Apache CloudStack provides a registerUserKeys API that allows a user to create or recreate a secret key and an API key to use for authentication when using the CloudStack API. A malicious user can request this API action in conjunction with the ID of another CloudStack user/account. The newly created or re-generated API keys for this other user would then be returned to the malicious user, giving them access to the other user’s account and resources. The issue affects all users of CloudStack 4.1 and above.
NOTE: In order to exploit this vulnerability the malicious user must themselves have authenticated API access.
ShapeBlue have worked with the security team to create these instructions and security release(s), and all CloudStack operators are advised to follow these instructions or upgrade. It is thought that this vulnerability also affects commercial distributions of Apache CloudStack.
Credit: This vulnerability was reported by Marc-Aurèle Brothier at Exoscale.
CloudStack operators should upgrade to one of the following security release versions, based on releases they are currently using: 220.127.116.11, 18.104.22.168, or 22.214.171.124. Please ensure that you upgrade to the relevant version.
These versions contain only security updates, and no other functionality change. The rpm and debian packages for these versions are available from ShapeBlue’s CloudStack repositories that can be used to upgrade the cloudstack-management package. Stopping the management service(s), upgrading all management servers and then restarting them is sufficient.
Short Term Mitigation
Performing the following steps will restrict the API to use by your root-admin account users only. USERS and DOMAIN ADMINS will NO LONGER be able to create or re-generate API keys themselves.
Affected users can restrict this API to root admin users/accounts only by setting the API’s permission value to 1 (i.e. only root-admin accounts are allowed). To do this, open and edit the ‘commands.properties’ file (usually found at /etc/cloudstack/management/commands.properties or at /usr/share/cloudstack-management/webapps/client/WEB-INF/classes/commands.properties), then search for the registerUserKeys entry and change its value to 1 (i.e. `registerUserKeys=1`).
Save the file and restart your management server.
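To verify that the mitigation above has actually been applied on every management server, the following audit script (an added example, not part of the advisory or of CloudStack itself) parses a commands.properties file, decodes the permission bitmask for registerUserKeys and can rewrite the entry to 1. It assumes the `apiName=bitmask` line format and the CloudStack role-bit convention (1 = root admin, 2 = resource admin, 4 = domain admin, 8 = user); the sample file contents are constructed.

```python
"""Audit a CloudStack commands.properties file for the registerUserKeys mitigation."""
from typing import Dict, List

# Assumed role-bit convention used by commands.properties masks.
ROLE_BITS = {1: "root admin", 2: "resource admin", 4: "domain admin", 8: "user"}
API_NAME = "registerUserKeys"


def parse_commands_properties(text: str) -> Dict[str, int]:
    """Return {apiName: bitmask}, skipping comments, blanks and malformed lines."""
    perms: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        try:
            perms[name.strip()] = int(value.strip())
        except ValueError:
            continue  # not a numeric mask; ignore rather than guess
    return perms


def roles_allowed(mask: int) -> List[str]:
    """Decode a permission bitmask into the role names it grants."""
    return [label for bit, label in ROLE_BITS.items() if mask & bit]


def audit_register_user_keys(text: str) -> dict:
    """Report who may call registerUserKeys and whether only root admin (mask 1) can."""
    mask = parse_commands_properties(text).get(API_NAME)
    if mask is None:
        return {"present": False, "mask": None, "roles": [], "mitigated": False}
    return {"present": True, "mask": mask, "roles": roles_allowed(mask), "mitigated": mask == 1}


def restrict_to_root_admin(text: str) -> str:
    """Return the file text with the registerUserKeys entry set to 1; other lines untouched."""
    out = []
    for raw in text.splitlines():
        name, sep, _ = raw.strip().partition("=")
        out.append(f"{API_NAME}=1" if sep and name.strip() == API_NAME else raw)
    return "\n".join(out) + "\n"


# Constructed samples, not real files.
SAMPLE_VULNERABLE = "#### Account commands\nregisterUserKeys=15\nlistAccounts=15\n"
SAMPLE_MITIGATED = "registerUserKeys=1\nlistAccounts=15\n"

if __name__ == "__main__":
    print("before:", audit_register_user_keys(SAMPLE_VULNERABLE))
    print("after: ", audit_register_user_keys(restrict_to_root_admin(SAMPLE_VULNERABLE)))
```

Run it against each management server's commands.properties after the restart; a result with `mitigated: True` means only root-admin accounts can reach the API.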
Users of CloudStack 4.9 who are using the dynamic roles feature can navigate to UI->Roles, open the Rules section of each non-admin role, and delete any configured ‘Allow’ rule for ‘registerUserKeys’.
For ShapeBlue support customers, please contact the support team for further information.
For other CloudStack users, please use the community mailing lists.
For users of commercial distributions of CloudStack, please contact your vendor.