CVE-2024-42062
📋 TL;DR
A privilege escalation vulnerability in Apache CloudStack allows a domain admin account-user to query the API and secret keys of all account-users, including those of root admin accounts, rather than only the users inside the domain admin's own domain tree. With a root admin's key pair in hand, the attacker can sign API requests as root admin and take full control of the CloudStack-managed infrastructure. Affects CloudStack 4.10.0.0 through 4.18.2.2 and 4.19.0.0 through 4.19.1.0.
💻 Affected Systems
- Apache CloudStack
📦 What is this software?
Apache CloudStack is an open-source infrastructure-as-a-service (IaaS) platform that orchestrates hypervisors, storage and networks behind a single management server and REST-style API. Access is tiered: root admins manage the whole deployment, domain admins manage the accounts and resources in their own domain (and its sub-domains), and regular users manage their own resources. Every API call is authenticated with a per-user API key and signed with the matching secret key, so anyone holding a user's key pair can act as that user.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of CloudStack infrastructure: root admin privileges obtained, allowing full control over all resources, data exfiltration, resource destruction, and denial of service.
Likely Case
Domain admin escalates to root admin, accesses sensitive data, modifies configurations, and potentially deploys malicious resources across the cloud environment.
If Mitigated
With the patch applied, a domain admin can only retrieve keys for users within their own domain tree, so the blast radius is back to the domain admin's normal scope. Note that patching alone does not revoke keys that were already harvested; those stay valid until the affected users' keys are regenerated.
🎯 Exploit Status
Exploitation requires an authenticated domain admin account. No public exploit code had been released as of the advisory date, but the flaw is a single authenticated API call made by a legitimate role, so the absence of a public PoC offers little protection: any domain admin (or anyone holding a domain admin's key pair) can exploit it without tooling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.18.2.3 or 4.19.1.1 or later
Vendor Advisory: https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3
Restart Required: Yes
Instructions:
1. Back up the CloudStack configuration and database.
2. Download the patched packages (4.18.2.3 or 4.19.1.1) from the Apache CloudStack website or your distribution repository.
3. Stop the CloudStack management services.
4. Apply the update following the CloudStack upgrade documentation for your release line.
5. Restart the management services and confirm the version reported in the UI or by listCapabilities.
6. Regenerate the API and secret keys of all account-users, starting with root admin accounts. Do this after the upgrade, not before: until the patch is in place, any key issued can be read out again by a domain admin.
🔧 Temporary Workarounds
Restrict Domain Admin API Access
Temporarily limit or closely audit domain admin API usage to catch key-query activity. CloudStack exposes a user's key pair through the getUserKeys API (there is no listKeys API; the listUsers response also carries apikey/secretkey fields for users the caller may see), and the management server records every API call with the caller's userId/accountId, source IP and command name in its API log.
# Look for key queries in the management server API log
# grep 'command=getUserKeys' /var/log/cloudstack/management/apilog.log
# Review which accounts hold the Domain Admin role (Accounts and Roles in the CloudStack UI) and disable any that are not actively needed
🧯 If You Can't Patch
- Regenerate the API and secret keys of all account-users, starting with root admins, to invalidate anything already harvested. Treat this as a short-lived measure: while the server is unpatched a domain admin can simply query the new keys again, so regeneration buys time only in combination with monitoring.
- Monitor domain admin activity closely, in particular getUserKeys calls whose target user lies outside the caller's domain, and consider temporarily demoting or disabling domain admin accounts that are not strictly required until the patch is applied.
🔍 How to Verify
Check if Vulnerable:
Any management server running 4.10.0.0 through 4.18.2.2 or 4.19.0.0 through 4.19.1.0 is vulnerable. Read the version from the management server, from the installed package, or from the About dialog in the CloudStack UI.
Check Version:
# cat /etc/cloudstack-release 2>/dev/null || grep version /usr/share/cloudstack-management/version 2>/dev/null
# rpm -q cloudstack-management 2>/dev/null || dpkg -s cloudstack-management 2>/dev/null | grep '^Version'
# The listCapabilities API also returns the version in its cloudstackversion field
Verify Fix Applied:
Confirm the version is 4.18.2.3, 4.19.1.1, or later. Then test the behaviour directly: using the key pair of a domain admin, call getUserKeys with the id of a user in a different domain (for instance a root admin user). A patched server returns an error; a vulnerable one returns that user's apikey and secretkey.
📡 Detection & Monitoring
Log Indicators:
- getUserKeys calls from domain admin accounts whose target user (the id parameter) belongs to a domain outside the caller's own domain tree, especially the ROOT domain
- Multiple getUserKeys calls from one domain admin in a short timeframe, or enumeration patterns such as listUsers followed by a burst of getUserKeys calls
- Root admin API keys being used from source IPs or at times that match a domain admin's activity rather than the root admin's usual pattern
Network Indicators:
- Increased API traffic from domain admin accounts to the management server's API endpoint (/client/api) carrying command=getUserKeys
- Unusual authentication patterns following key queries
SIEM Query:
source="cloudstack" AND command="getUserKeys" | stats count by userId, accountId, src_ip, target_user_id
(field names assume the apilog.log lines have been parsed; in raw form the caller appears as "userId: N accountId: N" and the target as the id= query parameter)
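As an added example (not from the advisory and not CloudStack code), the following script implements the cross-domain check behind the log indicators above over apilog.log-style lines. The sample log lines, the domain tree, and the caller/target-to-domain mappings are constructed for the example; in a real deployment the mappings would be built from listDomains and listUsers output, and the log line layout should be confirmed against your own apilog.log, since only the "(userId: N accountId: N ...) IP -- METHOD command=..." portion is relied on here.

```python
import re
from collections import Counter

# Constructed apilog.log-style lines (hypothetical values, not real log data).
SAMPLE_LOG = """\
2024-08-06 09:12:01,456 INFO  [a.c.c.a.ApiServer] (qtp-1:ctx-a1) (logid:aa11) (userId: 7 accountId: 5 sessionId: null) 10.10.1.5 -- GET command=listVirtualMachines&response=json 200
2024-08-06 09:12:05,101 INFO  [a.c.c.a.ApiServer] (qtp-1:ctx-a2) (logid:aa12) (userId: 7 accountId: 5 sessionId: null) 10.10.1.5 -- GET command=getUserKeys&id=2d3e-user-9&response=json 200
2024-08-06 09:12:06,330 INFO  [a.c.c.a.ApiServer] (qtp-1:ctx-a3) (logid:aa13) (userId: 7 accountId: 5 sessionId: null) 10.10.1.5 -- GET command=getUserKeys&id=2d3e-user-1&response=json 200
2024-08-06 09:12:07,002 INFO  [a.c.c.a.ApiServer] (qtp-1:ctx-a4) (logid:aa14) (userId: 3 accountId: 3 sessionId: null) 10.10.2.9 -- GET command=getUserKeys&id=2d3e-user-3&response=json 200
"""

# Constructed inventory. Callers are keyed by the numeric userId the log prints,
# targets by the user UUID passed as id=. Build these from listDomains/listUsers.
DOMAIN_PARENT = {"ROOT": None, "d-acme": "ROOT", "d-acme-dev": "d-acme", "d-beta": "ROOT"}
CALLER_DOMAIN = {"7": "d-acme", "3": "d-beta"}          # domain admins
TARGET_DOMAIN = {"2d3e-user-9": "d-acme-dev",           # inside d-acme's tree
                 "2d3e-user-1": "ROOT",                 # root admin user
                 "2d3e-user-3": "d-beta"}

LINE_RE = re.compile(
    r"\(userId: (?P<uid>\d+) accountId: (?P<aid>\d+)[^)]*\) (?P<ip>\S+) -- \w+ "
    r"command=(?P<cmd>\w+)(?P<rest>\S*)"
)


def is_within_tree(caller_domain, target_domain, parents=DOMAIN_PARENT):
    """True if target_domain is caller_domain itself or one of its descendants."""
    domain = target_domain
    while domain is not None:
        if domain == caller_domain:
            return True
        domain = parents.get(domain)
    return False


def parse_key_queries(log_text):
    """Yield one record per getUserKeys call found in the log text."""
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match or match.group("cmd") != "getUserKeys":
            continue
        target = re.search(r"[&?]id=([^&]+)", match.group("rest"))
        yield {
            "caller_user_id": match.group("uid"),
            "caller_account_id": match.group("aid"),
            "src_ip": match.group("ip"),
            "target_user": target.group(1) if target else None,
        }


def analyze(log_text):
    """Return (findings, calls_per_caller).

    A finding is any getUserKeys call whose target user is not inside the
    caller's domain tree, or whose caller/target cannot be mapped to a domain
    (unknown principals are alerted on rather than silently ignored).
    """
    findings = []
    calls_per_caller = Counter()
    for query in parse_key_queries(log_text):
        calls_per_caller[query["caller_user_id"]] += 1
        caller_dom = CALLER_DOMAIN.get(query["caller_user_id"])
        target_dom = TARGET_DOMAIN.get(query["target_user"])
        if caller_dom is None or target_dom is None or not is_within_tree(caller_dom, target_dom):
            findings.append({**query, "caller_domain": caller_dom, "target_domain": target_dom})
    return findings, calls_per_caller


if __name__ == "__main__":
    found, counts = analyze(SAMPLE_LOG)
    for finding in found:
        print("ALERT cross-domain getUserKeys:", finding)
    print("getUserKeys calls per caller:", dict(counts))
```

On the sample data only one call is raised: domain admin userId 7 (domain d-acme) fetching the keys of a ROOT-domain user, which is exactly the request a patched server refuses. The per-caller counts feed the burst indicator above; a sensible alert threshold is a handful of getUserKeys calls per domain admin per hour, since legitimate key retrieval is rare.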
🔗 References
- https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3
- https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj
- https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/
- http://www.openwall.com/lists/oss-security/2024/08/06/5