CVE-2024-35178
📋 TL;DR
CVE-2024-35178 lets an unauthenticated attacker who can reach a Jupyter Server instance running on Windows leak the NTLMv2 hash of the Windows account the server runs as. The crafted request points the server at a path Windows treats as a UNC share (\\attacker\share); when the server touches that path, the operating system connects out over SMB and authenticates with NTLM, handing the attacker a challenge/response pair for the server's own account. Linux and macOS deployments are not affected. The captured hash can be cracked offline or used in an NTLM relay attack to compromise the host or other systems and services that accept that account.
💻 Affected Systems
- Jupyter Server (jupyter_server) before 2.14.1, only when it runs on Windows. JupyterLab and Notebook 7 ship jupyter_server as a dependency, so those deployments are affected through it.
📦 What is this software?
Jupyter Server is the Python backend shared by JupyterLab, Notebook 7 and other Jupyter web frontends: it serves the web UI and the REST/WebSocket APIs, manages kernels, and reads and writes notebooks and files on the host on behalf of the account it runs as. That last role is why a path-handling bug in it exposes the server's own operating-system credentials.
⚠️ Risk & Real-World Impact
Worst Case
The account running Jupyter Server is a domain user with a weak or reused password: the cracked or relayed credential gives the attacker that account on the host and on every other system it can log into, with lateral movement and domain compromise following from there.
Likely Case
An attacker with network reach to the server's port captures the NTLMv2 challenge/response without any credentials of their own, then cracks it offline or relays it to internal services that accept NTLM without requiring signing or channel binding.
If Mitigated
With outgoing NTLM and SMB blocked on the host, the crafted request fails and no hash leaves the machine. With only a strong password policy and enforced SMB signing, the attacker still obtains an NTLMv2 response but can neither crack it in useful time nor relay it.
🎯 Exploit Status
Exploitation needs only a crafted, unauthenticated HTTP request to the server's port plus an attacker-controlled SMB listener (any NTLM capture or relay tool) to receive the authentication; no Jupyter token or password is involved. The vendor advisory documents the issue and the fixed release.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.14.1
Vendor Advisory: https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-hrw6-wg82-cm62
Restart Required: Yes
Instructions:
1. Stop the Jupyter Server (and any JupyterLab or Notebook 7 instance, which embeds it). 2. Upgrade the package in the environment the server actually runs from: 'pip install --upgrade "jupyter-server>=2.14.1"' (conda users: 'conda update jupyter_server'). 3. Start the server again; a running process keeps the old code loaded until it is restarted.
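The fix closes the hole on the server side by refusing to resolve such paths. The following is an added illustration of that class of check, not the project's own code (the exact check in the 2.14.1 patch may differ), and the root directory is a hypothetical value. It uses `ntpath` so the Windows path semantics run on any platform, and its key point is ordering: every test is pure string handling, because on Windows the first `os.path.exists()`/`isfile()`/`stat()` call on a UNC path is what opens the SMB connection and sends the NTLMv2 response.

```python
import ntpath

# Hypothetical root_dir for the example; real deployments use ServerApp.root_dir.
ROOT_DIR = r"C:\Users\analyst\notebooks"


def is_unc(path: str) -> bool:
    """True if Windows would read `path` as a UNC share reference (\\\\host\\share or //host/share)."""
    drive, _ = ntpath.splitdrive(path)
    return drive.startswith(("\\\\", "//"))


def resolve_api_path(root_dir: str, api_path: str):
    """Map a client-supplied API path onto the filesystem, or return None if it must be rejected.

    Every check here is pure string handling. Nothing may call os.path.exists(),
    os.path.isfile() or os.stat() on the candidate until it has passed: on Windows
    those calls on a UNC path are what open the SMB connection and send the NTLMv2
    response, so a "does it exist?" probe before validation is the bug itself.
    """
    root = ntpath.normpath(root_dir)

    # 1. The CVE-2024-35178 case: anything Windows would treat as a UNC share.
    if is_unc(api_path):
        return None

    # 2. Anything else that is not a plain relative path: a drive letter
    #    (C:\..., D:file) or a path rooted at the drive root (\Windows\...).
    drive, rest = ntpath.splitdrive(api_path)
    if drive or rest[:1] in ("\\", "/"):
        return None

    # 3. Join, normalise away ./ and ../ segments, and confirm the result is
    #    still inside root. commonpath raises ValueError if the two paths do
    #    not share a drive, which is also a rejection.
    candidate = ntpath.normpath(ntpath.join(root, api_path))
    try:
        common = ntpath.commonpath([root, candidate])
    except ValueError:
        return None
    if ntpath.normcase(common) != ntpath.normcase(root):
        return None
    return candidate


if __name__ == "__main__":
    samples = [
        "analysis.ipynb",
        "sub/../analysis.ipynb",
        "//attacker.example/share/x.ipynb",
        r"\\attacker.example\share\x.ipynb",
        r"..\..\..\Windows\win.ini",
        r"C:\Windows\win.ini",
    ]
    for p in samples:
        print(f"{p!r:40} -> {resolve_api_path(ROOT_DIR, p)}")
```

Only the first two samples resolve to a location under the root; both UNC spellings, the drive-letter path and the `..` traversal are rejected before any filesystem call could be made on them.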
🔧 Temporary Workarounds
Restrict outgoing NTLM from the host
Raising LmCompatibilityLevel does not help here: that setting only controls whether LM and NTLMv1 responses are sent, and the credential this bug leaks is already an NTLMv2 response. What stops the leak is preventing the Jupyter host from authenticating to arbitrary remote servers. The RestrictSendingNTLMTraffic policy (Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers) does that machine-wide. Set it to 1 (audit) first and review the Microsoft-Windows-NTLM/Operational log for legitimate file-server use, then move to 2 (deny); deny breaks every share or service the host reaches with NTLM.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "RestrictSendingNTLMTraffic" -Value 1
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "RestrictSendingNTLMTraffic" -Value 2
Block outbound SMB and WebDAV from the host
UNC resolution tries SMB (TCP 445 and 139) and, when the WebClient service is running, falls back to WebDAV over HTTP, so block the SMB ports and disable WebClient:
New-NetFirewallRule -DisplayName "Block outbound SMB" -Direction Outbound -Protocol TCP -RemotePort 139,445 -Action Block
Stop-Service WebClient; Set-Service WebClient -StartupType Disabled
Network segmentation
Jupyter Server listens on localhost unless started with --ip, so the attack needs the server to be exposed on a network interface. If it must be, allow only the trusted subnet on the listening port (8888 by default) and let the inbound default-deny reject everything else; confirm with Get-NetFirewallRule that no broader allow rule for the port exists:
New-NetFirewallRule -DisplayName "Allow Jupyter from trusted subnet" -Direction Inbound -Protocol TCP -LocalPort 8888 -RemoteAddress LocalSubnet -Action Allow
🧯 If You Can't Patch
- Run Jupyter Server on Linux or macOS, where UNC paths are not resolved over SMB and this vulnerability does not exist
- If it must stay on Windows, run it under a dedicated local account with no access to network shares or domain resources, so a captured or relayed hash buys the attacker little
- Apply the workarounds above (restrict outgoing NTLM, block outbound SMB and WebDAV, firewall the listener) and monitor the host for outbound SMB connections and NTLM authentication attempts
🔍 How to Verify
Check if Vulnerable:
A deployment is vulnerable when the server process runs on Windows and the installed jupyter_server is older than 2.14.1. Run the checks from the environment the server actually starts from; a version reported by a different virtualenv or conda environment says nothing about the running service.
Check Version:
jupyter-server --version
python -c "import platform, jupyter_server; print(platform.system(), jupyter_server.__version__)"
Verify Fix Applied:
Both commands report 2.14.1 or later, and the server has been restarted since the upgrade (a running process keeps the old code loaded).
📡 Detection & Monitoring
Log Indicators:
- On the Jupyter host: an outbound SMB connection (TCP 445 or 139) from the Python process that runs Jupyter Server to a host that is not a known file server; Sysmon Event ID 3 records the process and destination. With the outgoing-NTLM policy in audit mode, Microsoft-Windows-NTLM/Operational Event ID 8001 records each outgoing NTLM authentication to a remote server.
- Jupyter Server request log entries whose file path begins with // or \\ (or the URL-encoded forms %2F%2F and %5C%5C); legitimate clients never request UNC paths, and such requests typically fail with 404 or 403.
- Do not rely on Event ID 4624 or 4648 on the Jupyter host: the leak is the host authenticating outward, so the logon events land on whatever the attacker relays the credential to, not on the victim.
- On systems the credential could be relayed to: Event ID 4624 with LogonType 3 and AuthenticationPackageName NTLM for the account that runs Jupyter, arriving from a workstation other than the Jupyter host.
Network Indicators:
- HTTP requests to the Jupyter Server port from unexpected sources, especially requests carrying UNC-style paths
- SMB or WebDAV connections initiated by the Jupyter host to external or otherwise unexpected addresses
SIEM Query:
source="sysmon" EventID=3 Image="*\python.exe" DestinationPort IN (139, 445) | where NOT DestinationIp IN (known_file_servers)
source="Microsoft-Windows-NTLM/Operational" EventID=8001
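The request-log indicator above is easy to automate. The following is an added example, not tooling from the Jupyter project: it scans log lines in the shape of Jupyter Server's request log (the sample lines are constructed, not real logs), URL-decodes each request path once, strips a set of file-serving route prefixes (an assumed list; extend it to match the handlers you expose) and reports every request whose remaining path names a UNC host. The double slash inside `work//notes.ipynb` is deliberately not flagged: only a path that starts with two separators is a UNC reference.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the shape of Jupyter Server's request log
# (not real logs). Lines 3 and 4 are the kind of request this CVE needs:
# a file path that decodes to //host/share or \\host\share.
SAMPLE_LOG = """\
[I 2024-05-28 14:02:11.402 ServerApp] 200 GET /api/contents/analysis.ipynb?content=1 (analyst@10.0.0.12) 4.13ms
[I 2024-05-28 14:02:15.017 ServerApp] 200 GET /api/contents/work//notes.ipynb?content=0 (analyst@10.0.0.12) 2.40ms
[W 2024-05-28 14:03:30.118 ServerApp] 404 GET /files/%2F%2Fattacker.example%2Fshare%2Fx (203.0.113.7) 1.92ms
[W 2024-05-28 14:03:31.509 ServerApp] 404 GET /api/contents/%5C%5C203.0.113.7%5Cshare%5Ca.ipynb?content=1 (203.0.113.7) 1.75ms
[I 2024-05-28 14:04:02.880 ServerApp] 200 GET /api/kernels (analyst@10.0.0.12) 0.88ms
"""

# "[level timestamp Logger] status METHOD uri (client) elapsed"
LINE_RE = re.compile(
    r"^\[(?P<level>[A-Z]) (?P<ts>\S+ \S+) \S+\] "
    r"(?P<status>\d{3}) (?P<method>[A-Z]+) (?P<uri>\S+) \((?P<client>[^)]*)\)"
)

# Route prefixes under which the remainder of the URL is a file path.
# Assumed list for this example; extend it to match the handlers you expose.
FILE_PREFIXES = ("/api/contents/", "/files/", "/view/", "/edit/", "/nbconvert/")

# A remainder that begins with two separators (either kind) names a UNC host.
UNC_HOST_RE = re.compile(r"^[\\/]{2}([^\\/]+)")


def unc_target(uri: str):
    """Return the UNC host named by a request URI, or None if the path is ordinary."""
    # One decoding pass; add a second unquote() if you also want double-encoded probes.
    path = unquote(uri.split("?", 1)[0])
    for prefix in FILE_PREFIXES:
        if path.startswith(prefix):
            m = UNC_HOST_RE.match(path[len(prefix):])
            return m.group(1) if m else None
    return None


def find_unc_requests(log_text: str):
    """Scan request-log text and return one finding per request that names a UNC host."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # startup banner, traceback, or other non-request line
        host = unc_target(m.group("uri"))
        if host is None:
            continue
        findings.append({
            "timestamp": m.group("ts"),
            "client": m.group("client"),
            "status": int(m.group("status")),
            "uri": m.group("uri"),
            "unc_host": host,
        })
    return findings


if __name__ == "__main__":
    for f in find_unc_requests(SAMPLE_LOG):
        print(f"{f['timestamp']} client={f['client']} status={f['status']} "
              f"unc_host={f['unc_host']} uri={f['uri']}")
```

The `unc_host` value is the pivot for the rest of the investigation: it is the SMB server the Jupyter host was coerced to authenticate to, so it should appear as the destination of the outbound connection in the Sysmon or NTLM audit events on the same host at the same time.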
🔗 References
- https://github.com/jupyter-server/jupyter_server/commit/79fbf801c5908f4d1d9bc90004b74cfaaeeed2df
- https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-hrw6-wg82-cm62