Advisory Details
Title: VM Snapshot VNC Password Loss Variant leading to Unauthenticated Console Access
Description:
An incomplete security audit fix in Apache CloudStack's KVM hypervisor agent causes VM graphics/VNC console passwords to be permanently stripped when VM snapshots are created or redefined. Reverting a VM to these snapshots restores the VM using the password-less XML configuration, allowing unauthorized network-adjacent attackers to connect to the VM's guest OS console without VNC authentication.
Summary
An incomplete fix for CVE-2015-3252 (specifically, missing the VM snapshot definition/restoration path) allows attackers to bypass VNC authentication controls on KVM-managed guest virtual machines. When a KVM hypervisor agent restores VM snapshot metadata, it calls dm.getXMLDesc(0), which strips the graphics tag's password property (passwd='...'). Subsequent reversion to this snapshot re-registers the VM with libvirt without a VNC password, leaving the virtual machine console wide open to unauthenticated users.
Details
During patch completeness audits of Apache CloudStack, we analyzed the patch commit 5d29b63cfa98a15d7734798c5b29a43658d7f112 for CVE-2015-3252. The original issue stripped VNC passwords because the domain XML was retrieved using dm.getXMLDesc(0) (the default flag 0 explicitly removes all security-sensitive credentials).
While the developers successfully fixed the VM reboot and VM migration paths by using dm.getXMLDesc(1) and dm.getXMLDesc(8) respectively, they missed the snapshot definition and restoration path in LibvirtRestoreVMSnapshotCommandWrapper.java.
Inside LibvirtRestoreVMSnapshotCommandWrapper.java:
Domain dm = null;
try {
final LibvirtUtilitiesHelper libvirtUtilitiesHelper = libvirtComputingResource.getLibvirtUtilitiesHelper();
Connect conn = libvirtUtilitiesHelper.getConnection();
dm = libvirtComputingResource.getDomain(conn, vmName);
if (dm == null) {
return new RestoreVMSnapshotAnswer(cmd, false,
"Restore Instance Snapshot Failed due to can not find Instance: " + vmName);
}
String xmlDesc = dm.getXMLDesc(0); // <--- 💥 Insecure Flag 0 strips VNC passwd!This insecure XML description is then used to generate the snapshot metadata via libvirtUtilitiesHelper.generateVMSnapshotXML(...) and persisted on the host with dm.snapshotCreateXML(vmSnapshotXML, flags).
Because getXMLDesc(0) was called, the <graphics type='vnc' ...> tag has no passwd attribute inside the stored snapshot. When a tenant user later reverts the VM to this snapshot, libvirt restores the graphics configuration from this stripped definition, permanently erasing VNC password protection and exposing the VNC port (ports 5900+) to unauthenticated console connections.
PoC
Prerequisites
- Apache CloudStack KVM Agent installed on a KVM hypervisor.
- A virtual machine configured with VNC password protection.
- Docker & Python 3 installed locally.
Reproduction Steps
-
Set up the local test simulation by downloading the Docker Compose file: docker-compose.yml
-
Start the simulation environment:
-
Download the automated static codebase audit script: verification_test.py
-
Execute the verification script:
python3 verification_test.py
-
Download the control group verification script: control-secure_xml_flag.py
-
Execute the control group script:
python3 control-secure_xml_flag.py
Log of Evidence
==========================================================================
CVE-2015-3252 VM Snapshot VNC Password Loss Variant Verification Test
==========================================================================
[*] Vulnerable Source File Path: /root/distributed-project/cloudstack/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRestoreVMSnapshotCommandWrapper.java
[*] CloudStack Management Server API URL: http://localhost:8080/client/api
[*] Attempting to connect to live CloudStack Management Server...
[-] Live CloudStack Management Server is not reachable at localhost:8080.
[*] Falling back to static/bytecode audit verification on the compiled/source environment...
--- Static Source Audit Flow ---
[*] Analyzing source code file for unpatched CVE-2015-3252 variant pattern...
[+] Match found! Found vulnerable pattern 'dm.getXMLDesc(0)' in source file.
Line 59: String xmlDesc = dm.getXMLDesc(0);
==========================================================================
[DEFECT CONFIRMED] - The VNC password loss variant in LibvirtRestoreVMSnapshotCommandWrapper is present!
Explanation: The Domain XML is fetched using dm.getXMLDesc(0) which strips the sensitive VNC password.
Redefining the snapshot with this XML will cause permanent loss of the password upon snapshot revert.
