How the CVE Works:
CVE-2024-38585 affects Jupyter Core on Windows systems where the `%PROGRAMDATA%` directory is improperly secured. The vulnerability arises because Jupyter Core searches this shared directory for configuration files (the `SYSTEM_CONFIG_PATH` and `SYSTEM_JUPYTER_PATH` search paths). An attacker with write access to `%PROGRAMDATA%` can plant malicious configuration files, leading to arbitrary code execution or privilege escalation when other users launch Jupyter applications. This impacts multi-user Windows environments where directory permissions are misconfigured, allowing unauthorized modifications.
DailyCVE Form:
Platform: Windows
Version: <5.8.1
Vulnerability: Insecure Config Loading
Severity: Medium
Date: 2024-06-05
Prediction: Patch expected by 2024-07-15
What Undercode Says:
Exploitation:
1. Check Permissions:
icacls "%PROGRAMDATA%\jupyter"
2. Plant Malicious Config:
echo '{"key": "malicious_code"}' > "%PROGRAMDATA%\jupyter\jupyter_config.json"
Protection:
1. Update Jupyter Core:
pip install --upgrade "jupyter_core>=5.8.1"
2. Restrict Directory Permissions:
icacls "%PROGRAMDATA%\jupyter" /deny "Users:(W)"
3. Custom Config Path:
setx JUPYTER_CONFIG_DIR "C:\Secure\JupyterConfig"
Detection:
1. Audit Logs:
Get-EventLog -LogName Security -InstanceId 4663 | Where-Object { $_.Message -like "*\ProgramData\jupyter*" }
2. Verify Configs:
import jupyter_core.paths
print(jupyter_core.__version__)
print(jupyter_core.paths.SYSTEM_CONFIG_PATH)
print(jupyter_core.paths.SYSTEM_JUPYTER_PATH)
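As an added example that is not part of this advisory and not jupyter_core's own code, the following Python script turns the two manual checks above (running `icacls` against the `%PROGRAMDATA%\jupyter` directory, and looking up the installed version and search paths) into one defender-side audit: it parses the text `icacls` prints, flags allow entries that give low-privilege groups write rights, and compares the installed version with the 5.8.1 fix named in the form. It assumes the default built-in group names; the `icacls` output embedded at the bottom is constructed, and `audit_live` is a hypothetical wrapper that only works on a Windows host with Jupyter installed.

```python
"""Added example (not from the advisory or from jupyter_core): audit whether a
Jupyter search-path directory such as %PROGRAMDATA%\\jupyter is writable by
low-privilege principals, using the text that `icacls <dir>` prints, and check
whether the installed jupyter_core predates the 5.8.1 fix."""
import re
import subprocess

# Groups every interactive user is a member of (assumption: default built-in
# groups; add site-specific groups as needed).
LOW_PRIV_PRINCIPALS = {
    "BUILTIN\\Users",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
    "Everyone",
}
# icacls simple rights that allow creating or replacing files in the directory.
WRITE_SIMPLE_RIGHTS = {"W", "M", "F"}
# icacls specific rights that do the same: write data/add file, append data/add
# subdirectory, delete child, write DAC, write owner.
WRITE_SPECIFIC_RIGHTS = {"WD", "AD", "DC", "WDAC", "WO"}
FIXED_VERSION = (5, 8, 1)


def parse_icacls(output, directory):
    """Parse `icacls <directory>` text into (principal, rights-tokens, is_deny)."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        # icacls prints the directory path in front of the first ACE only.
        if line.lower().startswith(directory.lower()):
            line = line[len(directory):].strip()
        m = re.fullmatch(r"(.+?):((?:\([^)]*\))+)", line)
        if not m:
            continue
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", m.group(2)):
            # Specific rights come comma-separated inside one pair of parens.
            tokens.update(t.strip() for t in group.split(",") if t.strip())
        aces.append((m.group(1).strip(), tokens, "DENY" in tokens))
    return aces


def writable_by_low_priv(aces):
    """Principals from LOW_PRIV_PRINCIPALS that get write rights via an allow ACE."""
    found = []
    for principal, tokens, is_deny in aces:
        if is_deny or principal not in LOW_PRIV_PRINCIPALS:
            continue
        if tokens & (WRITE_SIMPLE_RIGHTS | WRITE_SPECIFIC_RIGHTS) and principal not in found:
            found.append(principal)
    return found


def is_vulnerable_version(version):
    """True when the version string is older than 5.8.1 (plain numeric compare)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts < FIXED_VERSION


def audit(directory, icacls_output, jupyter_core_version):
    """Combine the ACL findings and the version check into one report."""
    aces = parse_icacls(icacls_output, directory)
    return {
        "directory": directory,
        "low_priv_writers": writable_by_low_priv(aces),
        "version_vulnerable": is_vulnerable_version(jupyter_core_version),
    }


def audit_live(directory):
    """Hypothetical wrapper for a Windows host: shell out to icacls, import jupyter_core."""
    import jupyter_core  # only available where Jupyter is installed
    out = subprocess.run(["icacls", directory], capture_output=True, text=True).stdout
    return audit(directory, out, jupyter_core.__version__)


# Constructed icacls output for a misconfigured directory (not captured from a
# real host): the second BUILTIN\Users entry grants add-file/add-subdir rights.
SAMPLE_DIR = r"C:\ProgramData\jupyter"
SAMPLE_ICACLS = r"""C:\ProgramData\jupyter NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                       BUILTIN\Administrators:(I)(OI)(CI)(F)
                       BUILTIN\Users:(I)(OI)(CI)(RX)
                       BUILTIN\Users:(I)(CI)(WD,AD)
                       CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    print(audit(SAMPLE_DIR, SAMPLE_ICACLS, "5.7.2"))
```

On the constructed sample the report names `BUILTIN\Users` as a low-privilege writer and marks version 5.7.2 as vulnerable; a deny ACE is parsed but never counted as a grant, and an `(RX)`-only entry is ignored.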
Mitigation Script:
rem Create a secure directory that only Administrators and SYSTEM can modify; users keep read/execute
mkdir "C:\Secure\JupyterConfig"
icacls "C:\Secure\JupyterConfig" /inheritance:r /grant "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "Users:(OI)(CI)RX"
setx JUPYTER_CONFIG_DIR "C:\Secure\JupyterConfig"
Reported By: github.com