CVE-2024-45219 – Apache CloudStack: Uploaded and registered templates and volumes can be used to abuse KVM-based infrastructure
https://notcve.org/view.php?id=CVE-2024-45219
Account users in Apache CloudStack by default are allowed to upload and register templates for deploying instances and volumes for attaching them as data disks to their existing instances. Due to missing validation checks for KVM-compatible templates or volumes in CloudStack 4.0.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1, an attacker that can upload or register templates and volumes, can use them to deploy malicious instances or attach uploaded volumes to their existing instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. Additionally, all user-uploaded or registered KVM-compatible templates and volumes can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run this on their secondary storage(s) and inspect output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk. for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo "Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully • https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2 https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-4-and-4-19-1-2 • CWE-20: Improper Input Validation CWE-116: Improper Encoding or Escaping of Output •
CVE-2024-45462 – Apache CloudStack: Incomplete session invalidation on web interface logout
https://notcve.org/view.php?id=CVE-2024-45462
The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. An attacker that has access to a user's browser can use an unexpired session to gain access to resources owned by the logged out user account. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. La operación de cierre de sesión en la interfaz web de CloudStack no hace que la sesión del usuario caduque por completo, lo que es válido hasta que caduque por tiempo o se reinicie el servicio de backend. Un atacante que tenga acceso al navegador de un usuario puede usar una sesión vigente para obtener acceso a los recursos que posee la cuenta de usuario que cerró la sesión. • https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2 https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo • CWE-613: Insufficient Session Expiration •
CVE-2024-45693 – Apache CloudStack: Request origin validation bypass makes account takeover possible
https://notcve.org/view.php?id=CVE-2024-45693
Users logged into the Apache CloudStack's web interface can be tricked to submit malicious CSRF requests due to missing validation of the origin of the requests. This can allow an attacker to gain privileges and access to resources of the authenticated users and may lead to account takeover, disruption, exposure of sensitive data and compromise integrity of the resources owned by the user account that are managed by the platform. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1 Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. Los usuarios que hayan iniciado sesión en la interfaz web de Apache CloudStack pueden ser engañados para que envíen solicitudes CSRF maliciosas debido a la falta de validación del origen de las solicitudes. Esto puede permitir que un atacante obtenga privilegios y acceso a los recursos de los usuarios autenticados y puede provocar la apropiación de cuentas, interrupciones, exposición de datos confidenciales y comprometer la integridad de los recursos propiedad de la cuenta de usuario que son administrados por la plataforma. Este problema afecta a Apache CloudStack desde la versión 4.15.1.0 hasta la 4.18.2.3 y desde la versión 4.19.0.0 hasta la 4.19.1.1. • https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2 https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-42062 – Apache CloudStack: User Key Exposure to Domain Admins
https://notcve.org/view.php?id=CVE-2024-42062
CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin. An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss, denial of service and availability of CloudStack managed infrastructure. Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated. • https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3 https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1 • CWE-863: Incorrect Authorization •
CVE-2024-41107 – Apache CloudStack: SAML Signature Exclusion
https://notcve.org/view.php?id=CVE-2024-41107
The CloudStack SAML authentication (disabled by default) does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response with no signature and known or guessed username and other user details of a SAML-enabled CloudStack user-account. In such environments, this can result in a complete compromise of the resources owned and/or accessible by a SAML enabled user-account. Affected users are recommended to disable the SAML authentication plugin by setting the "saml2.enabled" global setting to "false", or upgrade to version 4.18.2.2, 4.19.1.0 or later, which addresses this issue. La autenticación SAML de CloudStack (deshabilitada de forma predeterminada) no exige la verificación de firmas. En entornos de CloudStack donde la autenticación SAML está habilitada, un atacante que inicia la autenticación de inicio de sesión único SAML de CloudStack puede omitir la autenticación SAML enviando una respuesta SAML falsificada sin firma y con un nombre de usuario conocido o adivinado y otros detalles de usuario de un usuario de CloudStack habilitado para SAML. cuenta. • https://github.com/d0rb/CVE-2024-41107 http://www.openwall.com/lists/oss-security/2024/07/19/1 http://www.openwall.com/lists/oss-security/2024/07/19/2 https://cloudstack.apache.org/blog/security-release-advisory-cve-2024-41107 https://github.com/apache/cloudstack/issues/4519 https://lists.apache.org/thread/5q06g8zvmhcw6w3tjr6r5prqdw6zckg3 https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-cve-2024-41107 • CWE-290: Authentication Bypass by Spoofing •