René's URL Explorer Experiment


Title: VM Snapshot VNC Password Loss Variant leading to Unauthenticated Console Access · Issue #13302 · apache/cloudstack · GitHub

Open Graph Title: VM Snapshot VNC Password Loss Variant leading to Unauthenticated Console Access · Issue #13302 · apache/cloudstack

X Title: VM Snapshot VNC Password Loss Variant leading to Unauthenticated Console Access · Issue #13302 · apache/cloudstack

Description: Advisory Details Title: VM Snapshot VNC Password Loss Variant leading to Unauthenticated Console Access Description: An incomplete security audit fix in Apache CloudStack's KVM hypervisor agent causes VM graphics/VNC console passwords to...

Open Graph Description: Advisory Details Title: VM Snapshot VNC Password Loss Variant leading to Unauthenticated Console Access Description: An incomplete security audit fix in Apache CloudStack's KVM hypervisor agent cau...

X Description: Advisory Details Title: VM Snapshot VNC Password Loss Variant leading to Unauthenticated Console Access Description: An incomplete security audit fix in Apache CloudStack's KVM hypervisor agent...

Opengraph URL: https://github.com/apache/cloudstack/issues/13302

X: @github

direct link

Domain: github.com


Hey, it has json ld scripts:
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"VM Snapshot VNC Password Loss Variant leading to Unauthenticated Console Access","articleBody":"### Advisory Details\n\n**Title**: VM Snapshot VNC Password Loss Variant leading to Unauthenticated Console Access\n\n**Description**:\n\nAn incomplete security audit fix in Apache CloudStack's KVM hypervisor agent causes VM graphics/VNC console passwords to be permanently stripped when VM snapshots are created or redefined. Reverting a VM to these snapshots restores the VM using the password-less XML configuration, allowing unauthorized network-adjacent attackers to connect to the VM's guest OS console without VNC authentication.\n\n### Summary\n\nAn incomplete fix for **CVE-2015-3252** (specifically, missing the VM snapshot definition/restoration path) allows attackers to bypass VNC authentication controls on KVM-managed guest virtual machines. When a KVM hypervisor agent restores VM snapshot metadata, it calls `dm.getXMLDesc(0)`, which strips the graphics tag's password property (`passwd='...'`). Subsequent reversion to this snapshot re-registers the VM with libvirt without a VNC password, leaving the virtual machine console wide open to unauthenticated users.\n\n### Details\n\nDuring patch completeness audits of Apache CloudStack, we analyzed the patch commit `5d29b63cfa98a15d7734798c5b29a43658d7f112` for **CVE-2015-3252**. The original issue stripped VNC passwords because the domain XML was retrieved using `dm.getXMLDesc(0)` (the default flag `0` explicitly removes all security-sensitive credentials).\n\nWhile the developers successfully fixed the VM reboot and VM migration paths by using `dm.getXMLDesc(1)` and `dm.getXMLDesc(8)` respectively, they **missed the snapshot definition and restoration path** in `LibvirtRestoreVMSnapshotCommandWrapper.java`.\n\nInside `LibvirtRestoreVMSnapshotCommandWrapper.java`:\n```java\nDomain dm = null;\ntry {\n    final LibvirtUtilitiesHelper libvirtUtilitiesHelper = libvirtComputingResource.getLibvirtUtilitiesHelper();\n    Connect conn = libvirtUtilitiesHelper.getConnection();\n    dm = libvirtComputingResource.getDomain(conn, vmName);\n\n    if (dm == null) {\n        return new RestoreVMSnapshotAnswer(cmd, false,\n                \"Restore Instance Snapshot Failed due to can not find Instance: \" + vmName);\n    }\n    String xmlDesc = dm.getXMLDesc(0); // \u003c--- 💥 Insecure Flag 0 strips VNC passwd!\n```\n\nThis insecure XML description is then used to generate the snapshot metadata via `libvirtUtilitiesHelper.generateVMSnapshotXML(...)` and persisted on the host with `dm.snapshotCreateXML(vmSnapshotXML, flags)`.\nBecause `getXMLDesc(0)` was called, the `\u003cgraphics type='vnc' ...\u003e` tag has no `passwd` attribute inside the stored snapshot. When a tenant user later reverts the VM to this snapshot, libvirt restores the graphics configuration from this stripped definition, permanently erasing VNC password protection and exposing the VNC port (ports `5900+`) to unauthenticated console connections.\n\n### PoC\n\n#### Prerequisites\n\n- Apache CloudStack KVM Agent installed on a KVM hypervisor.\n- A virtual machine configured with VNC password protection.\n- Docker \u0026 Python 3 installed locally.