;DR

This vulnerability allows low-privileged Sage 300 workstation users to access and modify credentials stored in the SharedData folder on connected servers. Attackers can impersonate users and gain system administrator access to the SQL database, potentially compromising all program records and database server functionality. Affected systems include Sage 300 versions 2017-2022 configured in Windows Peer-to-Peer or Client Server Network setups.

💻 Affected Systems

Products:
  • Sage 300
Versions: 6.4.x - 6.9.x (2017 - 2022)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations configured in 'Windows Peer-to-Peer Network' or 'Client Server Network' configurations. The SharedData folder permissions are the key vulnerability vector.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Sage 300 database with ability to create, update, delete all records, execute arbitrary code on database server, and potentially pivot to other systems.

🟠

Likely Case

Unauthorized access to sensitive business data, financial manipulation, credential theft, and privilege escalation within the Sage 300 environment.

🟢

If Mitigated

Limited to authorized user actions with proper access controls and monitoring in place.

🌐 Internet-Facing: LOW - This vulnerability requires authenticated access to the Sage 300 workstation and network access to the SharedData folder.
🏢 Internal Only: HIGH - Exploitation requires internal network access and low-privileged Sage 300 user credentials, which are commonly available in business environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires low-privileged Sage 300 user access and network access to the SharedData folder. The attack path is straightforward once initial access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check with Sage for specific patched versions

Vendor Advisory: http://sage.com

Restart Required: Yes

Instructions:

1. Contact Sage support for the latest security patches.
2. Apply patches to all Sage 300 servers and workstations.
3. Restart Sage 300 services and verify functionality.
4. Test critical business processes after patching.

🔧 Temporary Workarounds

Restrict SharedData Folder Permissions

Platform: Windows

Modify NTFS permissions on the SharedData folder to restrict access to authorized administrators only.

icacls "C:\ProgramData\Sage\Sage 300\SharedData" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F"

Implement Network Segmentation

Platform: All

Isolate Sage 300 servers from regular workstation networks to limit access to the SharedData folder.

🧯 If You Can't Patch

  • Implement strict access controls on SharedData folder (minimum privilege principle)
  • Enable detailed auditing and monitoring of access to SharedData folder and SQL database connections

🔍 How to Verify

Check if Vulnerable:

Check the Sage 300 version (Help > About) and verify whether the SharedData folder has overly permissive permissions that allow low-privileged users read or write access.

Check Version:

Within Sage 300 application: Help > About or check program files version information

Verify Fix Applied:

Verify that the SharedData folder permissions allow only authorized administrators, test that a low-privileged user cannot access the folder, and confirm that the installed Sage 300 version is patched.
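As an added check for the verification steps above (this script is not part of the advisory or of Sage's own tooling), the following PowerShell lists Allow entries on the SharedData folder held by principals other than the expected administrative ones and flags any that carry write-class rights; the path is the one quoted in the icacls workaround, and the allowed-principal list is an assumption to adjust for your environment.

```powershell
# Added audit script (not from the Sage advisory): list Allow entries on the
# Sage 300 SharedData folder held by principals other than the expected
# administrative ones, and flag any that grant write-class rights.
# The path is the one quoted in the workaround; the allowed-principal list is
# an assumption to adjust for your domain (e.g. add a Sage admin group).
param(
    [string]$SharedData = "C:\ProgramData\Sage\Sage 300\SharedData",
    [string[]]$AllowedPrincipals = @("BUILTIN\Administrators", "NT AUTHORITY\SYSTEM")
)

if (-not (Test-Path -LiteralPath $SharedData)) {
    Write-Warning "SharedData folder not found at $SharedData"
    exit 2
}

# Specific rights that let a user create, alter or delete files or change the ACL
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership
# Generic rights (GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000) sometimes
# appear in ACEs instead of specific rights; treat them as write access too.
$GenericWrite = 0x50000000

$acl = Get-Acl -LiteralPath $SharedData
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $who = $ace.IdentityReference.Value
    if ($AllowedPrincipals -contains $who) { continue }
    $rights = $ace.FileSystemRights
    [pscustomobject]@{
        Identity    = $who
        Rights      = $rights
        Inherited   = $ace.IsInherited   # inherited from ProgramData => /inheritance:r needed
        WriteAccess = ((([int]($rights -band $WriteRights)) -ne 0) -or
                       (([int]$rights -band $GenericWrite) -ne 0))
    }
}

if (-not $findings) {
    "OK: only $($AllowedPrincipals -join ', ') hold Allow entries on $SharedData"
    exit 0
}
$findings | Format-Table -AutoSize
if ($findings | Where-Object { $_.WriteAccess }) {
    Write-Warning "Non-administrative principals can modify $SharedData; apply the icacls workaround"
    exit 1
}
```

Run it on each Sage 300 server before and after applying the workaround; exit code 1 means a non-administrative principal still has write-class access, 0 means only the expected principals remain.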

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to SharedData folder
  • Unusual SQL database connections from non-standard accounts
  • Multiple failed authentication attempts followed by successful privileged access

Network Indicators:

  • Unexpected SMB traffic to Sage server SharedData folder
  • SQL connection attempts from unexpected workstations

SIEM Query:

Windows Security log (Event ID 4663 is only generated when Object Access auditing is enabled and a SACL is set on the SharedData folder):

EventID=4663 AND ObjectName LIKE '%SharedData%' AND AccessMask IN ('0x10000', '0x120089')

OR: SQL audit logs showing privilege escalation or unusual administrator account usage.
