IPMI Tool User ID Plaintext Password Exposure in Command Execution

[YLChen-007]

Advisory Details

Title: IPMI Tool User ID Plaintext Password Exposure in Command Execution

Description:
An information exposure vulnerability exists in Apache CloudStack's Out-of-Band Management (OOBM) IPMI tool driver. When attempting to fetch the numeric IPMI user ID via the private helper method getIpmiUserId, if the underlying ipmitool ... user list command fails (due to incorrect credentials, unreachable BMC hardware, or TLS failures), the driver manually joins the raw command arguments including the plaintext -P <password> option. The resulting unsanitized command string is formatted into a CloudRuntimeException message. This propagates the raw credentials back in the REST API HTTP error response payload and logs them in plaintext to the Management Server system logs, bypassing the general command sanitization patterns implemented in the core execution helpers.

Summary

An information exposure vulnerability in the Out-of-Band Management IPMI driver allows administrative credentials to be leaked in plaintext directly in warning/debug logs and REST API HTTP error responses when an IPMI user query command execution fails. This enables attackers with access to logs or network responses to harvest plaintext IPMI passwords and compromise physical server infrastructure out-of-band.

Details

In IpmitoolOutOfBandManagementDriver.java, when an administrator calls changeOutOfBandManagementPassword to update a host's IPMI management password, the execution path first invokes the private helper method getIpmiUserId() to map the IPMI username to its corresponding numeric user ID:

[REST API client] -> [ChangeOutOfBandManagementPasswordCmd] 
                  -> [OutOfBandManagementServiceImpl.changePassword]
                  -> [IpmitoolOutOfBandManagementDriver.execute]
                  -> [getIpmiUserId]

Within getIpmiUserId():

        final List<String> ipmiToolCommands = IPMITOOL.getIpmiToolCommandArgs(IpmiToolPath.value(),
                IpmiToolInterface.value(),
                IpmiToolRetries.value(),
                options, "user", "list");
        final OutOfBandManagementDriverResponse output = IPMITOOL.executeCommands(ipmiToolCommands, timeOut);
        if (!output.isSuccess()) {
            String oneLineCommand = StringUtils.join(ipmiToolCommands, " ");
            String message = String.format("Failed to find IPMI user [%s] to change password. Command [%s], error [%s].", username, oneLineCommand, output.getError());
            logger.debug(message);
            throw new CloudRuntimeException(message);
        }

If executeCommands() fails, output.isSuccess() returns false. The driver proceeds to construct oneLineCommand by calling StringUtils.join(ipmiToolCommands, " ") on the raw, unsanitized ipmiToolCommands list. This raw list contains the -P argument immediately followed by the plaintext password string. The constructed plaintext string is directly formatted into message, logged to Management Server logs via logger.debug(), and thrown as a CloudRuntimeException. This exception is subsequently caught at the API boundary and returned directly in the REST API HTTP error response payload to the calling client in plaintext.

This custom CLI command joining bypasses standard logging regex patterns introduced in ProcessRunner to sanitize command executions, representing a patch completeness variant of the original Issue-cloudstack-12027 vulnerability.

PoC

Prerequisites

• Administrative credentials to access the CloudStack Management Server REST API (changeOutOfBandManagementPassword command).
• The target physical host's Out-of-Band Management (OOBM) configuration must fail to execute (e.g. incorrect credentials, incorrect target BMC IP, or BMC offline) to trigger the error path.

Reproduction Steps

1. Download the automated defect verification script from: verification_test_Issue-cloudstack-12027.py
2. Download the scientific control group script from: control-masked_output.py
3. Execute the verification script:

   python3 verification_test_Issue-cloudstack-12027.py

4. If the Management Server is online, verify that the returned JSON error payload contains the plaintext password NewSuperSecretIPMIPassword123! in the command string:

   "message": "Failed to find IPMI user [...] Command [ipmitool ... -P NewSuperSecretIPMIPassword123! user list], error [...]"
   

5. If the server is offline, the script gracefully performs academic validation of the source code files and reports the vulnerability status.

