FortiNDRCloud
kcheung (Staff)
Article Id 309860
Description

Sunhillo specializes in surveillance data distribution and conversion for the Federal Aviation Administration, US Military, civil aviation authorities, and national defense organizations across the globe.

Sunhillo SureLine has a command injection vulnerability that allows an attacker to execute arbitrary commands, which can result in an interactive root reverse shell.

Sunhillo SureLine prior to 8.7.0.1.1 is vulnerable to CVE-2021-36380.

CVE ID

CVE-2021-36380 (https://nvd.nist.gov/vuln/detail/CVE-2021-36380)

NDR Cloud Detection Rule

FortiNDR Cloud v2024.3+

Detection Rule Name: FortiGuard Outbreak Alert: Sunhillo SureLine Unauthenticated OS Command Injection Inbound (CVE-2021-36380)
Category: Attack: Exploitation
Primary MITRE ID: T1190 - Exploit Public-Facing Application

Playbook 

N/A

Threat hunting

FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for “Sunhillo SureLine Command Injection Attack” related activities.
IOC source: https://www.fortiguard.com/outbreak-ioc?tag=sunhillo%20sureline%20attack

Suricata Coverage

Customers can create custom investigations/detections using the Suricata signature below:

2033459 → ET EXPLOIT Sunhillo SureLine Unauthenticated OS Command Injection Inbound (CVE-2021-36380)
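As an added example (not part of the original article or a Fortinet tool), the following script shows how a hunt over Suricata EVE JSON alerts could pick out hits on SID 2033459, tag them with the T1190 technique listed above, and flag those whose destination is inside the monitored network. The internal address ranges and the sample log lines are constructed assumptions.

```python
import json
import ipaddress
from collections import Counter

# Suricata signature listed in the article for CVE-2021-36380 (ET EXPLOIT, SID 2033459).
SURELINE_SID = 2033459
SURELINE_SIG = "ET EXPLOIT Sunhillo SureLine Unauthenticated OS Command Injection Inbound (CVE-2021-36380)"
MITRE_ID = "T1190"  # Exploit Public-Facing Application, as mapped in the detection rule

# Assumed internal address space of the monitored network (assumption, not from the article).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hunt_sureline(eve_lines):
    """Return (hits, per-source counter) for EVE JSON alerts matching SID 2033459 or its name."""
    hits = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole hunt
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert", {})
        if alert.get("signature_id") != SURELINE_SID and alert.get("signature") != SURELINE_SIG:
            continue
        hits.append({
            "timestamp": ev.get("timestamp"),
            "src_ip": ev.get("src_ip"),
            "dest_ip": ev.get("dest_ip"),
            "mitre": MITRE_ID,
            "inbound": is_internal(ev.get("dest_ip", "0.0.0.0")),  # exploitation attempt against an internal host
        })
    return hits, Counter(h["src_ip"] for h in hits)


# Constructed sample EVE JSON lines (not real traffic): two SureLine hits, one flow, one unrelated alert, one garbage line.
SAMPLE_EVE = """
{"timestamp":"2024-06-01T10:00:00+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"10.1.2.3","alert":{"signature_id":2033459,"signature":"ET EXPLOIT Sunhillo SureLine Unauthenticated OS Command Injection Inbound (CVE-2021-36380)"}}
{"timestamp":"2024-06-01T10:00:05+0000","event_type":"flow","src_ip":"10.1.2.3","dest_ip":"10.1.2.4"}
{"timestamp":"2024-06-01T10:01:00+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"10.1.2.3","alert":{"signature_id":2033459,"signature":"(constructed: name field differs, matched on SID)"}}
{"timestamp":"2024-06-01T10:02:00+0000","event_type":"alert","src_ip":"198.51.100.9","dest_ip":"10.1.2.3","alert":{"signature_id":9999999,"signature":"CONSTRUCTED unrelated alert"}}
this line is not JSON
"""

if __name__ == "__main__":
    found, per_source = hunt_sureline(SAMPLE_EVE.splitlines())
    for h in found:
        print(h)
    print("hits per source:", dict(per_source))
```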

Other Fortinet Products


For more details regarding mitigating the vulnerability by utilizing Fortinet products, please refer to
https://www.fortiguard.com/outbreak-alert/sunhillo-sureline-attack
