Vendor takes action… four months after initial disclosure
Developers fixed five vulnerabilities in SuiteCRM, an open source fork of the widely used SugarCRM enterprise software – but only after a security researcher said he would go public with the flaws.
The shortcomings in SuiteCRM, uncovered by Egidio Romano, range from SQL injection to phar deserialization vulnerabilities in the customer relationship management (CRM) technology.
Asked to rate the severity of the bugs, Romano told The Daily Swig: “I would say the second-order PHP object injection, phar deserialization, and bean manipulation vulnerabilities are all critical vulnerabilities, as they allow for execution of arbitrary PHP code with the permissions of the web server user.
“I would rate the broken access control vulnerability and multiple SQL injection flaws as high-risk vulns.”
According to Romano, a second-order PHP object injection vulnerability (CVE-2020-8800) in SuiteCRM could be “exploited to inject arbitrary PHP objects into the application scope, allowing an attacker to perform a variety of attacks, such as executing arbitrary PHP code”.
SuiteCRM versions 7.11.11 and below are said to be vulnerable.
Multiple phar deserialization vulnerabilities (CVE-2020-8801) also pose an arbitrary PHP code execution risk in SuiteCRM (7.11.11).
A bean manipulation vulnerability (CVE-2020-8802) likewise poses a critical risk to the same versions of SuiteCRM, according to Romano.
The lesser vulnerabilities relate to a broken access control flaw and multiple SQL injection bugs in SuiteCRM version 7.11.10 and earlier.
These various flaws are explained in greater depth in a posting on Romano’s website.
Sweets for my suite
SuiteCRM – one of four forks to SugarCRM over the years since commercial developers turned over the community edition of the software to the open source community – offers a platform that claims more than 900,000 downloads and 4.5 million global users.
Romano said he notified the vendor in September and only published his findings after failing to get an adequate response from developers of the software about his various security concerns.
SalesAgility, the firm behind SuiteCRM, said all five of the vulnerabilities identified by the Italian researcher had now been patched.
Dale Murray, chief exec of SalesAgility, told The Daily Swig: “Our security team has provided patches for the disclosed vulnerabilities in SuiteCRM 7.11.12 and SuiteCRM 7.10.24. We have informed users of our software about these vulnerabilities and have prompted them to upgrade as soon as possible
“We have put a notice on our open source community channels and advice via social media. We have a dedicated community that works around the clock to spot vulnerabilities and produce suitable fixes, which is one of the key benefits for a business when choosing to use open source software.”
Romano said the patches, which started to roll out last week, fixed the vulnerabilities he had identified.
SugarCRM – the highly popular open source CRM software on which much of SuiteCRM’s codebase is built – was apparently vulnerable to much the same PHP object injection and phar deserialization vulnerabilities as those impacting the latter project.
SugarCRM fixed them both in October last year with its 9.0.2 release.
Romano said he had years of experience looking for bugs in SugarCRM and related technologies.
“Most of these [SuiteCRM] vulns are inherited from SugarCRM, and I’m looking for security bugs in it for almost eight years now (back in 2012 I did a virtual internship with them), basically working on their private bug bounty program,” he explained.
READ MORE Phar out: PHP deserialization techniques offer rich pickings for security researchers