“Critical” RCE and Account Takeover Flaws Fixed in Rock RMS Church Management Platform


Open-source CRM software is used by at least 500 churches worldwide

UPDATE Rock RMS, a “relationship management system” for churches, was affected by a pair of vulnerabilities that could have led to account takeover and remote code execution (RCE).

Security researchers who discovered these and several other less serious flaws in the open-source application urged users to update their systems as soon as possible.

Perhaps best described as a customer relationship management (CRM) platform for religious institutions, Rock RMS allows church leaders to track attendance, manage donations online, and manage relationships with their congregations, among other features.

Nearly 550 churches around the world – primarily in North America – reportedly use the platform.

The ongoing development of the app is funded by voluntary donations.

Bypass file upload restriction

The researchers, from the Cyber Security Research Group, discovered what they considered to be a critical logic flaw in the way a blocklist function validates file extensions (CVE-2019-18643), which meant that attackers could upload malicious files to any system directory via and achieve RCE.
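The following Python is an added illustration of the weakness class described above; it is not Rock RMS code and not the researchers' proof of concept. It contrasts a blocklist extension check (which only rejects names whose final extension is on a fixed list) with an allowlist check that normalises case, requires a single extension, and confines the destination to the content directory. The extension sets and the content path are assumptions for the example.

```python
import os
import posixpath
from typing import Optional

# Assumed blocklist of server-executable extensions (not Rock RMS's actual list).
BLOCKED_EXTENSIONS = {".aspx", ".ashx", ".asmx"}

# Assumed allowlist of the extensions the upload feature actually needs.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".pdf"}

CONTENT_ROOT = "/var/www/app/Content"  # assumed content directory for the example


def blocklist_allows(filename: str) -> bool:
    """Weak pattern: accept anything whose final extension is not on the blocklist.

    Case variants and names carrying an extra extension are not anticipated,
    which is the general reason blocklists fail as upload validation."""
    _, ext = os.path.splitext(filename)
    return ext not in BLOCKED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """Hardened check: reject directory components, lower-case the name,
    require exactly one extension, and accept only allowlisted extensions."""
    base = posixpath.basename(filename.replace("\\", "/"))
    if base in ("", ".", "..") or base != filename:
        return False  # contained a path separator or was not a plain name
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False  # no extension, hidden file, or multiple extensions
    return "." + parts[1] in ALLOWED_EXTENSIONS


def safe_destination(filename: str, content_root: str = CONTENT_ROOT) -> Optional[str]:
    """Resolve the destination path and refuse anything that would escape the
    content directory, so uploads can never land in another system directory."""
    if not allowlist_allows(filename):
        return None
    root = posixpath.normpath(content_root)
    dest = posixpath.normpath(posixpath.join(root, filename))
    if dest == root or posixpath.commonpath([root, dest]) != root:
        return None
    return dest


if __name__ == "__main__":
    for name in ["photo.png", "page.aspx", "page.Aspx", "page.aspx.png", "../web.config"]:
        print(f"{name:16} blocklist={blocklist_allows(name)!s:5} "
              f"allowlist={allowlist_allows(name)!s:5} dest={safe_destination(name)}")
```

The allowlist deliberately rejects names with more than one extension rather than trying to reason about which of them the web server will honour; the small loss of flexibility is cheaper than maintaining a blocklist that has to anticipate every server-side handler.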

Although researchers have suggested that a full fix only emerged four versions after an initial partial fix, this is disputed by Spark Development Network, which developed the app.

“They changed the details of their problem description several months after their initial communication” to “include other attack vectors,” but a fix was released quickly nonetheless, Jon Edmiston, a developer at the non-profit, told The Daily Swig.

The researchers published a detailed account of their findings on the Full Disclosure security mailing list on January 2.

Account takeover

The other “critical” Rock RMS bug (CVE-2019-18642) could let attackers forge the user data sent to the server when a low-privileged user updates their profile, and then “make changes to any other user”.

This means they could change the system administrator’s email address, perform a password reset, then log in and get a full app compromise.

Both defects received a near-maximum CVSS score of 9.8.

However, Edmiston said these classifications were inaccurate. “While we treat every security issue very seriously, they grossly overestimate the impact of some of these items,” he said.


A third, medium-severity flaw (CVSS 5.3) in the GetVCard functionality (CVE-2019-18641) “allowed any unauthenticated user to browse through all sequential user IDs and exfiltrate the user’s personal information”, such as “first name, last name, telephone, e-mail address, [and] physical address”.

Security researchers also discovered multiple insecure API calls, a cross-site scripting (XSS) flaw, and information leaks resulting from a private calendar access issue.

Disputed patch process

Researchers alerted Spark Development Network to the file upload, API, and GetVCard flaws on January 9, 2020, then reported the account takeover bug on January 16.

Version 8.6 arrived three days later, on January 19, although the researchers told the vendor on March 7 that this only partially fixed the file upload restriction bypass.

“Again, they’re referring to a report they wrote and then edited after we fixed the reported bug,” said Jon Edmiston of Spark Development Network. “They expanded the description.”

He added: “We actually corrected and published [comprehensive] fixes within days for all their items.”


The latest versions, 8.10 and 9.4 respectively, were released on November 5 and 6.

Researchers advised users to scan their content directory for potentially malicious file extensions such as , and to check web logs for file uploads to directories other than the content directory, as well as “for suspicious iteration over browsable objects such as vCard IDs”.
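The Python below is an added example of the three checks the researchers recommend, run over a small set of constructed log lines and file names; it is not the researchers' tooling or anything from the Rock RMS project. The log line shape, the endpoint names (`/Upload.ashx`, `/GetVCard.ashx`), the `folder` and `id` parameters, and the list of extensions treated as executable are all assumptions made for the example.

```python
import posixpath
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Assumed set of extensions that should never appear in a content directory
# (the advisory's own list is not reproduced here).
EXECUTABLE_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".config"}

# Constructed log format for the example: "<ip> <method> <path> status=<code>".
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) status=(?P<status>\d+)$")
# Hypothetical endpoint shapes; the real application routes are not assumed.
UPLOAD_RE = re.compile(r"^/Upload\.ashx\?folder=(?P<folder>[^&\s]+)")
VCARD_RE = re.compile(r"^/GetVCard\.ashx\?id=(?P<id>\d+)$")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 POST /Upload.ashx?folder=Content/Images status=200
10.0.0.5 POST /Upload.ashx?folder=Content status=200
10.0.0.9 POST /Upload.ashx?folder=Content/../bin status=200
10.0.0.9 POST /Upload.ashx?folder=Scripts status=200
10.0.0.7 GET /GetVCard.ashx?id=100 status=200
10.0.0.7 GET /GetVCard.ashx?id=101 status=200
10.0.0.7 GET /GetVCard.ashx?id=102 status=200
10.0.0.7 GET /GetVCard.ashx?id=103 status=200
10.0.0.7 GET /GetVCard.ashx?id=104 status=200
10.0.0.2 GET /GetVCard.ashx?id=57 status=200
10.0.0.2 GET /GetVCard.ashx?id=58 status=200
""".splitlines()


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def uploads_outside_content(lines: Iterable[str], content_dir: str = "Content") -> List[Tuple[str, str]]:
    """Flag (ip, folder) pairs for uploads whose target folder, after path
    normalisation, does not resolve under the content directory."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        m = UPLOAD_RE.match(rec["path"])
        if not m:
            continue
        folder = posixpath.normpath(m.group("folder"))
        if folder != content_dir and not folder.startswith(content_dir + "/"):
            hits.append((rec["ip"], m.group("folder")))
    return hits


def vcard_enumerators(lines: Iterable[str], min_run: int = 4) -> Dict[str, int]:
    """Return clients whose GetVCard requests contain a run of at least
    min_run consecutive IDs, mapped to the length of their longest run."""
    ids_by_ip: Dict[str, List[int]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        m = VCARD_RE.match(rec["path"])
        if m:
            ids_by_ip[rec["ip"]].append(int(m.group("id")))
    result: Dict[str, int] = {}
    for ip, ids in ids_by_ip.items():
        best = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            result[ip] = best
    return result


def suspicious_content_files(paths: Iterable[str]) -> List[str]:
    """Flag files under the content directory whose (case-insensitive)
    extension is one a web server would execute rather than serve."""
    return [p for p in paths if posixpath.splitext(p)[1].lower() in EXECUTABLE_EXTENSIONS]


if __name__ == "__main__":
    print("uploads outside content dir:", uploads_outside_content(SAMPLE_LOG))
    print("vCard enumeration by client:", vcard_enumerators(SAMPLE_LOG))
    sample_files = ["Content/Images/a.jpg", "Content/x.ASHX", "Content/docs/b.pdf"]
    print("suspicious content files:", suspicious_content_files(sample_files))
```

In a real deployment the `paths` argument would come from walking the content directory (for example `os.walk`), and the run threshold for enumeration should be tuned against normal traffic, since a legitimate client may fetch a handful of consecutive IDs.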

“Overall, we think we’ve done an excellent job of addressing these reported issues,” especially given the relatively modest resources, Edmiston said.

“We responded very quickly to their communications,” he said, adding that the researchers had “praised our responsiveness.”

“I even set up a call with them to make sure we understood every bit.”

The Daily Swig has contacted the security researchers for further comment and will update the article if and when we receive a response.

This article was updated on January 5 with comments from Spark Development Network. A claim by the researchers that “in some cases early access to patches requires a paid subscription” was also removed; Spark Development Network says that early access is for new features, not patches.
