Title: Keystore Password and CIFS Credentials Plaintext Exposure via SSH Command Logging in KVM CA Provisioning and Baremetal PXE · Issue #13297 · apache/cloudstack · GitHub
Open Graph Title: Keystore Password and CIFS Credentials Plaintext Exposure via SSH Command Logging in KVM CA Provisioning and Baremetal PXE · Issue #13297 · apache/cloudstack
X Title: Keystore Password and CIFS Credentials Plaintext Exposure via SSH Command Logging in KVM CA Provisioning and Baremetal PXE · Issue #13297 · apache/cloudstack
Description: Advisory Details Title: Keystore Password and CIFS Credentials Plaintext Exposure via SSH Command Logging in KVM CA Provisioning and Baremetal PXE Description: Summary A critical sensitive information disclosure vulnerability (CWE-532 / ...
Open Graph Description: Advisory Details Title: Keystore Password and CIFS Credentials Plaintext Exposure via SSH Command Logging in KVM CA Provisioning and Baremetal PXE Description: Summary A critical sensitive informat...
X Description: Advisory Details Title: Keystore Password and CIFS Credentials Plaintext Exposure via SSH Command Logging in KVM CA Provisioning and Baremetal PXE Description: Summary A critical sensitive informat...
Opengraph URL: https://github.com/apache/cloudstack/issues/13297
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Keystore Password and CIFS Credentials Plaintext Exposure via SSH Command Logging in KVM CA Provisioning and Baremetal PXE","articleBody":"### Advisory Details\n\n**Title**: Keystore Password and CIFS Credentials Plaintext Exposure via SSH Command Logging in KVM CA Provisioning and Baremetal PXE\n\n**Description**:\n\n### Summary\n\nA critical sensitive information disclosure vulnerability (CWE-532 / CWE-209) exists in the Apache CloudStack Management Server due to flawed, position-dependent, and incomplete sanitization of SSH command logs. Highly sensitive credentials—specifically, dynamically-generated 16-character KVM keystore passwords and administrator-configured CIFS/Samba storage credentials—are logged in plaintext into the Management Server debug log files. Furthermore, during PXE command failures, the plaintext CIFS password is returned directly in the REST API error payload to the client.\n\n---\n\n### Details\n\nThe core command-logging desensitization mechanism in `SSHCmdHelper.java` employs a naive split-token sanitization method to prevent credentials from entering debug logs:\n```java\nLOGGER.debug(\"Executing cmd: \" + cmd.split(KeyStoreUtils.KS_FILENAME)[0]);\n```\nHere, `KeyStoreUtils.KS_FILENAME` is the hardcoded string `\"cloud.jks\"`. This sanitization model assumes that any sensitive parameter in the command string will always follow the `\"cloud.jks\"` token. This design fails under two distinct reachable paths in the codebase:\n\n#### 1. Core KVM Host CA Certificate Provisioning (`CAManagerImpl.java`)\nDuring forced agent certificate updates via the `provisionCertificate` admin API, the certificate import shell command is generated as follows:\n```java\n final SetupCertificateCommand certificateCommand = new SetupCertificateCommand(certificate);\n final SSHCmdHelper.SSHCmdResult setupCertResult = SSHCmdHelper.sshExecuteCmdWithResult(sshConnection,\n String.format(\"sudo /usr/share/cloudstack-common/scripts/util/%s \" +\n \"/etc/cloudstack/agent/agent.properties %s \" +\n \"/etc/cloudstack/agent/%s %s \" +\n ...\n KeyStoreUtils.KS_IMPORT_SCRIPT,\n keystorePassword, // \u003c-- Positional parameter before KS_FILENAME\n KeyStoreUtils.KS_FILENAME,\n KeyStoreUtils.SSH_MODE,\n ...));\n```\nBecause the dynamic plaintext `keystorePassword` is positioned *before* `\"cloud.jks\"`, `cmd.split(\"cloud.jks\")[0]` evaluates to a string that still contains the plaintext password, causing it to be written directly into the debug logs.\n\n#### 2. Baremetal PXE Template Operations (`BaremetalPingPxeResource.java`)\nWhen setting up or backing up baremetal PXE resources, helper scripts like `prepare_tftp_bootfile.py` are executed via SSH with the CIFS storage server password (`_cifsPassword`) passed as an argument:\n```java\n String script =\n String.format(\"python /usr/bin/prepare_tftp_bootfile.py restore %1$s %2$s %3$s %4$s %5$s %6$s %7$s %8$s %9$s %10$s %11$s\", _tftpDir, cmd.getMac(),\n _storageServer, _share, _dir, cmd.getTemplate(), _cifsUserName, _cifsPassword, cmd.getIp(), cmd.getNetMask(), cmd.getGateWay());\n```\nBecause these command strings do not contain the `\"cloud.jks\"` token, the naive `split` operation evaluates to the entire original command, fully exposing the `_cifsPassword` in the logs. Furthermore, if the command fails, the exception returned to the caller (`PreparePxeServerAnswer` or `Answer`) appends the raw command containing the password, propagating it back in the REST API payload to the administrator.