‘Critical’ RCE, Account Takeover Flaws Fixed in Rock RMS Church Management Platform

Open source CRM software is used by at least 500 churches around the world

UPDATE Rock RMS, a “relationship management system” for churches, was affected by a pair of vulnerabilities that could lead to account takeover and remote code execution (RCE).

Security researchers who discovered these and several other less serious flaws in the open source application urged users to update their systems as soon as possible.

Perhaps best described as a customer relationship management (CRM) platform for religious institutions, Rock RMS enables church leaders to track attendance, manage online donations, and manage relationships with their congregations, among other features.

Nearly 550 churches around the world – but mostly in North America – are said to use the platform.

The continued development of the app is funded by voluntary donations.

File upload restriction bypass

The researchers, from the Cyber Security Research Group, discovered what they saw as a critical logic flaw in the way a blocklist function validates file extensions (CVE-2019-18643), which meant that attackers could upload malicious files to any directory on the system and achieve RCE.
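To illustrate the class of defect described above (an extension blocklist as the only upload control), here is an added example, not code from Rock RMS or the researchers: a blocklist check beside a hardened check that combines an extension allowlist with path containment under the content directory. The content root, the blocklist and the allowlist are constructed for the example; they are not Rock RMS's real values.

```python
import posixpath

# Constructed values for the example; not Rock RMS's real paths or lists.
CONTENT_ROOT = "/var/www/rock/Content"
BLOCKED = {".aspx", ".ashx", ".asmx", ".exe", ".dll"}
ALLOWED = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}


def blocklist_check(filename):
    """Blocklist style: accepts anything whose extension is not on the list.

    Weakness: every dangerous extension the list forgets (e.g. .config)
    passes, and nothing constrains where the file is written.
    """
    _, ext = posixpath.splitext(filename)
    return ext.lower() not in BLOCKED


def safe_upload_path(filename, subdir=""):
    """Allowlist plus containment: returns the destination path, or None.

    - Only the base name of the client-supplied name is used.
    - The extension must be on the allowlist (unknown types are rejected).
    - The normalised destination must stay under CONTENT_ROOT, so a
      traversal in the target subdirectory is rejected as well.
    """
    base = posixpath.basename(filename)
    if base in ("", ".", ".."):
        return None
    _, ext = posixpath.splitext(base)
    if ext.lower() not in ALLOWED:
        return None
    dest = posixpath.normpath(posixpath.join(CONTENT_ROOT, subdir, base))
    if not dest.startswith(CONTENT_ROOT + "/"):
        return None
    return dest


if __name__ == "__main__":
    for name in ("report.pdf", "web.config", "shell.aspx"):
        print(name, "blocklist:", blocklist_check(name),
              "hardened:", safe_upload_path(name))
```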

Although the researchers suggested that a full patch only emerged four versions after an initial partial patch, this is contested by Spark Development Network, which developed the app.

“They changed the details of their description of the problem several months after their initial communication” to “include other attack vectors”, but a fix was nonetheless released quickly, Jon Edmiston, a developer at the non-profit, told The Daily Swig.

The researchers published a detailed account of their findings on the Full Disclosure security mailing list on January 2.

Account recovery

The other “critical” Rock RMS bug (CVE-2019-18642) could see attackers tamper with user credentials as they are sent to the server during profile updates made by less privileged users, and then “make modifications to any other user”.

This means they can change the system administrator email address, reset the password, and then log in and achieve full app compromise.

Both flaws received a near-maximum CVSS score of 9.8.

However, Edmiston said these ratings were inaccurate. “Although we take every security issue very seriously, they greatly overstate the impact of some of these items,” he said.


A third, medium-severity (CVSS 5.3) flaw in the GetVCard functionality “allowed any unauthenticated user to iterate through all sequential user IDs and exfiltrate the user’s personal information”, such as “first name, last name, phone numbers, e-mail address, [and] physical address” (CVE-2019-18641).

The researchers also discovered several insecure API calls, a reflected cross-site scripting (XSS) flaw, and information leaks resulting from an access-control issue in the private calendar.

Contested patch process

The researchers alerted Spark Development Network to the file upload, API tag, and GetVCard flaws on January 9, 2020, and then reported the account takeover bug on January 16.

Version 8.6 arrived three days later, on January 19, although the researchers told the developers on March 7 that this only partially fixed the file upload restriction bypass.

“Again, they’re hinting at a report they made and then edited after we fixed the reported bug,” said Jon Edmiston of Spark Development Network. “They widened the description.”

He added: “We have actually corrected and published [comprehensive] fixes within a few days for all their items.”


The latest versions, 8.10 and 9.4 respectively, were released on November 5 and 6.

The researchers advised users to search their content directory for potentially malicious file extensions such as, and their web logs for file uploads to directories other than the content directory, as well as “for suspicious looping iterations through objects such as vcard IDs”.

“Overall, we think we’ve done a great job in dealing with these reported issues,” especially given the project’s relatively modest resources, said Edmiston.

“We responded very quickly to their communications,” he added, adding that the researchers “praised our responsiveness.

“I even set up a call with them to make sure we understood every element.”

The Daily Swig has contacted the security researchers for further comment and will update this article if and when we have a response.

This article was updated on January 5 with comments from Spark Development Network. A claim by the researchers that “in some cases, early access to patches requires a paid subscription” has also been removed; Spark Development Network says that early access applies to new features, not patches.
