CVE-2019-18641

9.8 CRITICAL

📋 TL;DR

CVE-2019-18641 is an access control vulnerability in Rock RMS that allows unauthorized access to vCard data through the People/GetVCard/REST controller. This affects all Rock RMS installations before version 1.8.6, potentially exposing sensitive personal information.

💻 Affected Systems

Products:
  • Rock RMS
Versions: All versions before 1.8.6
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all default installations of Rock RMS. The vulnerability is in the core application code, not dependent on specific configurations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of all vCard data containing personal contact information, potentially leading to identity theft, phishing campaigns, or further targeted attacks.

🟠

Likely Case

Unauthorized access to contact information for organization members, staff, and volunteers, leading to privacy violations and potential social engineering attacks.

🟢

If Mitigated

Limited exposure of non-sensitive contact information if proper network segmentation and access controls are implemented.

🌐 Internet-Facing: HIGH - The vulnerability affects a REST controller that is typically internet-accessible in church/community management systems.
🏢 Internal Only: MEDIUM - Even internal-only deployments could be exploited by malicious insiders or compromised internal accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details available in security advisories. The vulnerability requires minimal technical skill to exploit as it involves direct API endpoint access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.6

Vendor Advisory: https://github.com/SparkDevNetwork/Rock/commit/576f5ec22b1c43f123a377612981c68538167c61

Restart Required: Yes

Instructions:

1. Backup your Rock RMS database and application files.
2. Download Rock RMS version 1.8.6 or later from the official repository.
3. Follow the standard upgrade procedure for your deployment.
4. Restart the application server and verify functionality.

🔧 Temporary Workarounds

Block vCard Endpoint Access

Temporarily block access to the vulnerable People/GetVCard/REST endpoint using web server or firewall rules. ASP.NET routing matches paths case-insensitively, so the block must be case-insensitive too; a case-sensitive rule would let a request such as /people/getvcard/REST through.

```text
# For Apache (server or virtual host context; NC makes the match case-insensitive):
RewriteRule ^/People/GetVCard/REST - [NC,F]

# For Nginx (~* is a case-insensitive regex location):
location ~* ^/People/GetVCard/REST { return 403; }

# For IIS: add a URL Rewrite rule that matches the same path (ignore case) and returns 403
```

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can access the Rock RMS application
  • Deploy a web application firewall (WAF) with rules to detect and block vCard enumeration attempts

🔍 How to Verify

Check if Vulnerable:

Check if your Rock RMS version is below 1.8.6 by examining the application version in the admin panel or checking the assembly version.

Check Version:

Check the Rock.dll assembly version, or view the version in the Rock RMS admin interface under System Configuration.

Verify Fix Applied:

After upgrading to 1.8.6 or later, verify that unauthorized access to vCard data is prevented by testing the People/GetVCard/REST endpoint with unauthenticated requests.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts followed by successful vCard access
  • Unusual patterns of requests to /People/GetVCard/REST endpoint
  • Access to vCard data from unexpected IP addresses or user accounts

Network Indicators:

  • Unusual volume of requests to the vCard endpoint
  • Requests to vCard endpoint without proper authentication headers
  • Patterns of sequential ID enumeration in vCard requests

SIEM Query:

source="rockrms" AND (uri_path="/People/GetVCard/REST" AND NOT user_authenticated="true")
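As an added example, not part of this advisory or of Rock RMS, the following Python script applies the log and network indicators above to constructed web-server access-log lines: it flags successful vCard requests that carry no authenticated user, and source IPs that walk sequential person ids. It assumes the combined log format and that the endpoint is followed by a numeric person id as its last path segment; the sample lines, IP addresses and enumeration threshold are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format), not real traffic.
# The trailing numeric segment is an assumed person-id shape, not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2019:10:00:01 +0000] "GET /People/GetVCard/REST/101 HTTP/1.1" 200 812 "-" "curl/7.64.0"
203.0.113.5 - - [10/Nov/2019:10:00:02 +0000] "GET /People/GetVCard/REST/102 HTTP/1.1" 200 790 "-" "curl/7.64.0"
203.0.113.5 - - [10/Nov/2019:10:00:03 +0000] "GET /people/getvcard/REST/103 HTTP/1.1" 200 803 "-" "curl/7.64.0"
203.0.113.5 - - [10/Nov/2019:10:00:04 +0000] "GET /People/GetVCard/REST/104 HTTP/1.1" 200 799 "-" "curl/7.64.0"
198.51.100.9 - staff [10/Nov/2019:10:05:00 +0000] "GET /People/GetVCard/REST/250 HTTP/1.1" 200 810 "-" "Mozilla/5.0"
198.51.100.9 - staff [10/Nov/2019:10:07:00 +0000] "GET /Person/250 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# %h %l %u %t "%r" %>s %b ...; %u is "-" when the web server saw no authenticated user.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Match the endpoint case-insensitively: ASP.NET routing does not distinguish case.
VCARD_RE = re.compile(r'^/People/GetVCard/REST/(?P<id>\d+)$', re.IGNORECASE)


def longest_sequential_run(ids):
    """Length of the longest run of consecutive, increasing ids in request order."""
    best = cur = 1 if ids else 0
    for prev, nxt in zip(ids, ids[1:]):
        cur = cur + 1 if nxt == prev + 1 else 1
        best = max(best, cur)
    return best


def find_vcard_indicators(log_text, enum_threshold=3):
    """Return (unauthenticated 200s as (ip, id) pairs, {ip: longest sequential run})."""
    unauth, ids_by_ip = [], defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        vm = VCARD_RE.match(m.group("path")) if m else None
        if not vm:
            continue  # not a parseable line, or not the vCard endpoint
        ip, pid = m.group("ip"), int(vm.group("id"))
        ids_by_ip[ip].append(pid)
        if m.group("user") == "-" and m.group("status") == "200":
            unauth.append((ip, pid))  # vCard served with no authenticated user
    runs = {ip: longest_sequential_run(ids) for ip, ids in ids_by_ip.items()}
    return unauth, {ip: n for ip, n in runs.items() if n >= enum_threshold}
```

Running it on the sample reports four unauthenticated hits and one enumerating source; on a patched 1.8.6 install the unauthenticated list should stay empty, which makes the same script usable for the "Verify Fix Applied" step.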
