Friday, May 24, 2013

CloudStack IaaS insecure password reset

CloudStack is one of the major and popular IaaS  (Infrastructure as a Servile)  platform.
http://en.wikipedia.org/wiki/Apache_CloudStack

Below small review of the password reset process in the CloudStack.

The purpose of password reset procedure - to allow user during deployment of the VM (virtual machine) template or after this to reset root (administrator password) of VM. Because of the main idea of IaaS to give user ability to help himself  this is one of the key functionality.

From user perspective process looks like:
1. start new VM or click reset password on any stopped VM
2. Get popup with new root password
3. Log in using console, rdp or ssh using new password.

Let's see what behind the scene:
Each network in CloudStack has dedicated router (VR) which doing dhcp, dns, loadbalancing, firewalling and password reset for whole subnet.

On VR we have following components of password reset service:
1. Process listening on port 8080:
 socat -lf /var/log/cloud.log TCP4-LISTEN:8080,reuseaddr,crnl,bind=10.0.146.2 SYSTEM:/opt/cloud/bin/serve_password.sh "$SOCAT_PEERADDR"
it actually waiting for request like : DomU_Request: send_my_password

2. script actually doing the job: /opt/cloud/bin/serve_password.sh

3. and password file: /var/cache/cloud/passwords having all passwords in clear text with filesystem permissions -rw-r--r--
  10.0.146.15=rD7nudcze
 10.0.146.13=jB9kbknvq
 10.0.146.181=saved_password

after each password request VR replace corresponding password in password file  by "saved_password"

On VM template and  VM instance you have script: /etc/init.d/cloud-set-guest-password
This script automatically request root password from VR at each system startup and update it .

The password request procedure is:
1. Client VM parse local  network setting and getting DHCP server IP.
2. Client send clear text  request like wget -q -t 3 -T 20 -O - --header "DomU_Request: send_my_password" $PASSWORD_SERVER_IP:8080
3. If it get password it will use it. If it gets "saved_password" it won't do anything.


Security problems:
1. clear text password storage on VR
2. Clear text password transmission over the network
3. Missing password sever authentication (only by IP)
4. auto-starting password reset service.

Conclusion:

If attacker has access to the one instance into cloudstack network by spoofing password server(VR) IP he will able to compromise other instances int this subnet after their reboot. Having access to VR - will be able to compromise all nodes.

5 comments: