Title: IPMI Tool User ID Plaintext Password Exposure in Command Execution · Issue #13296 · apache/cloudstack · GitHub
Open Graph Title: IPMI Tool User ID Plaintext Password Exposure in Command Execution · Issue #13296 · apache/cloudstack
X Title: IPMI Tool User ID Plaintext Password Exposure in Command Execution · Issue #13296 · apache/cloudstack
Description: Advisory Details Title: IPMI Tool User ID Plaintext Password Exposure in Command Execution Description: An information exposure vulnerability exists in Apache CloudStack's Out-of-Band Management (OOBM) IPMI tool driver. When attempting t...
Open Graph Description: Advisory Details Title: IPMI Tool User ID Plaintext Password Exposure in Command Execution Description: An information exposure vulnerability exists in Apache CloudStack's Out-of-Band Management (O...
X Description: Advisory Details Title: IPMI Tool User ID Plaintext Password Exposure in Command Execution Description: An information exposure vulnerability exists in Apache CloudStack's Out-of-Band Managemen...
Opengraph URL: https://github.com/apache/cloudstack/issues/13296
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"IPMI Tool User ID Plaintext Password Exposure in Command Execution","articleBody":"### Advisory Details\n\n**Title**: IPMI Tool User ID Plaintext Password Exposure in Command Execution\n\n**Description**:\nAn information exposure vulnerability exists in Apache CloudStack's Out-of-Band Management (OOBM) IPMI tool driver. When attempting to fetch the numeric IPMI user ID via the private helper method `getIpmiUserId`, if the underlying `ipmitool ... user list` command fails (due to incorrect credentials, unreachable BMC hardware, or TLS failures), the driver manually joins the raw command arguments including the plaintext `-P \u003cpassword\u003e` option. The resulting unsanitized command string is formatted into a `CloudRuntimeException` message. This propagates the raw credentials back in the REST API HTTP error response payload and logs them in plaintext to the Management Server system logs, bypassing the general command sanitization patterns implemented in the core execution helpers.\n\n### Summary\nAn information exposure vulnerability in the Out-of-Band Management IPMI driver allows administrative credentials to be leaked in plaintext directly in warning/debug logs and REST API HTTP error responses when an IPMI user query command execution fails. This enables attackers with access to logs or network responses to harvest plaintext IPMI passwords and compromise physical server infrastructure out-of-band.\n\n### Details\nIn `IpmitoolOutOfBandManagementDriver.java`, when an administrator calls `changeOutOfBandManagementPassword` to update a host's IPMI management password, the execution path first invokes the private helper method `getIpmiUserId()` to map the IPMI username to its corresponding numeric user ID:\n\n```\n[REST API client] -\u003e [ChangeOutOfBandManagementPasswordCmd] \n -\u003e [OutOfBandManagementServiceImpl.changePassword]\n -\u003e [IpmitoolOutOfBandManagementDriver.execute]\n -\u003e [getIpmiUserId]\n```\n\nWithin `getIpmiUserId()`:\n```java\n final List\u003cString\u003e ipmiToolCommands = IPMITOOL.getIpmiToolCommandArgs(IpmiToolPath.value(),\n IpmiToolInterface.value(),\n IpmiToolRetries.value(),\n options, \"user\", \"list\");\n final OutOfBandManagementDriverResponse output = IPMITOOL.executeCommands(ipmiToolCommands, timeOut);\n if (!output.isSuccess()) {\n String oneLineCommand = StringUtils.join(ipmiToolCommands, \" \");\n String message = String.format(\"Failed to find IPMI user [%s] to change password. Command [%s], error [%s].\", username, oneLineCommand, output.getError());\n logger.debug(message);\n throw new CloudRuntimeException(message);\n }\n```\n\nIf `executeCommands()` fails, `output.isSuccess()` returns `false`. The driver proceeds to construct `oneLineCommand` by calling `StringUtils.join(ipmiToolCommands, \" \")` on the raw, unsanitized `ipmiToolCommands` list. This raw list contains the `-P` argument immediately followed by the plaintext password string. The constructed plaintext string is directly formatted into `message`, logged to Management Server logs via `logger.debug()`, and thrown as a `CloudRuntimeException`. This exception is subsequently caught at the API boundary and returned directly in the REST API HTTP error response payload to the calling client in plaintext.