cloudstack-issues mailing list archives

From "Animesh Chaturvedi (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-5232) Unauthenticated API allows Admin password reset
Date Tue, 21 Jan 2014 19:03:24 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-5232?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13877742#comment-13877742 ]

Animesh Chaturvedi commented on CLOUDSTACK-5232:
------------------------------------------------

Alena, can you commit your patch into 4.3 and master?

> Unauthenticated API allows Admin password reset
> -----------------------------------------------
>
>                 Key: CLOUDSTACK-5232
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5232
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: API
>    Affects Versions: 4.2.0
>            Reporter: John Kinsella
>            Assignee: Alena Prokharchyk
>            Priority: Critical
>             Fix For: 4.3.0
>
>
> The "unauthenticated API" allows a caller to reset CCP administrator passwords. This
> presents a security risk because it allows for privilege escalation attacks. First, if the
> unauthenticated API is listening on the network (instead of locally) then any user on the
> network can reset admin passwords. If the API is only listening locally, then any user with
> access to the local box can reset admin passwords. This would allow them to access other hosts
> within the CloudStack deployment.
> While it may be important to provide a recovery mechanism for admin passwords that have
> been lost or hijacked, such a solution needs to be secure. We should either remove this feature
> from the Unauthenticated API, or provide a solution that is less open to abuse.
> Identified by: Demetrius Tsitrelis from Citrix 
> CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