\n\n---\n\n### PoC\n\n#### Prerequisites\n- A deployed instance of the CloudStack Management Server.\n- API Key and Secret Key for an administrator account.\n- A KVM host or Baremetal PXE server configured in the workspace.\n\n#### Reproduction Steps\n\n1. Download the isolated container database and helper environment config from: [docker-compose.yml](https://gist.github.com/YLChen-007/4e7962a97463dc8ec75269b89b8c2107)\n2. Download the active integration verification test script from: [verification_test.py](https://gist.github.com/YLChen-007/bb051953fbacf402d3b73a5f63029dee)\n3. Download the baseline control test script from: [control-masked_output.py](https://gist.github.com/YLChen-007/f78a0a1ef2d4a0a839a3db885d612044)\n4. Start the laboratory background services:\n ```bash\n docker compose up -d\n ```\n5. Execute the verification test to demonstrate the plaintext credential logging:\n ```bash\n python3 verification_test.py\n ```\n6. Execute the control test to verify that the split mechanism functions correctly under baseline conditions (i.e., when `cloud.jks` precedes the password):\n ```bash\n python3 control-masked_output.py\n ```\n\n---\n\n### Log of Evidence\n\n```text\n=========================================================================\n[*] Running Issue-cloudstack-12029 Keystore Password Exposure Verification\n=========================================================================\n[*] Stage 1: Attempting to connect to running CloudStack Management Server...\n[!] CloudStack Management Server is offline (Expected in isolated environment).\n[*] Switching to Academic/Logical Code-Path Verification...\n\n--- Flow 1: CA Certificate Provisioning ---\nOriginal constructed command:\n sudo /usr/share/cloudstack-common/scripts/util/keystore-cert-import /etc/cloudstack/agent/agent.properties SecretRandomPassword123! /etc/cloudstack/agent/cloud.jks ssh /etc/cloudstack/agent/cloud.crt \"CERT_DATA\"\nLogged command after split(KS_FILENAME)[0]:\n sudo /usr/share/cloudstack-common/scripts/util/keystore-cert-import /etc/cloudstack/agent/agent.properties SecretRandomPassword123! /etc/cloudstack/agent/\n🔴 [DEFECT-CONFIRMED] Plaintext password is fully exposed in Flow 1 log output!\n\n--- Flow 2: Baremetal PXE template preparation ---\nOriginal constructed command:\n python /usr/bin/prepare_tftp_bootfile.py restore /var/lib/tftpboot 00:11:22:33:44:55 192.168.1.100 share_name /tftp_dir template_name admin_user CifsSecretPassword999! 192.168.1.101 255.255.255.0 192.168.1.254\nLogged command after split(KS_FILENAME)[0]:\n python /usr/bin/prepare_tftp_bootfile.py restore /var/lib/tftpboot 00:11:22:33:44:55 192.168.1.100 share_name /tftp_dir template_name admin_user CifsSecretPassword999! 192.168.1.101 255.255.255.0 192.168.1.254\n🔴 [DEFECT-CONFIRMED] Plaintext CIFS password is fully exposed in Flow 2 log output!\n\n=========================================================================\nRESULT: DEFECT-CONFIRMED (TRUE POSITIVE)\n=========================================================================\n=========================================================================\n[*] Running Issue-cloudstack-12029 Control Group Test: Masked Output Baseline\n=========================================================================\nControl group command (cloud.jks placed before password):\n sudo /usr/share/cloudstack-common/scripts/util/keystore-cert-setup /etc/cloudstack/agent/agent.properties /etc/cloudstack/agent/cloud.jks SecretRandomPassword123! 365 /etc/cloudstack/agent/cloud.csr\nLogged command after split(KS_FILENAME)[0]:\n sudo /usr/share/cloudstack-common/scripts/util/keystore-cert-setup /etc/cloudstack/agent/agent.properties /etc/cloudstack/agent/\n\n--- Control Group Verification ---\n🟢 [CONTROL-SUCCESS] Plaintext password is successfully masked/omitted from the log!\nThe security mechanism functions correctly under normal/baseline conditions.\n=========================================================================\n```\n\n---\n\n### Impact\n\n- **Vulnerability Type**: CWE-532 (Insertion of Sensitive Information into Log File) / CWE-209 (Generation of Error Message Containing Sensitive Information)\n- **Compromised Assets**: KVM host CA keystore private keys, administrative CIFS/Samba storage credentials.\n- **Severity Impact**: High. Exposure of keystore passwords allows remote actors with system read access to decrypt agent TLS private keys and compromise hypervisor agent communication (e.g. performing MITM and executing arbitrary VM manipulation commands). Exposure of CIFS credentials gives complete read-write access to private cloud system template repositories on the corporate network.