CVE-2024-45187
📋 TL;DR
This vulnerability allows guest users of the Mage AI framework to retain high privileges after their account has been deleted, enabling remote code execution through the AI terminal server. Any Mage AI deployment with guest user functionality enabled is affected. Attackers can exploit this to gain unauthorized system access.
💻 Affected Systems
- Mage AI
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining persistent access, data exfiltration, and lateral movement across the network.
Likely Case
Unauthorized code execution leading to data theft, service disruption, or deployment of malware.
If Mitigated
Limited impact if proper network segmentation and least privilege principles are enforced.
🎯 Exploit Status
Exploitation requires a previously created guest account that has been deleted but still holds a logged-in session. The attack chain is straightforward once that initial access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific version
Vendor Advisory: https://research.jfrog.com/vulnerabilities/mage-ai-deleted-users-rce-jfsa-2024-001039602/
Restart Required: Yes
Instructions:
1. Check the Mage AI version.
2. Apply the latest security update from the vendor.
3. Restart Mage AI services.
4. Force logout of all existing sessions.
🔧 Temporary Workarounds
Disable Guest User Functionality
Temporarily disable guest user accounts until the patch is applied
# Check Mage AI configuration for guest settings
# Disable guest user creation and access
Session Timeout Enforcement
Implement aggressive session timeout policies
# Configure session timeout in Mage AI settings
# Set maximum session duration to minimal value
🧯 If You Can't Patch
- Implement network segmentation to isolate Mage AI instances from critical systems
- Enable detailed logging and monitoring for suspicious terminal server activity
🔍 How to Verify
Check if Vulnerable:
Check whether an existing session of a deleted guest account still has terminal server access. Review the session management logic in the code to confirm that account deletion invalidates active sessions.
Check Version:
# Check Mage AI version through admin interface or package manager
Verify Fix Applied:
Verify that deleted guest accounts are immediately logged out and lose all privileges.
📡 Detection & Monitoring
Log Indicators:
- Unexpected terminal server access by deleted users
- Guest user sessions persisting after account deletion
- Unusual code execution patterns in AI terminal
Network Indicators:
- Suspicious outbound connections from Mage AI server
- Unexpected network traffic to/from terminal server port
SIEM Query:
source="mage-ai" AND (event="terminal_execute" OR event="session_persist") AND user_status="deleted"
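The SIEM query above assumes a user_status field, which most audit logs do not carry; in practice the deletion event has to be correlated with later activity from the same account. The following Python is an added example (not from the page or the Mage AI project) that performs that correlation over constructed JSON audit lines; the event names user_create, user_delete, terminal_execute and session_activity are hypothetical field values chosen for the example, and a later user_create for the same name clears the deleted state so a legitimately re-created account is not flagged.

```python
import json
from datetime import datetime

# Constructed sample audit log (one JSON object per line); not real Mage AI output.
SAMPLE_LOG = """\
{"ts": "2024-08-20T10:00:00Z", "event": "user_create", "user": "guest1", "role": "guest"}
{"ts": "2024-08-20T10:05:00Z", "event": "terminal_execute", "user": "guest1", "cmd": "ls"}
{"ts": "2024-08-20T10:10:00Z", "event": "user_delete", "user": "guest1", "actor": "admin"}
{"ts": "2024-08-20T10:12:00Z", "event": "terminal_execute", "user": "guest1", "cmd": "whoami"}
{"ts": "2024-08-20T10:13:00Z", "event": "session_activity", "user": "guest1", "path": "/api/pipelines"}
{"ts": "2024-08-20T10:20:00Z", "event": "user_create", "user": "guest1", "role": "guest"}
{"ts": "2024-08-20T10:21:00Z", "event": "terminal_execute", "user": "guest1", "cmd": "pwd"}
{"ts": "2024-08-20T10:30:00Z", "event": "terminal_execute", "user": "alice", "cmd": "ls"}
"""

# Hypothetical event names; map these to whatever your log source actually emits.
DELETE_EVENT = "user_delete"
CREATE_EVENT = "user_create"
WATCHED_EVENTS = {"terminal_execute", "session_activity"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_post_deletion_activity(log_text):
    """Return events performed by a user after that user's account was deleted.

    Events are sorted by timestamp first, so a deletion that appears later in
    the file is still applied in the right order. A user_create for the same
    name after the deletion clears the deleted state (new account, not a
    lingering session of the old one).
    """
    events = sorted((json.loads(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: parse_ts(e["ts"]))
    deleted_at = {}   # user -> timestamp of the deletion event
    findings = []
    for e in events:
        user, kind = e.get("user"), e.get("event")
        if kind == DELETE_EVENT:
            deleted_at[user] = e["ts"]
        elif kind == CREATE_EVENT:
            deleted_at.pop(user, None)
        elif kind in WATCHED_EVENTS and user in deleted_at:
            findings.append({"ts": e["ts"], "user": user, "event": kind,
                             "deleted_at": deleted_at[user],
                             "detail": e.get("cmd") or e.get("path")})
    return findings


if __name__ == "__main__":
    for f in find_post_deletion_activity(SAMPLE_LOG):
        print(f"ALERT {f['ts']} {f['user']} {f['event']} after deletion at {f['deleted_at']}: {f['detail']}")
```

On the constructed log this flags only the two guest1 events between the deletion and the re-creation; the later pwd command and alice's activity are not reported.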