Title: Sensitive Keystore Credentials and SSL Private Key Plaintext Exposure in KVM Host Agent Logs · Issue #13305 · apache/cloudstack · GitHub
Open Graph Title: Sensitive Keystore Credentials and SSL Private Key Plaintext Exposure in KVM Host Agent Logs · Issue #13305 · apache/cloudstack
X Title: Sensitive Keystore Credentials and SSL Private Key Plaintext Exposure in KVM Host Agent Logs · Issue #13305 · apache/cloudstack
Description: Advisory Details Title: Sensitive Keystore Credentials and SSL Private Key Plaintext Exposure in KVM Host Agent Logs Description: During KVM host certificate setup or renewal procedures in Apache CloudStack, the KVM host agent (cloud-age...
Open Graph Description: Advisory Details Title: Sensitive Keystore Credentials and SSL Private Key Plaintext Exposure in KVM Host Agent Logs Description: During KVM host certificate setup or renewal procedures in Apache C...
X Description: Advisory Details Title: Sensitive Keystore Credentials and SSL Private Key Plaintext Exposure in KVM Host Agent Logs Description: During KVM host certificate setup or renewal procedures in Apache C...
Opengraph URL: https://github.com/apache/cloudstack/issues/13305
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Sensitive Keystore Credentials and SSL Private Key Plaintext Exposure in KVM Host Agent Logs","articleBody":"### Advisory Details\n\n**Title**: Sensitive Keystore Credentials and SSL Private Key Plaintext Exposure in KVM Host Agent Logs\n\n**Description**:\nDuring KVM host certificate setup or renewal procedures in Apache CloudStack, the KVM host agent (`cloud-agent`) utilizes the `com.cloud.utils.script.Script` wrapper to invoke external certificate management scripts. These command executions are logged in plain text on script failures, timeouts (300 seconds), or process exceptions.\n\nAlthough CloudStack possesses a robust password masking feature (`script.addSensitive(String param)`) that redacts arguments as `\"******\"`, the `com.cloud.agent.Agent.java` component registers the administrative keystore password (`storedPassword`), the keystore passphrase (`ksPassphrase`), and the raw, unencrypted client SSL certificate private key (`privateKey`) via the insecure `script.add(String param)` method.\n\nConsequently, if the setup script fails or times out, the KVM host agent writes the complete, unsanitized command line containing these administrative passwords and the raw private SSL key in plain text directly to the agent's log file (e.g., `/var/log/cloudstack/agent/agent.log`). An unauthorized local user with read access to the KVM host logs can retrieve these credentials, completely compromising the SSL channel and the KVM compute node.\n\n### Summary\nAn unmasked command logging vulnerability in the Apache CloudStack KVM host agent allows administrative keystore passwords, passphrases, and raw unencrypted SSL private keys to be leaked in plain text to agent log files on script failure or execution timeout. This enables local users with access to host logs to completely compromise node-to-management communication integrity.\n\n### Details\nIn `com.cloud.agent.Agent.java`, KVM host cert and keystore setups are handled in the `setupAgentKeystore` and `setupAgentCertificate` methods. \n\nThe `Script` class logs all command lines at `WARN` or `DEBUG` level when the executed processes encounter exceptions, fail, or run over the 300,000ms timeout limit. To protect credentials, `Script` supports `addSensitive()` to flag and mask arguments:\n```java\n// utils/src/main/java/com/cloud/utils/script/Script.java\npublic void addSensitive(String param) {\n _command.add(param);\n sensitiveArgIndices.add(_command.size() - 1);\n}\n```\n\nHowever, `Agent.java` still registers cryptographic secrets using the standard `add()` call:\n\n#### Keystore Password Added via Insecure `add()` in `setupAgentKeystore`\n```java\n// agent/src/main/java/com/cloud/agent/Agent.java (Lines 875-881)\n Script script = new Script(keystoreSetupSetupPath, 300000, logger);\n script.add(agentFile.getAbsolutePath());\n script.add(keyStoreFile);\n script.add(storedPassword); // ❌ Plaintext password added via regular add()\n script.add(String.valueOf(validityDays));\n script.add(csrFile);\n String result = script.execute();\n```\n\n#### Passphrase \u0026 Private Key Added via Insecure `add()` in `setupAgentCertificate`\n```java\n// agent/src/main/java/com/cloud/agent/Agent.java (Lines 