Skip to content

Security update for Lime CRM Server

Bulletin ID LCSEC18-01 Date published 2018-07-05 Priority 2 Severity Critical

Priority and severity ratings are determined as described here.

Summary

This security update resolves a vulnerability in Lime CRM Server. The vulnerability could allow remote code execution in Lime CRM Server if an attacker alters the system configuration in a malicious way. However, an attacker would need access to a user account with administrator privileges in order to succeed with exploiting the vulnerability.

Affected versions

Product Version Platform
Lime CRM Server 12.25 - 12.41.1.5 All platforms

Solution

Lime categorizes this update with the following priority rating and recommends customers to either install the provided hotfix or update their installation to the newest version:

Product Type Updated version Priority rating Availability
Lime CRM Server Hotfix for any affected version - 2 Download
Lime CRM Server Product release 12.41.2.5 2 Download

Vulnerability information

Detailed summary

A remote code execution vulnerability exists in Lime CRM Server software when the software fails to properly validate configuration data input by users with administrator privileges. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the user running the Lime CRM Web Server service. If that user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Mitigating factors

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in this situation:

  • Running the Lime CRM Web Server service under an account configured to have fewer user rights on the system could be less impacted than running as a user operating with full administrative rights.

Workarounds

Workaround refers to a setting or configuration change that would help block known attack vectors before you apply the update.

  • Update firewall/proxy rules to deny HTTP requests using the PUT verb for the following endpoints: 
    https://lime.example.com/<appname>/api/v1/activitytype/
https://lime.example.com/<appname>/widgets/widget-salespipe/config
https://lime.example.com/<appname>/webclient/add/config

The impact of this workaround is that it will not be possible to update Lime CRM Web Client configuration until rules are disabled or removed.