Title ========================= Multiple vulnerabilities found in Rock RMS including RCE and account takeover. A total of three CVEs were issued for the vulnerabilities (CVE-2019-18641, CVE-2019-18642, CVE-2019-18643) Product Description ========================= Rock RMS is an open source CRM. Although the product is free, they request a paid subscription based on number of users. In some cases, early access to patches require a paid subscription. Vulnerability Descriptions ========================= 1 Name: File upload restriction bypass - CVE-2019-18643 CVSS score: 9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Details: The file upload functionality using the fileUpload.ashx page was vulnerable to uploading malicious files by bypassing the file extension restrictions. Rock RMS uses a black list of file extensions which is checked upon uploading a file. The logic for the black list validation was vulnerable to bypass leading to arbitrary file uploads resulting in RCE. There were other issues with the file upload functionality such as being able to tamper the upload location which led to the ability to upload files to any directory on the system. Several failed patches were released for this vulnerability which partially addressed the issue but the product remained vulnerable to exploitation until the final patch was released. Disclosure dates: 01/09/2019 - initial disclosure of filetype restriction bypass 03/17/2019 - second disclosure informing that the 8.6 patch did not fully fix the vulnerability. File upload is still vulnerable by tweaking the exploit 07/10/2019 - third disclosure informing that the 8.8 patch did not fully fix the vulnerability. File upload is still vulnerable by tweaking the exploit 11/03/2019 - fourth disclosure informing that the 8.9 patch did not fully fix the vulnerability. File upload is still vulnerable by tweaking the exploit Patch date and version: Final patch was released on 11/05/2019 for version 8.10 and on 11/06/2019 for version 9.4. Vulnerable versions are < 8.10 and 9.0 - 9.3. 2 Name: Account takeover - CVE-2019-18642 CVSS score: 9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Details: When a low privileged user updates their profile, the user ID is sent to the server. This ID can be tampered to make changes to any other user including the system administrator account. Changing the email address of another account allows an attacker to perform a password reset then login and take over the account. Performing this action on the administrator account leads to full application compromise. Disclosure date: 01/16/2019 Patch date and version: 02/19/2019 in version 8.6 3 Name: User personal information leak - CVE-2019-18641 CVSS score: 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Details: The GetVCard functionality was not setup with any security. This allowed any unauthenticated user to loop through all sequential user ID's and exfiltrate user's personal information they have entered for their account. This information could include first name, last name, phone numbers, email address, physical address, etc. Disclosure date: 01/09/2019 Patch date and version: 02/19/2019 in version 8.6 There were other security risks that were identified in the product such as several API calls that were not secured, reflected XSS and private calendar access leading to information leakage. Detection and Remediation ====================== Firstly, update to the most recent patch as soon as possible. Once updated, there are a few things that can be checked to determine if any malicious activity has taken place on your implementation of Rock RMS. -Review the Content directory for any files that have file extensions that could be malicious such as aspx -Check all web logs you have to see if the file upload functionality was used to upload to a directory outside the Content directory -Check web logs for suspicious iterations looping through objects such as vcard IDs Responsible Disclosure Timeline ========================= 01/09/2019 - Initial disclosure of vulnerabilities including RCE via restricted file upload, vulnerable API tags, GetVCard exfil of users personal information and calendar private data 01/10/2019 - Vendor responded and informed they would investigate 01/16/2019 - Second disclosure - Account take over via profile update 01/18/2019 - Third disclosure - File upload can write to any location on disk, File upload with sensitive extensions allowed 02/19/2019 - Version 8.6 released 03/07/2019 - Disclosed that patch logic in 8.6 did not fully fix file upload issue 03/19/2019 - Version 8.7 released (no additional patch for upload issues - still vulnerable) 05/29/2019 - Version 8.8 released 07/10/2019 - Disclosed that patch logic in 8.8 did not fully fix upload issue 08/05/2019 - Version 9.0 released (9.x requires a paid account) 08/09/2019 - Version 8.9 released 08/20/2019 - Version 9.1 released (no additional patch for upload issues - still vulnerable) 09/11/2019 - Version 9.2 released (no additional patch for upload issues - still vulnerable) 10/23/2019 - Version 9.3 released (no additional patch for upload issues - still vulnerable) 11/03/2019 - Disclosed that patch logic in 8.9 did not fix the file upload issue. 11/05/2019 - Version 8.10 released (contained final fix for file upload vulnerability in version 8.x line) 11/06/2019 - Version 9.4 released (contained final fix for file upload vulnerability in version 9.x line) 11/07/2019 - Confirmed file upload vuln was fixed in 8.10 Delayed public disclosure to allow time for customers of the product to patch their systems.