Overview
NSFOCUS CERT has observed that JumpServer officially released fixes for multiple security vulnerabilities. The vulnerabilities are described below.
JumpServer Reset Password Vulnerability (CVE-2023-42820):
JumpServer has a password reset vulnerability: a third-party library exposes the random seed through an API, which allows the random verification code to be reproduced and replayed. Unauthenticated remote attackers can construct malicious requests to reset passwords.
Reference link: https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7prv-g565-82qp
JumpServer Password Reset Brute-Force Vulnerability (CVE-2023-43650):
Because password reset requests are not rate limited, unauthenticated remote attackers can hijack non-MFA accounts by requesting a password reset and brute-forcing the received 6-digit verification code (000000 to 999999).
Reference link: https://github.com/jumpserver/jumpserver/security/advisories/GHSA-mwx4-8fwc-2xvw
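As an added illustration that is not JumpServer's own code, the following Python sketch shows the two properties the advisories for CVE-2023-42820 and CVE-2023-43650 above say were missing: a verification code drawn from the OS CSPRNG (no seed exists to leak) rather than from a seedable PRNG, and a server-side expiry and attempt limit on the code check so that a 6-digit code cannot be guessed exhaustively. The in-memory store, the ten-minute lifetime and the five-attempt limit are assumptions chosen for the example; `seeded_code` exists only to show why a reproducible seed makes a code replayable.

```python
import hashlib
import hmac
import random
import secrets
import time

CODE_DIGITS = 6            # the advisory's 6-digit code, 000000 to 999999
CODE_TTL_SECONDS = 600     # assumption: a code is valid for ten minutes
MAX_ATTEMPTS = 5           # assumption: a code is locked after five wrong guesses


def seeded_code(seed):
    """The weakness behind CVE-2023-42820 in miniature: a code drawn from a PRNG
    whose seed is observable is reproduced exactly by anyone who learns the seed."""
    return f"{random.Random(seed).randrange(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


class ResetCodeStore:
    """Constructed in-memory store of pending reset codes, keyed by username.
    A real deployment would keep this state in a shared backend (e.g. Redis)."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # username -> [digest, salt, issued_at, attempts]

    def issue(self, username):
        # secrets.randbelow draws from the OS CSPRNG; nothing here is seedable.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        # Only a salted digest is stored, so a leaked store does not leak live codes.
        self._pending[username] = [self._digest(code, salt), salt, self._now(), 0]
        return code  # delivered out of band (mail/SMS); never returned by an API

    def verify(self, username, candidate):
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, salt, issued_at, attempts = entry
        if self._now() - issued_at > CODE_TTL_SECONDS or attempts >= MAX_ATTEMPTS:
            # Expired or locked: the caller must request a fresh code.
            del self._pending[username]
            return False
        entry[3] += 1  # count every guess, right or wrong
        if hmac.compare_digest(digest, self._digest(candidate, salt)):
            del self._pending[username]  # single use
            return True
        return False

    @staticmethod
    def _digest(code, salt):
        return hashlib.sha256(salt + code.encode()).digest()


if __name__ == "__main__":
    store = ResetCodeStore()
    code = store.issue("alice")
    print("wrong guess accepted:", store.verify("alice", "000000" if code != "000000" else "000001"))
    print("right code accepted: ", store.verify("alice", code))
    print("replay accepted:     ", store.verify("alice", code))
```

The attempt counter is bound to the issued code, so a new code resets it; a per-account and per-source-IP limit on how often a reset may be requested belongs in front of `issue` as well.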
JumpServer Arbitrary File Read Vulnerability (CVE-2023-42819):
JumpServer has a remote code execution vulnerability: a remote attacker with low privileges who can log in and access the system can ultimately execute arbitrary code or modify arbitrary file content on the target system.
Reference link: https://github.com/jumpserver/jumpserver/security/advisories/GHSA-ghg2-2whp-6m33
Logic Flaw in JumpServer SSH Public Key Authentication (CVE-2023-42818):
When a user has MFA enabled and authenticates with a public key, the Koko SSH server does not verify the corresponding SSH private key. Attackers may exploit this by making brute-force authentication attempts against the SSH service using publicly available public keys.
Reference link: https://github.com/jumpserver/jumpserver/security/advisories/GHSA-jv3c-27cv-w8jv
JumpServer SSH Public Key Creation Access Token Vulnerability (CVE-2023-43652):
JumpServer provides an API for the Koko component to verify user private-key logins. This API does not verify the source of the request and will generate a personal authentication token. Because public keys are easily leaked, attackers can authenticate with a leaked public key and username, and subsequently gain access to that user's information and authorized operations.
Reference link: https://github.com/jumpserver/jumpserver/security/advisories/GHSA-fr8h-xh5x-r8g9
JumpServer MongoDB Remote Code Execution Vulnerability (CVE-2023-43651):
Authenticated users can exploit a flaw in MongoDB sessions to execute arbitrary commands; an attacker who successfully exploits this vulnerability can gain root privileges on the target system, ultimately achieving remote code execution.
Reference link: https://github.com/jumpserver/jumpserver/security/advisories/GHSA-4r5x-x283-wm96
Scope of Impact
CVE-2023-42820
- 2.24 <= JumpServer < 3.6.4
CVE-2023-43650 / CVE-2023-43652 / CVE-2023-43651
- 2.0.0 <= JumpServer < 2.28.19
- 3.0.0 <= JumpServer < 3.7.0
CVE-2023-42819
- 3.0.0 <= JumpServer < 3.6.4
CVE-2023-42818
- JumpServer < 3.6.4
Unaffected versions
CVE-2023-42820
- JumpServer >= 2.28.19
- JumpServer >= 3.6.5
CVE-2023-43650 / CVE-2023-43652 / CVE-2023-43651
- JumpServer >= 2.28.20
- JumpServer >= 3.7.1
CVE-2023-42819
- JumpServer >= 3.6.5
CVE-2023-42818
- JumpServer >= 3.6.5
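To turn the version ranges above into a check that can be run against an inventory, here is an added Python helper (not part of the advisory or of JumpServer) that encodes exactly the affected ranges and fixed releases listed for each CVE and reports which ones apply to a given version string. The only assumption beyond the ranges themselves is that a fix counts only for the release branch (major version) it was issued on, which is how the separate 2.x and 3.x fixed versions above are read.

```python
import re

# Affected ranges and first fixed releases, copied from the advisory above:
# "affected" holds (low_inclusive_or_None, high_exclusive) pairs, "fixed" the
# unaffected-from versions per release branch.
ADVISORY = {
    "CVE-2023-42820": {"affected": [("2.24", "3.6.4")], "fixed": ["2.28.19", "3.6.5"]},
    "CVE-2023-43650": {"affected": [("2.0.0", "2.28.19"), ("3.0.0", "3.7.0")], "fixed": ["2.28.20", "3.7.1"]},
    "CVE-2023-43652": {"affected": [("2.0.0", "2.28.19"), ("3.0.0", "3.7.0")], "fixed": ["2.28.20", "3.7.1"]},
    "CVE-2023-43651": {"affected": [("2.0.0", "2.28.19"), ("3.0.0", "3.7.0")], "fixed": ["2.28.20", "3.7.1"]},
    "CVE-2023-42819": {"affected": [("3.0.0", "3.6.4")], "fixed": ["3.6.5"]},
    "CVE-2023-42818": {"affected": [(None, "3.6.4")], "fixed": ["3.6.5"]},
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn '3.6.4', 'v3.6' or '2.28.19-ce' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised JumpServer version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version, cve):
    """True if `version` falls in an affected range for `cve` and has not
    reached the fixed release of its own branch."""
    v = parse_version(version)
    entry = ADVISORY[cve]
    in_range = any(
        (low is None or parse_version(low) <= v) and v < parse_version(high)
        for low, high in entry["affected"]
    )
    # Assumption: a fix applies only to its branch. 3.6.5 does not cover a 2.x
    # install, and 2.28.19 says nothing about 3.x.
    patched = any(
        v[0] == parse_version(fixed)[0] and v >= parse_version(fixed)
        for fixed in entry["fixed"]
    )
    return in_range and not patched


def affected_cves(version):
    """All CVEs from this advisory that apply to the given version, sorted."""
    return sorted(cve for cve in ADVISORY if is_affected(version, cve))


if __name__ == "__main__":
    for sample in ("2.27.0", "3.6.3", "3.7.1"):
        print(sample, affected_cves(sample) or "not affected by this advisory")
```

Feed it the version reported by each JumpServer instance; an empty list means the instance is outside every range in this advisory, not that it is free of other issues.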
Mitigation
JumpServer has fixed these vulnerabilities in its latest releases. Affected users are advised to upgrade as soon as possible:
https://github.com/jumpserver/jumpserver/releases
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyberattacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, and is a member of both the Microsoft Active Protections Program (MAPP) and the Cloud Security Alliance (CSA). A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.