Description
Judge0 is an open-source online code execution system. The application does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox. When executing a submission, Judge0 writes a `run_script` to the sandbox directory. The security issue is that an attacker can create a symbolic link (symlink) at the path `run_script` before this code is executed, resulting in the `f.write` writing to an arbitrary file on the unsandboxed system. An attacker can leverage this vulnerability to overwrite scripts on the system and gain code execution outside of the sandbox.
EPSS Score:
67%
Comprehensive Technical Analysis of EUVD-2024-25309
1. Vulnerability Assessment and Severity Evaluation
The vulnerability described in EUVD-2024-25309 pertains to the Judge0 open-source online code execution system. The issue arises from the application's failure to properly handle symbolic links (symlinks) within the sandbox directory. This oversight allows an attacker to manipulate the run_script path, leading to arbitrary file writes and potential code execution outside the sandbox environment.
Severity Evaluation:
- CVSS Base Score: 10.0
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
The CVSS score of 10.0 indicates a critical vulnerability. The high severity is due to the ease of exploitation (low complexity, no privileges required, and no user interaction needed) and the significant impact on confidentiality, integrity, and availability.
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Remote Code Execution (RCE): An attacker can create a symlink at the run_script path before the code execution, redirecting the write operation to an arbitrary file on the system.
- Privilege Escalation: By overwriting critical system files or scripts, an attacker can gain elevated privileges and execute arbitrary code outside the sandbox.
- Data Exfiltration: The vulnerability can be exploited to read sensitive files by redirecting the output to a location accessible to the attacker.
Exploitation Methods:
- Symlink Creation: The attacker creates a symlink in the sandbox directory pointing to a target file outside the sandbox.
- File Overwrite: When Judge0 writes to the run_script, it actually writes to the target file due to the symlink, allowing the attacker to overwrite it.
- Code Execution: The attacker can inject malicious code into the overwritten file, leading to arbitrary code execution.
3. Affected Systems and Software Versions
Affected Systems:
- Judge0 versions ≤ 1.13.0
Software Versions:
- All versions of Judge0 up to and including 1.13.0 are vulnerable. Users are advised to update to a patched version as soon as it becomes available.
4. Recommended Mitigation Strategies
- Patch Management:
  - Immediately update to the latest version of Judge0 that addresses this vulnerability.
- Access Controls:
  - Implement strict access controls to limit who can create symlinks within the sandbox directory.
- Input Validation:
  - Ensure that all inputs are validated and sanitized to prevent the creation of malicious symlinks.
- Monitoring and Logging:
  - Enhance monitoring and logging to detect any unusual file operations within the sandbox directory.
- Sandbox Hardening:
  - Strengthen the sandbox environment to prevent any unauthorized file operations outside the designated directory.
5. Impact on European Cybersecurity Landscape
The vulnerability in Judge0 poses a significant risk to organizations and educational institutions that rely on online code execution systems for coding challenges, interviews, and educational purposes. Given the critical nature of the vulnerability, it could be exploited to compromise sensitive data, disrupt services, and gain unauthorized access to systems. This underscores the importance of robust security practices and timely patch management in the European cybersecurity landscape.
6. Technical Details for Security Professionals
Vulnerability Details:
- CWE ID: CWE-59 (Improper Link Resolution Before File Access)
- Exploitability: The vulnerability can be exploited by creating a symlink in the sandbox directory that points to a target file outside the sandbox. When Judge0 writes to the run_script, it writes to the target file instead.
Code Reference:
- The vulnerability is located in the isolate_job.rb file, specifically in lines 197-201 of version 1.13.0.
Mitigation Code Example:
# Refuse to write if run_script is already a symlink
if File.symlink?('run_script')
  raise "Security error: run_script is a symlink"
end
# Open without following symlinks (O_NOFOLLOW) so a link planted between the
# check above and the open cannot redirect the write; the open then fails with
# Errno::ELOOP instead of writing through the link
flags = File::WRONLY | File::CREAT | File::TRUNC | File::NOFOLLOW
File.open('run_script', flags, 0o600) do |f|
  f.write(script_content)
end
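The following is an added, self-contained Ruby example (not Judge0's own code, and not taken from the advisory) that puts the symlink-exploitation steps from section 2 and the hardening and monitoring recommendations from section 4 side by side: a write helper that refuses symlinked paths, opens with O_NOFOLLOW to close the check-then-write race, and verifies it holds a regular file, plus a scanner that lists symlinks under a sandbox root whose target resolves outside it. The module name SandboxWriter, the methods write_script, symlink_in_path? and escaping_symlinks, and the throwaway sandbox built in demo_symlink_defence are all assumptions made for this illustration; the planted run_script symlink and the "victim" script are constructed inputs.

```ruby
require 'tmpdir'
require 'fileutils'

# Hypothetical hardened helper for a sandbox directory whose contents are
# attacker controlled. Added example, not Judge0's code.
module SandboxWriter
  class SymlinkEscape < StandardError; end

  # True if any component of rel_path, walked down from sandbox_root, is a
  # symbolic link. Catches a symlinked file and a symlinked parent directory.
  def self.symlink_in_path?(sandbox_root, rel_path)
    current = sandbox_root
    rel_path.split(File::SEPARATOR).reject(&:empty?).each do |part|
      current = File.join(current, part)
      return true if File.symlink?(current)
    end
    false
  end

  # Writes content to rel_path inside sandbox_root. The lstat-based check alone
  # is racy (a symlink can be swapped in after the check), so the open itself
  # uses O_NOFOLLOW where the platform provides it, and the opened descriptor is
  # confirmed to be a regular file (not a FIFO or device) before writing.
  def self.write_script(sandbox_root, rel_path, content)
    root = File.realpath(sandbox_root)
    target = File.join(root, rel_path)
    raise SymlinkEscape, "#{rel_path} contains a symlink" if symlink_in_path?(root, rel_path)

    flags = File::WRONLY | File::CREAT | File::TRUNC
    flags |= File::NOFOLLOW if File.const_defined?(:NOFOLLOW)
    begin
      File.open(target, flags, 0o600) do |f|
        raise SymlinkEscape, "#{rel_path} is not a regular file" unless f.stat.file?
        f.write(content)
      end
    rescue Errno::ELOOP, Errno::EMLINK
      # O_NOFOLLOW refused a symlink that appeared after the check above
      raise SymlinkEscape, "#{rel_path} became a symlink"
    end
    target
  end

  # Detection helper for the monitoring recommendation: every symlink below
  # sandbox_root whose target resolves to a location outside the sandbox.
  def self.escaping_symlinks(sandbox_root)
    root = File.realpath(sandbox_root)
    Dir.glob(File.join(root, '**', '*'), File::FNM_DOTMATCH).select do |path|
      next false unless File.symlink?(path)
      dest = File.expand_path(File.readlink(path), File.dirname(path))
      dest = File.realpath(dest) if File.exist?(dest)
      !dest.start_with?(root + File::SEPARATOR)
    end
  end
end

# Constructed scenario: a throwaway sandbox with a planted symlink named
# run_script pointing at a file outside the sandbox (a stand-in for a system
# script). Returns a hash describing what happened so it can be checked.
def demo_symlink_defence
  result = {}
  Dir.mktmpdir('outside') do |outside|
    victim = File.join(outside, 'victim.sh')
    File.write(victim, "#!/bin/sh\necho original\n")
    Dir.mktmpdir('box') do |box|
      File.symlink(victim, File.join(box, 'run_script'))
      result[:escaping] = SandboxWriter.escaping_symlinks(box).map { |p| File.basename(p) }
      begin
        SandboxWriter.write_script(box, 'run_script', "echo replaced\n")
        result[:blocked] = false
      rescue SandboxWriter::SymlinkEscape
        result[:blocked] = true
      end
      result[:victim_intact] = File.read(victim).include?('original')
      # A legitimate write to a fresh name inside the sandbox still succeeds
      SandboxWriter.write_script(box, 'run_script_ok', "echo fine\n")
      result[:legit] = File.read(File.join(box, 'run_script_ok'))
    end
  end
  result
end

puts demo_symlink_defence.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints a hash with blocked: true, victim_intact: true and escaping: ["run_script"]; the write through the planted link is refused while the ordinary write inside the sandbox goes through. The belt-and-braces design (lstat check, O_NOFOLLOW, regular-file check on the opened descriptor) matters because the sandbox directory is entirely under the submitter's control, so any single check that is separated in time from the write can be raced.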
By addressing this vulnerability promptly and implementing robust security measures, organizations can mitigate the risk of exploitation and ensure the integrity of their code execution environments.