A series of critical vulnerabilities discovered in JumpServer, an open-source Privileged Access Management (PAM) tool developed by Fit2Cloud, has raised significant security concerns.
JumpServer serves as a bastion host to internal networks, offering a centralized point for accessing internal resources through SSH, RDP, database, and FTP tunneling via a user-friendly web interface.
The discovered flaws could allow unauthenticated attackers to bypass authentication and gain complete control of the JumpServer infrastructure.
.png
)
Sonar researchers identified multiple authentication bypass vulnerabilities (CVE-2023-43650, CVE-2023-43652, CVE-2023-42818, CVE-2023-46123) that could allow attackers to impersonate legitimate users.
The centralized nature of JumpServer makes these vulnerabilities particularly dangerous, as compromising this system could grant attackers access to an organization’s entire internal network.
The vulnerabilities stem from architectural mistakes, particularly inadequate microservice isolation.
JumpServer’s architecture consists of several components including a Core API (written in Python-Django), a database, Koko (developed in Go for tunneling functions), Celery (task manager), and a Web Proxy as the entry point for web-based connections.
One critical issue is that the public key authentication system lacks verification that requests come from the authorized Koko service. As seen in the vulnerable code:
def authenticate(self, request, username=None, public_key=None, **kwargs): प
if not public_key:
return None
if username is None:
username = kwargs.get(UserModel.USERNAME_FIELD)
try:
user = UserModel._default_manager.get_by_natural_key(username)
except UserModel.DoesNotExist:
return None
else:
if user.check_public_key(public_key) and \
self.user_can_authenticate(user):
return userThis allowed attackers to execute the same request directly via the HTTP interface, effectively impersonating the Koko container without key validation.
.webp)
Even accounts with MFA enabled were vulnerable due to flawed implementation of two-factor authentication in the SSH context, where attackers could manipulate the “remote_addr” parameter to bypass rate-limiting mechanisms.
.webp)
The vulnerabilities have been addressed in JumpServer versions 3.10.12 and 4.0.0. Organizations using JumpServer should immediately update to these patched versions.
The fixes include separating the public key authentication API from token generation, introducing state tracking mechanisms for authentication, and implementing a signature-based verification system for the remote_addr parameter.
These vulnerabilities highlight the importance of secure coding practices, thorough testing, and continuous security assessments, especially in systems that serve as gateways to sensitive resources.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