\n\n#### Reproduction Steps\n\n1. Set up the local test simulation by downloading the Docker Compose file: [docker-compose.yml](https://gist.github.com/YLChen-007/3b65889cb69a220624ccc84ed7157681)\n\n2. Start the simulation environment:\n   ```bash\n   docker compose up -d\n   ```\n\n3. Download the automated static codebase audit script: [verification_test.py](https://gist.github.com/YLChen-007/d08d29a49aed92d1b8c7c73d7883321a)\n\n4. Execute the verification script:\n   ```bash\n   python3 verification_test.py\n   ```\n\n5. Download the control group verification script: [control-secure_xml_flag.py](https://gist.github.com/YLChen-007/45d77061579e39f233761f32d1ac10bf)\n\n6. Execute the control group script:\n   ```bash\n   python3 control-secure_xml_flag.py\n   ```\n\n### Log of Evidence\n\n```\n==========================================================================\nCVE-2015-3252 VM Snapshot VNC Password Loss Variant Verification Test\n==========================================================================\n[*] Vulnerable Source File Path: /root/distributed-project/cloudstack/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRestoreVMSnapshotCommandWrapper.java\n[*] CloudStack Management Server API URL: http://localhost:8080/client/api\n[*] Attempting to connect to live CloudStack Management Server...\n[-] Live CloudStack Management Server is not reachable at localhost:8080.\n[*] Falling back to static/bytecode audit verification on the compiled/source environment...\n\n--- Static Source Audit Flow ---\n[*] Analyzing source code file for unpatched CVE-2015-3252 variant pattern...\n[+] Match found! Found vulnerable pattern 'dm.getXMLDesc(0)' in source file.\n    Line 59: String xmlDesc = dm.getXMLDesc(0);\n\n==========================================================================\n[DEFECT CONFIRMED] - The VNC password loss variant in LibvirtRestoreVMSnapshotCommandWrapper is present!\nExplanation: The Domain XML is fetched using dm.getXMLDesc(0) which strips the sensitive VNC password.\nRedefining the snapshot with this XML will cause permanent loss of the password upon snapshot revert.\n==========================================================================\n\n==========================================================================\nCVE-2015-3252 VM Snapshot VNC Password Loss Variant - Control Group Test\n==========================================================================\n[*] Control Source File Path: /root/distributed-project/cloudstack/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtGetRemoteVmsCommandWrapper.java\n\n--- Control Group Static Source Audit Flow ---\n[*] Analyzing control source code file for correct security mechanism usage (flag 1)...\n[+] Match found! Found secure pattern 'getXMLDesc(1)' in control source file.\n    Line 89: parser.parseDomainXML(domain.getXMLDesc(1));\n\n==========================================================================\n[CONTROL SUCCESSFUL] - The security mechanism (VIR_DOMAIN_XML_SECURE flag 1)\nis correctly functioning and implemented in standard control components.\nThis confirms that the secure behavior is fully supported and expected by design,\nmaking the 'getXMLDesc(0)' pattern in the snapshot flow a genuine security defect.\n==========================================================================\n```\n\n### Impact\n\n- **Vulnerability Category**: Cryptographic credential loss / Unauthenticated Access / Information Disclosure (CWE-200 / CWE-250)\n- **Compromised Assets**: Entire Guest Virtual Machine OS.\n- **Security Impact**: High. Any network-adjacent attacker or unauthorized console proxy user can fully hijack the guest OS console via the hypervisor's unprotected VNC port (usually `5900+`) without needing credentials, bypassing all VM-level console authentication mechanisms.\n\n### Affected products\n\n- **Ecosystem**: maven\n- **Package name**: org.apache.cloudstack:cloudstack-plugins-hypervisor-kvm\n- **Affected versions**: \u003c= 4.22.1.0\n- **Patched versions**: \u003cNone\u003e\n\n### Severity\n\n- **Severity**: High\n- **Vector string**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\n### Weaknesses\n\n- **CWE**: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\n\n### Occurrences\n\n| Permalink | Description |\n| :--- | :--- |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRestoreVMSnapshotCommandWrapper.java#L59](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRestoreVMSnapshotCommandWrapper.java#L59) | The vulnerable `execute` method retrieves domain XML with a flag value of `0` in `LibvirtRestoreVMSnapshotCommandWrapper.java`, stripping the graphics/VNC password. |","author":{"url":"https://github.com/YLChen-007","@type":"Person","name":"YLChen-007"},"datePublished":"2026-06-01T07:04:54.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/13302/cloudstack/issues/13302"}

