A recent security assessment of vtenext CRM version 25.02 has uncovered multiple critical vulnerabilities that enable unauthenticated attackers to bypass authentication mechanisms through three distinct attack vectors, potentially leading to remote code execution on affected systems. vtenext, an Italian Customer Relationship Management (CRM) solution widely adopted by small and medium enterprises across Italy, is now under scrutiny due to these significant security flaws.
Key Findings:
1. Authentication Bypass via XSS and Session Hijacking:
– An exploitable chain of vulnerabilities combining reflected Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) token bypass, and session cookie disclosure has been identified.
– The flaw resides in `modules/Home/HomeWidgetBlockList.php`, where the `widgetId` parameter is insufficiently sanitized before being reflected in server responses.
– Attackers can inject malicious scripts through crafted requests. Because the application reads parameters from the `$_REQUEST` superglobal, values intended to arrive via POST can be supplied as GET parameters instead, sidestepping the CSRF protection implemented in `include/utils/VteCsrf.php`.
2. SQL Injection Leading to Credential Extraction:
– A SQL injection vulnerability in `modules/Fax/EditView.php` allows attackers to extract sensitive user credentials and authentication tokens.
– The vulnerable code constructs database queries by directly concatenating user-controlled input, specifically the `$fieldname` parameter, which remains unsanitized.
– Attackers can leverage subquery injection to extract password reset tokens, facilitating immediate password reset operations without user interaction and leading to complete account takeover.
3. Arbitrary Password Reset Vulnerability:
– An endpoint at `hub/rpwd.php` exposes a `change_password` action lacking adequate security validation, permitting password modification for any user account using only the target username.
– The vulnerable code path in `modules/Users/RecoverPwd.php` processes password change requests without proper authentication verification.
– Setting the `skipOldPwdCheck` parameter to `true` bypasses verification of the current password, enabling attackers to reset any user’s credentials with a single HTTP request.
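The `$_REQUEST` and string-concatenation issues in findings 1 and 2 are general PHP patterns. The following constructed handler (added here for illustration; it is not vtenext’s code, and `verify_csrf_token`, the `widgets` table and its column names are assumptions) shows the weak pattern beside a hardened form: a CSRF check gated on the request method is sidestepped when the handler then reads inputs from `$_REQUEST`, which merges GET, POST and cookie values; the hardened version reads only `$_POST`, checks the token unconditionally, allow-lists the column identifier, escapes output and binds row values through a prepared statement.

```php
<?php
// Constructed example, not code from vtenext. Weak and hardened handlers
// side by side for the patterns described in findings 1 and 2.

// Assumed helper: constant-time comparison against the session token.
function verify_csrf_token(string $token): bool
{
    return isset($_SESSION['csrf']) && hash_equals($_SESSION['csrf'], $token);
}

// Weak: the CSRF check only runs for POST, but inputs are then read from
// $_REQUEST, which merges $_GET, $_POST and $_COOKIE. A parameter the
// developer expects via POST can equally arrive in the query string, and
// the method-gated check never executes. The reflected value is not
// escaped, and the column name is concatenated straight into SQL.
function weak_handler(PDO $db): void
{
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && !verify_csrf_token($_POST['csrf'] ?? '')) {
        http_response_code(403);
        return;
    }
    $widgetId  = $_REQUEST['widgetId'] ?? '';   // reflected unescaped -> XSS
    $fieldname = $_REQUEST['fieldname'] ?? '';  // concatenated -> SQL injection
    echo "<div id='" . $widgetId . "'>";
    $db->query("SELECT $fieldname FROM widgets WHERE id = 1");
}

// Hardened: state-changing input is accepted only from $_POST, the token is
// checked on every request, the column name must match a fixed allow-list
// (identifiers cannot be bound as parameters), output is HTML-escaped, and
// row values are bound through a prepared statement.
function hardened_handler(PDO $db): void
{
    if (!verify_csrf_token($_POST['csrf'] ?? '')) {
        http_response_code(403);
        return;
    }
    $widgetId  = $_POST['widgetId'] ?? '';
    $fieldname = $_POST['fieldname'] ?? '';
    $allowed   = ['title', 'owner', 'created'];  // assumed column set
    if (!in_array($fieldname, $allowed, true)) {
        http_response_code(400);
        return;
    }
    echo "<div id='" . htmlspecialchars($widgetId, ENT_QUOTES, 'UTF-8') . "'>";
    $stmt = $db->prepare("SELECT $fieldname FROM widgets WHERE id = :id");
    $stmt->execute([':id' => 1]);
}
```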
Remote Code Execution (RCE) Exploitation:
After bypassing authentication, attackers can escalate to remote code execution through several paths:
– Local File Inclusion (LFI): By exploiting LFI vulnerabilities, attackers can include and execute arbitrary files on the server.
– Module Upload Flaws: Vulnerabilities in the module upload functionality allow attackers to upload malicious modules containing executable code.
Vendor Response and Mitigation:
Although the vendor was notified, only the password reset issue was patched, silently and without an advisory, in version 25.02.1 following the research disclosure. The other identified vulnerabilities remain unaddressed, leaving systems at risk.
Recommendations:
– Immediate Patching: Users should update to version 25.02.1 to mitigate the password reset vulnerability.
– Temporary Workarounds: Until comprehensive patches are released, administrators should implement temporary measures such as:
  – Disabling the vulnerable endpoints.
  – Enhancing input validation and sanitization.
  – Monitoring logs for suspicious activity.
– Vendor Engagement: Organizations using vtenext should contact the vendor to inquire about the status of patches for the remaining vulnerabilities and request timely updates.
Conclusion:
The discovery of these critical vulnerabilities in vtenext CRM underscores the importance of regular security assessments and prompt patch management. Organizations relying on vtenext should take immediate action to secure their systems and protect sensitive customer data from potential exploitation.