The required feature described as a wish
Description: CloudStack does not require users to re-verify their identity (step-up authentication) before performing high-impact operations such as deleting or expunging resources, or resetting and revealing secrets such as the API keys of other user accounts. Once a user is authenticated for a session, all actions are permitted without additional verification.
Affected Components: Management UI
Impact: If a valid user session is hijacked (e.g., through XSS, session token theft, or an unattended workstation), an attacker can immediately perform irreversible, destructive actions or extract sensitive credentials without any additional authentication barrier. Requiring TOTP verification as a step-up factor would block this attack vector, whereas a Static PIN would not, as it offers no time-bound or replay-resistant protection.
Steps to Reproduce:
- Log in to the CloudStack Management UI as a Root Admin.
- Navigate to Compute > Instances > Select any instance > Click on Delete.
- Observe that the action proceeds to a confirmation dialog without any prompt for TOTP verification.
Recommended Remediation: Implement step-up authentication for a defined list of sensitive or destructive operations. Require the user to enter their current TOTP code before executing the operation. Log all step-up authentication events for auditing.
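The remediation above, sketched as an added example (this is not CloudStack code): a gate that lets non-sensitive operations through, requires a fresh RFC 6238 TOTP code for a defined list of sensitive operations, rejects a code that was already accepted (the replay resistance a static PIN lacks), and records every step-up event for auditing. The operation names and the in-memory secret store are assumptions for illustration.

```python
import hashlib
import hmac
import struct
import time

# Constructed list of operations that require step-up verification.
SENSITIVE_OPS = {"destroyVirtualMachine", "expungeVirtualMachine",
                 "registerUserKeys", "getUserKeys"}


def totp(secret: bytes, t: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains unix time t."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class StepUpGate:
    def __init__(self, secrets):
        self.secrets = secrets    # user -> TOTP secret (hypothetical store)
        self.last_step = {}       # user -> last accepted time step (replay guard)
        self.audit = []           # step-up events, one dict per attempt

    def _log(self, user, op, result):
        self.audit.append({"user": user, "op": op, "result": result,
                           "ts": int(time.time())})

    def authorize(self, user, op, code=None, now=None, step=30):
        """True if `op` may proceed; sensitive ops need an unused, current TOTP code."""
        if op not in SENSITIVE_OPS:
            return True
        secret = self.secrets.get(user)
        if secret is None or code is None:
            self._log(user, op, "denied")
            return False
        cur = (int(time.time()) if now is None else now) // step
        # Accept the current step plus one step of clock skew on either side.
        for t_step in (cur - 1, cur, cur + 1):
            if hmac.compare_digest(totp(secret, t_step * step, step=step), code):
                if t_step <= self.last_step.get(user, -1):
                    self._log(user, op, "replay_rejected")   # code already consumed
                    return False
                self.last_step[user] = t_step
                self._log(user, op, "verified")
                return True
        self._log(user, op, "denied")
        return False
```

The audit list is what a real deployment would write to the event log so that every verified, denied, or replayed step-up attempt is reviewable.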