CVE CyberSecurity Database News

CVE-2024-53865 - Sensitive Passwords Logged in Clear Text in zhmcclient Python Package

Poster -

Date disclosed: June 2024
Severity: High
Affected package: zhmcclient (versions before 1.18.1)
Upgrade now: zhmcclient 1.18.1 released
CWE: CWE-532: Insertion of Sensitive Information into Log File

What Is CVE-2024-53865?

CVE-2024-53865 is a security vulnerability in the zhmcclient Python package. If you use IBM Z HMC (Hardware Management Console) and interact with it in Python, chances are you might be using zhmcclient. This package is meant to simplify working with mainframe systems, but a serious bug in versions up to 1.18. can leak passwords to your logs in plain, readable text.

Impact: Who Is Affected?

Anyone using zhmcclient versions before 1.18.1 AND enabling the zhmcclient.api or zhmcclient.hmc loggers will have password-like fields written in clear text to their logs if they perform certain actions, such as:

Configuring LDAP servers

Your logs might be leaving out *easy-to-grab* secrets like admin passwords or boot FTP credentials for attackers, risk auditors, or even curious insiders.

Property: 'bind-password'

The problem occurs only if you have enabled these loggers:

Demonstration: How It Leaks Passwords

Here's a simplified code snippet that shows roughly where the trouble lies (the real vulnerable code is more complex, this illustrates the issue):

import logging
logger = logging.getLogger("zhmcclient.api")
logger.setLevel(logging.DEBUG)

# User creates a partition, passes secret in properties
partition_properties = {
    'boot-ftp-password': 'SUper5ecret!',
    'ssc-master-pw': 'Another$ecret'
}

# This gets logged due to DEBUG level:
logger.debug(f"Creating partition with properties: {partition_properties}")

# The log output:
# DEBUG:zhmcclient.api:Creating partition with properties: {'boot-ftp-password': 'SUper5ecret!', 'ssc-master-pw': 'Another$ecret'}

Where Do These Logs Go?

- Local files: (e.g. /var/log/zhmcclient.log)

How Bad Is It?

- Credential leakage: Anyone who can read the logs can take over user accounts, partitions, storage profiles, and more.
- No workarounds: You can't just disable passwords from logs without upgrading, unless you rewrite the code yourself.

A staff member creates an HMC user with a strong password via zhmcclient.

3. The user creation event, including 'password': 'P@sswrd!', is written verbatim to your log file.

How To Fix

Upgrade to at least zhmcclient 1.18.1.
*This release scrubs or omits known sensitive fields from all log output.*

pip install --upgrade zhmcclient

Upgrade zhmcclient to 1.18.1 or newer _immediately._

2. Search your logs (past and present) for leaked credentials. If you find any, change those passwords everywhere they’re used.
3. Audit your logging configuration: Think before using DEBUG/INFO levels for sensitive systems.

References

- Official GitHub Security Advisory (GHSA-r58p-4h8c-9jvc)
- Zhmcclient release 1.18.1 Changelog
- NVD Entry for CVE-2024-53865
- PyPI page for zhmcclient
- CWE-532: Insertion of Sensitive Information into Log File

Final Thoughts

CVE-2024-53865 serves as a reminder:
Log files are not meant for secrets. Always keep your dependencies up to date, audit your logs regularly, and never underestimate the impact of “just logging everything.” This vulnerability is easy to fix, but impossible to workaround without losing insight into your logs or editing the library yourself.

Timeline

Published on: 11/29/2024 19:15:09 UTC