Security update for Lime CRM Server

Bulletin ID
LCSEC18-01
Date published
2018-07-05
Priority
2
Severity
Critical

Priority and severity ratings are determined as described here.

This security update resolves a vulnerability in Lime CRM Server. The vulnerability could allow remote code execution in Lime CRM Server if an attacker alters the system configuration in a malicious way. However, an attacker would need access to a user account with administrator privileges in order to succeed with exploiting the vulnerability.

Product Version Platform
Lime CRM Server 12.25 - 12.41.1.5 All platforms

Lime categorizes this update with the following priority rating and recommends customers to either install the provided hotfix or update their installation to the newest version:

Product Type Updated version Priority rating Availability
Lime CRM Server Hotfix for any affected version - 2 Download
Lime CRM Server Product release 12.41.2.5 2 Download

A remote code execution vulnerability exists in Lime CRM Server software when the software fails to properly validate configuration data input by users with administrator privileges. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the user running the Lime CRM Web Server service. If that user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in this situation:

  • Running the Lime CRM Web Server service under an account configured to have fewer user rights on the system could be less impacted than running as a user operating with full administrative rights.

Workaround refers to a setting or configuration change that would help block known attack vectors before you apply the update.

  • Update firewall/proxy rules to deny HTTP requests using the PUT verb for the following endpoints:
    https://lime.example.com/<appname>/api/v1/activitytype/
    https://lime.example.com/<appname>/widgets/widget-salespipe/config
    https://lime.example.com/<appname>/webclient/add/config

    The impact of this workaround is that it will not be possible to update Lime CRM Web Client configuration until rules are disabled or removed.

  • Last modified: 20 months ago
  • (external edit)