
Security: Host Password Exposed in Command-Line Logging During Password Update Operations #11989

@YLChen-007

Description


Summary

The UpdateHostPasswordCommand execution path builds a shell command line that contains the new host password in plaintext and logs that string at DEBUG level before executing it over SSH. Anyone with read access to the log file obtains the new host administrator password together with the username. The current password, taken from the credential queue, is used only to authenticate the SSH session and is not part of the logged string. The line is emitted only when DEBUG logging is enabled for this class, but that is a routine troubleshooting setting, and the resulting log files are normally retained long after the password change.

Severity

Critical - A host administrator password written to a log file gives anyone who can read that file direct SSH access to the hypervisor host, which is sufficient for complete compromise of the workloads it runs.


Vulnerability Details

Vulnerable Code Flow

Step 1: Command Line Construction

The buildCommandLine implementation in XenServerUtilitiesHelper appends the new password directly to the command string:

    public String buildCommandLine(final String scriptPath, final String script, final String username, final String newPassword) {
        final StringBuilder cmdLine = new StringBuilder();
        // The plaintext password becomes the last argument of the command string.
        cmdLine.append(scriptPath).append(script).append(' ').append(username).append(' ').append(newPassword);
        return cmdLine.toString();
    }

Step 2: Password Logged at DEBUG Level (Line 48)

The execute method invokes buildCommandLine (line 44 of the source file) to construct the command string containing the password, then writes that string to the log at line 48 before the SSH call:

    public Answer execute(final UpdateHostPasswordCommand command, final CitrixResourceBase citrixResourceBase) {
        final String hostIp = command.getHostIp();
        final String username = command.getUsername();
        final String newPassword = command.getNewPassword();
        final XenServerUtilitiesHelper xenServerUtilitiesHelper = citrixResourceBase.getXenServerUtilitiesHelper();
        // cmdLine now contains the plaintext new password as its last argument.
        final String cmdLine = xenServerUtilitiesHelper.buildCommandLine(SCRIPT_CMD_PATH, VRScripts.UPDATE_HOST_PASSWD, username, newPassword);
        Pair<Boolean, String> result;
        try {
            // Leak: the full command string, password included, is written to the log.
            logger.debug("Executing command in Host: " + cmdLine);
            // The current password is read from the queue and used only for SSH authentication; it is not logged.
            final String hostPassword = citrixResourceBase.getPwdFromQueue();
            result = xenServerUtilitiesHelper.executeSshWrapper(hostIp, 22, username, null, hostPassword, cmdLine.toString());
        } catch (final Exception e) {
            return new Answer(command, false, e.getMessage());
        }
        // Add new password to the queue.
        citrixResourceBase.replaceOldPasswdInQueue(newPassword);
        return new Answer(command, result.first(), result.second());
    }
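The following is an added example, not CloudStack's own code, that reproduces the vulnerable concatenation next to a hardened form: a wrapper type whose toString() masks the password, so the same "Executing command in Host: " + cmd log statement can no longer leak it, while the exact string for execution is only obtainable through an explicit call. The class and method names (SafeCommandLine, forExecution, vulnerableLogLine, hardenedLogLine) are hypothetical, and the script path, script name, user and password are constructed sample values.

```java
/*
 * Added example, not CloudStack code. Demonstrates why the secret should
 * never live in a plain String that can be concatenated into a log line.
 */
public final class SafeCommandLine {
    private static final String MASK = "********";

    private final String scriptPath;
    private final String script;
    private final String username;
    private final String newPassword;   // secret: kept out of toString()

    public SafeCommandLine(String scriptPath, String script, String username, String newPassword) {
        this.scriptPath = scriptPath;
        this.script = script;
        this.username = username;
        this.newPassword = newPassword;
    }

    /** The exact string to hand to the SSH wrapper. Call this only at the point of execution. */
    public String forExecution() {
        return scriptPath + script + ' ' + username + ' ' + newPassword;
    }

    /** What any log statement or debugger sees: same layout, password masked. */
    @Override
    public String toString() {
        return scriptPath + script + ' ' + username + ' ' + MASK;
    }

    // Vulnerable pattern from the report, reproduced with plain strings:
    // the password is part of the String that ends up in the log.
    static String vulnerableLogLine(String scriptPath, String script, String username, String newPassword) {
        String cmdLine = scriptPath + script + ' ' + username + ' ' + newPassword;
        return "Executing command in Host: " + cmdLine;
    }

    // Hardened pattern: identical log statement, but concatenation invokes toString(),
    // which never contains the secret.
    static String hardenedLogLine(SafeCommandLine cmd) {
        return "Executing command in Host: " + cmd;
    }

    public static void main(String[] args) {
        // Constructed sample inputs (hypothetical script name, not a real credential).
        String path = "/opt/cloud/bin/";
        String script = "update_host_passwd.sh";
        String user = "root";
        String password = "Ex4mple-Secret";

        System.out.println(vulnerableLogLine(path, script, user, password));

        SafeCommandLine cmd = new SafeCommandLine(path, script, user, password);
        System.out.println(hardenedLogLine(cmd));

        // Self-check: the logged form must not contain the secret; the executed form must.
        if (hardenedLogLine(cmd).contains(password) || !cmd.forExecution().contains(password)) {
            throw new AssertionError("redaction is broken");
        }
    }
}
```

Compile and run with javac SafeCommandLine.java && java SafeCommandLine; the first printed line shows the leaking form, the second the masked form. Masking the log is the minimum fix for this report; note that a password passed as a command-line argument is also visible in the process listing on the remote host for the lifetime of the script, so passing it over standard input instead of argv closes that second exposure.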
