{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/frappe/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2023-54345"}],"_cs_exploited":false,"_cs_products":["ERPNext","Frappe Framework 13.4.0"],"_cs_severities":["critical"],"_cs_tags":["sandbox-escape","rce","erpnext"],"_cs_type":"advisory","_cs_vendors":["Frappe"],"content_html":"\u003cp\u003eFrappe Framework is an open-source web application framework, and ERPNext is an ERP system built on top of it. A critical vulnerability, CVE-2023-54345, exists in Frappe Framework ERPNext version 13.4.0 related to a sandbox escape in the RestrictedPython environment. This allows authenticated users with the System Manager role to bypass intended security restrictions and execute arbitrary code on the server. The vulnerability is rooted in the improper handling of frame introspection within RestrictedPython, enabling attackers to traverse the call stack and invoke dangerous functions like \u003ccode\u003eos.popen\u003c/code\u003e. Exploitation involves crafting malicious server-side scripts through the \u003ccode\u003e/app/server-script\u003c/code\u003e endpoint. Successful exploitation leads to complete server compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the ERPNext system with a System Manager role.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new server script via the \u003ccode\u003e/app/server-script\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious Python script designed to exploit the RestrictedPython sandbox.\u003c/li\u003e\n\u003cli\u003eThe malicious script uses frame introspection to access the \u003ccode\u003egi_frame\u003c/code\u003e attribute, allowing traversal of the call stack.\u003c/li\u003e\n\u003cli\u003eThe script invokes \u003ccode\u003eos.popen\u003c/code\u003e (or a similar function) to execute arbitrary system commands.\u003c/li\u003e\n\u003cli\u003eThe server executes the attacker-supplied commands with the privileges of the ERPNext application user.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over the server, potentially installing malware, exfiltrating data, or causing denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to execute arbitrary code on the server hosting the Frappe Framework ERPNext application. This can lead to full system compromise, data breaches, and denial of service. The vulnerability affects version 13.4.0 of ERPNext. If successfully exploited, threat actors can leverage the compromised system to pivot to other internal resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrade to a patched version of Frappe Framework ERPNext to address CVE-2023-54345.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity related to the \u003ccode\u003e/app/server-script\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect potential exploitation attempts based on \u003ccode\u003eos.popen\u003c/code\u003e usage within server scripts.\u003c/li\u003e\n\u003cli\u003eReview and restrict the permissions of the System Manager role to minimize the attack surface.\u003c/li\u003e\n\u003cli\u003eDeploy the second Sigma rule to detect suspicious process execution initiated by the ERPNext application user.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-frappe-rce/","summary":"Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability allowing authenticated users with System Manager role to execute arbitrary code via frame introspection and `os.popen`.","title":"Frappe Framework ERPNext 13.4.0 Sandbox Escape Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-03-frappe-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Frappe","version":"https://jsonfeed.org/version/1.1"}