Vulnerability Description
On August 18, 2020, the China National Vulnerability Database (CNVD) listed the SANGFOR Endpoint Detection Response (EDR) remote command execution vulnerability (CNVD-2020-46552) as a new entry. An unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted HTTP request to a target server, thereby obtaining the privileges of the target server and executing system commands remotely.
NSFOCUS reproduced the vulnerability immediately after CNVD listed it as a new entry.
Scope of Impact
Affected versions
- EDR v3.2.16
- EDR v3.2.17
- EDR v3.2.19
Unaffected versions
- EDR v3.2.21 and other versions
Check for the Vulnerability
Detection with NSFOCUS Products
NSFOCUS Remote Security Assessment System (RSAS), Web Vulnerability Scanning System (WVSS), and Unified Threat Sensor (UTS) are capable of scanning and detecting the vulnerability. Please upgrade them to the latest versions.
Product | Version | Download Link |
RSAS V6 system plug-in package | V6.0R02F01.1908 | http://update.nsfocus.com/update/downloads/id/107583 |
RSAS V6 web plug-in package | V6.0R02F00.1807 | http://update.nsfocus.com/update/downloads/id/107586 |
WVSS 6.0 plug-in upgrade package | V6.0R03F00.173 | http://update.nsfocus.com/update/downloads/id/107587 |
UTS | 6.0.7.1.46071 | http://update.nsfocus.com/update/downloads/id/107592 |
For how to upgrade NSFOCUS RSAS, click the following link:
Mitigation
Official Fix
The vendor has released the latest version and patches to fix this vulnerability. Affected users are advised to update to EDR 3.2.21 or load the patches.
1. SANGFOR has upgraded and patched the affected product through the online upgrade function. Users can upgrade to the latest version by enabling the online upgrade function.
2. Alternatively, users who have not enabled the online upgrade function can download the EDR 3.2.21 installation package manually from the following link:
Then, users can log in to the back end of the EDR management platform and import the installation package under System Management > Upgrade Management > Platform and Endpoint Upgrade. After the installation package is imported, the management platform and the endpoint will upgrade to 3.2.21 automatically.
Workarounds
If affected users cannot upgrade for the time being, they can temporarily configure IP access permission policies for SANGFOR EDR system services to restrict access only to secure and controlled IP addresses.
Protection with NSFOCUS Products
NSFOCUS Web Application Firewall (WAF) has released related rules to defend against this vulnerability. Users are advised to update the rule base to the latest version to ensure that the security product can effectively protect against this vulnerability. The following table lists the rule base version of NSFOCUS WAF.
Product | Rule Base Version | Download Link |
WAF | 6.0.7.1.46071 | http://update.nsfocus.com/update/downloads/id/107592 |
For how to update product rules, click the following link:
WAF: https://mp.weixin.qq.com/s/oubjPqR4DURWPvrQ9W9mWA
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory.
NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in the insurance, retail, healthcare, and critical infrastructure industries, as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries and is a member of both the Microsoft Active Protections Program (MAPP) and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.