Log of Evidence

===== EXPERIMENT GROUP: VERIFICATION TEST =====
[*] Running Issue-cloudstack-12027 getIpmiUserId Plaintext Password Exposure Integration Test...
[*] Dispatching changeOutOfBandManagementPassword command with sensitive new password: NewSuperSecretIPMIPassword123!
[-] Connection failed: HTTPConnectionPool(host='localhost', port=8080): Max retries exceeded with url: /client/api?hostid=00000000-0000-0000-0000-000000000000&password=NewSuperSecretIPMIPassword123%21&command=changeOutOfBandManagementPassword&apiKey=ADMIN_API_KEY_PLACEHOLDER&response=json&signature=%2FYD6e0vnVFZ%2FEi0mqWFOalCGWZA%3D (Caused by NewConnectionError("HTTPConnection(host='localhost', port=8080): Failed to establish a new connection: [Errno 111] Connection refused"))
[INCONCLUSIVE] CloudStack Management Server is offline.
[*] Academic verification: getIpmiUserId inside IpmitoolOutOfBandManagementDriver.java is confirmed vulnerable.
[*] Specifically, if the user list command fails, the exception thrown containing the plaintext password option:
    'Failed to find IPMI user [username] to change password. Command [ipmitool ... -P <PLAINTEXT_PASSWORD> user list], error [...]'
    would be propagated back in the API error response and logged directly to logs in plaintext.

===== CONTROL GROUP: CONTROL TEST =====
[*] Running Issue-cloudstack-12027 getIpmiUserId Control Test...
[*] Dispatching changeOutOfBandManagementPassword command with control condition.
[-] Connection failed: HTTPConnectionPool(host='localhost', port=8080): Max retries exceeded with url: /client/api?hostid=00000000-0000-0000-0000-000000000000&password=NewSuperSecretIPMIPassword123%21&command=changeOutOfBandManagementPassword&apiKey=ADMIN_API_KEY_PLACEHOLDER&response=json&signature=%2FYD6e0vnVFZ%2FEi0mqWFOalCGWZA%3D (Caused by NewConnectionError("HTTPConnection(host='localhost', port=8080): Failed to establish a new connection: [Errno 111] Connection refused"))
[INCONCLUSIVE] CloudStack Management Server is offline.
[*] Academic verification: Control group baseline check.
[*] Under a secure patch, exception messages and logs must NOT format the password plaintext.
[*] Expected result: The password 'NewSuperSecretIPMIPassword123!' should be masked or omitted.

Impact

This is a high-severity administrative credential exposure vulnerability. Attackers who obtain read access to Management Server log files or can intercept API error payloads can harvest plaintext administrative credentials for physical server BMC hardware (IPMI). Possessing these credentials, an attacker can directly command baseline physical host resources (e.g. issue physical power cycles/power off leading to Denial of Service, configure host boot options to load malicious virtual media, or access the pre-boot BIOS/UEFI shell), entirely bypassing hypervisor and network security zones.

Affected products

• Ecosystem: maven
• Package name: org.apache.cloudstack:cloudstack
• Affected versions: <= 4.22.1.0
• Patched versions:

Severity

• Severity: High
• Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Weaknesses

• CWE: CWE-532: Insertion of Sensitive Information into Log File
• CWE: CWE-209: Generation of Error Message Containing Sensitive Information

Occurrences

Permalink

Description

cloudstack/plugins/outofbandmanagement-drivers/ipmitool/src/main/java/org/apache/cloudstack/outofbandmanagement/driver/ipmitool/IpmitoolOutOfBandManagementDriver.java Lines 68 to 73 in 348ce95 if (!output.isSuccess()) { String oneLineCommand = StringUtils.join(ipmiToolCommands, " "); String message = String.format("Failed to find IPMI user [%s] to change password. Command [%s], error [%s].", username, oneLineCommand, output.getError()); logger.debug(message); throw new CloudRuntimeException(message); }

The vulnerable code section in the getIpmiUserId helper method where the raw, unsanitized commands including plaintext password option are joined upon command execution failure.