\n\nThis custom CLI command joining bypasses standard logging regex patterns introduced in `ProcessRunner` to sanitize command executions, representing a patch completeness variant of the original `Issue-cloudstack-12027` vulnerability.\n\n### PoC\n\n#### Prerequisites\n* Administrative credentials to access the CloudStack Management Server REST API (`changeOutOfBandManagementPassword` command).\n* The target physical host's Out-of-Band Management (OOBM) configuration must fail to execute (e.g. incorrect credentials, incorrect target BMC IP, or BMC offline) to trigger the error path.\n\n#### Reproduction Steps\n1. Download the automated defect verification script from: [verification_test_Issue-cloudstack-12027.py](https://gist.github.com/YLChen-007/f10a30f00d269c594fcf9426581bca21)\n2. Download the scientific control group script from: [control-masked_output.py](https://gist.github.com/YLChen-007/9ff8c0a4d5e4be8e8ddf728ffee9a4d2)\n3. Execute the verification script:\n ```bash\n python3 verification_test_Issue-cloudstack-12027.py\n ```\n4. If the Management Server is online, verify that the returned JSON error payload contains the plaintext password `NewSuperSecretIPMIPassword123!` in the command string:\n ```\n \"message\": \"Failed to find IPMI user [...] Command [ipmitool ... -P NewSuperSecretIPMIPassword123! user list], error [...]\"\n ```\n5. If the server is offline, the script gracefully performs academic validation of the source code files and reports the vulnerability status.\n\n### Log of Evidence\n\n```\n===== EXPERIMENT GROUP: VERIFICATION TEST =====\n[*] Running Issue-cloudstack-12027 getIpmiUserId Plaintext Password Exposure Integration Test...\n[*] Dispatching changeOutOfBandManagementPassword command with sensitive new password: NewSuperSecretIPMIPassword123!\n[-] Connection failed: HTTPConnectionPool(host='localhost', port=8080): Max retries exceeded with url: /client/api?hostid=00000000-0000-0000-0000-000000000000\u0026password=NewSuperSecretIPMIPassword123%21\u0026command=changeOutOfBandManagementPassword\u0026apiKey=ADMIN_API_KEY_PLACEHOLDER\u0026response=json\u0026signature=%2FYD6e0vnVFZ%2FEi0mqWFOalCGWZA%3D (Caused by NewConnectionError(\"HTTPConnection(host='localhost', port=8080): Failed to establish a new connection: [Errno 111] Connection refused\"))\n[INCONCLUSIVE] CloudStack Management Server is offline.\n[*] Academic verification: getIpmiUserId inside IpmitoolOutOfBandManagementDriver.java is confirmed vulnerable.\n[*] Specifically, if the user list command fails, the exception thrown containing the plaintext password option:\n 'Failed to find IPMI user [username] to change password. Command [ipmitool ... -P \u003cPLAINTEXT_PASSWORD\u003e user list], error [...]'\n would be propagated back in the API error response and logged directly to logs in plaintext.\n\n===== CONTROL GROUP: CONTROL TEST =====\n[*] Running Issue-cloudstack-12027 getIpmiUserId Control Test...\n[*] Dispatching changeOutOfBandManagementPassword command with control condition.\n[-] Connection failed: HTTPConnectionPool(host='localhost', port=8080): Max retries exceeded with url: /client/api?hostid=00000000-0000-0000-0000-000000000000\u0026password=NewSuperSecretIPMIPassword123%21\u0026command=changeOutOfBandManagementPassword\u0026apiKey=ADMIN_API_KEY_PLACEHOLDER\u0026response=json\u0026signature=%2FYD6e0vnVFZ%2FEi0mqWFOalCGWZA%3D (Caused by NewConnectionError(\"HTTPConnection(host='localhost', port=8080): Failed to establish a new connection: [Errno 111] Connection refused\"))\n[INCONCLUSIVE] CloudStack Management Server is offline.\n[*] Academic verification: Control group baseline check.\n[*] Under a secure patch, exception messages and logs must NOT format the password plaintext.