January 5, 2023: Security vulnerability update and FAQ

Please see January 13, 2023: Security Vulnerability Update for the most recent updates, including information about the final report from our third-party forensics firm.


SugarCRM recently became aware of a publicly disclosed vulnerability affecting our Sugar Sell, Serve, Enterprise, Professional, and Ultimate software solutions. This vulnerability was assigned CVE-2023-22952 and is also documented in SugarCRM Security Advisory 2023-001.

Upon discovery, SugarCRM immediately responded by developing two hotfix patches for the vulnerability to mitigate any exploitation. SugarCRM implemented the patches to all applicable instances running in SugarCloud and in its managed hosting environments.

A module loadable package containing a hotfix for instances running outside of SugarCloud or SugarCRM managed hosting has also been made available for supported versions of Sugar.

On January 11, SugarCRM released versions 12.0.2 and 11.0.5. These versions already contain the hotfix and do not require additional patch installation to address this vulnerability. SugarCRM strongly recommends that customers download these releases and upgrade their relevant Sugar instance(s), or work with their partner (where applicable) to do so, to prevent potential exploitation of the vulnerability. To remain secure, all instances should be upgraded or patched, including production, sandbox or development environments. Customers are encouraged to upgrade to version 12.0.2 or version 11.0.5 even if they have previously applied the hotfixes. Customers on unsupported versions of Sugar are strongly encouraged to upgrade to Sugar 12.0.2.

SugarCRM also commenced an investigation into the nature and scope of the issue with the assistance of third-party specialists. SugarCRM appreciates your patience and understanding while we investigate and work to resolve this issue. SugarCRM will provide relevant updates when available. If you have specific questions, please direct them to secure@sugarcrm.com.

General FAQs:

What happened?

We recently became aware of a vulnerability impacting our Sugar Sell, Serve, Enterprise, Professional, and Ultimate software solutions. The vulnerability did not impact our Sugar Market software solution. We immediately responded by developing patches for the vulnerability to mitigate any exploitation. We are continuing to investigate this issue to confirm the full nature and scope.

What next steps should I take?

If you are running in SugarCloud or SugarCRM managed hosting, there is no action needed on your part. SugarCRM has already applied the hotfix to all applicable instances.

If you are running a supported Sugar instance outside of SugarCloud or SugarCRM managed hosting you will need to take action. SugarCRM strongly recommends at the earliest opportunity you download version 12.0.2 or 11.0.5 and upgrade your Sugar instance, as well as any sandboxes you may have. You can also choose to temporarily leverage the hotfix to patch all relevant Sugar instance(s) to prevent potential exploitation of the vulnerability. Please contact the Sugar Support Team at support@sugarcrm.com for access details. Note that hotfixes have been prepared for Sugar Enterprise and Sugar Professional versions 10.0.x, 11.0.x and 12.0.x. Additional information about downloading and applying the hotfix can be found at Installing a Hotfix. We recommend that you still plan an upgrade to 12.0.2 or 11.0.5 even if you have installed the hotfix.

If you are running an unsupported Sugar instance, SugarCRM highly recommends that you upgrade to version 12.0.2 as soon as possible. This version includes numerous security enhancements and features that will not only better protect your data, but also improve the overall performance. Please contact your Sugar Partner (if applicable) or Sugar Support team at support@sugarcrm.com for information about upgrading.

What should customers hosted outside of SugarCloud or SugarCRM managed hosting be on the lookout for?

Prior to the installation of version 12.0.2, 11.0.5 or the hotfix (v1.1 of “Hotfix 91155 XXXX”), the vulnerability could allow an attacker to upload code to the /cache/images/ directory on the web server. Once uploaded to the server, depending on server configuration, the attacker may be able to execute that code over the web via http or https.

Based on our current understanding, customers outside of SugarCloud or SugarCRM managed hosting can look for unexpected files in the /cache/images/ directory.The published exploit had a filename sweet.phar, but attackers could change this filename. Other possible filenames include, but are not limited to, imagefile.phar, meow.phar, rvsm.phar, and shell.phar. Customers hosted outside of SugarCloud or SugarCRM managed hosting can look for evidence in their web server logs or file system.

Requests for files under the /cache/images/ directory with the extension php, phar, phtml, php7, or any other executable extension allowed by your web server configuration are examples of attempts to access and execute this code.

Examples include (the * represents a wildcard, or any filename):

  • /cache/images/*.phar
  • /cache/images/*.php

If you find these requests, pay attention to the response code returned by your web server. The response codes can be found in your web server logs.

  • 404 – the file was not found. The code was not executed on this request.
  • 403 – the access was denied by web server. The code was not executed on this request. After applying the patch, attempts to access these files should generate a 403 error.

If other response codes are observed or an unexpected file is found in /cache/images, additional forensics should be performed in accordance with your incident response processes as this might indicate remote code execution has taken place. SugarCRM has engaged a third-party forensics firm to assist with its investigation in SugarCloud and SugarCRM managed hosting. SugarCRM will update this document if it becomes aware of additional information that may assist with your investigation.

What can I do if I'm running an unsupported version of Sugar?

SugarCRM urges all customers to upgrade to and remain on supported versions of our software and to upgrade to the releases that contain the patch, currently 12.0.2 and 11.0.5. Unsupported versions of Sugar have known security issues and will inherently become less secure over time.

