Apache CloudStack Releases Security Update for KVM Infrastructure Vulnerability – CVE-2024-50386
The Apache CloudStack project has issued an important security advisory alongside the release of Long-Term Support (LTS) updates, versions 4.18.2.5 and 4.19.1.3, addressing a critical vulnerability, CVE-2024-50386 (CVSS 8.5), affecting KVM-based environments. This vulnerability, if unpatched, could enable malicious actors to exploit template downloads to compromise the host filesystem, putting the integrity and confidentiality of the KVM infrastructure at significant risk.
According to the advisory, “Directly downloaded templates can be used to abuse KVM-based infrastructure” due to inadequate validation checks in CloudStack versions 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2. By default, Apache CloudStack allows account users to register templates directly to primary storage for instance deployment. This opens a potential gateway for attackers to deploy malicious instances that can access and compromise host filesystems.
The advisory highlights, “an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments,” which could lead to risks like data loss, denial of service, and a breach of resource integrity. Unsecured templates could enable attackers to escalate privileges, potentially allowing them to manipulate storage environments and access sensitive data.
The discovery of CVE-2024-50386 is credited to security researcher Kiran Chavala, whose responsible disclosure has enabled Apache to address the flaw proactively.
Apache CloudStack strongly advises users to upgrade to the newly released versions 4.18.2.5 or 4.19.1.3 to patch the vulnerability. The project also provides guidance for verifying the integrity of KVM-compatible templates.
For those using older versions, the advisory recommends skipping version 4.19.1.0 due to a known issue, noting that “users on a version older than 4.19.1.0 are advised to skip 4.19.1.0 and upgrade to 4.19.1.3 instead.”
In addition to updating, Apache CloudStack advises administrators to conduct rigorous scans of user-registered KVM templates, ensuring they do not contain unnecessary features that could be exploited. Operators are encouraged to use specific commands for template validation:
- To check for potential host filesystem compromises
- To examine the full template/volume features
While these commands can help identify potential risks, the advisory cautions that “the command execution for the primary storages can show both false positives and false negatives,” particularly as templates evolve or consolidate.
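As an added illustration of the kind of template check the advisory describes (this is example code, not code from the CloudStack project or its advisory), the following Python parses the fixed qcow2 header of a registered template and flags any backing-file reference or encryption setting before the image is accepted. It assumes, since the page does not spell this out, that the validation concern is a qcow2 image whose header points at a backing file on the host; `build_sample_qcow2` constructs minimal sample headers for the demonstration and is not a real image.

```python
import struct
from typing import Optional

QCOW2_MAGIC = b"QFI\xfb"
FIXED_FMT = ">4sIQIIQIIQQIIQ"   # qcow2 fixed header (v2 layout), 72 bytes, big-endian
V3_EXTRA_FMT = ">QQQII"         # v3 additions at offset 72: feature bitmaps, refcount order, header length


def inspect_qcow2(data: bytes) -> dict:
    """Return the header facts relevant to template validation (pass at least the first cluster)."""
    if len(data) < 72 or data[:4] != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    (_magic, version, bf_off, bf_size, _cluster_bits, size, crypt_method,
     *_rest) = struct.unpack_from(FIXED_FMT, data, 0)
    info = {"version": version, "virtual_size": size, "backing_file": None,
            "encrypted": crypt_method != 0, "incompatible_features": 0}
    if bf_off and bf_size:
        # A non-zero offset/size pair means the image depends on another file by path.
        if bf_off + bf_size > len(data):
            raise ValueError("backing file name lies outside the supplied data")
        info["backing_file"] = data[bf_off:bf_off + bf_size].decode("utf-8", "replace")
    if version >= 3 and len(data) >= 104:
        incompat, _compat, _autoclear, _order, _hlen = struct.unpack_from(V3_EXTRA_FMT, data, 72)
        info["incompatible_features"] = incompat   # reported so an operator can review unexpected features
    return info


def template_is_acceptable(data: bytes) -> bool:
    """Policy for user-registered templates: standalone, unencrypted, no backing-file reference."""
    info = inspect_qcow2(data)
    return info["backing_file"] is None and not info["encrypted"]


def build_sample_qcow2(backing_file: Optional[str] = None) -> bytes:
    """Construct a minimal v3 qcow2 header for this example (sample input, not a bootable image)."""
    name = backing_file.encode() if backing_file else b""
    bf_off = 104 if name else 0                     # name stored right after the 104-byte v3 header
    fixed = struct.pack(FIXED_FMT, QCOW2_MAGIC, 3, bf_off, len(name), 16, 1 << 30,
                        0, 0, 0, 0, 0, 0, 0)
    extra = struct.pack(V3_EXTRA_FMT, 0, 0, 0, 4, 104)
    return fixed + extra + name


if __name__ == "__main__":
    print(inspect_qcow2(build_sample_qcow2("/placeholder/path/base.qcow2")))
```

In practice, read the first cluster of each file on primary storage (the first 1 MiB is enough) and pass it to `inspect_qcow2`; as with the advisory's own commands, a header-only check can miss references introduced later by snapshots or consolidation, so treat it as one signal rather than a complete verdict.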