CF workflows leak credentials in system audit logs

Vulnerability

The vulnerability affects Cloud Foundry Notifications (all versions prior to 63), SMB-volume release (all versions prior to 3.1.19), and cf-nfs-volume release (5.0.X versions prior to 5.0.27, 7.1.X versions prior to 7.1.19). Kernel audit logging is enabled on some components, causing various lifecycle workflows that use admin or service credentials in binary invocations to be recorded. The audit logging captures arguments passed to binary invocations that access the filesystem, thereby exposing credentials [1].

Exploitation

An attacker with access to the kernel audit logs on the affected Cloud Foundry components can retrieve the recorded credentials. No special network position or user interaction beyond gaining access to the logs is required. The attacker can then use these credentials to perform actions such as deploying applications on the Cloud Foundry instance [1].

Impact

Successful exploitation leads to credential disclosure. A malicious user can leverage the leaked admin or service credentials to deploy apps on the CF instance, potentially gaining unauthorized access and control over the platform [1].

Mitigation

Users should upgrade to fixed versions: Notifications 63 or later, SMB-volume 3.1.19 or later, cf-nfs-volume 5.0.27 or 7.1.19 or later. The vulnerability was disclosed on 2023-06-15 [1]. No workaround is mentioned; upgrading is the recommended mitigation.