www.belgium.be Logo of the federal government

Warning: CloudStack Patched Two Important Vulnerabilities That Can Lead To Remote Code Execution, Patch Immediately!

Reference: 
Advisory #2024-104
Version: 
1.0
Affected software: 
Apache CloudStack 4.0.0 through 4.18.2.0
Apache CloudStack 4.19.0.0 through 4.19.0.1
Type: 
Remote Code Execution (RCE)
CVE/CVSS: 

CVE-2024-38346 : CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE-2024-39864 : CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://cloudstack.apache.org/blog/security-release-advisory-4.19.0.2-4.18.2.1/

Risks

Apache CloudStack is an open-source software system designed to deploy and manage large networks of virtual machines, as a highly available, highly scalable Infrastructure as a Service (IaaS) cloud computing platform. Apache CloudStack patched two important vulnerabilities that can lead to Remote Code Execution. Both vulnerabilities have a High impact on Confidentiality, Integrity and Availability.

The compromise of this system could lead to a full compromise of the infrastructure managed by CloudStack.

Description

CVE-2024-38346: Unauthenticated cluster service port leads to remote execution

The CloudStack cluster service runs on unauthenticated port (default 9090) that can be misused to run arbitrary commands on targeted hypervisors and CloudStack management server hosts. Some of these commands were found to have command injection vulnerabilities that can result in arbitrary code execution via agents on the hosts that may run as a privileged user. An attacker that can reach the cluster service on the unauthenticated port (default 9090), can exploit this to perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure.

CVE-2024-39864: Integration API service uses dynamic port when disabled

The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal integrations and for testing purposes. By default, the integration API service port is disabled and is considered disabled when integration.api.port is set to 0 or negative.

Due to an improper initialisation logic, the integration API service would listen on a random port when its port value is set to 0 (default value). An attacker that can access the CloudStack management network could scan and find the randomised integration API service port and exploit it to perform unauthorised administrative actions and perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure.

Affected versions:

  • Apache CloudStack 4.0.0 through 4.18.2.0
  • Apache CloudStack 4.19.0.0 through 4.19.0.1

More information in the advisory from CloudStack: https://cloudstack.apache.org/blog/security-release-advisory-4.19.0.2-4.18.2.1/

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses these issues.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via:https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Tenable

ShapeBlue