Overview
The SonicWall Capture Labs threat research team became aware of two remote code execution vulnerabilities in JumpServer, assessed their impact and developed mitigation measures. JumpServer is an open-source bastion host and a professional operation and maintenance security audit system with a substantial presence in the China region. A bastion host, named after a military fortification, is a special-purpose computer that is intentionally exposed on a public network and hardened to withstand attacks.
Identified as CVE-2024-29201 and CVE-2024-29202, JumpServer before version 3.10.7 allows low-privileged threat actors to execute arbitrary code within the Celery container with root privileges, earning a critical CVSS score of 9.9.
Technical Overview
CVE-2024-29201
This vulnerability arises from a flaw in the input validation mechanism of JumpServer’s Ansible integration (Ansible is an IT automation engine), which allows a threat actor with a low-privileged user account to execute arbitrary code as the root user inside one of JumpServer’s containers, ‘jms_celery’.
JumpServer enforces a mechanism that disallows a set of unsafe keywords to prevent users from running local injection commands in a playbook job, as seen in Figure 1 (left). However, the check can be circumvented by substituting the Unicode escape sequence for a character in place of the character itself, for instance ‘\u0064’ instead of ‘d’. Figure 1 (right) illustrates a malicious template that exploits this vulnerability by running the command specified in the ‘shell’ field. Such a template can be used to create a playbook job, which is then run to execute the specified command.
Figure 1: The set of defined unsafe keywords (left) and the playbook template to bypass validation (right).
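As an added illustration (not code from the advisory or from JumpServer), the following Python contrasts a plain substring blocklist check, which the escaped spelling described above slips past, with a check that decodes YAML-style escapes and NFKC-folds the text before matching. The keyword list and the playbook snippets are constructed for the example; the real list is only shown in Figure 1.

```python
import re
import unicodedata

# Constructed keyword list for the example; JumpServer's real list is in
# the advisory's Figure 1 and is not reproduced here.
UNSAFE_KEYWORDS = ("shell", "command", "raw", "script")

# YAML double-quoted scalars accept \uXXXX and \xXX escapes.
_ESCAPE_RE = re.compile(r"\\(?:u([0-9A-Fa-f]{4})|x([0-9A-Fa-f]{2}))")


def decode_escapes(text: str) -> str:
    """Resolve \\uXXXX and \\xXX escapes to the characters they denote."""
    def repl(match: re.Match) -> str:
        hex_digits = match.group(1) or match.group(2)
        return chr(int(hex_digits, 16))
    return _ESCAPE_RE.sub(repl, text)


def normalize(text: str) -> str:
    # Decode escapes first, then NFKC-fold so fullwidth and other
    # compatibility variants of ASCII letters collapse to plain ASCII.
    return unicodedata.normalize("NFKC", decode_escapes(text)).casefold()


def naive_unsafe_keywords(playbook_text: str) -> list:
    """Substring match on the raw text: misses escaped spellings."""
    return [kw for kw in UNSAFE_KEYWORDS if kw in playbook_text]


def hardened_unsafe_keywords(playbook_text: str) -> list:
    """Match whole keywords on the normalized text instead."""
    normalized = normalize(playbook_text)
    return [kw for kw in UNSAFE_KEYWORDS
            if re.search(rf"\b{re.escape(kw)}\b", normalized)]


# Constructed sample playbooks: the same benign task, once written
# plainly and once with the key's 'h' spelled as a \u escape.
PLAIN_PLAYBOOK = "tasks:\n  - name: show hostname\n    shell: hostname\n"
ESCAPED_PLAYBOOK = 'tasks:\n  - name: show hostname\n    "s\\u0068ell": hostname\n'

if __name__ == "__main__":
    print("naive, escaped:   ", naive_unsafe_keywords(ESCAPED_PLAYBOOK))
    print("hardened, escaped:", hardened_unsafe_keywords(ESCAPED_PLAYBOOK))
```

The same normalization step belongs before any blocklist check on operator-supplied content, and a blocklist alone is still weaker than restricting which modules a playbook may call.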
CVE-2024-29202
This vulnerability allows a threat actor with a low-privileged user account to inject a malicious Jinja2 template into JumpServer’s Ansible integration, leading to the execution of arbitrary code within the ‘jms_celery’ container with root privileges. The malicious template, as seen in Figure 2, can be used to create a playbook job, which is then run to execute the desired command.
Figure 2: Malicious Jinja2 template
Triggering the Vulnerability
Leveraging the vulnerabilities mentioned above requires the attacker to meet the following prerequisites:
- The attacker must have network access to the target vulnerable system along with the low-privileged user account.
- The attacker must have permission to access at least a single valid asset.
- A playbook needs to be fabricated using any of the above templates from the ‘Job > Template > Playbook manage’ section.
- A playbook job needs to be created from the ‘Job > Job list’ section, leveraging the playbook created in the previous step.
- The created job needs to be run.
Exploitation
While the steps to trigger the vulnerability look tricky, the exploitation is straightforward. Since the Celery container runs with root privileges, it gives the threat actor database access and access to sensitive information across all the managed assets, such as hosts, devices, databases, cloud services, web and GPT. Additionally, given the crucial role of the jump host, it can lead to the exposure and compromise of the private network. Achieving remote code execution by leveraging the discussed vulnerabilities is demonstrated in the video below.
SonicWall Protections
To ensure SonicWall customers are prepared for any exploitation that may occur due to these vulnerabilities, the following signatures have been released:
- IPS: 19849 JumpServer Ansible Playbook Input Validation Bypass
- IPS: 19850 JumpServer Ansible Playbook Jinja2 Template Injection
Remediation Recommendations
Considering the pivotal position of a bastion host on a network, JumpServer users are strongly encouraged to upgrade their instances to the latest version (v3.10.7). If an upgrade is not immediately possible, the ‘Operation Center’ feature can be disabled temporarily by visiting System Settings > Features > Task Center.