CVE-2024-28189

Improper Link Resolution Before File Access ('Link Following') (CWE-59)

Published: Apr 18, 2024 / Updated: 7mo ago

Judge0 is an open source service used to run arbitrary code inside a secure sandbox. Tanto Security disclosed vulnerabilities in Judge0 that allows an adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine.

Although it is possible to execute code outside of the submission, it doesn’t help us as this is run inside the isolate sandbox. Tanto Security disclosed vulnerabilities in Judge0 that allows an adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine.

In view of this weakness, the agency has declared immediate action such as patching up any vulnerable systems with updates from official sources while monitoring them closely among other recommended mitigations against potential attacks exploiting this vulnerability according to another report published by CISA, who also said we should use some methods like enhanced monitoring which may include logging and analysis tools. A state-sponsored threat actor called “UAT4356” has been identified as the group behind the ArcaneDoor campaign that exploited Cisco Firewall zero-days and targeted government perimeter network devices worldwide, according to an analysis of the report on ArcaneDoor hackers and their link to China.

In view of this weakness, the agency has declared immediate action such as patching up any vulnerable systems with updates from official sources while monitoring them closely among other recommended mitigations against potential attacks exploiting this vulnerability according to another report published by CISA, who also said we should use some methods like enhanced monitoring which may include logging and analysis tools. A state-sponsored threat actor called “UAT4356” has been identified as the group behind the ArcaneDoor campaign that exploited Cisco Firewall zero-days and targeted government perimeter network devices worldwide, according to an analysis of the report on ArcaneDoor hackers and their link to China.

According to Dropbox, a threat actor gained access to the Sign production environment and accessed customer information, including email addresses, usernames, phone numbers, hashed passwords, data on general account settings, and authentication data such as API keys, OAuth tokens and multi-factor authentication. " The DPRK [Democratic People's Republic of Korea] leverages these spear-phishing campaigns to collect intelligence on geopolitical events, adversary foreign policy strategies, and any information affecting DPRK interests by gaining illicit access to targets' private documents, research, and communications, " NSA said .

These vulnerabilities, namely CVE-2024-28185, CVE-2024-28189, and CVE-2024-29021, pose significant threats by enabling attackers to execute code outside the sandbox environment, escalate privileges, and ultimately gain full control over the Judge0 system. The CVE-2024-27322 (CVSS score of 8.8 ), vulnerability poses a severe threat to the security of the R programming language by permitting arbitrary code execution through the deserialization of untrusted data [1] .

CVE-2024-28185 (CVSS score: 10.0) – The application does not account for symlinks placed inside the sandbox directory, which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox. A threat actor could leverage this flaw to overwrite scripts on the system and gain code execution outside of the sandbox and on the Docker container running the submission job.