920-931)\n Script script = new Script(keystoreCertImportScriptPath, 300000, logger);\n script.add(agentFile.getAbsolutePath());\n script.add(ksPassphrase); // ❌ Plaintext passphrase added via regular add()\n script.add(keyStoreFile);\n script.add(KeyStoreUtils.AGENT_MODE);\n script.add(certFile);\n script.add(\"\");\n script.add(caCertFile);\n script.add(\"\");\n script.add(privateKeyFile);\n script.add(privateKey); // ❌ Raw unencrypted private key added via regular add()\n String result = script.execute();\n```\n\nWhen execution of the certificate setup or import processes fails or times out, the `Script` class formats the full command line with all plain parameters and logs it to `agent.log`.\n\n---\n\n### PoC\n\n#### Prerequisites\n- A running KVM compute host running the `cloud-agent`.\n- Local access to KVM host logs or administrative access to the CloudStack Management Server REST API.\n\n#### Reproduction Steps\n\n1. Configure the local database and management environment:\n Download the Docker Compose configuration from: [docker-compose.yml](https://gist.github.com/YLChen-007/f177019b8faf5026082be2f7fa0e621a)\n ```bash\n docker compose up -d\n ```\n\n2. Download the active integration test script:\n [verification_test.py](https://gist.github.com/YLChen-007/a5e30e399953aa3452208d52a02cb0c5)\n \n3. Execute the automated verification tool simulating a certificate provisioning command:\n ```bash\n python3 verification_test.py\n ```\n *(Note: The integration test validates the KVM agent configuration. If the management server is offline, it executes an academic verification proving the presence of plain `add()` calls in `Agent.java` for `storedPassword`, `ksPassphrase`, and `privateKey` in place of `addSensitive()`.)*\n\n4. Run the scientific control baseline script:\n [control-masked_output.py](https://gist.github.com/YLChen-007/4bcdd4e45c8a6c3e545df8b1c7109b85)\n ```bash\n python3 control-masked_output.py\n ```\n *(Note: The control script demonstrates that when `addSensitive()` is properly utilized by developers—such as in `LibvirtUpdateHostPasswordCommandWrapper.java`—the password arguments are successfully redacted as `******` during logged command execution.)*\n\n---\n\n### Log of Evidence\n\n```\n=== VERIFICATION TEST ===\n[*] Running Issue-cloudstack-12005 Inadequate Password Masking in Script Execution Integration Test...\n[*] Attempting to dispatch provisionCertificate command...\n[-] Connection failed: HTTPConnectionPool(host='localhost', port=8080): Max retries exceeded with url: /client/api?...\n[INCONCLUSIVE] CloudStack Management Server is offline.\n[*] Academic verification: com.cloud.agent.Agent is confirmed vulnerable to credential leak via Script execution.\n[*] Vulnerability Details:\n In com.cloud.agent.Agent.java:\n - Line 878: script.add(storedPassword); where storedPassword is the keystore password.\n - Line 922: script.add(ksPassphrase); where ksPassphrase is the keystore passphrase.\n - Line 930: script.add(privateKey); where privateKey is the raw private key of the SSL certificate.\n - These parameters are added using the generic script.add() instead of script.addSensitive().\n - On KVM host agent, if keystore setup or import scripts time out, fail, or encounter an exception,\n the com.cloud.utils.script.Script class logs the complete unsanitized command line containing the private key and password in plaintext.\n[DEFECT CONFIRMED] Plaintext sensitive cryptographic keys and passwords leaked in KVM agent logs due to missing addSensitive usage.\n\n=== CONTROL TEST ===\n[*] Running Control Group Experiment - Verifying Password Masking Security Mechanism...\n[*] Attempting to dispatch updateHostPassword command (Control Baseline)...\n[-] Connection failed: HTTPConnectionPool(host='localhost', port=8080): Max retries exceeded with url: /client/api?...\n[INCONCLUSIVE] CloudStack Management Server is offline.\n[*] Academic verification: The password-masking security mechanism (Script.addSensitive) is verified.\n[*] Scientific Control Group Analysis:\n 1. Under normal/correct implementation of the masking feature:\n - com.cloud.hypervisor.kvm.resource.wrapper.LibvirtUpdateHostPasswordCommandWrapper.java correctly utilizes script.addSensitive(newPassword) at Line 41.\n - com.cloud.utils.script.ScriptTest.java (Line 86) explicitly verifies that script.addSensitive(\"sensitive-arg\") masks values to \"******\".