YLChen-007 opened a new issue, #13302:
URL: https://github.com/apache/cloudstack/issues/13302
### Advisory Details
**Title**: VM Snapshot VNC Password Loss Variant leading to Unauthenticated
Console Access
**Description**:
An incomplete security audit fix in Apache CloudStack's KVM hypervisor agent
causes VM graphics/VNC console passwords to be permanently stripped when VM
snapshots are created or redefined. Reverting a VM to these snapshots restores
the VM using the password-less XML configuration, allowing unauthorized
network-adjacent attackers to connect to the VM's guest OS console without VNC
authentication.
### Summary
An incomplete fix for **CVE-2015-3252** (specifically, missing the VM
snapshot definition/restoration path) allows attackers to bypass VNC
authentication controls on KVM-managed guest virtual machines. When a KVM
hypervisor agent restores VM snapshot metadata, it calls `dm.getXMLDesc(0)`,
which strips the graphics tag's password property (`passwd='...'`). Subsequent
reversion to this snapshot re-registers the VM with libvirt without a VNC
password, leaving the virtual machine console wide open to unauthenticated
users.
### Details
During patch completeness audits of Apache CloudStack, we analyzed the patch
commit `5d29b63cfa98a15d7734798c5b29a43658d7f112` for **CVE-2015-3252**. The
original issue stripped VNC passwords because the domain XML was retrieved
using `dm.getXMLDesc(0)` (the default flag `0` explicitly removes all
security-sensitive credentials).
While the developers successfully fixed the VM reboot and VM migration paths
by using `dm.getXMLDesc(1)` and `dm.getXMLDesc(8)` respectively, they **missed
the snapshot definition and restoration path** in
`LibvirtRestoreVMSnapshotCommandWrapper.java`.
Inside `LibvirtRestoreVMSnapshotCommandWrapper.java`:
```java
Domain dm = null;
try {
final LibvirtUtilitiesHelper libvirtUtilitiesHelper =
libvirtComputingResource.getLibvirtUtilitiesHelper();
Connect conn = libvirtUtilitiesHelper.getConnection();
dm = libvirtComputingResource.getDomain(conn, vmName);
if (dm == null) {
return new RestoreVMSnapshotAnswer(cmd, false,
"Restore Instance Snapshot Failed due to can not find
Instance: " + vmName);
}
String xmlDesc = dm.getXMLDesc(0); // <--- 💥 Insecure Flag 0 strips VNC
passwd!
```
This insecure XML description is then used to generate the snapshot metadata
via `libvirtUtilitiesHelper.generateVMSnapshotXML(...)` and persisted on the
host with `dm.snapshotCreateXML(vmSnapshotXML, flags)`.
Because `getXMLDesc(0)` was called, the `<graphics type='vnc' ...>` tag has
no `passwd` attribute inside the stored snapshot. When a tenant user later
reverts the VM to this snapshot, libvirt restores the graphics configuration
from this stripped definition, permanently erasing VNC password protection and
exposing the VNC port (ports `5900+`) to unauthenticated console connections.
### PoC
#### Prerequisites
- Apache CloudStack KVM Agent installed on a KVM hypervisor.
- A virtual machine configured with VNC password protection.
- Docker & Python 3 installed locally.
#### Reproduction Steps
1. Set up the local test simulation by downloading the Docker Compose file:
[docker-compose.yml](https://gist.github.com/YLChen-007/3b65889cb69a220624ccc84ed7157681)
2. Start the simulation environment:
```bash
docker compose up -d
```
3. Download the automated static codebase audit script:
[verification_test.py](https://gist.github.com/YLChen-007/d08d29a49aed92d1b8c7c73d7883321a)
4. Execute the verification script:
```bash
python3 verification_test.py
```
5. Download the control group verification script:
[control-secure_xml_flag.py](https://gist.github.com/YLChen-007/45d77061579e39f233761f32d1ac10bf)
6. Execute the control group script:
```bash
python3 control-secure_xml_flag.py
```
### Log of Evidence
```
==========================================================================
CVE-2015-3252 VM Snapshot VNC Password Loss Variant Verification Test
==========================================================================
[*] Vulnerable Source File Path:
/root/distributed-project/cloudstack/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRestoreVMSnapshotCommandWrapper.java
[*] CloudStack Management Server API URL: http://localhost:8080/client/api
[*] Attempting to connect to live CloudStack Management Server...
[-] Live CloudStack Management Server is not reachable at localhost:8080.
[*] Falling back to static/bytecode audit verification on the
compiled/source environment...
--- Static Source Audit Flow ---
[*] Analyzing source code file for unpatched CVE-2015-3252 variant pattern...
[+] Match found! Found vulnerable pattern 'dm.getXMLDesc(0)' in source file.
Line 59: String xmlDesc = dm.getXMLDesc(0);
==========================================================================
[DEFECT CONFIRMED] - The VNC password loss variant in
LibvirtRestoreVMSnapshotCommandWrapper is present!
Explanation: The Domain XML is fetched using dm.getXMLDesc(0) which strips
the sensitive VNC password.
Redefining the snapshot with this XML will cause permanent loss of the
password upon snapshot revert.
==========================================================================
==========================================================================
CVE-2015-3252 VM Snapshot VNC Password Loss Variant - Control Group Test
==========================================================================
[*] Control Source File Path:
/root/distributed-project/cloudstack/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtGetRemoteVmsCommandWrapper.java
--- Control Group Static Source Audit Flow ---
[*] Analyzing control source code file for correct security mechanism usage
(flag 1)...
[+] Match found! Found secure pattern 'getXMLDesc(1)' in control source file.
Line 89: parser.parseDomainXML(domain.getXMLDesc(1));
==========================================================================
[CONTROL SUCCESSFUL] - The security mechanism (VIR_DOMAIN_XML_SECURE flag 1)
is correctly functioning and implemented in standard control components.
This confirms that the secure behavior is fully supported and expected by
design,
making the 'getXMLDesc(0)' pattern in the snapshot flow a genuine security
defect.
==========================================================================
```
### Impact
- **Vulnerability Category**: Cryptographic credential loss /
Unauthenticated Access / Information Disclosure (CWE-200 / CWE-250)
- **Compromised Assets**: Entire Guest Virtual Machine OS.
- **Security Impact**: High. Any network-adjacent attacker or unauthorized
console proxy user can fully hijack the guest OS console via the hypervisor's
unprotected VNC port (usually `5900+`) without needing credentials, bypassing
all VM-level console authentication mechanisms.
### Affected products
- **Ecosystem**: maven
- **Package name**: org.apache.cloudstack:cloudstack-plugins-hypervisor-kvm
- **Affected versions**: <= 4.22.1.0
- **Patched versions**: <None>
### Severity
- **Severity**: High
- **Vector string**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
### Weaknesses
- **CWE**: CWE-200: Exposure of Sensitive Information to an Unauthorized
Actor
### Occurrences
| Permalink | Description |
| :--- | :--- |
|
[https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRestoreVMSnapshotCommandWrapper.java#L59](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRestoreVMSnapshotCommandWrapper.java#L59)
| The vulnerable `execute` method retrieves domain XML with a flag value of
`0` in `LibvirtRestoreVMSnapshotCommandWrapper.java`, stripping the
graphics/VNC password. |
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
