CVE-2024-50386

Improper Input Validation (CWE-20)

Published: Nov 12, 2024 / Updated: 7d ago

CVSS 8.5 (High) / EPSS 0.05%

Summary

A vulnerability in Apache CloudStack versions 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2 allows attackers to compromise KVM-based environments due to missing validation checks for KVM-compatible templates. This affects the template registration process for account users, potentially leading to the deployment of malicious instances.

Impact

The exploitation of this vulnerability can result in:

1. Unauthorized access to host filesystems
2. Compromise of resource integrity and confidentiality
3. Data loss
4. Denial of service
5. Reduced availability of KVM-based infrastructure managed by CloudStack

The CVSS v3.1 base score is 8.5 (High), with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating high impact on confidentiality, integrity, and availability.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

Patches are available. Users are recommended to upgrade to Apache CloudStack versions 4.18.2.5, 4.19.1.3, or later, which address this issue.

Mitigation

1. Upgrade to the patched versions (4.18.2.5, 4.19.1.3, or later) of Apache CloudStack.

2. Scan and check all user-registered KVM-compatible templates to ensure they are flat files without additional or unnecessary features.

3. Run the provided command on file-based primary storage to inspect for potentially compromised disks:

    for file in $(find /path/to/storage/ -type f -regex '[a-f0-9\-]*.*'); do echo "Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully."; qemu-img info -U "$file" | grep file: ; printf "\n\n"; done

4. For a more comprehensive check of template/volume features, use:

    for file in $(find /path/to/storage/ -type f -regex '[a-f0-9\-]*.*'); do echo "Retrieving file [$file] info."; qemu-img info -U "$file"; printf "\n\n"; done

Note: These checks may produce false positives and false negatives, so careful analysis is required.
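As an added example (not part of the advisory or of CloudStack's code), the checks in steps 3 and 4 can be triaged from the JSON form of `qemu-img info` instead of grep, separating the expected template backing references from references that leave primary storage. The function names, the SAMPLE record and the clean/review/suspect policy are assumptions of this example.

```python
import json
import os
import subprocess

QEMU_INFO = ["qemu-img", "info", "-U", "--output=json"]
# Constructed sample of the JSON fields used below (not real output).
SAMPLE = {"format": "qcow2", "backing-filename": "../outside/disk.img"}

def external_refs(info):
    """(kind, target) for each external file named in qemu-img info JSON."""
    refs = []
    if "backing-filename" in info:
        refs.append(("backing file", info["backing-filename"]))
    qcow2 = info.get("format-specific", {}).get("data", {})
    if "data-file" in qcow2:
        refs.append(("data file", qcow2["data-file"]))
    return refs

def triage(image_path, info, storage_root):
    """Classify one disk; the verdict policy is this example's assumption.
    clean: no external reference. review: backing file inside storage_root
    (expected for a volume freshly created from a template). suspect: data
    file, protocol target, or any target outside storage_root."""
    root = os.path.realpath(storage_root)
    verdict, findings = "clean", []
    for kind, target in external_refs(info):
        # QEMU reads a colon before the first slash as a protocol prefix.
        if ":" in target.split("/", 1)[0]:
            resolved, inside = target, False
        else:
            # Relative targets resolve against the image's own directory.
            resolved = os.path.realpath(
                os.path.join(os.path.dirname(image_path), target))
            inside = os.path.commonpath([root, resolved]) == root
        if kind == "backing file" and inside:
            verdict = "review" if verdict == "clean" else verdict
        else:
            verdict = "suspect"
        findings.append((kind, resolved))
    return verdict, findings

def scan(storage_root):
    """Triage every file under storage_root (needs qemu-img on the host)."""
    results = {}
    for dirpath, _, names in os.walk(storage_root):
        for path in (os.path.join(dirpath, n) for n in names):
            proc = subprocess.run(QEMU_INFO + [path], capture_output=True, text=True)
            results[path] = (triage(path, json.loads(proc.stdout), storage_root)
                             if proc.returncode == 0 else ("error", []))
    return results
```

A "review" verdict still needs a human check that the backing file is the template the volume was actually created from.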


Timeline

First Article
Feedly found the first article mentioning CVE-2024-50386.
Nov 12, 2024 at 3:02 PM / VulDB Recent Entries

CVSS Estimate
Feedly estimated the CVSS score as HIGH.
Nov 12, 2024 at 3:03 PM

CVE Assignment
NVD published the first details for CVE-2024-50386.
Nov 12, 2024 at 3:15 PM

CVSS
A CVSS base score of 8.5 has been assigned.
Nov 12, 2024 at 3:27 PM / nvd

EPSS
EPSS Score was set to: 0.05% (Percentile: 16.9%)
Nov 15, 2024 at 6:33 AM

Affected Systems

Apache/cloudstack

Links to MITRE ATT&CK

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables

News

Remote code execution in Apache CloudStack
Security Bulletin 13 Nov 2024 - Cyber Security Agency of Singapore
This could allow the attacker to execute arbitrary code on the device with SYSTEM privileges. 10, https://nvd.nist.gov/vuln/detail/CVE-2024-44102. CVE ...
Apache CloudStack Releases Security Update for KVM Infrastructure Vulnerability – CVE-2024-50386
This vulnerability, if unpatched, could enable malicious actors to exploit template downloads to compromise the host filesystem, putting the integrity and confidentiality of the KVM infrastructure at significant risk. The Apache CloudStack project has issued an important security advisory alongside the release of Long-Term Support (LTS) updates, versions 4.18.2.5 and 4.19.1.3, addressing a critical vulnerability, CVE-2024-50386 (CVSS 8.5), affecting KVM-based environments.
CVE-2024-50386 - Apache CloudStack KVM Template Upload Vulnerability November 12, 2024 at 03:15PM https://ift.tt/tynrBSz #CVE #IOC #CTI #ThreatIntelligence #ThreatIntel #Cybersecurity #Recon
CVE-2024-50386
Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack. Users are recommended to upgrade to Apache CloudStack 4.18.2.5 or 4.19.1.3, or later, which addresses this issue. Additionally, all user-registered KVM-compatible templates can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run the following command on their file-based primary storage(s) and inspect the output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk. However, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the...

CVSS V3.1

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability Impact: High
