Title
=========================
Multiple vulnerabilities found in Rock RMS including RCE and account takeover. A total of three CVEs were issued for the vulnerabilities (CVE-2019-18641, CVE-2019-18642, CVE-2019-18643)
Product Description
=========================
Rock RMS is an open source CRM. Although the product is free, they request a paid subscription based on number of users. In some cases, early access to patches require a paid subscription.
Vulnerability Descriptions
=========================
1
Name: File upload restriction bypass - CVE-2019-18643
CVSS score: 9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details: The file upload functionality using the fileUpload.ashx page was vulnerable to uploading malicious files by bypassing the file extension restrictions. Rock RMS uses a black list of file extensions which is checked upon uploading a file. The logic for the black list validation was vulnerable to bypass leading to arbitrary file uploads resulting in RCE. There were other issues with the file upload functionality such as being able to tamper the upload location which led to the ability to upload files to any directory on the system. Several failed patches were released for this vulnerability which partially addressed the issue but the product remained vulnerable to exploitation until the final patch was released.
Disclosure dates:
01/09/2019 - initial disclosure of filetype restriction bypass
03/17/2019 - second disclosure informing that the 8.6 patch did not fully fix the vulnerability. File upload is still vulnerable by tweaking the exploit
07/10/2019 - third disclosure informing that the 8.8 patch did not fully fix the vulnerability. File upload is still vulnerable by tweaking the exploit
11/03/2019 - fourth disclosure informing that the 8.9 patch did not fully fix the vulnerability. File upload is still vulnerable by tweaking the exploit
Patch date and version: Final patch was released on 11/05/2019 for version 8.10 and on 11/06/2019 for version 9.4. Vulnerable versions are < 8.10 and 9.0 - 9.3.
2
Name: Account takeover - CVE-2019-18642
CVSS score: 9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details: When a low privileged user updates their profile, the user ID is sent to the server. This ID can be tampered to make changes to any other user including the system administrator account. Changing the email address of another account allows an attacker to perform a password reset then login and take over the account. Performing this action on the administrator account leads to full application compromise.
Disclosure date: 01/16/2019
Patch date and version: 02/19/2019 in version 8.6
3
Name: User personal information leak - CVE-2019-18641
CVSS score: 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details: The GetVCard functionality was not setup with any security. This allowed any unauthenticated user to loop through all sequential user ID's and exfiltrate user's personal information they have entered for their account. This information could include first name, last name, phone numbers, email address, physical address, etc.
Disclosure date: 01/09/2019
Patch date and version: 02/19/2019 in version 8.6
There were other security risks that were identified in the product such as several API calls that were not secured, reflected XSS and private calendar access leading to information leakage.
Detection and Remediation
======================
Firstly, update to the most recent patch as soon as possible. Once updated, there are a few things that can be checked to determine if any malicious activity has taken place on your implementation of Rock RMS.
-Review the Content directory for any files that have file extensions that could be malicious such as aspx
-Check all web logs you have to see if the file upload functionality was used to upload to a directory outside the Content directory
-Check web logs for suspicious iterations looping through objects such as vcard IDs
Responsible Disclosure Timeline
=========================
01/09/2019 - Initial disclosure of vulnerabilities including RCE via restricted file upload, vulnerable API tags, GetVCard exfil of users personal information and calendar private data
01/10/2019 - Vendor responded and informed they would investigate
01/16/2019 - Second disclosure - Account take over via profile update
01/18/2019 - Third disclosure - File upload can write to any location on disk, File upload with sensitive extensions allowed
02/19/2019 - Version 8.6 released
03/07/2019 - Disclosed that patch logic in 8.6 did not fully fix file upload issue
03/19/2019 - Version 8.7 released (no additional patch for upload issues - still vulnerable)
05/29/2019 - Version 8.8 released
07/10/2019 - Disclosed that patch logic in 8.8 did not fully fix upload issue
08/05/2019 - Version 9.0 released (9.x requires a paid account)
08/09/2019 - Version 8.9 released
08/20/2019 - Version 9.1 released (no additional patch for upload issues - still vulnerable)
09/11/2019 - Version 9.2 released (no additional patch for upload issues - still vulnerable)
10/23/2019 - Version 9.3 released (no additional patch for upload issues - still vulnerable)
11/03/2019 - Disclosed that patch logic in 8.9 did not fix the file upload issue.
11/05/2019 - Version 8.10 released (contained final fix for file upload vulnerability in version 8.x line)
11/06/2019 - Version 9.4 released (contained final fix for file upload vulnerability in version 9.x line)
11/07/2019 - Confirmed file upload vuln was fixed in 8.10
Delayed public disclosure to allow time for customers of the product to patch their systems.