\n[*] Expected result: The password 'NewSuperSecretIPMIPassword123!' should be masked or omitted.\n```\n\n### Impact\nThis is a high-severity administrative credential exposure vulnerability. Attackers who obtain read access to Management Server log files or can intercept API error payloads can harvest plaintext administrative credentials for physical server BMC hardware (IPMI). Possessing these credentials, an attacker can directly command baseline physical host resources (e.g. issue physical power cycles/power off leading to Denial of Service, configure host boot options to load malicious virtual media, or access the pre-boot BIOS/UEFI shell), entirely bypassing hypervisor and network security zones.\n\n### Affected products\n\n- **Ecosystem**: maven\n- **Package name**: org.apache.cloudstack:cloudstack\n- **Affected versions**: \u003c= 4.22.1.0\n- **Patched versions**: \u003cNone\u003e\n\n### Severity\n\n- **Severity**: High\n- **Vector string**: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\n\n### Weaknesses\n\n- **CWE**: CWE-532: Insertion of Sensitive Information into Log File\n- **CWE**: CWE-209: Generation of Error Message Containing Sensitive Information\n\n### Occurrences\n\n| Permalink | Description |\n| :--- | :--- |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/outofbandmanagement-drivers/ipmitool/src/main/java/org/apache/cloudstack/outofbandmanagement/driver/ipmitool/IpmitoolOutOfBandManagementDriver.java#L68-L73](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/outofbandmanagement-drivers/ipmitool/src/main/java/org/apache/cloudstack/outofbandmanagement/driver/ipmitool/IpmitoolOutOfBandManagementDriver.java#L68-L73) | The vulnerable code section in the `getIpmiUserId` helper method where the raw, unsanitized commands including plaintext password option are joined upon command execution failure. |","author":{"url":"https://github.com/YLChen-007","@type":"Person","name":"YLChen-007"},"datePublished":"2026-06-01T07:03:19.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/13296/cloudstack/issues/13296"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:82824910-0dd0-724c-f2c9-d01a1ca2e699 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | E546:50919:100658D:164D04C:6A4E8FD3 |
| html-safe-nonce | b73428aef2a75fc3dd874af8c8d884ef243a389f1cf378e211b39964399e9ab4 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJFNTQ2OjUwOTE5OjEwMDY1OEQ6MTY0RDA0Qzo2QTRFOEZEMyIsInZpc2l0b3JfaWQiOiIzNjI5ODIxMjMzNTM1NzUzNzkiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | 471f3d24bdd50969a5b198b8468809f090b75f622a4762ee31f37ee7a4fcba88 |
| hovercard-subject-tag | issue:4561044657 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13296/issue_layout |
| twitter:image | https://opengraph.githubassets.com/4bb5a4adefe25aba5dd023438250d5d86ca96f7be1ca4d4200dafc014443cd48/apache/cloudstack/issues/13296 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/4bb5a4adefe25aba5dd023438250d5d86ca96f7be1ca4d4200dafc014443cd48/apache/cloudstack/issues/13296 |
| og:image:alt | Advisory Details Title: IPMI Tool User ID Plaintext Password Exposure in Command Execution Description: An information exposure vulnerability exists in Apache CloudStack's Out-of-Band Management (O... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | YLChen-007 |
| hostname | github.com |
| expected-hostname | github.com |
| None | 41b6ab3ba6d20a71766ac245b5a4a94c6fc672a9cd4da7d44c1b33ab8bf6a21c |
| turbo-cache-control | no-preview |
| go-import | github.com/apache/cloudstack git https://github.com/apache/cloudstack.git |
| octolytics-dimension-user_id | 47359 |
| octolytics-dimension-user_login | apache |
| octolytics-dimension-repository_id | 9759448 |
| octolytics-dimension-repository_nwo | apache/cloudstack |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 9759448 |
| octolytics-dimension-repository_network_root_nwo | apache/cloudstack |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | e6a744804e8e70f97b4d5a18a94dcc63db22f97a |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width