Executive Summary

CVE-2023-54345 is a sandbox escape vulnerability in the Frappe Framework ERPNext version 13.4.0. It affects the Server Script functionality, where authenticated users with the System Manager role can execute arbitrary Python code on the server. This is possible because the restricted execution environment, implemented using RestrictedPython, can be bypassed by exploiting frame introspection via the gi_frame attribute. Attackers can create malicious server scripts through the /app/server-script endpoint and traverse the call stack to invoke system commands using os.popen.

The vulnerability arises due to insufficient restrictions in the Server Scripts, allowing code injection attacks despite the intended sandboxing.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to severe impacts including unauthorized access to the server, execution of arbitrary system commands, data manipulation, and potential full system compromise. Since attackers with System Manager privileges can run arbitrary code, they can bypass security controls, access sensitive data, and disrupt normal operations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for the creation or execution of server scripts via the /app/server-script endpoint by authenticated users with the System Manager role. Since the exploit involves using the gi_frame attribute to traverse the call stack and invoke os.popen to execute system commands, suspicious server scripts or unusual command executions originating from the Frappe Framework environment should be investigated.

Specific commands to detect exploitation attempts are not provided in the available resources. However, general detection could involve auditing server script creation logs, monitoring HTTP requests to /app/server-script, and checking for unexpected processes or commands executed by the Frappe application user.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update the Frappe Framework ERPNext installation to the latest patched version that addresses this vulnerability.

Additionally, restrict access to the /app/server-script endpoint to only trusted users and review permissions to ensure only necessary users have the System Manager role.

Disabling or limiting the use of server scripts until a patch is applied can also reduce the risk of exploitation.

Useful 0 Not Useful 0

Compliance Impact

CVE-2023-54345 allows authenticated users with the System Manager role to execute arbitrary code on the server, potentially leading to unauthorized access and manipulation of sensitive data.

Such unauthorized access and data manipulation can result in violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Exploitation of this vulnerability could lead to data breaches, unauthorized disclosure, or alteration of protected health information or personal data, thereby impacting compliance with these standards.

Organizations using affected versions of Frappe Framework ERPNext should apply patches promptly to mitigate risks and maintain compliance.

Useful 0 Not Useful 0