Analysis Summary

Multiple critical security vulnerabilities have recently been uncovered within the Judge0 open-source online code execution system, posing significant risks of code execution exploitation on targeted systems.

Researchers highlighted three critical flaws in a report, emphasizing the potential for adversaries to achieve sandbox escapes and gain root permissions on host machines. These vulnerabilities include CVE-2024-28185, CVE-2024-28189, and CVE-2024-29021, each carrying a high CVSS score of 9.1 to 10.0.

The first flaw, CVE-2024-28185, arises from the application's failure to recognize symbolic links within the sandbox directory, enabling attackers to write to arbitrary files and execute code outside the sandbox. Subsequently, CVE-2024-28189 exacerbates this issue by presenting a bypass patch for CVE-2024-28185, permitting attackers to manipulate the UNIX chown command on untrusted files within the sandbox, thereby facilitating unauthorized access to files outside the sandbox. Moreover, CVE-2024-29021 underscores a default configuration vulnerability in Judge0 rendering the service susceptible to a sandbox escape via Server-Side Request Forgery (SSRF), allowing attackers to execute unsandboxed code as root on the target machine.

The underlying problem lies within the "isolate_job.rb" Ruby script, responsible for sandbox setup and code execution. Exploiting these vulnerabilities involves creating symbolic links in directories before executing a bash script, enabling attackers to overwrite scripts and execute code outside the sandbox including within Docker containers running the submission job.

Additionally, due to the privileged flag set in the docker-compose.yml file, threat actors can escalate their privileges beyond the Docker container, potentially compromising the entire Judge0 system, including its database and internal networks. CVE-2024-29021 further underscores the potential for adversaries to exploit misconfigurations, allowing communication with Judge0's PostgreSQL database via SSRF, potentially leading to command injection and database manipulation.

Following responsible disclosure, these vulnerabilities have been addressed in version 1.13.1, released on April 18, 2024. To mitigate potential threats, users are strongly advised to update to the latest version promptly.

Impact

• Code Execution
• File Manipulation
• Unauthorized Access
• Privilege Escalation

Indicators of Compromise

CVE

• CVE-2024-28185
• CVE-2024-28189
• CVE-2024-29021

Remediation

• Refer to Judge0 GIT Repository for patch, upgrade, or suggested workaround information.
• Conduct regular security audits and vulnerability assessments to proactively identify and mitigate any potential weaknesses in the system.
• Review and adjust the configuration settings of Judge0 to ensure secure defaults and minimize the risk of exploitation, particularly regarding sandboxing and access controls.
• Implement privilege separation mechanisms to restrict access rights and limit the impact of potential breaches, preventing adversaries from gaining root privileges or accessing sensitive resources.
• Educate users and administrators on best practices for secure coding, safe execution of code, and recognizing and reporting security incidents to enhance overall system security posture.