SANGFOR Endpoint Detection Response Remote Command Execution Vulnerability Handling Guide

September 16, 2020 | Mina Hao

Vulnerability Description

On August 18, 2020, the China National Vulnerability Database (CNVD) listed the SANGFOR Endpoint Detection Response (EDR) remote command execution vulnerability (CNVD-2020-46552) as a new entry. An unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted HTTP request to a target server, resulting in remote execution of system commands with the privileges of the target server.

NSFOCUS reproduced the vulnerability immediately after CNVD listed it as a new entry:

[Figure 0916-1-1.jpg: screenshot of NSFOCUS's reproduction of the vulnerability]

Scope of Impact

Affected versions

  • EDR v3.2.16
  • EDR v3.2.17
  • EDR v3.2.19

Unaffected versions

  • EDR v3.2.21 and versions not listed above

Check for the Vulnerability

Detection with NSFOCUS Products

NSFOCUS Remote Security Assessment System (RSAS), Web Vulnerability Scanning System (WVSS), and Unified Threat Sensor (UTS) are capable of scanning and detecting the vulnerability. Please upgrade them to the latest versions.

Product                            Version            Download Link
RSAS V6 system plug-in package     V6.0R02F01.1908    http://update.nsfocus.com/update/downloads/id/107583
RSAS V6 web plug-in package        V6.0R02F00.1807    http://update.nsfocus.com/update/downloads/id/107586
WVSS 6.0 plug-in upgrade package   V6.0R03F00.173     http://update.nsfocus.com/update/downloads/id/107587
UTS                                6.0.7.1.46071      http://update.nsfocus.com/update/downloads/id/107592

For how to upgrade NSFOCUS RSAS, click the following link:

Mitigation

Official Fix

The vendor has released the latest version and patches to fix this vulnerability. Affected users are advised to update to EDR 3.2.21 or apply the patches.

1. SANGFOR has upgraded and patched the affected product through the online upgrade function. Users can upgrade to the latest version by enabling the online upgrade function.

2. Alternatively, users who have not enabled the online upgrade function can download the EDR 3.2.21 installation package manually from the following link:

Then, users can log in to the administration console of the EDR management platform and import the installation package under System Management > Upgrade Management > Platform and Endpoint Upgrade. After the installation package is imported, the management platform and the endpoints will upgrade to 3.2.21 automatically.

Workarounds

If affected users cannot upgrade for the time being, they can temporarily configure IP access permission policies for the SANGFOR EDR system services so that only trusted, controlled IP addresses can reach them.
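The workaround above amounts to an allowlist on the source address of requests to the EDR management service. The following Python is an added illustration of that control and of how to audit whether it holds; it is example code, not SANGFOR's or NSFOCUS's. The trusted networks, the log lines and the request paths are constructed, and the log format is assumed to be a common web-server access-log layout, not the EDR product's own format.

```python
"""Allowlist-style IP access policy plus an access-log audit.

Added example for the workaround "restrict access to trusted IP addresses".
Everything here is illustrative: the CIDRs, the sample log lines and the
request paths are constructed and do not describe the EDR product itself.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Hypothetical trusted management networks (assumption: admin hosts live here).
TRUSTED_CIDRS = ["10.10.0.0/24", "192.168.100.5/32", "fd00:1::/64"]


def build_policy(cidrs: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Parse CIDR strings into network objects.

    A malformed entry raises ValueError on purpose: a typo must fail the
    policy load rather than silently widen or narrow what is allowed.
    """
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(src: str, policy: List[ipaddress._BaseNetwork]) -> bool:
    """Return True only when src parses as an IP inside an allowed network.

    Anything that does not parse is denied (fail closed).
    """
    try:
        addr = ipaddress.ip_address(src.strip())
    except ValueError:
        return False
    return any(addr in net for net in policy)


# Assumed log layout: '<ip> - - [<timestamp>] "<method> <path> <proto>" <status> ...'
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def audit_log(lines: Iterable[str],
              policy: List[ipaddress._BaseNetwork]) -> List[Tuple[str, str, str]]:
    """Return (src_ip, path, status) for each request from outside the allowlist.

    Run over the management service's access log before applying the policy
    to see current exposure, and after applying it to confirm that nothing
    outside the allowlist still reaches the service.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        src, _ts, _method, path, status = m.groups()
        if not is_allowed(src, policy):
            hits.append((src, path, status))
    return hits


# Constructed sample log lines (not real traffic, not real EDR endpoints).
SAMPLE_LOG = [
    '10.10.0.7 - - [16/Sep/2020:10:01:02 +0800] "GET /login HTTP/1.1" 200 512',
    '203.0.113.44 - - [16/Sep/2020:10:01:09 +0800] "POST /api/ HTTP/1.1" 200 88',
    'not-an-ip - - [16/Sep/2020:10:01:10 +0800] "GET / HTTP/1.1" 400 0',
    '198.51.100.9 - - [16/Sep/2020:10:02:00 +0800] "GET /login HTTP/1.1" 403 0',
]


if __name__ == "__main__":
    policy = build_policy(TRUSTED_CIDRS)
    for src, path, status in audit_log(SAMPLE_LOG, policy):
        print(f"outside allowlist: {src} -> {path} (HTTP {status})")
```

The audit deliberately reports a 200 response from an address outside the allowlist as a finding in its own right: with an unauthenticated vulnerability, a successful response from an untrusted source is exactly the exposure the workaround is meant to close, so the check should be re-run after the IP policy is applied and is expected to return no such entries.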

Protection with NSFOCUS Products

NSFOCUS Web Application Firewall (WAF) has released related rules to defend against this vulnerability. Users are advised to update the rule base to the latest version to ensure that the security product can effectively protect against this vulnerability. The following table lists the rule base version of NSFOCUS WAF.

Product   Rule Base Version   Download Link
WAF       6.0.7.1.46071       http://update.nsfocus.com/update/downloads/id/107592

For how to update product rules, click the following link:

WAF: https://mp.weixin.qq.com/s/oubjPqR4DURWPvrQ9W9mWA

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory.

NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.