yahoo-eng-team team mailing list archive

[Bug 1638312] Re: EC2 credentials are cached on disk


This bug was fixed in the package cloud-init -
0.7.9-48-g1c795b9-0ubuntu1~16.10.1

---------------
cloud-init (0.7.9-48-g1c795b9-0ubuntu1~16.10.1) yakkety; urgency=medium

  * debian/rules: install Z99-cloudinit-warnings.sh to /etc/profile.d
  * debian/patches/ds-identify-behavior-yakkety.patch: adjust default
    behavior of ds-identify for SRU (LP: #1669675, #1660385).
  * New upstream snapshot.
    - Support warning if the used datasource is not in ds-identify's list
      (LP: #1669675).
    - DatasourceEc2: add warning message when not on AWS. (LP: #1660385)
    - Z99-cloudinit-warnings: Add profile.d script for showing warnings on
    - Z99-cloud-locale-test.sh: convert tabs to spaces, remove unnecessary
      execute bit in permissions.
    - (RedHat) net: correct errors in cloudinit/net/sysconfig.py
      [Lars Kellogg-Stedman]
    - ec2_utils: fix MetadataLeafDecoder that returned bytes on empty
    - Fix eni rendering of multiple IPs per interface [Ryan Harper]
      (LP: #1657940)
    - Add 3 ecdsa-sha2-nistp* ssh key types now that they are standardized
      [Lars Kellogg-Stedman]
    - EC2: Do not cache security credentials on disk [Andrew Jorgensen]
      (LP: #1638312)
    - OpenStack: Use timeout and retries from config in get_data.
      [Lars Kellogg-Stedman] (LP: #1657130)
    - Fixed Misc issues related to VMware customization. [Sankar Tanguturi]
    - (RedHat) Use dnf instead of yum when available [Lars Kellogg-Stedman]
    - Get early logging logged, including failures of cmdline url.
    - test / doc / build environment changes
      - Remove style checking during build and add latest style checks to
        tox [Joshua Powers]
      - code-style: make master pass pycodestyle (2.3.1) cleanly, currently
        [Joshua Powers]
      - Fix small typo and change iso-filename for consistency
      - tools/mock-meta: support python2 or python3 and ipv6 in both.
      - tests: remove executable bit on test_net, so it runs, and fix it.
      - tests: No longer monkey patch httpretty for python 3.4.2
      - reset httppretty for each test [Lars Kellogg-Stedman]
      - build: fix running Make on a branch with tags other than master
      - doc: Fix typos and clarify some aspects of the part-handler
        [Erik M. Bray]
      - doc: add some documentation on OpenStack datasource.
      - Fix minor docs typo: perserve > preserve [Jeremy Bicha]
      - validate-yaml: use python rather than explicitly python3

 -- Scott Moser <smoser@xxxxxxxxxx>  Mon, 06 Mar 2017 16:37:28 -0500

** Changed in: cloud-init (Ubuntu Yakkety)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1638312

Title:
  EC2 credentials are cached on disk

Status in cloud-init:
  Fix Committed
Status in cloud-init package in Ubuntu:
  Fix Released
Status in cloud-init source package in Xenial:
  Fix Released
Status in cloud-init source package in Yakkety:
  Fix Released

Bug description:
  === Begin SRU Template ===
  [Impact]
  On EC2, instance metadata can include credentials that remain valid for as
  much as 6 hours. Reading these and allowing them to be pickled represents a
  potential vulnerability if a snapshot of the disk is taken and shared as part
  of an AMI.

  The fix applied was simply to avoid reading the security credentials
  in cloud-init.

  [Test Case]
  1. Launch an instance on Ec2.
  2. Verify broken-ness by verifying 'security-credentials' exists in the
     pickled object in /var/lib/cloud/instance/obj.pkl
  3. enable proposed, update, upgrade
  4. clean instance
     rm -Rf /var/lib/cloud /var/log/cloud-init*
  5. reboot
  6. go back in and verify no 'security-credentials' are present.

  [Regression Potential]
  Low, but possible if someone was using the obj.pkl and expecting to
  find credentials there. No one should be doing that.

  Second possibility is if someone was using cloud-init's
  get_instance_metadata and expected to have the security-credentials there.

  === End SRU Template ===
  On EC2, instance metadata can include credentials that remain valid for as much
  as 6 hours. Reading these and allowing them to be pickled represents a
  potential vulnerability if a snapshot of the disk is taken and shared as part
  of an AMI.

  Note that:
  a.) the simple fact of storing the credentials in a file that is readable only by root is not a serious problem as any attacker on the system has access to the network available data.
  b.) General care needs to be taken for anyone "capturing" an ami and then making it public.

  The suggested fix is to skip security-credentials when walking the
  meta-data tree.
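The two pieces of this bug, the fix (skip the security-credentials subtree while walking the meta-data tree) and the test case check (look for 'security-credentials' in /var/lib/cloud/instance/obj.pkl), as an added example that is not cloud-init's own code. The metadata tree, role name and credential values below are constructed stand-ins; the walker models the EC2 listing format (directory keys end in "/") and is a simplification of what cloud-init does, not its actual API. The obj.pkl check deliberately scans the file's raw bytes instead of unpickling it, because pickle.load() executes code from the file, which is exactly what you do not want to do with an object taken from a shared image.

```python
import pickle

# Constructed stand-in for an EC2 instance metadata tree (not real data).
# Keys ending in "/" are directories, as in the EC2 metadata listing format.
SAMPLE_METADATA = {
    "instance-id": "i-0123456789abcdef0",   # constructed
    "ami-id": "ami-0123456789abcdef0",      # constructed
    "iam/": {
        "info": '{"InstanceProfileArn": "arn:aws:iam::111122223333:instance-profile/example"}',
        "security-credentials/": {
            # constructed placeholder credentials; the real ones are valid for hours
            "example-role": '{"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "EXAMPLE", "Token": "EXAMPLE"}',
        },
    },
    "network/": {
        "interfaces/": {"macs/": {"0a:00:00:00:00:01/": {"local-ipv4s": "10.0.0.5"}}},
    },
}

CREDENTIAL_KEY = "security-credentials"
DEFAULT_OBJ_PKL = "/var/lib/cloud/instance/obj.pkl"   # path named in the test case


def walk_metadata(tree, skip_credentials=True):
    """Materialize the metadata tree into a nested dict.

    With skip_credentials=True (the fixed behaviour) the security-credentials
    subtree is never read, so it cannot end up in the pickled instance object.
    With skip_credentials=False (the pre-fix behaviour) everything is copied.
    """
    out = {}
    for key, value in tree.items():
        name = key.rstrip("/")
        if skip_credentials and name == CREDENTIAL_KEY:
            continue
        if isinstance(value, dict):
            out[name] = walk_metadata(value, skip_credentials)
        else:
            out[name] = value
    return out


def materialize_and_pickle(skip_credentials=True):
    """Walk the constructed tree and pickle the result, as cloud-init pickles
    its datasource object into obj.pkl (hypothetical simplification)."""
    return pickle.dumps(walk_metadata(SAMPLE_METADATA, skip_credentials))


def pickled_bytes_leak_credentials(pickled: bytes) -> bool:
    """Step 2 of the test case: does the pickle contain the credential key?

    String keys are stored verbatim inside a pickle, so a byte scan finds them
    without calling pickle.load(), which would execute whatever the file holds.
    """
    return CREDENTIAL_KEY.encode() in pickled


def obj_pkl_leaks_credentials(path=DEFAULT_OBJ_PKL) -> bool:
    """Run the same check against an on-disk obj.pkl (e.g. inside a mounted
    snapshot before it is published as an AMI)."""
    with open(path, "rb") as fh:
        return pickled_bytes_leak_credentials(fh.read())


if __name__ == "__main__":
    before = materialize_and_pickle(skip_credentials=False)
    after = materialize_and_pickle(skip_credentials=True)
    print("pre-fix pickle leaks credentials:", pickled_bytes_leak_credentials(before))
    print("fixed pickle leaks credentials:  ", pickled_bytes_leak_credentials(after))
```

Running the script shows the pre-fix materialization carries 'security-credentials' into the pickle while the fixed walk does not; obj_pkl_leaks_credentials() applies the same byte scan to a real obj.pkl, which is the check to run on a disk you intend to capture as an AMI.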

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1638312/+subscriptions