-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# Security Advisory
ARA-2020-005: Insecure Direct Object Reference (CVE-2020-15958)

## Affected Product(s) and Environment(s)
Product: 1CRM <=8.6.7, confirmed for CRBM System ENT-8.6.5, CRBM System ENT-8.6.6 and Startup+ Edition 8.5.15  
Environments: All host environments

## Security Risk
Severity: High  
CVSS v3: 8.6  

## Impact
Confidentiality: High  
Integrity: None  
Availability: None  

## Exploitability
Access Vector: Network  
Access Complexity: Low  
Privileges Required: None  
User Interaction: None  

## Scope
Scope: Changed  

## Weakness Classification
[CWE-862](https://cwe.mitre.org/data/definitions/862.html): Missing Authorization  
[CWE-219](https://cwe.mitre.org/data/definitions/219.html): Storage of File with Sensitive Data Under Web Root  
[CVE-2020-15958](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15958), public disclosure pending


## Remediation Level
Sensitive files must not be stored within the web root or below it. They should be stored in a folder outside the web root and secured accordingly. Proper access control must be established so that these files are delivered to authorized users only.

## Timeline
* 2020-07-27: Preliminary CVE Assignment by MITRE
* 2020-07-27: Vendor notification
* 2020-07-28: Notification of vendor's master partner for Germany Visual4, as requested by vendor
* 2020-07-31: Visual4 acknowledges vulnerability
* 2020-08-14: Visual4 issues security alert for all 1CRM on-premise systems and requests immediate update to version 8.6.7 [1]
* 2020-08-20: Visual4 informs customers by mail about security alert
* 2020-08-27: Vendor reports fix of vulnerability to aramido; fix could not yet be verified, public documentation not sufficient
* 2020-09-14: Public disclosure after 45 days of initial vendor notification

## Description Summary
1CRM stores uploaded and other files within its web root. Due to incomplete authorization checks, an unauthenticated user can remotely access these files. Although filenames must be known, 1CRM follows a well-known naming pattern for at least some sensitive files.

## Product Introduction
"The all-in-one CRM solution for managing every aspect of your business online. Collaborate effectively with your team, from near and far.
1CRM provides everything you need to manage your business online. Start with a complete CRM solution including lead forms and eCommerce integration. Add a portal to connect with your customers and provide self-service options including appointment scheduling. Top things off with a sophisticated marketing automation platform to help turn your leads into customers!"
*Source:* [1CRM Website](https://1crm.com/)

## Technical Description
1CRM allows files to be uploaded in several places, e.g. to record *Expenses* and *Purchase Orders*, to add personal information to *Accounts* and *Contacts*, and to manage *Human Resources* by adding CVs and so on. Additionally, backups can be created manually or by a cron-like scheduled job. Backups can be configured to include the database, application configs, file attachments and modules.

All these files are stored in folders below the root directory of the web server (web root). A download script, *download.php*, exists to ensure authorized access to the files. If a user is not authenticated or lacks sufficient permissions, the error "Authentication required" is displayed.
Example: [/download.php?type=DocumentRevisions&id=69cabcb5-c909-2379-9c8a-5f187453fab1&ver=88f87&field=filename](/download.php?type=DocumentRevisions&id=69cabcb5-c909-2379-9c8a-5f187453fab1&ver=88f87&field=filename)

However, it is also possible to access the files stored in the web root via an insecure direct object reference. In fact, the application itself uses this direct access (and not the regular download.php script) to download *Expense* attachments and backups. Such a request is not handled by the 1CRM application but answered by the web server itself. As the folders are not protected in any special way, the files are accessible to anyone.

Such a request requires knowing the URI. 1CRM uses a predictable folder structure such as [/files/upload/42/](/files/upload/42/), and some of the most sensitive files have a predictable, or at least guessable, name such as [backup_20380119_031407.zip](backup_20380119_031407.zip).

### Proof of Concept (PoC)
A backup file, which might contain all of the CRM's information including clear-text passwords of linked mailboxes, is stored in [/files/backups/](/files/backups/). The file name contains the date and the time the archive was created. Assuming the backup is created on a daily basis, guessing the date is trivial. Guessing the time could be achieved by trying all 86,400 possibilities. However, since backups are usually created during night hours, this number narrows down further.
The backup is an unencrypted file and can, for example, be accessed via [/files/backups/backup_20380119_031407.zip](/files/backups/backup_20380119_031407.zip).

Other uploaded files are stored under [/files/upload/\<id>/](/files/upload/<id>/). While guessing the \<id> part is not a big challenge, it is harder to determine the actual filenames. These filenames are chosen by the user and not generated at random. Assuming a salesperson names an offer according to a certain scheme, e.g. Offer_20380119-1.pdf, it might be tempting to try similar names. If this vulnerability is combined with another weakness, such as a directory listing, an adversary could easily obtain all exposed files.

## Solution
We strongly recommend storing sensitive data outside the web root. That way an adversary cannot access these files directly, but a download mechanism must be implemented instead. This download script, which already exists, must ensure that the requester is authorized.

As an urgent measure we recommend that 1CRM hosters place an .htaccess file in the affected folders. For an Apache setup, the .htaccess file must contain the following:
```
Order deny,allow
Deny from all
```

Furthermore, we suggest using random file names when storing files in the file system. The real file name can be stored in the database if necessary. A random file name can be chosen so that it is hard to guess and uses only characters that are safe for any operating system or file system.
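The two recommendations above (an authorizing download script, and random on-disk names with the real name kept in the database) combined in one handler, as an added PHP example that is not 1CRM's own download.php: uploads are written under a random hex name into a directory outside the web root, and a file is released only after authentication and an ownership or permission check. The STORAGE_ROOT path, the in-memory table standing in for the database, the session layout and the `files.read_all` permission name are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Assumed: a directory outside the web root, writable by the PHP process only.
// The path is hypothetical; pick one the web server never serves directly.
const STORAGE_ROOT = '/var/lib/crm-files';

// Stand-in for the database table mapping a file id to its real name, its
// random on-disk name and its owner. A real deployment queries the database.
$fileTable = [];

/**
 * Stores uploaded content under a random name that reveals nothing about the
 * content, the uploader or the date. Only [0-9a-f] is used, so the name is
 * safe on every file system and cannot contain a path separator.
 */
function storeUpload(array &$table, string $originalName, string $contents, string $ownerId): string
{
    $storageName = bin2hex(random_bytes(16));          // 128 bits of entropy, not guessable
    $path = STORAGE_ROOT . '/' . $storageName;
    if (file_put_contents($path, $contents, LOCK_EX) === false) {
        throw new RuntimeException('could not write file');
    }
    $fileId = bin2hex(random_bytes(8));                // opaque handle used in download URLs
    $table[$fileId] = [
        'original_name' => basename($originalName),    // user-chosen name lives only in the DB
        'storage_name'  => $storageName,
        'owner'         => $ownerId,
    ];
    return $fileId;
}

/**
 * Delivers a file only after authentication and authorization succeed.
 * Returns the HTTP status that was sent; 200 means the body was streamed.
 */
function serveDownload(array $table, ?array $session, string $fileId): int
{
    // 1. Authentication: no session, no file (the "Authentication required" case).
    if ($session === null || empty($session['user_id'])) {
        http_response_code(401);
        return 401;
    }
    // 2. Object lookup by opaque id; malformed and unknown ids both get 404.
    if (!preg_match('/^[0-9a-f]{16}$/', $fileId) || !isset($table[$fileId])) {
        http_response_code(404);
        return 404;
    }
    $record = $table[$fileId];
    // 3. Authorization: the requester must own the file or hold an explicit
    //    permission. This is the check an IDOR-prone endpoint leaves out.
    $allowed = $record['owner'] === $session['user_id']
        || in_array('files.read_all', $session['permissions'] ?? [], true);
    if (!$allowed) {
        http_response_code(403);
        return 403;
    }
    // 4. Resolve the on-disk path and confirm it is still inside STORAGE_ROOT.
    $path = realpath(STORAGE_ROOT . '/' . $record['storage_name']);
    $root = realpath(STORAGE_ROOT);
    if ($path === false || $root === false || strpos($path, $root . '/') !== 0) {
        http_response_code(404);
        return 404;
    }
    // 5. Stream the file. The original name is used only for Content-Disposition,
    //    with any character that could break the header replaced.
    $downloadName = preg_replace('/[^A-Za-z0-9._-]/', '_', $record['original_name']);
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $downloadName . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
    return 200;
}

// Usage (constructed): user "u42" uploads an offer, then three download attempts
// are made: anonymous, a different user without permission, and the owner.
// $id = storeUpload($fileTable, 'Offer_20380119-1.pdf', $pdfBytes, 'u42');
// serveDownload($fileTable, null, $id);
// serveDownload($fileTable, ['user_id' => 'u7', 'permissions' => []], $id);
// serveDownload($fileTable, ['user_id' => 'u42'], $id);
```

The random storage name is what makes the file unreachable even if an attacker learns the upload directory: the web server must not serve STORAGE_ROOT at all, and the only route to the bytes is `serveDownload`, which refuses before touching the file system whenever the session is missing or the requester is not entitled to the record.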

Because of the large impact if a backup file were leaked, we suggest always encrypting backup files.

Once the vendor has fixed all findings, we recommend that on-premise hosters update to the most recent version (at least 8.6.7). Additional security measures such as network segmentation and the use of a virtual private network (VPN) are strongly advised.

## References
[0] [aramido responsible disclosure policy](https://aramido.de/blog/Sicherheitshinweise)  
[1] [Die Sicherheit Ihres CRM-Systems auf maximale Stufe drehen](https://1crm-system.de/crm-ratgeber/sicherheit-webanwendungen/)  
[2] [Sicherheitswarnung: 1CRM schützt Daten unzureichend (CVE-2020-15958)](https://aramido.de/blog/sicherheitshinweise/sicherheitswarnung-1crm-schutzt-daten-unzureichend-cve-2020-15958)



## Authors
Christoph Biedl, aramido GmbH  
E-mail: christoph.biedl () aramido.de  
PGP-Key: https://aramido.de/christoph.biedl.asc  
PGP-Fingerprint: 04DF BDFD 81D4 4537 FF20  A8A5 C73C F15B 3780 F158

Andreas Sperber, aramido GmbH  
E-mail: andreas.sperber () aramido.de  
PGP-Key: https://aramido.de/andreas.sperber.asc  
PGP-Fingerprint: FC84 BB4D 696D F04C E1A1  2BED 7518 A24A 06B9 BEA7  

### aramido - Information Security Consultancy
aramido is a trusted consultancy for information security from Karlsruhe. aramido advises companies and other organizations on information security issues, checks systems, for example, through penetration tests, and helps with security incidents through a rapid incident response.

aramido GmbH  
Amalienstraße 24  
76133 Karlsruhe, Germany  
Management board: Armin Harbrecht, Andreas Sperber  
Web: [https://aramido.de](https://aramido.de)


## Disclaimer
The information provided in this advisory is provided "as is" without any warranty. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the aramido web site. aramido GmbH disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. aramido GmbH or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if aramido GmbH or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.


## Copyright
CC-BY-4.0
https://creativecommons.org/licenses/by/4.0/
-----BEGIN PGP SIGNATURE-----
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=+QEC
-----END PGP SIGNATURE-----