route-pattern/_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format)
route-controllervoltron_issues_fragments
route-actionissue_layout
fetch-noncev2:8be96fc1-a03d-7835-b432-5caab66f8244
current-catalog-service-hash81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114
request-idAEAC:A2022:3FD76C:5A2B40:6A4E6DF1
html-safe-nonce15cf0709aa3c71b71321291db8e55f47347a8ef936852ab77b31e4492abd4d86
visitor-payloadeyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJBRUFDOkEyMDIyOjNGRDc2Qzo1QTJCNDA6NkE0RTZERjEiLCJ2aXNpdG9yX2lkIjoiMTI2MzQ5OTk5NjM4NjE5Mjg4MSIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9
visitor-hmacdae767144a7d82fa42b1292facc823b8de9bfaa5cadf3817fd9a0e4cd55e3932
hovercard-subject-tagissue:4561052622
github-keyboard-shortcutsrepository,issues,copilot
google-site-verificationApib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
octolytics-urlhttps://collector.github.com/github/collect
analytics-location///voltron/issues_fragments/issue_layout
fb:app_id1401488693436528
apple-itunes-appapp-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13302/issue_layout
twitter:imagehttps://opengraph.githubassets.com/d435a6fe12408540f9afde50a10bf5a8595b1ddfb4970f02f0537c60c75254a5/apache/cloudstack/issues/13302
twitter:cardsummary_large_image
og:imagehttps://opengraph.githubassets.com/d435a6fe12408540f9afde50a10bf5a8595b1ddfb4970f02f0537c60c75254a5/apache/cloudstack/issues/13302
og:image:altAdvisory Details Title: VM Snapshot VNC Password Loss Variant leading to Unauthenticated Console Access Description: An incomplete security audit fix in Apache CloudStack's KVM hypervisor agent cau...
og:image:width1200
og:image:height600
og:site_nameGitHub
og:typeobject
og:author:usernameYLChen-007
hostnamegithub.com
expected-hostnamegithub.com
None41b6ab3ba6d20a71766ac245b5a4a94c6fc672a9cd4da7d44c1b33ab8bf6a21c
turbo-cache-controlno-preview
go-importgithub.com/apache/cloudstack git https://github.com/apache/cloudstack.git
octolytics-dimension-user_id47359
octolytics-dimension-user_loginapache
octolytics-dimension-repository_id9759448
octolytics-dimension-repository_nwoapache/cloudstack
octolytics-dimension-repository_publictrue
octolytics-dimension-repository_is_forkfalse
octolytics-dimension-repository_network_root_id9759448
octolytics-dimension-repository_network_root_nwoapache/cloudstack
turbo-body-classeslogged-out env-production page-responsive
disable-turbofalse
browser-stats-urlhttps://api.github.com/_private/browser/stats
browser-errors-urlhttps://api.github.com/_private/browser/errors
releasee6a744804e8e70f97b4d5a18a94dcc63db22f97a
ui-targetcanary-2
theme-color#1e2327
color-schemelight dark

Links:

