CVE-2022-41397
📋 TL;DR
Sage 300's optional Web Screens and Global Search features use a hard-coded encryption key ('LandlordPassKey') to protect sensitive data in configuration files and databases. This allows attackers who gain access to encrypted data to easily decrypt it, exposing credentials and other secrets. All Sage 300 installations with these optional features enabled are affected.
💻 Affected Systems
- Sage 300
📦 What is this software?
Sage 300 is a mid-market accounting and ERP suite from Sage. Web Screens and Global Search are optional, separately enabled components of the product; the vulnerability is only present where they have been turned on.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Sage 300 environment including database credentials, application secrets, and potential lateral movement to connected systems.
Likely Case
Exfiltration of sensitive configuration data and database credentials leading to data theft and potential privilege escalation.
If Mitigated
Limited exposure if features are disabled or systems are properly segmented with strict access controls.
🎯 Exploit Status
Exploitation requires access to encrypted configuration files or database tables, but decryption is trivial once data is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2023 or later
Vendor Advisory: https://www.sage.com/en-ca/products/sage-300/
Restart Required: Yes
Instructions:
1. Upgrade Sage 300 to version 2023 or later.
2. Apply all available security patches.
3. Restart Sage 300 services.
4. Regenerate any encryption keys that may have been exposed.
🔧 Temporary Workarounds
Disable vulnerable features (Windows)
Disable the Web Screens and Global Search features if they are not required for business operations.
Navigate to Sage 300 Administration > Feature Management and disable 'Web Screens' and 'Global Search'.
Restrict file access (Windows)
Apply strict file permissions to configuration files containing encrypted data:
icacls "C:\Program Files\Sage\Sage 300\*.config" /inheritance:r /grant:r "Administrators:(F)" /grant:r "SYSTEM:(F)"
This leaves only Administrators and SYSTEM with access. If the Sage 300 services run under a dedicated service account, grant that account as well, otherwise the services lose access to their own configuration.
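To confirm that the file-permission workaround is actually in place, the following PowerShell audit script is an added example (not from the advisory or from Sage). It assumes the install path quoted above, and the allowed-principal list is an assumption you adjust to include the account the Sage 300 services run under.

```powershell
# Added example, not from the advisory or from Sage: audit *.config files under the
# Sage 300 install path and flag any ACL that still allows access beyond the
# principals the icacls workaround leaves in place.
# Assumptions: install path as quoted in the advisory; $AllowedPrincipals is a
# starting point and must include the account the Sage 300 services run under.
param(
    [string]$InstallPath = 'C:\Program Files\Sage\Sage 300',
    [string[]]$AllowedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

function Test-Sage300ConfigAcl {
    param([string]$Path, [string[]]$Allowed)
    $findings = [System.Collections.Generic.List[object]]::new()
    # Non-recursive, matching the scope of the icacls "*.config" glob above.
    $files = Get-ChildItem -Path $Path -Filter '*.config' -File -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        $acl = Get-Acl -LiteralPath $file.FullName
        # icacls /inheritance:r should have disabled inheritance; if it is still on,
        # parent-folder ACEs (for example a Users read entry) apply to the file.
        if (-not $acl.AreAccessRulesProtected) {
            $findings.Add([pscustomobject]@{ File = $file.FullName; Principal = '-'; Issue = 'Inheritance still enabled' })
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Allowed -notcontains $ace.IdentityReference.Value) {
                $findings.Add([pscustomobject]@{
                    File      = $file.FullName
                    Principal = $ace.IdentityReference.Value
                    Issue     = "Unexpected Allow ACE: $($ace.FileSystemRights)"
                })
            }
        }
    }
    return $findings
}

$results = Test-Sage300ConfigAcl -Path $InstallPath -Allowed $AllowedPrincipals
if ($results.Count -eq 0) {
    Write-Output "OK: *.config under $InstallPath is restricted to $($AllowedPrincipals -join ', ')"
} else {
    $results | Format-Table -AutoSize
    exit 1   # non-zero exit so the check can run from a scheduled task or CI job
}
```

Run it from an elevated prompt after applying the icacls command; a clean run prints the OK line, while any remaining inheritance or extra Allow entries are listed per file.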
🧯 If You Can't Patch
- Disable Web Screens and Global Search features immediately
- Implement network segmentation to isolate Sage 300 systems and restrict access to configuration files
🔍 How to Verify
Check if Vulnerable:
Check if Web Screens or Global Search features are enabled in Sage 300 Administration > Feature Management
Check Version:
Check Help > About in Sage 300 application or review installation directory version information
Verify Fix Applied:
Verify Sage 300 version is 2023 or later and check that encryption keys have been regenerated
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to Sage 300 configuration files
- Unusual database access patterns from Sage 300 service accounts
Network Indicators:
- Unexpected outbound connections from Sage 300 servers
- Traffic patterns indicating data exfiltration
SIEM Query (illustrative; map the source and field names to your own log source):
source="Sage300" AND (event="FileAccess" OR event="ConfigAccess") AND user!="SYSTEM" AND user!="Administrator"