
Security: HMAC Signatures and API Keys Logged in Plaintext Across Authentication Components #11988

@YLChen-007

Description


Summary

Multiple authentication components log sensitive cryptographic material (HMAC signatures, API keys, timestamps) at DEBUG and INFO levels without masking. This exposes shared secret derivatives that can be used for request replay attacks, signature analysis, and authentication bypass attempts.

Severity

Critical - Exposure of HMAC signatures and API keys enables request replay attacks and potential compromise of the authentication mechanism.


Vulnerability Details

1. SSO Authentication Signature Leakage

Location

  • File: server/src/main/java/com/cloud/user/AccountManagerImpl.java
  • Method: getUserAccountForSSO()
  • Line:

logger.debug("Missing parameters in login request, signature = " + signature + ", timestamp = " + timestamp);


2. Console Proxy API Authentication Leakage

Location

  • File: client/tomcatconf/ConsoleProxyServlet.java (or similar path)
  • Method: verifyRequest()

LOGGER.debug("expired session, missing signature, or missing apiKey -- ignoring request...sig: " + signature + ", apiKey: " + apiKey);

Exposed Data

  • API Key (plaintext)
  • Incoming HMAC signature
  • Computed HMAC signature (on mismatch)
  • Request validation context
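The two log statements quoted above concatenate the raw signature and API key into the message. The remediation a reviewer would ask for is to pass every credential through a one-way redaction helper before it reaches the logger, so a DEBUG line still lets an operator correlate failures without ever containing replayable material. The following is an added example written for this issue, not CloudStack code; the class name `LogRedaction`, the `fingerprint()` helper and the sample values are all constructed for illustration.

```java
// Added example (not CloudStack code): redact credentials before they reach a log line.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class LogRedaction {

    private LogRedaction() {}

    /**
     * Returns "<null>" for null, "<empty>" for "", otherwise a non-reversible
     * fingerprint: the first 8 hex characters of SHA-256 plus the input length,
     * e.g. "sha256:3a7bd3e2...(len=44)". Enough to tell two log lines about the
     * same key apart, useless for replaying the request.
     */
    public static String fingerprint(String secret) {
        if (secret == null) return "<null>";
        if (secret.isEmpty()) return "<empty>";
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(secret.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder("sha256:");
            for (int i = 0; i < 4; i++) {
                sb.append(String.format("%02x", digest[i]));
            }
            return sb.append("...(len=").append(secret.length()).append(')').toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /** The ConsoleProxy-style rejection message, with fingerprints in place of raw values. */
    public static String rejectedRequestMessage(String signature, String apiKey) {
        return "expired session, missing signature, or missing apiKey -- ignoring request... sig: "
                + fingerprint(signature) + ", apiKey: " + fingerprint(apiKey);
    }

    /** The SSO-style message: report which parameters are absent, never their values. */
    public static String missingParamsMessage(String signature, String timestamp) {
        return "Missing parameters in login request, signature present = " + (signature != null)
                + ", timestamp present = " + (timestamp != null);
    }

    public static void main(String[] args) {
        // Constructed sample values; not real credentials.
        String apiKey = "EXAMPLE-API-KEY-not-a-real-credential";
        String sig = "c2lnbmF0dXJlLWV4YW1wbGU=";
        // Before (what the issue describes): raw material in the log line.
        System.out.println("DEBUG before: ... sig: " + sig + ", apiKey: " + apiKey);
        // After: only fingerprints or presence flags reach the log.
        System.out.println("DEBUG after:  " + rejectedRequestMessage(sig, apiKey));
        System.out.println("DEBUG after:  " + rejectedRequestMessage(null, ""));
        System.out.println("DEBUG after:  " + missingParamsMessage(null, "1700000000"));
    }
}
```

A truncated hash is a safe correlation token only for high-entropy inputs such as API keys and HMAC outputs; for a low-entropy value it would be guessable, so for anything else log presence (`signature != null`) rather than a fingerprint. Either form is also much easier to audit than remembering to lower the log level for each statement.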

Security Impact

Why Signature Exposure is Critical

The signature is an HMAC digest generated from:

signature = HMAC(shared_secret, request_parameters)

This makes it cryptographically sensitive material. Even at DEBUG level, exposure enables:

1. Request Replay Attacks

  • Attacker captures signature + timestamp from logs
  • Replays the exact request to impersonate legitimate client
  • Bypasses authentication if timestamp validation is weak

2. Signature Analysis & Cryptanalysis

  • Collecting multiple signature samples reveals patterns
  • May expose weaknesses in HMAC implementation
  • Could lead to shared secret recovery if implementation is flawed
  • Helps identify signature generation algorithm details

3. Information Disclosure

  • Reveals which requests fail validation (signature mismatch scenarios)
  • Exposes expected signature values (when both supplied and computed are logged)
  • Provides attackers with an oracle for testing signature generation

4. API Key Compromise

  • Direct exposure of API keys enables full account impersonation
  • Combined with signature, gives complete authentication context
  • Permanent credential (unlike session tokens)
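The replay and oracle points above both come down to what the verifier does with a presented signature: whether the timestamp is bound into the MAC and checked against a window, whether the comparison is constant-time, and what gets written to the log when the check fails. The following is an added example, not CloudStack's actual verification code; the `SignedRequestVerifier` class, the `HmacSHA256` algorithm, the 300-second window and the `apiKey=...&expires=...` canonical form are assumptions made for the illustration, and the sample key and secret are constructed.

```java
// Added example (not CloudStack code): timestamp window, constant-time HMAC check,
// and a failure reason that is safe to log in place of the signature or key.
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

public final class SignedRequestVerifier {

    /** What belongs in a DEBUG line on failure: the reason, never the values. */
    public enum Result { OK, MISSING_PARAMS, STALE_TIMESTAMP, BAD_SIGNATURE }

    private static final long MAX_SKEW_SECONDS = 300;    // assumed window for this example
    private static final String HMAC_ALG = "HmacSHA256"; // assumed; a deployment may differ

    private final byte[] sharedSecret;

    public SignedRequestVerifier(byte[] sharedSecret) {
        this.sharedSecret = sharedSecret.clone();
    }

    /** The string under the MAC must bind the timestamp, otherwise the window check binds nothing. */
    public static String canonicalize(String apiKey, String params, long timestamp) {
        return "apiKey=" + apiKey + "&expires=" + timestamp + "&" + params;
    }

    private byte[] hmac(String canonical) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(sharedSecret, HMAC_ALG));
            return mac.doFinal(canonical.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(HMAC_ALG + " unavailable", e);
        }
    }

    /** Client side of the scheme: base64(HMAC(secret, canonical)). */
    public String sign(String canonical) {
        return Base64.getEncoder().encodeToString(hmac(canonical));
    }

    public Result verify(String apiKey, String params, Long timestamp, String presentedSig, long nowSeconds) {
        if (apiKey == null || timestamp == null || presentedSig == null) {
            return Result.MISSING_PARAMS;
        }
        // Freshness first: a signature lifted from a log is only useful inside the window.
        if (Math.abs(nowSeconds - timestamp) > MAX_SKEW_SECONDS) {
            return Result.STALE_TIMESTAMP;
        }
        byte[] presented;
        try {
            presented = Base64.getDecoder().decode(presentedSig);
        } catch (IllegalArgumentException e) {
            return Result.BAD_SIGNATURE;
        }
        byte[] expected = hmac(canonicalize(apiKey, params, timestamp));
        // MessageDigest.isEqual compares equal-length inputs in constant time, so a
        // mismatch leaks neither the position of the first differing byte nor the expected value.
        return MessageDigest.isEqual(expected, presented) ? Result.OK : Result.BAD_SIGNATURE;
    }

    public static void main(String[] args) {
        // Constructed values for the demo; not a real secret or key.
        byte[] secret = "example-shared-secret".getBytes(StandardCharsets.UTF_8);
        SignedRequestVerifier v = new SignedRequestVerifier(secret);
        long now = 1_700_000_000L;
        String params = "command=listVirtualMachines";
        String sig = v.sign(canonicalize("EXAMPLE-KEY", params, now));

        System.out.println("fresh, valid:   " + v.verify("EXAMPLE-KEY", params, now, sig, now + 10));
        System.out.println("replayed later: " + v.verify("EXAMPLE-KEY", params, now, sig, now + 3600));
        System.out.println("tampered:       " + v.verify("EXAMPLE-KEY", "command=listUsers", now, sig, now + 10));
        System.out.println("missing:        " + v.verify("EXAMPLE-KEY", params, null, sig, now));
        // A log statement at this point should carry the Result name only.
    }
}
```

Two design points matter for the issue's impact analysis. Because `expires` is part of the signed string, an attacker who captures a signature from a log cannot extend its lifetime without invalidating it, which turns "bypasses authentication if timestamp validation is weak" into a bounded window. And because the verifier returns a reason code instead of logging the computed MAC on mismatch, the log no longer acts as the oracle described under Information Disclosure.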
