[Bug 1918303] Re: Randomly set credentials written in cleartext to world-readable file

This bug was fixed in the package cloud-init -
21.1-19-gbad84ad4-0ubuntu1~20.10.1

---------------
cloud-init (21.1-19-gbad84ad4-0ubuntu1~20.10.1) groovy; urgency=medium

  * d/cloud-init.postinst: Change output log permissions on upgrade
    (LP: #1918303)
  * d/cloud-init.manpages: include upstream manpages in package (LP: #1908548)
  * drop the following cherry-picks now included:
    + cpick-4f62ae8d-Fix-regression-with-handling-of-IMDS-ssh-keys-760
  * New upstream snapshot. (LP: #1920272)
    - .travis.yml: generate an SSH key before running tests (#848)
    - write passwords only to serial console, lock down cloud-init-output.log
      (#847)
    - Fix apt default integration test (#845)
    - integration_tests: bump pycloudlib dependency (#846)
    - commit f35181fa970453ba6c7c14575b12185533391b97 [eb3095]
    - archlinux: Fix broken locale logic (#841) [Kristian Klausen]
    - Integration test for #783 (#832)
    - integration_tests: mount more paths IN_PLACE (#838)
    - Fix requiring device-number on EC2 derivatives (#836)
    - Remove the vi comment from the part-handler example (#835)
    - net: exclude OVS internal interfaces in get_interfaces (#829)
    - tox.ini: pass OS_* environment variables to integration tests (#830)
    - integration_tests: add OpenStack as a platform (#804)
    - Add flexibility to IMDS api-version (#793) [Thomas Stringer]
    - Fix the TestApt tests using apt-key on Xenial and Hirsute (#823)
      [Paride Legovini]
    - doc: remove duplicate "it" from nocloud.rst (#825) [V.I. Wood]
    - archlinux: Use hostnamectl to set the transient hostname (#797)
      [Kristian Klausen]
    - cc_keys_to_console.py: Add documentation for recently added config key
      (#824) [dermotbradley]
    - Update cc_set_hostname documentation (#818) [Toshi Aoyama]
    - Release 21.1 (#820)
    - Azure: Support for VMs without ephemeral resource disks. (#800)
      [Johnson Shi]
    - cc_keys_to_console: add option to disable key emission (#811)
      [Michael Hudson-Doyle]
    - integration_tests: introduce lxd_use_exec mark (#802)
    - azure: case-insensitive UUID to avoid new IID during kernel upgrade
      (#798)
    - stale.yml: don't ask submitters to reopen PRs (#816)
    - integration_tests: fix use of SSH agent within tox (#815)
    - integration_tests: add UPGRADE CloudInitSource (#812)
    - integration_tests: use unique MAC addresses for tests (#813)
    - Update .gitignore (#814)
    - Port apt cloud_tests to integration tests (#808)
    - integration_tests: fix test_gh626 on LXD VMs (#809)
    - Fix attempting to decode binary data in test_seed_random_data test (#806)
    - Remove wait argument from tests with session_cloud calls (#805)
    - Datasource for UpCloud (#743) [Antti Myyrä]
    - test_gh668: fix failure on LXD VMs (#801)
    - openstack: read the dynamic metadata group vendor_data2.json (#777)
      [Andrew Bogott]
    - includedir in sudoers can be prefixed by "arroba" (#783)
      [Jordi Massaguer Pla]
    - Merge upstream/20.4.1 into master
    - [VMware] change default max wait time to 15s (#774) [xiaofengw-vmware]
    - Revert integration test associated with reverted #586 (#784)
    - Add jordimassaguerpla as contributor (#787) [Jordi Massaguer Pla]
    - Add Rick Harding to CLA signers (#792) [Rick Harding]
    - HACKING.rst: add clarifying note to LP CLA process section (#789)
    - Stop linting cloud_tests (#791)
    - cloud-tests: update cryptography requirement (#790) [Joshua Powers]
    - Remove 'remove-raise-on-failure' calls from integration_tests (#788)
    - Use more cloud defaults in integration tests (#757)
    - Adding self to cla signers (#776) [Andrew Bogott]
    - doc: avoid two warnings (#781) [Dan Kenigsberg]
    - Use proper spelling for Red Hat (#778) [Dan Kenigsberg]
    - Add antonyc to .github-cla-signers (#747) [Anton Chaporgin]
    - integration_tests: log image serial if available (#772)
    - Revert "ssh_util: handle non-default AuthorizedKeysFile config (#586)"
      (#775)
    - [VMware] Support cloudinit raw data feature (#691) [xiaofengw-vmware]
    - net: Fix static routes to host in eni renderer (#668) [Pavel Abalikhin]
    - .travis.yml: don't run cloud_tests in CI (#756)
    - test_upgrade: add some missing commas (#769)
    - cc_seed_random: update documentation and fix integration test (#771)
    - Fix test gh-632 test to only run on NoCloud (#770)
    - archlinux: fix package upgrade command handling (#768) [Bao Trinh]
    - integration_tests: add integration test for LP:1910835 (#761)
    - Fix regression with handling of IMDS ssh keys (#760) [Thomas Stringer]
    - integration_tests: log cloud-init version in SUT (#758)
    - Add ajmyyra as contributor (#742) [Antti Myyrä]
    - net_convert: add some missing help text (#755)
    - Missing IPV6_AUTOCONF=no to render sysconfig dhcp6 stateful on RHEL
      (#753) [Eduardo Otubo]
    - doc: document missing IPv6 subnet types (#744) [Antti Myyrä]
    - Add example configuration for datasource `AliYun` (#751) [Xiaoyu Zhong]
    - integration_tests: add SSH key selection settings (#754)
    - fix a typo in man page cloud-init.1 (#752) [Amy Chen]
    - network-config-format-v2.rst: add Netplan Passthrough section (#750)
    - stale: re-enable post holidays (#749)
    - integration_tests: port ca_certs tests from cloud_tests (#732)
    - Azure: Add telemetry for poll IMDS (#741) [Johnson Shi]
    - doc: move testing section from HACKING to its own doc (#739)
    - No longer allow integration test failures on travis (#738)
    - stale: fix error in definition (#740)
    - integration_tests: set log-cli-level to INFO by default (#737)
    - PULL_REQUEST_TEMPLATE.md: use backticks around commit message (#736)
    - stale: disable check for holiday break (#735)
    - integration_tests: log the path we collect logs into (#733)
    - .travis.yml: add (most) supported Python versions to CI (#734)
    - integration_tests: fix IN_PLACE CLOUD_INIT_SOURCE (#731)
    - cc_ca_certs: add RHEL support (#633) [cawamata]
    - Azure: only generate config for NICs with addresses (#709)
      [Thomas Stringer]
    - doc: fix CloudStack configuration example (#707) [Olivier Lemasle]
    - integration_tests: restrict test_lxd_bridge appropriately (#730)
    - Add integration tests for CLI functionality (#729)
    - Integration test for gh-626 (#728)
    - Some test_upgrade fixes (#726)
    - Ensure overriding test vars with env vars works for booleans (#727)
    - integration_tests: port lxd_bridge test from cloud_tests (#718)
    - Integration test for gh-632. (#725)
    - Integration test for gh-671 (#724)
    - integration-requirements.txt: bump pycloudlib commit (#723)
    - Drop unnecessary shebang from cmd/main.py (#722) [Eduardo Otubo]
    - Integration test for LP:1813396 and #669 (#719)
    - integration_tests: include timestamp in log output (#720)
    - integration_tests: add test for LP:1898997 (#713)
    - Add integration test for power_state_change module (#717)
    - Update documentation for network-config-format-v2 (#701) [ggiesen]
    - sandbox CA Cert tests to not require ca-certificates (#715)
      [Eduardo Otubo]
    - Add upgrade integration test (#693)
    - Integration test for 570 (#712)
    - Add ability to keep snapshotted images in integration tests (#711)
    - Integration test for pull #586 (#706)
    - integration_tests: introduce skipping of tests by OS (#702)
    - integration_tests: introduce IntegrationInstance.restart (#708)
    - Add lxd-vm to list of valid integration test platforms (#705)
    - Adding BOOTPROTO = dhcp to render sysconfig dhcp6 stateful on RHEL
      (#685) [Eduardo Otubo]
    - Delete image snapshots created for integration tests (#682)
    - Parametrize ssh_keys_provided integration test (#700) [lucasmoura]
    - Drop use_sudo attribute on IntegrationInstance (#694) [lucasmoura]
    - cc_apt_configure: add riscv64 as a ports arch (#687)
      [Dimitri John Ledkov]
    - cla: add xnox (#692) [Dimitri John Ledkov]
    - Collect logs from integration test runs (#675)

 -- James Falcon <james.falcon@xxxxxxxxxxxxx>  Mon, 22 Mar 2021 09:32:45 -0500

** Changed in: cloud-init (Ubuntu Groovy)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1918303

Title:
  Randomly set credentials written in cleartext to world-readable file

Status in cloud-init:
  Fix Committed
Status in cloud-init package in Ubuntu:
  Fix Released
Status in cloud-init source package in Xenial:
  Fix Released
Status in cloud-init source package in Bionic:
  Fix Released
Status in cloud-init source package in Focal:
  Fix Released
Status in cloud-init source package in Groovy:
  Fix Released

Bug description:
  ## Summary

  cloud-init allows administrators to set passwords for user accounts
  via the chpasswd configuration module. Administrators can instruct
  cloud-init to set a random password generated at runtime using the 'R'
  or 'RANDOM' keywords.

  However, cloud-init appears to write all randomly generated passwords
  in cleartext to stderr. Cloud-init's default logging configuration, in
  file /etc/cloud/cloud.cfg.d/05_logging.cfg, redirects both stdout and
  stderr to the log file /var/log/cloud-init-output.log. The file
  /var/log/cloud-init-output.log is world readable. Thus, any
  unprivileged account on the system can view the cleartext password for
  any account which had a random password generated at runtime. The
  credentials are not redacted in the log.

  ## Reproduction

  Pre-requisites: A device with Ubuntu Server 20.04 installed. Ubuntu
  Server comes with cloud-init pre-installed out of the box, but the
  latest release of cloud-init as of this report (21.1) is not available
  in 20.04's apt repositories. You may need to install v21.1 manually.
  You will also need an existing admin account with root privileges.

  1. Login as admin.
  2. Create an unprivileged user account, bob, and set a password. We will use this account to demonstrate unprivileged account access to generated passwords.
  sudo adduser bob
  3. Create another unprivileged user account, alice, and set a password. We will change this account's password with cloud-init.
  sudo adduser alice
  4. Create and open configuration file /etc/cloud/cloud.cfg.d/95_chpasswd.cfg using vim or other editor of your choice.
  sudo vim /etc/cloud/cloud.cfg.d/95_chpasswd.cfg
  5. Add the following chpasswd configuration content to the file then save and exit.
  chpasswd:
    list: |
      alice:RANDOM
  6. cloud-init only runs the chpasswd function on first boot of the OS that cloud-init knows about. For proof of concept purposes, we need to simulate a new instance. Run:
  sudo cloud-init clean
  to reset cloud-init's state.
  7. Reboot the system.
  sudo reboot
  8. Login as unprivileged user bob.
  9. View the password by running
  cat /var/log/cloud-init-output.log | grep alice
  10. Alice's temporary password should appear on terminal in the form alice:<password>
  11. Logout and log back in to the system as alice using the temporary password. You should get access and prompted to set a new password, which confirms the password bob retrieved from the logs is the actual password for alice's account.

  ## Impact

  Any unprivileged user on the system can retrieve all cloud-init
  randomly set credentials. These could potentially be used to access
  other accounts.

  # Notes

  If 'expire: false' is added to the chpasswd config, then leaked
  passwords remain valid until manually changed, which increases the risk
  of unauthorized account access. Otherwise, the default behaviour
  prompts accounts to set a new password at next login, reducing the
  time window for unauthorized access.

  Accounts not used for interactive login might not get passwords
  changed or accounts might get a password set but then not authenticate
  for some time. The precise impact and duration of valid exposed
  credentials appears dependent somewhat on each cloud-init customer's
  environment and how they use cloud-init to set credentials.

  I'm not sure of the best approach to patch this, but perhaps the
  credentials could be written to cloud-init's protected directories or
  files which restrict access to root users only, such as
  /var/run/cloud-init/instance-data-sensitive.json?

  Line 214 of
  https://github.com/canonical/cloud-init/blob/master/cloudinit/config/cc_set_passwords.py
  checks if any random passwords were set and if so prints each one to
  stderr. This might be the root cause.

  Tested on Ubuntu Server 20.04.02, cloud-init latest release 21.1 as of report time. If I can provide any further information please let me know. Thanks!
  -Carl
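The audit and remediation helper below is an added example for the condition this report describes; it is not part of cloud-init, of the Ubuntu packaging fix listed in the changelog above, or of Carl's report. It assumes the default log path /var/log/cloud-init-output.log named in the Summary and that generated credentials are recorded as user:password lines (the form shown in step 10 of the reproduction) beneath an announcement line containing "Set the following 'random' passwords" (that header wording is an assumption). The CLOUD_INIT_OUTPUT_LOG override, all function names, the 0640 root:adm target mode and the sample log used in testing are constructed for this example. The helper reports which usernames have a recorded credential and whether the file is world-readable, never echoes a password, and can drop the world-read bit.

```shell
#!/bin/sh
# Added example: audit whether cloud-init's output log is world-readable and
# whether it carries generated credentials, then restrict it.  Not part of
# cloud-init or of the Ubuntu packaging fix.  Usernames are reported;
# passwords are never printed.

# Default path from the report; CLOUD_INIT_OUTPUT_LOG is a constructed override.
LOG="${CLOUD_INIT_OUTPUT_LOG:-/var/log/cloud-init-output.log}"

# Succeed (0) when "other" has the read bit on the file; fail (1) otherwise
# or when the file is missing.
is_world_readable() {
    f="$1"
    [ -e "$f" ] || return 1
    # GNU stat prints the octal mode; its last digit is the "other" triplet.
    if mode=$(stat -c '%a' "$f" 2>/dev/null); then
        case "$mode" in
            *[4567]) return 0 ;;
            *)       return 1 ;;
        esac
    fi
    # Portable fallback: column 8 of "ls -l" output is the "other" read bit.
    [ "$(ls -ld "$f" | cut -c8)" = "r" ]
}

# Print one username per line for every user:password line that directly
# follows the announcement header (header wording is an assumption; the
# user:password form is from step 10 of the report).  Passwords are dropped.
exposed_users() {
    f="$1"
    [ -r "$f" ] || return 0
    awk '
        /Set the following .random. passwords/ { inblock = 1; next }
        inblock && /^[a-z_][a-z0-9_-]*:[^ \t]+$/ { split($0, a, ":"); print a[1]; next }
        { inblock = 0 }
    ' "$f"
}

count_exposed_users() {
    exposed_users "$1" | wc -l | tr -d ' '
}

# Remediation: remove the world-read bit.  0640 root:adm is this example's
# chosen target, not a value taken from the fix; chown needs root, so a
# failure there is tolerated and the mode change is the essential step.
harden_log() {
    f="$1"
    [ -e "$f" ] || return 0
    chmod 0640 "$f"
    chown root:adm "$f" 2>/dev/null || true
}

# Report on one log file; returns 1 when any exposure is found.
audit_log() {
    f="$1"
    status=0
    if is_world_readable "$f"; then
        echo "WARN: $f is world-readable"
        status=1
    fi
    n=$(count_exposed_users "$f")
    if [ "$n" -gt 0 ]; then
        echo "WARN: $n generated password(s) recorded in $f for: $(exposed_users "$f" | tr '\n' ' ')"
        status=1
    fi
    return "$status"
}

# Run only when invoked as "--audit" (optionally "--audit --fix") so the
# functions can also be sourced from other scripts.
if [ "${1:-}" = "--audit" ]; then
    audit_log "$LOG" || { [ "${2:-}" = "--fix" ] && harden_log "$LOG"; }
fi
```

Run it as `sudo sh audit-cloud-init-log.sh --audit` to report, and add `--fix` to restrict the file once exposure is confirmed; the scan only identifies affected accounts, and each of them still needs its password rotated, since locking the file down does not invalidate a credential that was already readable.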
