JumpServer Remote Command Execution Vulnerability Threat Alert

JumpServer Remote Command Execution Vulnerability Threat Alert

January 21, 2021 | Mina Hao

Overview

On January 15, 2021, Beijing time, JumpServer released an emergency bulletin to announce a remote command execution vulnerability in its bastion host and advised users to fix it as soon as possible, especially those whose JumpServer can be accessed via the Internet.

About JumpServer

JumpServer is the first fully open-source bastion in the world. Based on the open-source protocol GNU GPL v2.0, Jumpserver is an O&M audit system that conforms to 4A specifications. Jumpserver is developed using Python/Django, conforms to the Web 2.0 specification, and is equipped with the industry-leading Web Terminal solution which has a beautiful user interface and great user experience. JumpServer adopts a distributed architecture to support multi-branch deployment across multiple areas. It can be scaled horizontally without restrictions on the number of assets and concurrent tasks

Affected Versions

  • < V 2.6.2
  • < V 2.5.4
  • < V 2.4.5
  • V1.5.9

Unaffected Version

  • >= V2.6.2
  • >= V2.5.4
  • >= V2.4.5
  • V1.5.9 (Unstander version, so no change)

How to Handle

JumpServer has released new versions to fix the preceding vulnerability. Users are advised to upgrade as soon as possible.

Users can apply the workaround provided by JumpServer:

  • Modify the Nginx configuration to disable the vulnerable API:

/api/v1/authentication/connection-token/

/api/v1/users/connection-token/

  •  Location of the Nginx configuration file

# Old community edition

/etc/nginx/conf.d/jumpserver.conf

# Old enterprise edition

jumpserver-release/nginx/http_server.conf

# New version

jumpserver-release/compose/config_static/http_server.conf

  • Modify the Nginx configuration file instance.

### make sure that it precedes /api and /

location /api/v1/authentication/connection-token/ {

   return 403;

}

location /api/v1/users/connection-token/ {

   return 403;

}

### Add the two locations above.

location /api/ {

    proxy_set_header X-Real-IP $remote_addr;

    proxy_set_header Host $host;

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_pass http://core:8080;

  }

  • Restart Nginx after the modifications are completed.

Docker:

docker restart jms_nginx

Nginx:

systemctl restart nginx

Reference Links:

https://github.com/jumpserver/jumpserver/

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA). A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.