
Critical Vulnerabilities in Judge0 Lead to Sandbox Escape, Host Takeover

Three vulnerabilities in the Judge0 open source service could allow attackers to escape the sandbox and obtain root privileges on the host.

Three critical-severity vulnerabilities in the Judge0 open source service could allow attackers to perform sandbox escapes and completely take over the host machine, according to a warning from cybersecurity firm Tanto Security.

The company documented the flaws in an advisory warning that Judge0 versions prior to 1.13.1 are affected by CVE-2024-28185, CVE-2024-28189, and CVE-2024-29021, three issues that allow attackers to achieve code execution outside the sandbox and escalate their privileges to completely take over the Judge0 system.

The company said CVE-2024-28185 (CVSS 10/10) exists because the application does not account for symlinks stored in the sandbox directory. An attacker can create a symlink there and abuse a Judge0 function that writes a run_script into the sandbox directory when executing a submission, so that the write lands on the symlink's target instead.

The flaws allow an attacker to overwrite scripts on the system and execute code on the Docker container running the submission job. The attacker could then escalate their privileges outside the container and gain full access “to the Judge0 system including the database, internal networks, the Judge0 webserver, and any other applications running on the Linux host.”

Tanto Security said CVE-2024-28189 (CVSS 10/10) exists because the UNIX chown command is used on an untrusted file within the sandbox. By creating a symlink to a file outside the sandbox, an attacker could run the command on arbitrary files outside of the sandbox.

According to Tanto Security’s Daniel Cooper, CVE-2024-28189 is effectively a bypass of the patch Judge0 rolled out for CVE-2024-28185. Once the attacker can run the chown command on a file outside the sandbox, exploitation follows the same path.

The third bug – CVE-2024-29021 (CVSS 9.1/10) – exists because a configuration option allows submissions to perform network requests, including communicating with Judge0’s PostgreSQL database. A server-side request forgery (SSRF) bug allows an attacker to connect to the database and change the datatype of specific columns to achieve command injection and execute code on the Docker container.

While Judge0 version 1.13.1 resolves all three vulnerabilities, Cooper believes the underlying command execution issue might still exist and could likely be reached through other avenues. Users with self-hosted Judge0 instances are advised to update as soon as possible.


An online service for executing arbitrary code inside a secure sandbox, Judge0 supports the development of applications that require online code execution, such as programming, ecommerce, and recruitment platforms, online code editors, and more.

Judge0 says it is used by more than 20 customers and that over 300 self-hosted instances are currently online; paid options are available for clients who want additional features.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
