Archives For security

Earlier today, we received information about a lengthy post from a member of our community regarding security issues in SugarCRM’s products and operations. Let me start by saying that SugarCRM takes product and IT security very seriously and has enjoyed a long and productive history of working with the security community. These engagements have helped improve our products and operational processes immensely. Our security protocols and policies include a prompt response to any report of security vulnerabilities or incidents by researching, analyzing, scoring, correcting and providing public notification of the issue(s), and corresponding remediation and product improvements.

Regarding today’s post, the content and issues cited are currently under review by our security, product and operations teams. As we analyze the issues, I’ll continue to post updates on this blog.

4 PM PT Update

Quick update: Our technical and operations folks are doing a line-by-line analysis of the blog post to determine the accuracy and status of the issues cited. We’ll have a more detailed update as quickly as we can work through all of them, but I’d like to shed some light on the history and structure of our SugarCRM technology and solutions.

As noted in the original post, the security issues found were based on an analysis of Sugar CE (Community Edition) open source. The Sugar CE code base comes from our previous generation of CRM product (Sugar 6.x). Four years ago, Sugar released the next and current generation of our CRM solutions (Sugar 7.x), simultaneously ending the evolution of our open source program. Thus, the current version of Sugar (version 7.9 will be available shortly) is neither the same architecture or code represented in our old CE edition. That said, there is some code that is shared between the two, so the comments raised must be reviewed in the context of the current generation of solutions as well. Regardless of version, technology or time frame, we err on the side of safety and analyze all reports, checking against all supported versions of our CRM product.

6 PM PT Update

Analysis: First results are in

Our research is ongoing, but I want to keep folks updated here.

The vulnerabilities cited in part one of the researcher’s post are described as PHP Object injection vulnerabilities. We have made a series of changes over a period of time to fully address these issues, and we were able to mitigate them through a combination of an update provided in SugarCRM 6.5.24, released in July 2016, and the PHP 5.6.25 upstream release, which occurred in September 2016. Notwithstanding, we recognize that the usage of unserialize has an elevated risk and we already have plans to move away from it in a future release.

12 PM PT Update (4/25/17)

The vulnerabilities disclosed in the second section of the researcher’s post were addressed as part of the Sugar release, which went live October 2016. When potential issues are initially reported, we score them using the CVSS (Common Vulnerability Scoring System).  Based on impact and reach, none of the vulnerabilities in in the second section scored higher than ‘medium’. Per our security policy, issues in the medium category are addressed in the next regularly scheduled patch release. SugarCRM’s On-Demand customers have all been upgraded to or successor versions. This release was provided to our on-premise customers as well. It’s important to note that updates based on issues scored as ‘medium’ are no longer provided to our last-generation open source Community Edition (CE), so the bloggers post no longer aligns with our current commercial products and solutions.

I should add that our prior policies reflected our view that security issues ranked ‘medium’ (in CVSS) or lower did not merit inclusion in release notes. We recognize that we can further improve transparency and will be amending this policy going forward.  

4 PM Update (4/27/17)

Three separate vulnerabilities were disclosed in part three of the post that bear on our internal support infrastructure. Two of those vulnerabilities were initially identified by the blogger in September 2016, and the third was newly reported in the post.

The first vulnerability, which enabled access to FTP account information, was fixed within 24 hours of the report.  Per our policy, we immediately notified the two affected customers of the disclosure. For each customer, we identified what information was accessed, reviewed our process and actions, and asked the customers to make certain adjustments to mitigate future risks. We also reviewed our logs for irregularities and forced the rotation of all FTP credentials to mitigate the risk of illegitimate access.  After thorough and detailed reviews, we believe that no active customer (CRM) data was accessed. In order to help mitigate these types of attacks in the future, we also immediately instituted a new customer support policy to ensure that FTP credentials are no longer accessible to customers in the context of support cases and that usernames and passwords are appropriately isolated.

The second vulnerability referred to by the researcher as “stored XSS Vulnerability” was resolved within 10 days of his September report.   

The third vulnerability, which potentially could have enabled the blogger to access cases without authentication, was newly disclosed by the researcher in his recent blog post and we promptly fixed the issue within 24 hours (on April 25, 2017).

If last year’s Sony hack reminded everyone that not securing your own data can be embarrassing, the recent Ashley Madison fiasco proved that failing to secure your customers’ data can be a whole lot worse.

The frequent headlines about cyber security breaches and hacking, along with concerns about data snooping by governments around the world, have caused many to inquire just how secure the data inside their CRM solution might be. They are right to ask. With so much customer data at stake, there is a lot to think about with CRM security.

Let’s look at what can go wrong:

Earlier this year, the FCC fined AT&T $25 million for data security and privacy violations that exposed about 280,000 U.S. customers’ names and full or partial Social Security numbers. The breaches occurred when employees at call centers used by AT&T in Mexico, Colombia and the Philippines accessed sensitive customer data without adequate authorization. According to the FCC, the employees took payment from third parties who were looking to use customer names and Social Security numbers to unlock stolen cell phones for sale on secondary markets.

More than 68,000 accounts were accessed without authorization, and more than 290,000 unlock requests were submitted by third parties through an AT&T online portal. The FCC also discovered that roughly 40 company employees in the Philippines and Colombia had accessed about 211,000 customer accounts for the same illicit purposes.

The $25 million fine is just the beginning of trouble. Even more painful and costly are the remediation and communication efforts with affected customers, and lost business that results when breaches are disclosed.

Hosting customer data in someone else’s cloud raises justifiable concerns about security. Customers need to know what levels of security the host is providing and need to address some critical questions:

  • What protection mechanisms are in place to prevent someone from hacking into the host?
  • Is there 24/7 monitoring to make sure that employees are not accessing data that should be off limits to them?

Deploying SugarCRM via the SaaS model (Sugar On-Demand) means multiple layers of protection and security. The Sugar application is hosted in Tier 1 data center facilities around the world. These data centers are protected by powerful physical security mechanisms such as 24/7 secured access with motion sensors, video surveillance, and security breach alarms. SugarCRM security and infrastructure components include: firewalls, robust encryption and sophisticated user authentication layers.

SugarCRM understands that data is a critical component of the daily business operations of its customers and that it is essential to ensure the privacy and protection of data regardless of where it resides. SugarCRM takes a holistic, layered and systematic approach to safeguarding that data and is constantly evaluating, evolving and improving the privacy and security measures it has in place. SugarCRM also offers customers the option to deploy Sugar on-premise, as well as in hosted and hybrid configurations, flexing to meet the broadest range of security and regulatory requirements.

For more information about our security related policies, please click here.