====== Security update for Lime CRM Server ======

; Bulletin ID : LCSEC18-01
; Date published : 2018-07-05
; Priority : 2
; Severity : Critical

Priority and severity ratings are determined as described [[security:ratings|here]].

===== Summary =====

This security update resolves a vulnerability in Lime CRM Server. The vulnerability could allow remote code execution in Lime CRM Server if an attacker alters the system configuration in a malicious way. However, an attacker would need access to a user account with administrator privileges in order to exploit the vulnerability.

===== Affected versions =====

^ Product ^ Version ^ Platform ^
| Lime CRM Server | 12.25 - 12.41.1.5 | All platforms |

===== Solution =====

Lime categorizes this update with the following priority rating and recommends that customers either install the provided hotfix or update their installation to the newest version:

^ Product ^ Type ^ Updated version ^ Priority rating ^ Availability ^
| Lime CRM Server | Hotfix for any affected version | - | 2 | [[https://builds.lundalogik.com/api/v1/builds/lcsec18-01/versions/latest/file/|Download]] |
| Lime CRM Server | Product release | 12.41.2.5 | 2 | [[https://builds.lundalogik.com/api/v1/builds/limecrm-server/versions/12.41.2.5/file/|Download]] |

===== Vulnerability information =====

==== Detailed summary ====

A remote code execution vulnerability exists in Lime CRM Server when the software fails to properly validate configuration data entered by users with administrator privileges. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the account running the Lime CRM Web Server service. If that account has administrative rights, the attacker could take control of the affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
==== Mitigating factors ====

Mitigation refers to a setting, common configuration, or general best practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factor may be helpful in this situation:

  * Running the Lime CRM Web Server service under an account configured with fewer user rights on the system limits the impact of exploitation compared to running it as a user with full administrative rights.

==== Workarounds ====

Workaround refers to a setting or configuration change that would help block known attack vectors before you apply the update.

  * Update firewall/proxy rules to deny HTTP requests using the PUT verb for the following endpoints:
    * https://lime.example.com//api/v1/activitytype/
    * https://lime.example.com//widgets/widget-salespipe/config
    * https://lime.example.com//webclient/add/config

The impact of this workaround is that it will not be possible to update the Lime CRM Web Client configuration until the rules are disabled or removed.
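As an added illustration of the workaround above (this is not configuration shipped by Lime, and the bulletin does not prescribe a particular proxy), the following nginx reverse-proxy fragment rejects the PUT verb on the three listed endpoints while passing every other request through. The upstream name ''lime_backend'', the backend address, and the TLS file paths are placeholders; the endpoint paths are the ones named in the bulletin.

```nginx
# Added example, not Lime's own configuration. Assumes nginx is the reverse
# proxy in front of Lime CRM Server for lime.example.com; upstream address
# and certificate paths below are placeholders to be replaced.
upstream lime_backend {
    server 127.0.0.1:8080;   # placeholder backend address
}

server {
    listen 443 ssl;
    server_name lime.example.com;
    ssl_certificate     /etc/nginx/tls/lime.example.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/lime.example.com.key;   # placeholder

    # The three configuration endpoints from the bulletin. The bulletin lists
    # them with a doubled slash ("//api/..."); nginx's merge_slashes directive
    # is on by default, so the request path is matched in single-slash form.
    # The regex is a prefix match, so PUT to anything under these paths is
    # refused as well, a deliberately conservative reading of the workaround.
    location ~ ^/(api/v1/activitytype/|widgets/widget-salespipe/config|webclient/add/config) {
        if ($request_method = PUT) {
            return 403;       # blocked PUTs show up in the access log with status 403
        }
        proxy_pass http://lime_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else is proxied unchanged.
    location / {
        proxy_pass http://lime_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Only PUT is refused, so GET and POST to the same paths keep working; as the bulletin notes, the Web Client configuration cannot be updated while this rule is active, so remove the ''if'' block once the hotfix or 12.41.2.5 is installed. The 403 responses give you a simple detection signal in the access log: any PUT to these paths before the update is applied is worth reviewing against the set of administrator accounts.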