YLChen-007 opened a new issue, #13298:
URL: https://github.com/apache/cloudstack/issues/13298
### Advisory Details
**Title**: Sensitive User Data and Storage Credentials Exposure in Baremetal PING PXE Resource Logs
**Description**:
A sensitive logging vulnerability exists in the Apache CloudStack PING PXE
baremetal plugin. When orchestrating resources or preparing booting files on
baremetal hosts, the CloudStack Management Server constructs commands
containing raw VM user-data (`userdata`), public keys, and CIFS storage
password configurations, executing them over SSH.
However, the underlying execution logging helper
`SSHCmdHelper.sshExecuteCmdOneShot` only attempts to sanitize command arguments
using a crude split logic targeted at `KeyStoreUtils.KS_FILENAME`
(`"cloud.jks"`). Since baremetal orchestration commands never contain
`"cloud.jks"`, the split fails to mask any characters, logging the entire
command—including raw plaintext credentials and user configuration
details—directly into standard system debug logs (e.g., `vmops.log` or
`management-server.log`).
### Summary
An information exposure vulnerability (CWE-532) in the Apache CloudStack
Baremetal PING PXE plugin allows any local actor or system administrator with
access to debug logs to read plaintext sensitive VM initialization secrets
(user-data), SSH keys, and CIFS network storage passwords.
### Details
The vulnerability manifests itself in two critical variants in
`BaremetalPingPxeResource.java`:
#### Variant 1: VM Metadata Exposure via VmDataCommand
In `BaremetalPingPxeResource.java` inside `execute(VmDataCommand cmd)`, VM
custom metadata is assembled into a single string argument and formatted into a
python script call:
```java
String script = String.format("python /usr/bin/baremetal_user_data.py '%s'", arg);
if (!SSHCmdHelper.sshExecuteCmd(sshConnection, script)) {
    return new Answer(cmd, false, "Failed to add user data, command:" + script);
}
```
The variable `arg` contains the plaintext custom user-data (which often
holds database passwords, configuration keys, or startup secrets) and public
SSH keys.
#### Variant 2: Plaintext CIFS Storage Credential Leakage
Similarly, in `execute(PreparePxeServerCommand)` and
`execute(PrepareCreateTemplateCommand)`, the resource's CIFS mount storage
credential (`_cifsPassword`) is concatenated directly into the shell script
format:
```java
String script = String.format(
        "python /usr/bin/prepare_tftp_bootfile.py restore %1$s %2$s %3$s %4$s %5$s %6$s %7$s %8$s %9$s %10$s %11$s",
        _tftpDir, cmd.getMac(), _storageServer, _share, _dir, cmd.getTemplate(),
        _cifsUserName, _cifsPassword, cmd.getIp(), cmd.getNetMask(), cmd.getGateWay());
```
Both methods route their command execution through
`SSHCmdHelper.sshExecuteCmd(sshConnection, script)`. This delegates to
`SSHCmdHelper.sshExecuteCmdOneShot`, which implements the logging logic:
```java
LOGGER.debug("Executing cmd: " + cmd.split(KeyStoreUtils.KS_FILENAME)[0]);
```
Since `KeyStoreUtils.KS_FILENAME` is defined as `"cloud.jks"` in
`KeyStoreUtils.java`, a command that does not contain `"cloud.jks"` never
matches, so `cmd.split("cloud.jks")[0]` evaluates to the original unsanitized
string. Consequently, all custom user secrets, SSH public keys, and CIFS mount
passwords flow directly into debug logs in plaintext.
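As an added illustration (not CloudStack's code, nor the project's fix), the Java below mirrors the split expression quoted above and contrasts it with a hypothetical positional redaction for the two commands this issue names; the sample commands are constructed after the log of evidence below, and `redactForLog` and its patterns are assumptions of this example.

```java
import java.util.regex.Pattern;

/** Added example: why split-based masking fails for baremetal commands,
 *  beside a fail-closed redaction helper (hypothetical, not CloudStack code). */
public class CommandLogSanitizer {
    /** Same value the issue cites for KeyStoreUtils.KS_FILENAME. */
    static final String KS_FILENAME = "cloud.jks";

    /** Mirrors the logging expression in sshExecuteCmdOneShot: keeps the text
     *  before the first "cloud.jks" (an unescaped regex); with no match, the
     *  whole command, secrets included, is returned unchanged. */
    static String legacyMask(String cmd) {
        return cmd.split(KS_FILENAME)[0];
    }

    // Single-quoted user-data argument of baremetal_user_data.py.
    private static final Pattern USER_DATA_ARG =
            Pattern.compile("(baremetal_user_data\\.py\\s+)'[^']*'");
    // restore <tftpDir> <mac> <server> <share> <dir> <template> <user> <password> ...
    // The password is the 8th positional argument after "restore".
    private static final Pattern CIFS_PASSWORD_ARG =
            Pattern.compile("(prepare_tftp_bootfile\\.py\\s+restore(?:\\s+\\S+){7}\\s+)\\S+");

    /** Hypothetical hardened version: redact the known secret positions and,
     *  for any other command shape, log only the program and script path. */
    static String redactForLog(String cmd) {
        if (USER_DATA_ARG.matcher(cmd).find()) {
            return USER_DATA_ARG.matcher(cmd).replaceAll("$1'<redacted user-data>'");
        }
        if (CIFS_PASSWORD_ARG.matcher(cmd).find()) {
            return CIFS_PASSWORD_ARG.matcher(cmd).replaceAll("$1<redacted>");
        }
        String[] t = cmd.trim().split("\\s+");
        return t.length <= 2 ? cmd : t[0] + " " + t[1] + " <args redacted>";
    }

    public static void main(String[] args) {
        // Constructed samples shaped like the commands in the issue's log of evidence.
        String vmData = "python /usr/bin/baremetal_user_data.py "
                + "'10.0.0.10,metadata,userdata,PlaintextSuperSecretPassword123'";
        String cifs = "python /usr/bin/prepare_tftp_bootfile.py restore /tftpboot "
                + "00:11:22:33:44:55 192.168.1.10 share dir template cifs_user "
                + "StorageCIFSSuperSecurePassword789! 10.0.0.10 255.255.255.0 10.0.0.1";
        for (String c : new String[] {vmData, cifs}) {
            System.out.println("legacy  : " + legacyMask(c));   // secret still present
            System.out.println("redacted: " + redactForLog(c)); // secret replaced
        }
    }
}
```

The positional redaction is only as reliable as the command layout it assumes; a user-data value containing a single quote or a password containing whitespace would defeat these patterns, so the log line should never carry such arguments in the first place.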
### PoC
#### Prerequisites
* Debug logging level enabled on Apache CloudStack Management Server or
Agent.
* PING PXE baremetal plugin configured and active.
#### Reproduction Steps
1. Download the isolated container configuration script from:
[docker-compose.yml](https://gist.github.com/YLChen-007/16de890d60948928ff4388ceb06a1f5a)
2. Download the defect verification script from:
[verification_test.py](https://gist.github.com/YLChen-007/d8077c9d6caebf62296f42df517b2dfc)
3. Download the scientific control test script from:
[control-masked_output.py](https://gist.github.com/YLChen-007/32b3be9a34f4a4498bc7b43abcc6f711)
4. Execute the defect verification script:
```bash
python3 verification_test.py
```
5. Confirm that raw credentials (e.g., `PlaintextSuperSecretPassword123`,
`StorageCIFSSuperSecurePassword789!`) are fully leaked under the logged
commands section.
### Log of Evidence
```
[*] Running Issue-cloudstack-12030-BaremetalPingPxe Sensitive Data Exposure
Verification...
[*] Defect Verification - Input Tracing:
- Sensitive VM User-Data: PlaintextSuperSecretPassword123
- Sensitive SSH Public Key: ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQCuVariantPublicSSHKey
- Sensitive CIFS Storage Password: StorageCIFSSuperSecurePassword789!
--- EXPERIMENT RESULTS (DEBUG LOGS) ---
[*] Logged VmDataCommand: python /usr/bin/baremetal_user_data.py
'10.0.0.10,metadata,userdata,PlaintextSuperSecretPassword123;10.0.0.10,metadata,sshkey,ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQCuVariantPublicSSHKey'
[*] Logged CIFS Command: python /usr/bin/prepare_tftp_bootfile.py restore
/tftpboot 00:11:22:33:44:55 192.168.1.10 share dir template cifs_user
StorageCIFSSuperSecurePassword789! 10.0.0.10 255.255.255.0 10.0.0.1
---------------------------------------
[+] SUCCESS: Plaintext sensitive credentials leaked successfully in standard
debug logs!
[+] Status: DEFECT-CONFIRMED
```
### Impact
This is a high-severity information exposure vulnerability (CWE-532).
If successfully triggered:
* Attackers with system log access can hijack virtual/baremetal environments
by reading raw tenant configurations (user-data, containing startup
credentials, database secrets, or API keys).
* Tenant SSH keys can be exposed, bypassing VM shell access constraints.
* Core infrastructure CIFS storage network credentials will be exposed,
potentially allowing unauthorized actors to compromise and modify base
operating system template files.
### Affected products
- **Ecosystem**: maven
- **Package name**: org.apache.cloudstack:cloudstack
- **Affected versions**: <= 4.22.1.0
- **Patched versions**: <None>
### Severity
- **Severity**: High
- **Vector string**: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
### Weaknesses
- **CWE**: CWE-532: Insertion of Sensitive Information into Log File
### Occurrences
| Permalink | Description |
| :--- | :--- |
| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalPingPxeResource.java#L157-L162](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalPingPxeResource.java#L157-L162) | CIFS password exposure during `PreparePxeServerCommand` execution in `BaremetalPingPxeResource.java`. |
| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalPingPxeResource.java#L185-L190](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalPingPxeResource.java#L185-L190) | CIFS password exposure during `PrepareCreateTemplateCommand` execution in `BaremetalPingPxeResource.java`. |
| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalPingPxeResource.java#L217-L246](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalPingPxeResource.java#L217-L246) | VM custom user-data and SSH public key exposure during `VmDataCommand` execution in `BaremetalPingPxeResource.java`. |
| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/utils/src/main/java/com/cloud/utils/ssh/SSHCmdHelper.java#L167](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/utils/src/main/java/com/cloud/utils/ssh/SSHCmdHelper.java#L167) | Root cause: split-based logging logic in `SSHCmdHelper.sshExecuteCmdOneShot` failing to sanitize commands lacking `"cloud.jks"`. |
| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/utils/src/main/java/com/cloud/utils/ssh/SSHCmdHelper.java#L230](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/utils/src/main/java/com/cloud/utils/ssh/SSHCmdHelper.java#L230) | Command output logging in `SSHCmdHelper.sshExecuteCmdOneShot` failing to sanitize logs for commands lacking `"cloud.jks"`. |
--
This is an automated message from the Apache Git Service.