For customers on unsupported versions of Sugar the code referenced below is provided “as-is” to assist customers to mitigate the published vulnerability while planning the upgrade. The instructions to accomplish this are highly technical. If you are uncomfortable, or not able to follow and adapt these instructions for your environment, please contact your Sugar Partner (if applicable) or Sugar Support team at support@sugarcrm.com.

Technical Instructions

The published vulnerability uploads executable PHP code to the /cache/images/ directory on the webserver. You can configure your webserver to block access to this executable code via tools like htaccess or by configuring your web application firewall to block access to executable files in the /cache/images/ directory.

Examine your web server configuration to identify executable file types. php and phar are two file types that should be blocked in the /cache/images/ directory. An example apache rule is as follows.

RewriteRule (?i)^/(cache|clients|data|examples|include|jssource|log4php|metadata|ModuleInstall|modules|soap|xtemplate)/+.*\.(php|tpl|phar)$ - [L,F]

By default, the htaccess gets overwritten when an administrative user triggers the "Repair .htaccess" action in the administrative interface. You can patch the file install/install_utils.php to ensure that the appropriate restrictions remain in place. In the method getForbiddenPaths(), update the last line as follows. Add other file extensions as appropriate:

'^(cache|clients|data|examples|include|install|jssource|metadata|ModuleInstall|modules|soap|xtemplate)/.*\.(php|tpl|phar)$',

Once blocked, you should verify that paths such as /cache/images/sweet.phar result in a 403 error.

The underlying vulnerability relies on a missing authentication check in the loadUser() method in include/MVC/SugarApplication.php

Before the line that looks like:

$authController = AuthenticationController::getInstance();

You can insert the following code to properly check the session

//If there was a login error, we should not allow the further code execution and destroy the session

if (isset($_SESSION['login_error'])) {

if ($sess->getId()) {

$sess->destroy();

};

header('Location: ' . $this->getUnauthenticatedHomeUrl(true));

exit();

}

While these instructions can assist a customer to mitigate this particular issue on an unsupported version, SugarCRM highly recommends that customers upgrade to Sugar 12.0.2 as soon as possible.

What is the vulnerability that was identified?

This security advisory documents the issue: https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/index.html

The following publicly accessible post contains the public disclosure of the vulnerability: https://seclists.org/fulldisclosure/2022/Dec/31

What caused the vulnerability?

We are working with third-party specialists to investigate the cause of this issue. Our investigation is ongoing and will provide relevant updates as they become available.

How have you responded?

Since the vulnerability was discovered, we developed two hotfix patches, which have been deployed in applicable SugarCloud and SugarCRM managed hosting instances and have been made available for download and installation in instances running outside of SugarCloud and SugarCRM managed hosting.

We subsequently also released Sugar versions 12.0.2 and 11.0.5. These versions contain the patches and do not require additional hotfix installation. All customers are encouraged to upgrade to version 12.0.2 or version 11.0.5 even if they have previously applied the hotfixes.

Our on-going investigation continues with the help of the third-party forensics firm.

When will you know more information?

We are actively investigating the full nature and scope of this issue. As we learn more, and if we discover important information relevant to your situation, we will provide updates. We appreciate your patience as we work to better understand this issue and take all steps necessary to respond.

Is my/customer information affected or taken?

Protecting the privacy of our customers' information and ensuring the security of information stored on our software are among our highest priorities. As of January 9th, we have confirmed that if SugarIdentity was enabled in your instance this vulnerability was not exploitable. For help in determining if SugarIdentity was enabled on your instance, instructions can be found here. We have an active investigation into the nature and scope of this issue. If we determine any customer information was impacted in our SugarCloud or SugarCRM managed hosting environments as a result of this event, we will notify the affected parties as soon as possible.

Will you provide us with updates?

We appreciate your patience and cooperation during this time. We will continue to provide updates as relevant information becomes available. In the meantime, should you have any questions, in order to best ensure you receive an accurate, thorough and timely response, please direct questions to secure@sugarcrm.com.

Parents
  • Thanks for the quick patch.

    It is very unfortunate that an official statement from the SugarCRM side came on the 4th of Jan while the vulnerability was announced on the 28th of December. Considering this is a 0-day Auth bypass, it would have been better if the announcement was made as soon as it is public; so that customers can take some precautionary measures while waiting for a quick patch.

  • Hi Junaid –although information was put into the public domain on Dec 28th, Sugar only became aware of the information on Jan 3th.  As soon as Sugar was aware of the information, we moved quicky to provided the official statement.  Furthermore, the initial hotfix was produced and put into SugarCloud within ~6hrs of Sugar being made aware of the vulnerability.  We appreciate that this is time sensitive problem and we take the security of our customers seriously.

Comment
  • Hi Junaid –although information was put into the public domain on Dec 28th, Sugar only became aware of the information on Jan 3th.  As soon as Sugar was aware of the information, we moved quicky to provided the official statement.  Furthermore, the initial hotfix was produced and put into SugarCloud within ~6hrs of Sugar being made aware of the vulnerability.  We appreciate that this is time sensitive problem and we take the security of our customers seriously.

Children
No Data