yahoo-eng-team team mailing list archive
Message #67920
[Bug 1638312] Re: EC2 credentials are cached on disk
This bug is believed to be fixed in cloud-init in 17.1. If this is still
a problem for you, please make a comment and set the state back to New.
Thank you.
** Changed in: cloud-init
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1638312
Title:
EC2 credentials are cached on disk
Status in cloud-init:
Fix Released
Status in cloud-init package in Ubuntu:
Fix Released
Status in cloud-init source package in Xenial:
Fix Released
Status in cloud-init source package in Yakkety:
Fix Released
Bug description:
=== Begin SRU Template ===
[Impact]
On EC2, instance metadata can include credentials that remain valid for as
much as 6 hours. Reading these and allowing them to be pickled represents a
potential vulnerability if a snapshot of the disk is taken and shared as part
of an AMI.
The fix applied was simply to avoid reading the security credentials
in cloud-init.
[Test Case]
1. Launch an instance on EC2.
2. Verify brokenness by verifying 'security-credentials' exists in the
pickled object in /var/lib/cloud/instance/obj.pkl
3. enable proposed, update, upgrade
4. clean instance
rm -Rf /var/lib/cloud /var/log/cloud-init*
5. reboot
6. go back in and verify no 'security-credentials' are present.
[Regression Potential]
Low, but possible if someone was using the obj.pkl and expecting to
find credentials there. No one should be doing that.
Second possibility is if someone was using cloud-init's
get_instance_metadata and expected to have the security-credentials there.
=== End SRU Template ===
On EC2, instance metadata can include credentials that remain valid for as much
as 6 hours. Reading these and allowing them to be pickled represents a
potential vulnerability if a snapshot of the disk is taken and shared as part
of an AMI.
Note that:
a.) the simple fact of storing the credentials in a file that is readable only by root is not a serious problem as any attacker on the system has access to the network available data.
b.) General care needs to be taken for anyone "capturing" an AMI and then making it public.
The suggested fix is to skip security-credentials when walking the
meta-data tree.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1638312/+subscriptions
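The two checks the bug report describes (skipping the security-credentials node when walking the meta-data tree, and verifying that a cached obj.pkl no longer contains it) can be illustrated with the following added example. It is not cloud-init's own code: the function names, the constructed sample metadata tree (placeholder role name and credential values) and the temporary-file cache are all assumptions made for the demonstration. The pickle check scans the file's bytes rather than unpickling it, so a cache of uncertain origin is never executed.

```python
"""
Added example (not cloud-init's code) for bug 1638312:

1. strip_security_credentials(): walk a metadata tree (a nested dict of the
   kind cloud-init builds from the EC2 metadata service) and drop every
   'security-credentials' subtree before the tree is persisted.
2. pickle_mentions_credentials(): check a cached obj.pkl for the marker
   bytes without unpickling it, so the check never executes pickle opcodes.
"""
import pickle
import tempfile
from typing import Any, Tuple

CREDENTIAL_KEY = "security-credentials"

# Constructed sample resembling the EC2 meta-data tree; the role name and
# credential values are placeholders, not real data.
SAMPLE_METADATA = {
    "instance-id": "i-0123456789abcdef0",
    "iam": {
        "info": {"InstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/example"},
        "security-credentials": {
            "example-role": {
                "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
                "SecretAccessKey": "placeholder-secret",
                "Token": "placeholder-token",
                "Expiration": "2016-11-01T00:00:00Z",
            }
        },
    },
    "public-keys": {"0": {"openssh-key": "ssh-rsa AAAA... placeholder"}},
}


def strip_security_credentials(node: Any) -> Any:
    """Return a copy of the tree with every 'security-credentials' subtree
    removed, at any depth. Lists are walked; scalars are returned as-is."""
    if isinstance(node, dict):
        return {k: strip_security_credentials(v)
                for k, v in node.items() if k != CREDENTIAL_KEY}
    if isinstance(node, list):
        return [strip_security_credentials(v) for v in node]
    return node


def contains_key(node: Any, key: str) -> bool:
    """True if `key` occurs as a dict key anywhere in the tree."""
    if isinstance(node, dict):
        return any(k == key or contains_key(v, key) for k, v in node.items())
    if isinstance(node, list):
        return any(contains_key(v, key) for v in node)
    return False


def pickle_mentions_credentials(path: str) -> bool:
    """Check a cached pickle (e.g. /var/lib/cloud/instance/obj.pkl) for the
    credentials marker by scanning its bytes. Deliberately never calls
    pickle.load(): unpickling runs arbitrary constructors from the file."""
    with open(path, "rb") as fh:
        return CREDENTIAL_KEY.encode() in fh.read()


def write_cache(tree: Any) -> str:
    """Persist a tree the way a pickled cache would and return its path.
    Demonstration helper only (uses a temporary file, not obj.pkl)."""
    with tempfile.NamedTemporaryFile("wb", suffix=".pkl", delete=False) as fh:
        pickle.dump(tree, fh, protocol=pickle.HIGHEST_PROTOCOL)
        return fh.name


def demo() -> Tuple[bool, bool]:
    """Return (before, after): whether the cache mentions credentials when the
    raw tree is cached versus when the stripped tree is cached."""
    before = pickle_mentions_credentials(write_cache(SAMPLE_METADATA))
    after = pickle_mentions_credentials(
        write_cache(strip_security_credentials(SAMPLE_METADATA)))
    return before, after


if __name__ == "__main__":
    raw_leaks, stripped_leaks = demo()
    print(f"raw cache mentions credentials: {raw_leaks}; "
          f"stripped cache mentions credentials: {stripped_leaks}")
```

On a real instance, pointing pickle_mentions_credentials() at /var/lib/cloud/instance/obj.pkl reproduces step 2 and step 6 of the test case above without loading the pickle; a True result after upgrading means the cache still predates the fix and the instance clean-up and reboot from steps 4 and 5 have not yet been done.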