YLChen-007 opened a new issue, #11988: URL: https://github.com/apache/cloudstack/issues/11988
## **Description:**

### Summary

Multiple authentication components log sensitive cryptographic material (HMAC signatures, API keys, timestamps) at DEBUG and INFO levels without masking. This exposes shared secret derivatives that can be used for request replay attacks, signature analysis, and authentication bypass attempts.

### Severity

**Critical** - Exposure of HMAC signatures and API keys enables request replay attacks and potential compromise of the authentication mechanism.

---

## **Vulnerability Details**

### 1. SSO Authentication Signature Leakage

#### Location

- **File**: `server/src/main/java/com/cloud/user/AccountManagerImpl.java`
- **Method**: `getUserAccountForSSO()`
- **Line**: https://github.com/apache/cloudstack/blob/dbda673e1fa813856deb0f0b6328dad0222b702c/server/src/main/java/com/cloud/user/AccountManagerImpl.java#L3009

---

### 2. Console Proxy API Authentication Leakage

#### Location

- **File**: `client/tomcatconf/ConsoleProxyServlet.java` (or similar path)
- **Method**: `verifyRequest()`
- **Line**: https://github.com/apache/cloudstack/blob/dbda673e1fa813856deb0f0b6328dad0222b702c/server/src/main/java/com/cloud/servlet/ConsoleProxyServlet.java#L537

#### Exposed Data

- API Key (plaintext)
- Incoming HMAC signature
- Computed HMAC signature (on mismatch)
- Request validation context

---

## **Security Impact**

### Why Signature Exposure is Critical

The `signature` is an **HMAC digest** generated from:

```
signature = HMAC(shared_secret, request_parameters)
```

This makes it cryptographically sensitive material. Even at DEBUG level, exposure enables:

#### 1. **Request Replay Attacks**

- Attacker captures signature + timestamp from logs
- Replays the exact request to impersonate legitimate client
- Bypasses authentication if timestamp validation is weak

#### 2. **Signature Analysis & Cryptanalysis**

- Collecting multiple signature samples reveals patterns
- May expose weaknesses in HMAC implementation
- Could lead to shared secret recovery if implementation is flawed
- Helps identify signature generation algorithm details

#### 3. **Information Disclosure**

- Reveals which requests fail validation (signature mismatch scenarios)
- Exposes expected signature values (when both supplied and computed are logged)
- Provides attackers with oracle for testing signature generation

#### 4. **API Key Compromise**

- Direct exposure of API keys enables full account impersonation
- Combined with signature, gives complete authentication context
- Permanent credential (unlike session tokens)
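The replay scenario and the masking the report asks for, as an added example that is not part of the issue or of the CloudStack code base. It assumes a simplified signing scheme of the shape the report describes (base64 of HMAC-SHA1 over the sorted, lowercased query parameters, which is an assumption here, not a claim about the project's exact algorithm), a request-supplied `expires` timestamp, and that `apikey` and `signature` are the only secret-bearing parameters. The `sign`, `verify`, `redact`, `log_line` and `replay_demo` names are all hypothetical. It shows that a signature and timestamp lifted from a log line verify again later when expiry is not enforced, that enforcing expiry bounds the replay window, and what a redacted DEBUG line looks like.

```python
"""Toy request signing, log redaction and replay check (added example, not project code)."""
import base64
import hashlib
import hmac
from urllib.parse import urlencode

# Parameter names whose values must never reach a log line (assumption for this example).
SENSITIVE = {"apikey", "signature", "secretkey"}


def canonical_query(params: dict) -> str:
    """Sorted, lowercased key=value string over every parameter except the signature."""
    items = sorted((k.lower(), str(v)) for k, v in params.items() if k.lower() != "signature")
    return "&".join(f"{k}={v}" for k, v in items).lower()


def sign(params: dict, secret: str) -> str:
    """signature = base64(HMAC-SHA1(shared_secret, request_parameters)), as assumed above."""
    mac = hmac.new(secret.encode(), canonical_query(params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def verify(params: dict, secret: str, now: int, enforce_expiry: bool = True) -> bool:
    """True when the supplied signature matches; with enforce_expiry=False the
    `expires` timestamp is ignored, which models the weak timestamp validation
    that lets a logged signature be replayed indefinitely."""
    supplied = params.get("signature", "")
    if not hmac.compare_digest(supplied, sign(params, secret)):
        return False
    if not enforce_expiry:
        return True
    return now <= int(params.get("expires", 0))


def redact(params: dict) -> dict:
    """Copy of params with secret-bearing values masked before they are logged."""
    return {k: ("***" if k.lower() in SENSITIVE else v) for k, v in params.items()}


def log_line(level: str, params: dict) -> str:
    """What the DEBUG/INFO line should look like: request context kept, secrets masked."""
    return f"{level} verifyRequest params={urlencode(redact(params))}"


def replay_demo() -> dict:
    """Constructed data: a signed request, then the same bytes replayed much later."""
    secret = "constructed-shared-secret"                       # constructed, not a real key
    request = {"command": "listVirtualMachines",
               "apikey": "CONSTRUCTED-API-KEY",                # constructed, not a real key
               "expires": "1700000300"}
    request["signature"] = sign(request, secret)
    captured = dict(request)          # exactly what an unmasked DEBUG line would hand an attacker
    later = 1700999999                # well past `expires`
    tampered = dict(captured, command="destroyVirtualMachine")
    return {
        "accepted_in_window": verify(captured, secret, now=1700000000),
        "replay_without_expiry_check": verify(captured, secret, now=later, enforce_expiry=False),
        "replay_with_expiry_check": verify(captured, secret, now=later),
        "tampered_rejected": not verify(tampered, secret, now=1700000000),
        "redacted_log": log_line("DEBUG", captured),
        "signature": captured["signature"],
    }


if __name__ == "__main__":
    for k, v in replay_demo().items():
        print(f"{k}: {v}")
```

Enforcing `expires` only shortens the replay window; within that window a logged signature is still a valid credential, which is why the masking in `redact` has to happen before the line is written rather than relying on the timestamp check.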