==========================================================================
==========================================================================
CVE-2015-3252 VM Snapshot VNC Password Loss Variant - Control Group Test
==========================================================================
[*] Control Source File Path: /root/distributed-project/cloudstack/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtGetRemoteVmsCommandWrapper.java
--- Control Group Static Source Audit Flow ---
[*] Analyzing control source code file for correct security mechanism usage (flag 1)...
[+] Match found! Found secure pattern 'getXMLDesc(1)' in control source file.
Line 89: parser.parseDomainXML(domain.getXMLDesc(1));
==========================================================================
[CONTROL SUCCESSFUL] - The security mechanism (VIR_DOMAIN_XML_SECURE flag 1)
is correctly functioning and implemented in standard control components.
This confirms that the secure behavior is fully supported and expected by design,
making the 'getXMLDesc(0)' pattern in the snapshot flow a genuine security defect.
==========================================================================
Impact
- Vulnerability Category: Cryptographic credential loss / Unauthenticated Access / Information Disclosure (CWE-200 / CWE-250)
- Compromised Assets: Entire Guest Virtual Machine OS.
- Security Impact: High. Any network-adjacent attacker or unauthorized console proxy user can fully hijack the guest OS console via the hypervisor's unprotected VNC port (usually
5900+) without needing credentials, bypassing all VM-level console authentication mechanisms.
Affected products
- Ecosystem: maven
- Package name: org.apache.cloudstack:cloudstack-plugins-hypervisor-kvm
- Affected versions: <= 4.22.1.0
- Patched versions:
Severity
- Severity: High
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses
- CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Occurrences
| Permalink |
Description |
|
String xmlDesc = dm.getXMLDesc(0); |
|
The vulnerable execute method retrieves domain XML with a flag value of 0 in LibvirtRestoreVMSnapshotCommandWrapper.java, stripping the graphics/VNC password. |
Advisory Details
Title: VM Snapshot VNC Password Loss Variant leading to Unauthenticated Console Access
Description:
An incomplete security audit fix in Apache CloudStack's KVM hypervisor agent causes VM graphics/VNC console passwords to be permanently stripped when VM snapshots are created or redefined. Reverting a VM to these snapshots restores the VM using the password-less XML configuration, allowing unauthorized network-adjacent attackers to connect to the VM's guest OS console without VNC authentication.
Summary
An incomplete fix for CVE-2015-3252 (specifically, missing the VM snapshot definition/restoration path) allows attackers to bypass VNC authentication controls on KVM-managed guest virtual machines. When a KVM hypervisor agent restores VM snapshot metadata, it calls
dm.getXMLDesc(0), which strips the graphics tag's password property (passwd='...'). Subsequent reversion to this snapshot re-registers the VM with libvirt without a VNC password, leaving the virtual machine console wide open to unauthenticated users.Details
During patch completeness audits of Apache CloudStack, we analyzed the patch commit
5d29b63cfa98a15d7734798c5b29a43658d7f112for CVE-2015-3252. The original issue stripped VNC passwords because the domain XML was retrieved usingdm.getXMLDesc(0)(the default flag0explicitly removes all security-sensitive credentials).While the developers successfully fixed the VM reboot and VM migration paths by using
dm.getXMLDesc(1)anddm.getXMLDesc(8)respectively, they missed the snapshot definition and restoration path inLibvirtRestoreVMSnapshotCommandWrapper.java.Inside
LibvirtRestoreVMSnapshotCommandWrapper.java:This insecure XML description is then used to generate the snapshot metadata via
libvirtUtilitiesHelper.generateVMSnapshotXML(...)and persisted on the host withdm.snapshotCreateXML(vmSnapshotXML, flags).Because
getXMLDesc(0)was called, the<graphics type='vnc' ...>tag has nopasswdattribute inside the stored snapshot. When a tenant user later reverts the VM to this snapshot, libvirt restores the graphics configuration from this stripped definition, permanently erasing VNC password protection and exposing the VNC port (ports5900+) to unauthenticated console connections.PoC
Prerequisites
Reproduction Steps
Set up the local test simulation by downloading the Docker Compose file: docker-compose.yml
Start the simulation environment:
Download the automated static codebase audit script: verification_test.py
Execute the verification script:
Download the control group verification script: control-secure_xml_flag.py
Execute the control group script:
Log of Evidence
Impact
5900+) without needing credentials, bypassing all VM-level console authentication mechanisms.Affected products
Severity
Weaknesses
Occurrences
cloudstack/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtRestoreVMSnapshotCommandWrapper.java
Line 59 in 348ce95
executemethod retrieves domain XML with a flag value of0inLibvirtRestoreVMSnapshotCommandWrapper.java, stripping the graphics/VNC password.