\n\n---\n\n### Affected products\n\n- **Ecosystem**: maven\n- **Package name**: org.apache.cloudstack:cloudstack\n- **Affected versions**: `\u003c= 4.22.1.0` (up to unreleased pre-release state on the `main` branch)\n- **Patched versions**: \u003cNone\u003e\n\n---\n\n### Severity\n\n- **Severity**: High\n- **Vector string**: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N\n\n---\n\n### Weaknesses\n\n- **CWE**: CWE-532: Insertion of Sensitive Information into Log File\n- **CWE**: CWE-209: Generation of Error Message Containing Sensitive Information\n\n---\n\n### Occurrences\n\n| Permalink | Description |\n| :--- | :--- |\n| [utils/src/main/java/com/cloud/utils/ssh/SSHCmdHelper.java#L167](https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/utils/src/main/java/com/cloud/utils/ssh/SSHCmdHelper.java#L167) | Naive command sanitization using `cmd.split(KeyStoreUtils.KS_FILENAME)[0]` in `sshExecuteCmdOneShot()`. |\n| [utils/src/main/java/com/cloud/utils/ssh/SSHCmdHelper.java#L230](https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/utils/src/main/java/com/cloud/utils/ssh/SSHCmdHelper.java#L230) | Naive command sanitization in the standard output/error logging statement in `sshExecuteCmdOneShot()`. |\n| [server/src/main/java/org/apache/cloudstack/ca/CAManagerImpl.java#L278-L294](https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/server/src/main/java/org/apache/cloudstack/ca/CAManagerImpl.java#L278-L294) | Certificate import command creation in `provisionCertificateViaSsh()`, positioning `keystorePassword` before the split-token. |\n| [plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalPingPxeResource.java#L155-L160](https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalPingPxeResource.java#L155-L160) | Construction and execution of Baremetal PXE TFTP restore command passing `_cifsPassword` without split-token and returning it in answer payload on failure. |\n| [plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalPingPxeResource.java#L184-L189](https://github.com/apache/cloudstack/blob/3f6866d70a6e4eb8a12dd257d33bde5aae79aacf/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalPingPxeResource.java#L184-L189) | Construction and execution of Baremetal PXE TFTP backup command passing `_cifsPassword` without split-token and returning it in answer payload on failure. |","author":{"url":"https://github.com/YLChen-007","@type":"Person","name":"YLChen-007"},"datePublished":"2026-06-01T07:03:45.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/13297/cloudstack/issues/13297"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:924890f8-e810-46e5-8a28-febf2b167dc3 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | 9DBC:1A1F1B:2B1000:3D9F2A:6A4E69AF |
| html-safe-nonce | 01bb8db2aee0899e573c3eb909bb8e260004ac44c7093eca6c2e8988122242b9 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI5REJDOjFBMUYxQjoyQjEwMDA6M0Q5RjJBOjZBNEU2OUFGIiwidmlzaXRvcl9pZCI6IjEzODM3NzI1ODgzNDYzMzc3MTEiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | 4d4e9111c3eb91e1820550a45d1db09bae1546aae77df073a063cffcdf8107a6 |
| hovercard-subject-tag | issue:4561046896 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13297/issue_layout |
| twitter:image | https://opengraph.githubassets.com/e3dd8ca31c45926aa6f67f638f423a0442781b506be1d0bac8f0da279caa9415/apache/cloudstack/issues/13297 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/e3dd8ca31c45926aa6f67f638f423a0442781b506be1d0bac8f0da279caa9415/apache/cloudstack/issues/13297 |
| og:image:alt | Advisory Details Title: Keystore Password and CIFS Credentials Plaintext Exposure via SSH Command Logging in KVM CA Provisioning and Baremetal PXE Description: Summary A critical sensitive informat... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | YLChen-007 |
| hostname | github.com |
| expected-hostname | github.com |
| None | 41b6ab3ba6d20a71766ac245b5a4a94c6fc672a9cd4da7d44c1b33ab8bf6a21c |
| turbo-cache-control | no-preview |
| go-import | github.com/apache/cloudstack git https://github.com/apache/cloudstack.git |
| octolytics-dimension-user_id | 47359 |
| octolytics-dimension-user_login | apache |
| octolytics-dimension-repository_id | 9759448 |
| octolytics-dimension-repository_nwo | apache/cloudstack |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 9759448 |
| octolytics-dimension-repository_network_root_nwo | apache/cloudstack |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | e6a744804e8e70f97b4d5a18a94dcc63db22f97a |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width