Posted to issues@cloudstack.apache.org by "Animesh Chaturvedi (JIRA)" <ji...@apache.org> on 2014/01/21 20:03:22 UTC

[jira] [Updated] (CLOUDSTACK-5232) Unauthenticated API allows Admin password reset

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-5232?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Animesh Chaturvedi updated CLOUDSTACK-5232:
-------------------------------------------

    Security: Public  (was: Non-Public)

> Unauthenticated API allows Admin password reset
> -----------------------------------------------
>
>                 Key: CLOUDSTACK-5232
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5232
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: API
>    Affects Versions: 4.2.0
>            Reporter: John Kinsella
>            Assignee: Alena Prokharchyk
>            Priority: Critical
>             Fix For: 4.3.0
>
>
> The "unauthenticated API" allows a caller to reset CCP administrator passwords. This presents a security risk because it allows for privilege escalation attacks. First, if the unauthenticated API is listening on the network (instead of locally), then any user on the network can reset admin passwords. If the API is only listening locally, then any user with access to the local box can reset admin passwords. This would allow them to access other hosts within the CloudStack deployment.
> While it may be important to provide a recovery mechanism for admin passwords that have been lost or hijacked, such a solution needs to be secure. We should either remove this feature from the Unauthenticated API, or provide a solution that is less open to abuse.
> Identified by: Demetrius Tsitrelis from Citrix 
> CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)