The required feature described as a wish
Description: CloudStack ships with a default administrative password and database encryption key, both set to the string "password". Neither value is randomized at install time, and the administrator is not prompted to change them during setup. Note that the database encryption key cannot be changed afterwards.
Affected Components: Management
Impact: An attacker with knowledge of the default credentials, which are publicly documented, can authenticate to the CloudStack Management UI without any prior reconnaissance or effort. Additionally, if the database encryption key is not changed, an attacker who gains read access to the database (e.g., via SQL injection, a misconfigured backup, or direct server access) can decrypt all protected fields, including API secret keys, passwords, and other credentials, using the known default key.
Steps to Reproduce:
- Deploy a fresh CloudStack instance following the official documentation.
- Attempt to log in using the username `admin` and the password `password`.
- Observe that login succeeds without any prompt to change the default password.
- Separately, inspect the database encryption key on the management server:
  `$ cat /etc/cloudstack/management/key`
- Observe that the encryption key is set to the default value `password`.
Recommended Remediation: Generate a unique password and database encryption key from a reliable source of entropy during installation (before the system becomes operational). Neither value should have a usable default.
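
One way to check for the condition reported above and to generate the key at install time, as an added example that is not part of the original report and not CloudStack's own installer code. The key path is the one shown in the report; the function names, the exit codes and the 32-character minimum are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit a management key file and create one on first install.
# KEY_FILE defaults to the path shown in the report; everything else here
# (function names, MIN_LEN, exit codes) is an assumption of this example.
KEY_FILE="${KEY_FILE:-/etc/cloudstack/management/key}"
MIN_LEN=32

# Print a 64-hex-character secret (256 bits) read from the kernel CSPRNG.
gen_secret() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Exit status: 0 acceptable, 1 default value or too short,
#              2 file missing, 3 readable by group or other.
audit_key_file() {
    f="${1:-$KEY_FILE}"
    [ -f "$f" ] || return 2
    key=$(tr -d '\r\n' < "$f")
    [ "$key" != "password" ] || return 1
    [ "${#key}" -ge "$MIN_LEN" ] || return 1
    # Characters 5-10 of the mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || return 3
    return 0
}

# Write a fresh secret to a new file with mode 0600. Never overwrite: the
# report notes that the database encryption key cannot be changed afterwards,
# so replacing an existing key would orphan data encrypted under it.
install_key() {
    f="${1:-$KEY_FILE}"
    [ ! -e "$f" ] || return 1
    # umask gives 0600 on creation; noclobber (set -C) closes the race
    # between the existence check and the write.
    ( umask 077 && set -C && gen_secret > "$f" )
}
```

Source the file and call `audit_key_file` on an existing deployment, or `install_key` before the management server first starts; both take an optional path argument.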