{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/perfex-crm/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Perfex CRM"],"_cs_severities":["critical"],"_cs_tags":["perfex-crm","rce","insecure-deserialization","php"],"_cs_type":"advisory","_cs_vendors":["Perfex"],"content_html":"\u003cp\u003ePerfex CRM, a customer relationship management software, is susceptible to an unauthenticated remote code execution vulnerability. This vulnerability stems from the application's handling of autologin cookies. The autologin cookie is directly passed into PHP's \u003ccode\u003eunserialize()\u003c/code\u003e function without proper sanitization. This allows an attacker to inject arbitrary PHP objects into the application's context, leading to remote code execution. This vulnerability allows unauthenticated attackers to execute arbitrary code on the server. Given the widespread use of CRM software and the ease of exploitation, this vulnerability poses a significant risk to organizations using Perfex CRM.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Perfex CRM instance exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious PHP object designed to execute arbitrary code. This object could leverage existing classes within the Perfex CRM codebase, or potentially utilize PHP's built-in functions for code execution.\u003c/li\u003e\n\u003cli\u003eThe malicious PHP object is serialized using PHP's \u003ccode\u003eserialize()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe serialized object is base64 encoded.\u003c/li\u003e\n\u003cli\u003eThe base64 encoded string is set as the value of the \u003ccode\u003eautologin\u003c/code\u003e cookie in an HTTP request.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted HTTP request to the Perfex CRM instance, targeting a page that processes the \u003ccode\u003eautologin\u003c/code\u003e cookie.\u003c/li\u003e\n\u003cli\u003eThe Perfex CRM application receives the request and passes the value of the \u003ccode\u003eautologin\u003c/code\u003e cookie directly to the \u003ccode\u003eunserialize()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunserialize()\u003c/code\u003e function reconstructs the malicious PHP object, triggering the execution of the attacker's arbitrary code. This can lead to complete system compromise, including data exfiltration, installation of malware, or defacement of the CRM system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to execute arbitrary code on the server hosting Perfex CRM. This could lead to complete system compromise, including sensitive customer data exfiltration, installation of ransomware, or defacement of the CRM system. Organizations using vulnerable Perfex CRM instances are at high risk of data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for requests with unusually long \u003ccode\u003eautologin\u003c/code\u003e cookie values to identify potential exploitation attempts (reference: web server logs).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect exploitation attempts based on the structure of the \u003ccode\u003eautologin\u003c/code\u003e cookie (reference: Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement input validation on the \u003ccode\u003eautologin\u003c/code\u003e cookie to prevent the injection of serialized PHP objects (reference: vulnerability details).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-02-29T12:00:00Z","date_published":"2024-02-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-02-29-perfex-rce/","summary":"Perfex CRM is vulnerable to unauthenticated remote code execution (RCE) due to an autologin cookie being fed into unserialize().","title":"Perfex CRM Unauthenticated Remote Code Execution via Insecure Deserialization","url":"https://feed.craftedsignal.io/briefs/2024-02-29-perfex-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Perfex-Crm","version":"https://jsonfeed.org/version/1.1"}