Warning: CloudStack Patched Two Important Vulnerabilities That Can Lead To Remote Code Execution, Patch Immediately!
CVE-2024-38346 : CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-39864 : CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
https://cloudstack.apache.org/blog/security-release-advisory-4.19.0.2-4.18.2.1/
Risks
Apache CloudStack is an open-source software system designed to deploy and manage large networks of virtual machines, as a highly available, highly scalable Infrastructure as a Service (IaaS) cloud computing platform. Apache CloudStack patched two important vulnerabilities that can lead to Remote Code Execution. Both vulnerabilities have a High impact on Confidentiality, Integrity and Availability.
The compromise of this system could lead to a full compromise of the infrastructure managed by CloudStack.
Description
CVE-2024-38346: Unauthenticated cluster service port leads to remote execution
The CloudStack cluster service runs on unauthenticated port (default 9090) that can be misused to run arbitrary commands on targeted hypervisors and CloudStack management server hosts. Some of these commands were found to have command injection vulnerabilities that can result in arbitrary code execution via agents on the hosts that may run as a privileged user. An attacker that can reach the cluster service on the unauthenticated port (default 9090), can exploit this to perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure.
CVE-2024-39864: Integration API service uses dynamic port when disabled
The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal integrations and for testing purposes. By default, the integration API service port is disabled and is considered disabled when integration.api.port is set to 0 or negative.
Due to an improper initialisation logic, the integration API service would listen on a random port when its port value is set to 0 (default value). An attacker that can access the CloudStack management network could scan and find the randomised integration API service port and exploit it to perform unauthorised administrative actions and perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure.
Affected versions:
- Apache CloudStack 4.0.0 through 4.18.2.0
- Apache CloudStack 4.19.0.0 through 4.19.0.1
More information in the advisory from CloudStack: https://cloudstack.apache.org/blog/security-release-advisory-4.19.0.2-4.18.2.1/
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses these issues.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via:https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
Tenable
ShapeBlue