Attack Chain

1. An attacker authenticates to the ERPNext system with a System Manager role.
2. The attacker creates a new server script via the /app/server-script endpoint.
3. The attacker crafts a malicious Python script designed to exploit the RestrictedPython sandbox.
4. The malicious script uses frame introspection to access the gi_frame attribute, allowing traversal of the call stack.
5. The script invokes os.popen (or a similar function) to execute arbitrary system commands.
6. The server executes the attacker-supplied commands with the privileges of the ERPNext application user.
7. The attacker gains control over the server, potentially installing malware, exfiltrating data, or causing denial of service.

Impact

Successful exploitation of this vulnerability allows attackers to execute arbitrary code on the server hosting the Frappe Framework ERPNext application. This can lead to full system compromise, data breaches, and denial of service. The vulnerability affects version 13.4.0 of ERPNext. If successfully exploited, threat actors can leverage the compromised system to pivot to other internal resources.

Recommendation

• Apply available patches or upgrade to a patched version of Frappe Framework ERPNext to address CVE-2023-54345.
• Monitor web server logs for unusual activity related to the /app/server-script endpoint.
• Implement the provided Sigma rule to detect potential exploitation attempts based on os.popen usage within server scripts.
• Review and restrict the permissions of the System Manager role to minimize the attack surface.
• Deploy the second Sigma rule to detect suspicious process execution initiated by the ERPNext application user.