CloudStack is one of the major and popular IaaS (Infrastructure as a Servile) platform.
http://en.wikipedia.org/wiki/Apache_CloudStack
http://en.wikipedia.org/wiki/Apache_CloudStack
Below small review of the password reset process in the CloudStack.
The purpose of password reset procedure - to allow user during deployment of the VM (virtual machine) template or after this to reset root (administrator password) of VM. Because of the main idea of IaaS to give user ability to help himself this is one of the key functionality.
From user perspective process looks like:
1. start new VM or click reset password on any stopped VM
2. Get popup with new root password
3. Log in using console, rdp or ssh using new password.
2. Get popup with new root password
3. Log in using console, rdp or ssh using new password.
Let's see what behind the scene:
Each network in CloudStack has dedicated router (VR) which doing dhcp, dns, loadbalancing, firewalling and password reset for whole subnet.
On VR we have following components of password reset service:
1. Process listening on port 8080:
socat -lf /var/log/cloud.log TCP4-LISTEN:8080,reuseaddr,crnl,bind=10.0.146.2 SYSTEM:/opt/cloud/bin/serve_password.sh "$SOCAT_PEERADDR"
it actually waiting for request like : DomU_Request: send_my_password
socat -lf /var/log/cloud.log TCP4-LISTEN:8080,reuseaddr,crnl,bind=10.0.146.2 SYSTEM:/opt/cloud/bin/serve_password.sh "$SOCAT_PEERADDR"
it actually waiting for request like : DomU_Request: send_my_password
2. script actually doing the job: /opt/cloud/bin/serve_password.sh
3. and password file: /var/cache/cloud/passwords having all passwords in clear text with filesystem permissions -rw-r--r--
10.0.146.15=rD7nudcze
10.0.146.13=jB9kbknvq
10.0.146.181=saved_password
after each password request VR replace corresponding password in password file by "saved_password"
On VM template and VM instance you have script: /etc/init.d/cloud-set-guest-password
This script automatically request root password from VR at each system startup and update it .
The password request procedure is:
1. Client VM parse local network setting and getting DHCP server IP.
2. Client send clear text request like wget -q -t 3 -T 20 -O - --header "DomU_Request: send_my_password" $PASSWORD_SERVER_IP:8080
3. If it get password it will use it. If it gets "saved_password" it won't do anything.
Security problems:
1. clear text password storage on VR
2. Clear text password transmission over the network
3. Missing password sever authentication (only by IP)
4. auto-starting password reset service.
Conclusion:
If attacker has access to the one instance into cloudstack network by spoofing password server(VR) IP he will able to compromise other instances int this subnet after their reboot. Having access to VR - will be able to compromise all nodes.
Awesome article! You are providing us very valid information. This is worth reading. Keep sharing more such articles.
ReplyDeleteData Science Course in Chennai
Data Science Course in Coimbatore
Data Science Online Course
Useful Information..!!! Best blog with effective information’s..!!
ReplyDeleteJAVA Training in Chennai
Selenium Training in Chennai
Python Training in Chennai
AWS Training in Chennai
Data Science Course in Chennai
DevOps Training in Chennai
ReplyDeleteNice blog! Thanks for sharing this valuable information
DevOps Training in Bangalore
Devops Training in Pune
Devops Training in Hyderabad
devops training in gurgaon
Big data training in chennai
ReplyDeleteBig Data Course in Chennai
Great post. keep sharing such a worthy information
ReplyDeleteAndroid Training in Chennai
Android Training in Bangalore
Great post. keep sharing such a worthy information
ReplyDeletecyber security course in bangalore
cyber security training in chennai