Impact
Apache Cloudstack contains a privileged escalation vulnerability in the invite to project logic due to a predictable seed used in a PRNG.
Details
When inviting a user or account to a project via the email, the methods ProjectManagerImpl.inviteAccountToProject or ProjectManagerImpl.inviteUserToProject are invoked, and a random token is emailed to the invitee to allow them to join the project.
However, this random token is generated predictably using the method generateToken with the value of 10 using System.currentTimeMillis() as the seed for the random number generator.
As such, if an attacker knows around the time an invite was generated to invite another user, that attacker would be able to leverage the invite token to impersonate the invited user's invite acceptance.
The invite is stored in the database, but other than "having the secret token" there is no further checks that occur to ensure that the user taking advantage of the token is the user that the token was assigned to.
The site where the project invite is looked up form the database:
The user that is the current caller is pulled from the request here:
Then, that accepted invite is assigned to the calling user here:
As such, an attacker is able to leverage an invite a project that they were never sent because they can compute the value of the invite token.
Proof Of Concept
The following code will print out all of the possible secret tokens for the next hour:
public static String generateToken(long time, int length) {
String charset = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
Random rand = new Random(time);
StringBuffer sb = new StringBuffer();
for (int i = 0; i < length; i++) {
int pos = rand.nextInt(charset.length());
sb.append(charset.charAt(pos));
}
return sb.toString();
}
public static void main(String[] args) {
long startTime = System.currentTimeMillis();
LongStream
.rangeClosed(startTime + 0, startTime + (long) (3_600_000))
.parallel()
.mapToObj(time -> generateToken(time, 10))
.forEach(System.out::println);
}Patches
Workarounds
When executing the addAccountToProject API call, don't invite by email. Only invite by existing account or user.
Mitigating Factors
project.invite.required is false by default and is something that must be enabled by end-users explicitly.
References
For more information
Open an issue with the Apache Cloudstack team here: https://github.com/apache/cloudstack/issues
JLLeitschuh Analyst
Impact
Apache Cloudstack contains a privileged escalation vulnerability in the invite to project logic due to a predictable seed used in a PRNG.
Details
When inviting a user or account to a project via the email, the methods
ProjectManagerImpl.inviteAccountToProjectorProjectManagerImpl.inviteUserToProjectare invoked, and a random token is emailed to the invitee to allow them to join the project.However, this random token is generated predictably using the method
generateTokenwith the value of10usingSystem.currentTimeMillis()as the seed for the random number generator.As such, if an attacker knows around the time an invite was generated to invite another user, that attacker would be able to leverage the invite token to impersonate the invited user's invite acceptance.
The invite is stored in the database, but other than "having the secret token" there is no further checks that occur to ensure that the user taking advantage of the token is the user that the token was assigned to.
The site where the project invite is looked up form the database:
Notice how the account of the current user making the request isn't included in the lookup.
The user that is the current caller is pulled from the request here:
Then, that accepted invite is assigned to the calling user here:
As such, an attacker is able to leverage an invite a project that they were never sent because they can compute the value of the invite token.
Proof Of Concept
The following code will print out all of the possible secret tokens for the next hour:
Patches
Workarounds
When executing the
addAccountToProjectAPI call, don't invite by email. Only invite by existing account or user.Mitigating Factors
project.invite.requiredis false by default and is something that must be enabled by end-users explicitly.References
For more information
Open an issue with the Apache Cloudstack team here: https://github.com/apache/cloudstack/issues