Share
-----------------------------------------------------------------  
SuiteCRM <= 7.11.11 Multiple Phar Deserialization Vulnerabilities  
-----------------------------------------------------------------  
  
  
[-] Software Link:  
  
https://suitecrm.com/  
  
  
[-] Affected Versions:  
  
Version 7.11.11 and prior versions.  
  
  
[-] Vulnerabilities Description:  
  
1) User input passed through the "backup_dir" parameter when handling   
the "Backups" action  
within the "Administration" module is not properly sanitized before   
being used in a file  
operation. This can be exploited by malicious users to inject arbitrary   
PHP objects into  
the application scope (PHP Object Injection via phar:// stream wrapper),   
allowing them to  
carry out a variety of attacks, such as executing arbitrary PHP code.   
Successful  
exploitation of this vulnerability requires a System Administrator   
account.  
  
2) User input passed through the "file_name" parameter when handling the   
"step3โ€ณ action  
within the "Import" module is not properly sanitized before being used   
in a file operation.  
This can be exploited by malicious users to inject arbitrary PHP objects   
into the application  
scope (PHP Object Injection via phar:// stream wrapper), allowing them   
to carry out a variety  
of attacks, such as executing arbitrary PHP code.  
  
3) User input passed through the "load_module_from_dir" parameter when   
handling the  
"UpgradeWizard" action within the "Administration" module is not   
properly sanitized before  
being used in a file operation. This can be exploited by malicious users   
to inject arbitrary  
PHP objects into the application scope (PHP Object Injection via phar://   
stream wrapper),  
allowing them to carry out a variety of attacks, such as executing   
arbitrary PHP code.  
Successful exploitation of this vulnerability requires a System   
Administrator account.  
  
4) User input passed through the "file_name" parameter when handling the   
"UploadFileCheck"  
action within the "UpgradeWizard" module is not properly sanitized   
before being used in a  
file operation. This can be exploited by malicious users to inject   
arbitrary PHP objects  
into the application scope (PHP Object Injection via phar:// stream   
wrapper), allowing them  
to carry out a variety of attacks, such as executing arbitrary PHP code.   
Successful  
exploitation of this vulnerability would require a System Administrator   
account.  
However, due to KIS-2020-04 it could be exploited by any user.  
  
  
[-] Solution:  
  
No official solution is currently available.  
  
  
[-] Disclosure Timeline:  
  
[19/09/2019] - Vendor notified  
[20/09/2019] - Vendor acknowledgement  
[12/11/2019] - Vendor contacted again asking for updates, no response  
[20/01/2020] - Vendor notified about public disclosure intention, no   
response  
[07/02/2020] - CVE number assigned  
[12/02/2020] - Public disclosure  
  
  
[-] CVE Reference:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2020-8801 to these vulnerabilities.  
  
  
[-] Credits:  
  
Vulnerabilities discovered by Egidio Romano.  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2020-02