A researcher has discovered several vulnerabilities in SugarCRM’s popular customer relationship management (CRM) product. While most of the flaws appear to have been patched, the expert’s disclosure suggests that the vendor needs to make some improvements in how it communicates with individuals who report security holes.
Sugar is one of the most popular CRM solutions on the market. The product is used by many major organizations, including IBM, Audi, T-Mobile, HTC and Reebok.
Italy-based researcher Egidio Romano has been analyzing Sugar since 2011 and he claims to have identified more than 50 security issues. Many of the weaknesses were discovered during a virtual internship with the company that involved the analysis of SugarCRM Community Edition, which is open source.
While most of the vulnerabilities have been addressed, Romano disclosed over the weekend the details of several flaws that had apparently not been patched. After the researcher published his blog post, SugarCRM clarified that all the issues had in fact been fixed in the commercial version of its product.
The expert’s blog post describes CVE-2012-0694, a serialization-related code execution vulnerability he discovered back in 2012, and how last year he managed to find a way to bypass SugarCRM’s fix by leveraging a PHP flaw tracked as CVE-2016-7124.
During the summer of 2016, Romano also discovered several other vulnerabilities, including stored cross-site scripting (XSS), local file inclusion, SQL injection and authentication bypass vulnerabilities.
Some of the flaws could have been exploited by an unauthenticated attacker to gain access to user information, including names, email addresses, phone numbers, IP addresses, and credentials for services such as FTP, SSH, databases and VPNs.
Romano has also described a vulnerability involving SugarCRM’s updates.sugarcrm.com domain. According to the researcher, an attacker who manages to compromise this server may be able to hack all 2 million Sugar instances.
The expert said many of the flaws remain unpatched in the latest version of Sugar Community Edition.
In a security notice posted in response to Romano’s blog post, SugarCRM claimed all the vulnerabilities reported by the researcher last summer were patched in October with the release of Sugar 7.7.2.0.
SugarCRM has clarified that the company is focusing on its commercial products and the evolution of its open source program ended with the release of Sugar 7.
SugarCRM says it has been working on addressing the PHP-related serialization vulnerabilities and it plans on moving away from the use of this technique due to the risks it poses.
The firm said all of the flaws reported by Romano last summer had been classified as “medium” or “low” severity, and these types of weaknesses are no longer being patched in the Community Edition. Security holes that have a severity of “medium” or lower are not mentioned in release notes for the commercial product.
The vendor’s statement does not mention the communication issues it had in this case with the researcher. The company has however pointed out that it will make some changes to its policy concerning the inclusion of less severe vulnerabilities in its release notes.