A Need for Vigilance in Open Source Software: Dolibarr CRM Advisory Release
Used by millions of users worldwide, Dolibarr ERP CRM has become a major integrated business solution in the open source world, and its user and developer community continues to grow.
Depended on by both large-scale corporations and individual freelancers, Dolibarr ERP CRM supports human resources, marketing, finance and other groups by offering an array of useful modules – everything from sales management to project management capabilities is covered by this software.
Bishop Fox researcher Priyank Nigam recently found three critical vulnerabilities (see the technical advisory for details) in version 9.0.1 of this open source software. We contacted Dolibarr immediately and worked with the project through the responsible disclosure process. As of this publication, all three issues have been remediated.
Open Source Security: A Need for Vigilance
The issues we identified in Dolibarr are not unique; open source software is just as susceptible to vulnerabilities as any other software. IT managers and developers need to avoid a common fallacy about open source: that it is more secure because the code is freely available and therefore has "more eyes" on it.
That is not always the case. In reality, much of the code may be outdated, and the project behind it, however popular, may be maintained by a handful of otherwise busy people in their spare time. Availability of source code only improves security if someone with the right skills actually reviews it.
Open source libraries and third-party code are integral parts of our modern environment, and vigilance about the security of both is paramount to the safety and the privacy of people who use the internet.
The Issues: CVE-2019-11199, CVE-2019-11200, CVE-2019-11201
Bishop Fox identified two remote code execution vulnerabilities and one stored cross-site scripting vulnerability in the Dolibarr application. For a quick TL;DR, here is what those terms mean:
- Remote code execution: RCE lets an attacker run code of their choosing on the server that hosts the application, with the permissions of the process running it (here, the web server user).
- Stored cross-site scripting: Stored XSS occurs when an application accepts data from an untrusted source, stores it, and later includes it in an HTTP response without proper encoding, so a victim's browser executes attacker-supplied script within the victim's session on the application's origin.
RCE #1: CVE-2019-11200
The Dolibarr ERP/CRM application backs up its database to a dump file by invoking mysqldump, but it performs insufficient checks on the export parameters it passes to that command. A user who can reach the backup feature can therefore inject arbitrary commands that run on the server. Combined with the application's other functionality (for example, file upload), an attacker can stage a malicious payload on the server and then execute it.
Once code is executing on the server, and depending on the server's configuration, an attacker may be able to escalate privileges to the root user. From there, an attacker can go after credentials such as the domain admin account and gain visibility into the entire network.
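To make the pattern behind CVE-2019-11200 concrete, the following is an added example written for this post; it is not Dolibarr's code and does not reproduce the project's actual backup module. It contrasts a backup routine that concatenates request data into a mysqldump shell command with a hardened version that allowlists options, validates identifiers, and passes arguments as separate argv elements so no shell ever parses them. The parameter names, the backup directory, and the option file path are assumptions chosen for the illustration.

```php
<?php
// Added example for this post; not Dolibarr's code. Names such as $opts,
// BACKUP_DIR and the mysqldump option file path are assumptions.

// --- VULNERABLE: request data is concatenated into a shell command string.
// A crafted $opts such as "--no-data; id > /tmp/pwned #" is handed to /bin/sh
// exactly as written, so the text after ';' runs as its own command.
function build_dump_command_vulnerable(string $db, string $opts, string $outfile): string
{
    return "mysqldump $opts $db > $outfile";
}

// --- HARDENED: allowlist options, validate identifiers, build an argv array.
//
// Only options the backup feature genuinely needs. Arbitrary mysqldump flags
// are dangerous even without a shell: --result-file could write into the web
// root and --defaults-extra-file could read files as the server user.
const ALLOWED_DUMP_OPTS = [
    '--single-transaction',
    '--no-data',
    '--add-drop-table',
    '--skip-extended-insert',
];
const BACKUP_DIR = '/var/lib/app/backups'; // fixed, outside the web root (assumed)

function build_dump_argv(string $db, array $opts, string $outname): array
{
    if (preg_match('/^[A-Za-z0-9_]{1,64}$/', $db) !== 1) {
        throw new InvalidArgumentException('invalid database name');
    }
    foreach ($opts as $o) {
        if (!in_array($o, ALLOWED_DUMP_OPTS, true)) {
            throw new InvalidArgumentException('mysqldump option not allowed: ' . $o);
        }
    }
    // Output name: strict charset, fixed extension, no directory component.
    // The directory is never caller-controlled, so traversal is impossible.
    if (preg_match('/^[A-Za-z0-9_-]{1,100}\.sql$/', $outname) !== 1) {
        throw new InvalidArgumentException('invalid backup file name');
    }
    $argv = ['mysqldump'];
    // Credentials belong in a 0600 option file, not on the command line where
    // `ps` would show them to every local user.
    $argv[] = '--defaults-extra-file=/etc/app/mysqldump.cnf';
    $argv[] = '--result-file=' . BACKUP_DIR . '/' . $outname;
    foreach ($opts as $o) {
        $argv[] = $o;
    }
    $argv[] = $db;
    return $argv;
}

// Executes the argv without a shell (PHP >= 7.4 accepts an array command).
function run_dump(array $argv): int
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start mysqldump');
    }
    fclose($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0) {
        throw new RuntimeException('mysqldump failed: ' . trim($err));
    }
    return $status;
}

// Demo with constructed hostile input; only builds commands, no database needed.
$hostile = '--no-data; id > /tmp/pwned #';
echo "vulnerable: ", build_dump_command_vulnerable('crm', $hostile, 'dump.sql'), "\n";
try {
    build_dump_argv('crm', [$hostile], 'dump.sql');
} catch (InvalidArgumentException $e) {
    echo "hardened rejected input: ", $e->getMessage(), "\n";
}
print_r(build_dump_argv('crm', ['--single-transaction'], 'crm-backup.sql'));
```

The essential difference is that the hardened version never lets user input decide what mysqldump does beyond a short, fixed menu of options, and it never lets a shell interpret that input at all. Escaping with escapeshellarg() would stop the `;` injection shown here but would still let a user pass any mysqldump flag, which is why the allowlist matters as much as avoiding the shell.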
RCE #2: CVE-2019-11201
The other instance is in the module that lets users build public websites with a WYSIWYG editor. The editor also allows the inclusion of dynamic code, which can lead to code execution on the host.
An attacker simply enables a setting on the same page that marks the content as dynamic, and the application then evaluates it. This allows a lower-privileged user to execute code in the context, and with the permissions, of the underlying web server.
XSS: CVE-2019-11199
The XSS issue in Dolibarr ERP/CRM is stored in uploaded files: a JavaScript payload placed in a file the application serves from its own origin executes whenever a regular or administrative user opens the malicious link. A low-privileged user can exploit this to target administrators and, riding the administrator's session, go on to trigger the remote code execution vulnerabilities described above. Alternatively, the same access can be used to perform administrative actions directly, such as adding arbitrary users to the administrators group.
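The following is an added example written for this post, not Dolibarr's code, showing the two controls that defuse a stored-XSS payload hidden in an uploaded file, as in CVE-2019-11199: checking the file's real content type at upload time, and sending response headers when serving it back that stop the browser from rendering it as an HTML document on the application's origin. The upload directory, the MIME allowlist and the function names are assumptions for the illustration.

```php
<?php
// Added example for this post; not Dolibarr's code. UPLOAD_DIR, INLINE_TYPES
// and the function names are assumptions.

const UPLOAD_DIR = '/var/lib/app/uploads'; // outside the web root (assumed)

// Types the application is willing to render inline. text/html, image/svg+xml
// and XML variants are deliberately absent: a browser executes script in them.
const INLINE_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'txt'  => 'text/plain',
];

// Upload-time check: the extension must be allowlisted AND the bytes must
// match it (a .png that is really HTML is rejected).
function validate_upload(string $tmpPath, string $clientName): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(INLINE_TYPES[$ext])) {
        throw new InvalidArgumentException('file type not allowed: ' . $ext);
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected !== INLINE_TYPES[$ext]) {
        throw new InvalidArgumentException("content ($detected) does not match .$ext");
    }
    return $ext;
}

// Filename as it will appear in Content-Disposition: strip anything that could
// break out of the header value or the quoted string.
function safe_name(string $name): string
{
    return preg_replace('/[^A-Za-z0-9._-]/', '_', basename($name));
}

// Response headers for serving a stored file back to a user.
function headers_for_download(string $storedName): array
{
    $ext = strtolower(pathinfo($storedName, PATHINFO_EXTENSION));
    $headers = [
        // Never let the browser guess a type (e.g. treat text as HTML).
        'X-Content-Type-Options' => 'nosniff',
        // Even if something slips through, script in this response cannot
        // run or act on the application's origin.
        'Content-Security-Policy' => "default-src 'none'; sandbox",
        'Cache-Control'           => 'private, no-store',
    ];
    if (isset(INLINE_TYPES[$ext])) {
        $headers['Content-Type'] = INLINE_TYPES[$ext];
        $headers['Content-Disposition'] = 'inline; filename="' . safe_name($storedName) . '"';
    } else {
        // Anything else is a download, never a document rendered by the browser.
        $headers['Content-Type'] = 'application/octet-stream';
        $headers['Content-Disposition'] = 'attachment; filename="' . safe_name($storedName) . '"';
    }
    return $headers;
}

function send_file(string $storedName): void
{
    foreach (headers_for_download($storedName) as $k => $v) {
        header("$k: $v");
    }
    readfile(UPLOAD_DIR . '/' . $storedName);
}

// Demo with a constructed file: HTML bytes disguised as a PNG are rejected.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<html><script>alert(document.cookie)</script></html>");
try {
    validate_upload($tmp, 'invoice.png');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
unlink($tmp);
print_r(headers_for_download('notes.html')); // forced to attachment
print_r(headers_for_download('photo.jpg'));  // inline as image/jpeg
```

Serving uploads from a separate, cookie-less origin (a dedicated files subdomain or CDN) is the stronger fix, because then even a file that does render as HTML cannot reach the application's session; the headers above are the minimum for applications that must serve uploads from the same origin.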
The Solution
Dolibarr fixed all three issues in ERP/CRM version 9.0.3. If you run an earlier version, update as soon as possible.