Skip to contenthttps://github.com/apache/cloudstack/issues/13302#start-of-content
https://github.com/
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fapache%2Fcloudstack%2Fissues%2F13302
GitHub CopilotWrite better code with AIhttps://github.com/features/copilot
GitHub Copilot appDirect agents from issue to mergehttps://github.com/features/ai/github-app
MCP RegistryNewIntegrate external toolshttps://github.com/mcp
ActionsAutomate any workflowhttps://github.com/features/actions
CodespacesInstant dev environmentshttps://github.com/features/codespaces
IssuesPlan and track workhttps://github.com/features/issues
Code ReviewManage code changeshttps://github.com/features/code-review
GitHub Advanced SecurityFind and fix vulnerabilitieshttps://github.com/security/advanced-security
Code securitySecure your code as you buildhttps://github.com/security/advanced-security/code-security
Secret protectionStop leaks before they starthttps://github.com/security/advanced-security/secret-protection
Why GitHubhttps://github.com/why-github
Documentationhttps://docs.github.com
Bloghttps://github.blog
Changeloghttps://github.blog/changelog
Marketplacehttps://github.com/marketplace
View all featureshttps://github.com/features
Enterpriseshttps://github.com/enterprise
Small and medium teamshttps://github.com/team
Startupshttps://github.com/enterprise/startups
Nonprofitshttps://github.com/solutions/industry/nonprofits
App Modernizationhttps://github.com/solutions/use-case/app-modernization
DevSecOpshttps://github.com/solutions/use-case/devsecops
DevOpshttps://github.com/solutions/use-case/devops
CI/CDhttps://github.com/solutions/use-case/ci-cd
View all use caseshttps://github.com/solutions/use-case
Healthcarehttps://github.com/solutions/industry/healthcare
Financial serviceshttps://github.com/solutions/industry/financial-services
Manufacturinghttps://github.com/solutions/industry/manufacturing
Governmenthttps://github.com/solutions/industry/government
View all industrieshttps://github.com/solutions/industry
View all solutionshttps://github.com/solutions
AIhttps://github.com/resources/articles?topic=ai
Software Developmenthttps://github.com/resources/articles?topic=software-development
DevOpshttps://github.com/resources/articles?topic=devops
Securityhttps://github.com/resources/articles?topic=security
View all topicshttps://github.com/resources/articles
Customer storieshttps://github.com/customer-stories
Events & webinarshttps://github.com/resources/events
Ebooks & reportshttps://github.com/resources/whitepapers
Business insightshttps://github.com/solutions/executive-insights
GitHub Skillshttps://skills.github.com
Documentationhttps://docs.github.com
Customer supporthttps://support.github.com
Community forumhttps://github.com/orgs/community/discussions
Trust centerhttps://github.com/trust-center
Partnershttps://github.com/partners
View all resourceshttps://github.com/resources
GitHub SponsorsFund open source developershttps://github.com/open-source/sponsors
Security Labhttps://securitylab.github.com
Maintainer Communityhttps://maintainers.github.com
Acceleratorhttps://github.com/open-source/accelerator
GitHub Starshttps://stars.github.com
Archive Programhttps://archiveprogram.github.com
Topicshttps://github.com/topics
Trendinghttps://github.com/trending
Collectionshttps://github.com/collections
Enterprise platformAI-powered developer platformhttps://github.com/enterprise
GitHub Advanced SecurityEnterprise-grade security featureshttps://github.com/security/advanced-security
Copilot for BusinessEnterprise-grade AI featureshttps://github.com/features/copilot/copilot-business
Premium SupportEnterprise-grade 24/7 supporthttps://github.com/enterprise/premium-support
Pricinghttps://github.com/pricing
Search syntax tipshttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
documentationhttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fapache%2Fcloudstack%2Fissues%2F13302
Sign up https://github.com/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Fvoltron%2Fissues_fragments%2Fissue_layout&source=header-repo&source_repo=apache%2Fcloudstack
Reloadhttps://github.com/apache/cloudstack/issues/13302
Reloadhttps://github.com/apache/cloudstack/issues/13302
Reloadhttps://github.com/apache/cloudstack/issues/13302
Please reload this pagehttps://github.com/apache/cloudstack/issues/13302
apache https://github.com/apache
cloudstackhttps://github.com/apache/cloudstack
Notifications https://github.com/login?return_to=%2Fapache%2Fcloudstack
Fork 1.3k https://github.com/login?return_to=%2Fapache%2Fcloudstack
Star 3k https://github.com/login?return_to=%2Fapache%2Fcloudstack
Code https://github.com/apache/cloudstack
Issues 536 https://github.com/apache/cloudstack/issues
Pull requests 265 https://github.com/apache/cloudstack/pulls
Discussions https://github.com/apache/cloudstack/discussions
Actions https://github.com/apache/cloudstack/actions
Projects https://github.com/apache/cloudstack/projects
Wiki https://github.com/apache/cloudstack/wiki
Security and quality 0 https://github.com/apache/cloudstack/security
Insights https://github.com/apache/cloudstack/pulse
Code https://github.com/apache/cloudstack
Issues https://github.com/apache/cloudstack/issues
Pull requests https://github.com/apache/cloudstack/pulls
Discussions https://github.com/apache/cloudstack/discussions
Actions https://github.com/apache/cloudstack/actions
Projects https://github.com/apache/cloudstack/projects
Wiki https://github.com/apache/cloudstack/wiki
Security and quality https://github.com/apache/cloudstack/security
Insights https://github.com/apache/cloudstack/pulse
VM Snapshot VNC Password Loss Variant leading to Unauthenticated Console Accesshttps://github.com/apache/cloudstack/issues/13302#top
https://github.com/YLChen-007
YLChen-007https://github.com/YLChen-007
on Jun 1, 2026https://github.com/apache/cloudstack/issues/13302#issue-4561052622
CVE-2015-3252https://github.com/advisories/GHSA-c98j-mqm3-22r6
CVE-2015-3252https://github.com/advisories/GHSA-c98j-mqm3-22r6
docker-compose.ymlhttps://gist.github.com/YLChen-007/3b65889cb69a220624ccc84ed7157681
verification_test.pyhttps://gist.github.com/YLChen-007/d08d29a49aed92d1b8c7c73d7883321a
control-secure_xml_flag.pyhttps://gist.github.com/YLChen-007/45d77061579e39f233761f32d1ac10bf
cloudstack/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRestoreVMSnapshotCommandWrapper.javahttps://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRestoreVMSnapshotCommandWrapper.java#L59
348ce95https://github.com/apache/cloudstack/commit/348ce953a99246a756b527994f7745a7be038234
https://github.com
Termshttps://docs.github.com/site-policy/github-terms/github-terms-of-service
Privacyhttps://docs.github.com/site-policy/privacy-policies/github-privacy-statement
Securityhttps://github.com/security
Statushttps://www.githubstatus.com/
Communityhttps://github.community/
Docshttps://docs.github.com/
Contacthttps://support.github.com?tags=dotcom-footer

Viewport: width=device-width


URLs of crawlers that visited me.