Open source CRM software is used by at least 500 churches globally

Critical RCE, account takeover flaws patched in Rock RMS church management platform

UPDATED Rock RMS, a ‘relationship management system’ for churches, was affected by a pair of vulnerabilities that could lead to account takeover and remote code execution (RCE).

Security researchers who unearthed these and several other less serious flaws in the open source application have urged users to update their systems as soon as possible.

Perhaps best described as a customer relationship management (CRM) platform for religious institutions, Rock RMS enables church leaders to track attendance, handle online donations, and manage relationships with their congregations, among other features.

Nearly 550 churches globally – but mostly in North America – reportedly use the platform.

The application’s ongoing development is funded through voluntary donations.

File upload restriction bypass

The researchers, from the ‘Cyber Security Research Group’, found what they deemed a critical logic flaw in how a block list function validates file extensions (CVE-2019-18643) that meant attackers could upload malicious files to any system directory via fileUpload.ashx and achieve RCE.

Although the researchers suggested that a comprehensive patch only emerged four versions after an initial partial fix, this is disputed by Spark Development Network, which developed the application.

“They changed the details of their description of the issue several months after their initial communication” to “include other attack vectors”, but a patch was nevertheless issued promptly, Jon Edmiston, developer at the non-profit organization, told The Daily Swig.

The researchers posted a detailed account of their findings on the Full Disclosure security mailing list on January 2.

Account takeover

The other ‘critical’ bug in Rock RMS (CVE-2019-18642) could see attackers tamper with user IDs after they are sent to the server following profile updates made by low privileged users, and then “make changes to any other user”.

This means they could change the system administrator’s email address, perform a password reset, then login and achieve full application compromise.

Both flaws were assigned a near-maximum CVSS score of 9.8.

However, Edmiston said these classifications were inaccurate. “While we treat every security concern very seriously, they are very much overstating the impact of some of these items,” he said.

RECOMMENDED Swig Security Review 2020 – Part I

A third, medium severity flaw (CVSS 5.3) in the GetVCard functionality “allowed any unauthenticated user to loop through all sequential user ID’s and exfiltrate user’s personal information”, such as “first name, last name, phone numbers, email address, [and] physical address.” (CVE-2019-18641).

Security researchers also found several unsecured API calls, a reflected cross-site scripting (XSS) flaw, and information leakage arising from a problem with private calendar access.

Disputed patch process

The researchers alerted Spark Development Network to the file upload, API tag, and GetVCard flaws on January 9, 2020, then reported the account takeover bug on January 16.

Version 8.6 landed three days later, on January 19, although researchers told the maintainers on March 7 that this had only partially fixed the file upload restriction bypass.

“Again here they are alluding to a report they made that they then changed after we had fixed their reported bug,” said Jon Edmiston of Spark Development Network. “They widened the description.”

He added: “We in fact fixed and released [comprehensive] patches within days for all of their items.”

Read more of the latest open source software security news

The latest versions, 8.10 and 9.4 respectively, were released on November 5 and November 6.

The researchers have advised users to trawl their content directory for potentially malicious file extensions such as .aspx, and web logs for file uploads to directories other than the content directory, as well as “for suspicious iterations looping through objects such as vcard IDs”.

“All in all we feel we did an excellent job in dealing with these reported issued”, especially given comparatively modest resources, said Edmiston.

“We responded very quickly to their communications,” he added, saying that the researchers had “praised our responsiveness.

“I even setup a call with them to ensure we understood each item.”

The Daily Swig has contacted the security researchers for further comment and will update the article if and when we hear back. 

This article was updated on January 5 with comments from Spark Development Network. A claim from researchers, that “in some cases, early access to patches require a paid subscription”, was also removed – Spark Development Network say early access is for new features, not patches.

YOU MIGHT ALSO LIKE T-Mobile data breach exposes customer call information