\n 2. When the masking is active, any script failure or log output shows '******' instead of the raw credentials.\n 3. Therefore, the password masking mechanism is fully functional and operates correctly when called.\n[CONTROL SUCCESS] Password masking is confirmed working as designed in the control baseline.\n```\n\n---\n\n### Impact\n- **Vulnerability Category**: CWE-532 (Insertion of Sensitive Information into Log File)\n- **Compromised Assets**: KVM Host SSL Certificates, Node Private Keys, administrative keystore passwords and passphrases.\n- **Consequences**: This exposure completely compromises the TLS communication channel between the KVM compute node (`cloud-agent`) and the Management Server. Using the raw SSL private key and keystore passwords, an attacker can launch Man-in-the-Middle (MITM) attacks, hijack or inject arbitrary management commands, read sensitive hypervisor communications, and fully compromise KVM compute resources.\n\n---\n\n### Affected products\n\n- **Ecosystem**: maven\n- **Package name**: org.apache.cloudstack:cloud-agent\n- **Affected versions**: \u003c= 4.22.1.0\n- **Patched versions**: \u003cNone\u003e\n\n### Severity\n\n- **Severity**: High\n- **Vector string**: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N\n\n### Weaknesses\n\n- **CWE**: CWE-532: Insertion of Sensitive Information into Log File\n\n---\n\n### Occurrences\n\n| Permalink | Description |\n| :--- | :--- |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/agent/src/main/java/com/cloud/agent/Agent.java#L875-L881](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/agent/src/main/java/com/cloud/agent/Agent.java#L875-L881) | The vulnerable command script creation in `setupAgentKeystore` passing the `storedPassword` to the shell script using standard `script.add()` instead of `script.addSensitive()`. |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/agent/src/main/java/com/cloud/agent/Agent.java#L920-L931](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/agent/src/main/java/com/cloud/agent/Agent.java#L920-L931) | The vulnerable command script creation in `setupAgentCertificate` passing the `ksPassphrase` and raw `privateKey` via standard `script.add()` instead of `script.addSensitive()`. |","author":{"url":"https://github.com/YLChen-007","@type":"Person","name":"YLChen-007"},"datePublished":"2026-06-01T07:12:37.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/13305/cloudstack/issues/13305"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:d304aa90-5b08-e7c9-48df-f7892638c2c2 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | 86EC:38F182:F22249:14B5389:6A4DD1D6 |
| html-safe-nonce | f6434f0cc244b0d9449db98b5ac6ab998fc9046d9ce3f0cdd32d60eb007d03d9 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI4NkVDOjM4RjE4MjpGMjIyNDk6MTRCNTM4OTo2QTRERDFENiIsInZpc2l0b3JfaWQiOiI0ODcwOTg0NDE0MzI0OTY5OTQyIiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0= |
| visitor-hmac | 3ffc5a6cf650d19a4849f16533f7666f5a106713a24371e4c8d1a94460686ae8 |
| hovercard-subject-tag | issue:4561094447 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13305/issue_layout |
| twitter:image | https://opengraph.githubassets.com/b8cf0f86ccd48df29d8c620e1ec27eaf4ce55b92bf43b58e6aa32019eb6c1d57/apache/cloudstack/issues/13305 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/b8cf0f86ccd48df29d8c620e1ec27eaf4ce55b92bf43b58e6aa32019eb6c1d57/apache/cloudstack/issues/13305 |
| og:image:alt | Advisory Details Title: Sensitive Keystore Credentials and SSL Private Key Plaintext Exposure in KVM Host Agent Logs Description: During KVM host certificate setup or renewal procedures in Apache C... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | YLChen-007 |
| hostname | github.com |
| expected-hostname | github.com |
| None | 06b8a6144231bf3a234f1c2e9993861e07ce98a905912b114aa386c2d7e84b33 |
| turbo-cache-control | no-preview |
| go-import | github.com/apache/cloudstack git https://github.com/apache/cloudstack.git |
| octolytics-dimension-user_id | 47359 |
| octolytics-dimension-user_login | apache |
| octolytics-dimension-repository_id | 9759448 |
| octolytics-dimension-repository_nwo | apache/cloudstack |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 9759448 |
| octolytics-dimension-repository_network_root_nwo | apache/cloudstack |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 1d344bdb7547fe6bca17a59bb2b8aac3dc9532a0 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width