google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
Apache License 2.0

PRP: Request Apache CloudStack XXE Vulnerability (CVE-2022-35741) #263

Closed thiscodecc closed 5 months ago

thiscodecc commented 2 years ago

Hello.

I want to start implementing a plugin to detect Apache CloudStack XXE vulnerabilities CVE-2022-35741

Reference

https://lists.apache.org/thread/hwhxvtwp1d5dsm156bsf1cnyvtmrfv3f
https://nvd.nist.gov/vuln/detail/CVE-2022-35741

Description

Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection. This plugin is not enabled by default and the attacker would require that this plugin be enabled to exploit the vulnerability. When the SAML 2.0 plugin is enabled, affected versions of Apache CloudStack could potentially allow the exploitation of XXE vulnerabilities. The SAML 2.0 messages constructed during the authentication flow in Apache CloudStack are XML-based and the XML data is parsed by various standard libraries that are now understood to be vulnerable to XXE injection attacks such as arbitrary file reading, possible denial of service, and server-side request forgery (SSRF) on the CloudStack management server.

Score: 9.8 CRITICAL Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

versions:

4.5.0 < version < 4.16.1.1

Vulnerability check

The vulnerability should be relatively new and have already been patched. yes
The vulnerability should have a relatively large impact radius. yes
The vulnerability should be remotely exploitable without authentication and user interaction. yes
The detector should provide a reliable false-positive free detection report. yes
The detector should have good unit test coverage. Google's open source projects should be thoroughly tested and there is no exception for the Tsunami project. yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. yes
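To make concrete what the advisory text quoted above describes (a SYSTEM entity declared in a DOCTYPE being expanded while a Service Provider parses a SAML message, and the resulting local file read), here is an added Python example. It is not code from this issue, from Tsunami or from Apache CloudStack, and it says nothing about how CloudStack's own parser was configured: Python's standard-library SAX parser stands in for the Java XML libraries the advisory mentions, with external general entity resolution switched on to reproduce the dangerous configuration and switched off (plus a DOCTYPE rejection) to show the hardened form. The SAML Response, the "secret" properties file and its path are all constructed for the demo.

```python
import io
import os
import tempfile
import xml.sax
import xml.sax.handler
from typing import Optional


class _NameIDCollector(xml.sax.handler.ContentHandler):
    """Collects the text of the first NameID element: the kind of value a
    SAML Service Provider pulls out of a Response to identify the user."""

    def __init__(self):
        super().__init__()
        self._in_name_id = False
        self._done = False
        self.name_id = ""

    def startElement(self, name, attrs):
        # Non-namespace-aware SAX delivers the qualified name, e.g. "saml:NameID".
        if name.endswith("NameID") and not self._done:
            self._in_name_id = True

    def characters(self, content):
        # Text arrives in chunks; text from an expanded external entity arrives here too.
        if self._in_name_id:
            self.name_id += content

    def endElement(self, name):
        if name.endswith("NameID") and self._in_name_id:
            self._in_name_id = False
            self._done = True


def read_name_id(saml_response: bytes, resolve_external_entities: bool) -> str:
    """Parse a SAML Response and return its NameID text.

    resolve_external_entities=True stands in for the XXE-prone configuration:
    SYSTEM entities declared in the DOCTYPE are fetched and inlined."""
    handler = _NameIDCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external_entities)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(saml_response))
    return handler.name_id


def read_name_id_hardened(saml_response: bytes) -> str:
    """A SAML message has no legitimate reason to carry a DTD, so reject any
    DOCTYPE before the parser sees it; this removes the XXE surface even if the
    parser is later reconfigured. The byte check assumes an ASCII-compatible
    encoding such as UTF-8 (decode first for anything else)."""
    if b"<!DOCTYPE" in saml_response:
        raise ValueError("DTD not allowed in SAML message")
    return read_name_id(saml_response, resolve_external_entities=False)


def build_response(name_id: str = "", entity_path: Optional[str] = None) -> bytes:
    """Constructed sample: a minimal SAML Response. With entity_path set, the
    DOCTYPE declares a SYSTEM entity for that file and NameID references it."""
    doctype = ""
    if entity_path is not None:
        doctype = f'<!DOCTYPE Response [ <!ENTITY xxe SYSTEM "{entity_path}"> ]>\n'
        name_id = "&xxe;"
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        + doctype
        + '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"\n'
        '                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"\n'
        '                ID="_constructed" Version="2.0">\n'
        '  <saml:Assertion>\n'
        '    <saml:Subject>\n'
        f'      <saml:NameID>{name_id}</saml:NameID>\n'
        '    </saml:Subject>\n'
        '  </saml:Assertion>\n'
        '</samlp:Response>\n'
    ).encode("utf-8")


def demo() -> dict:
    """Run each parser configuration against a throwaway file standing in for
    something sensitive on the management server (constructed secret)."""
    secret = "db.password=constructed-secret"
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as f:
        f.write(secret)
        path = f.name
    try:
        malicious = build_response(entity_path=path)
        benign = build_response("alice@example.org")
        results = {
            "secret": secret,
            # XXE-prone configuration: the file contents come back as the NameID
            "vulnerable": read_name_id(malicious, resolve_external_entities=True),
            # Python's default since 3.7.1: the unresolved entity yields no text
            "default": read_name_id(malicious, resolve_external_entities=False),
            # the hardened reader still handles an ordinary message
            "benign": read_name_id_hardened(benign),
        }
        try:
            read_name_id_hardened(malicious)
            results["hardened"] = "parsed"
        except ValueError:
            results["hardened"] = "rejected"
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10} {value!r}")
```

The same shape applies to a detector: a probe message only needs a DOCTYPE with a SYSTEM entity and a place in the SAML message where the expanded text is reflected or observable, while a non-vulnerable endpoint either drops the entity or rejects the DTD outright.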

tooryx commented 6 months ago

Hi @thiscodecc,

We are currently not sure if we would like to pursue the development of this plugin. To have a better idea of the use of CloudStack, could you instead start by working on the fingerprints? If you are still interested in contributing, please open a new issue for fingerprinting Apache CloudStack and then we will accept it.

~tooryx

tooryx commented 5 months ago

Closing as inactive. Please create a new issue for Cloudstack fingerprints if you are still interested to contribute.

~tooryx