cloud-init leaks credentials

Bug #2013967 reported by James Golovich
Affects: cloud-init
Status: Fix Released
Importance: High
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

I have sent this information to Vultr directly, but I wanted to coordinate with the cloud-init security team in case the second issue is due to something other than just a configuration issue.

The Linux hosts (CentOS 9, Ubuntu, Debian) on Vultr leak credentials via two issues.

Issue One:

The Vultr cloud-init DataSource logs the vendor-data which includes credentials. /var/log/cloud-init.log is accessible to any logged in user (not just root) or application.

The code that does this is visible here:
https://github.com/canonical/cloud-init/blob/main/cloudinit/sources/DataSourceVultr.py#L57-L58
        # Dump some data so diagnosing failures is manageable
        LOG.debug("Vultr Vendor Config:")
        LOG.debug(md['vendor-data']['config'])

Here is an excerpt from the log showing this. (This host has been terminated so the credentials are useless)
/var/log/cloud-init.log: "#cloud-config\n{\"package_upgrade\":true,\"disable_root\":false,\"manage_etc_hosts\":true,\"system_info\":{\"default_user\":{\"name\":\"root\"}},\"ssh_pwauth\":1,\"chpasswd\":{\"users\":[{\"name\":\"root\",\"password\":\"$6$6hTD1OeYjWtGUHuX$QAZCC3R67Frau3GV023YLRHjLpueNYlhcoUcwwbEpiK4qQW01xMgP9mLDrxcw.AmOCmMYF8XSQ5sPGg9kG5V5.\"}],\"expire\":false}}",

Debian default file permissions; note cloud-init-output.log is more secure than cloud-init.log due to CVE-2021-3429

root@vultr:~# ls -l /var/log
total 1356
-rw-r--r-- 1 root root 27258 Mar 17 22:27 alternatives.log
drwxr-xr-x 2 root root 4096 Mar 31 03:50 apt
-rw-r----- 1 root adm 1127 Mar 31 03:55 auth.log
-rw-rw---- 1 root utmp 0 Mar 17 22:25 btmp
-rw-r--r-- 1 root adm 122857 Mar 31 03:50 cloud-init.log
-rw-r----- 1 root adm 95409 Mar 31 03:50 cloud-init-output.log
-rw-r----- 1 root adm 176237 Mar 31 03:55 daemon.log
-rw-r----- 1 root adm 8423 Mar 31 03:50 debug
-rw-r--r-- 1 root root 279776 Mar 31 03:50 dpkg.log
-rw-r--r-- 1 root root 3488 Mar 17 22:27 faillog
-rw-r--r-- 1 root root 32 Mar 17 22:27 image_build_date
drwxr-xr-x 3 root root 4096 Mar 17 22:27 installer
drwxr-sr-x+ 4 root systemd-journal 4096 Mar 31 03:50 journal
-rw-r----- 1 root adm 135311 Mar 31 03:55 kern.log
-rw-rw-r-- 1 root utmp 31828 Mar 31 03:55 lastlog
-rw-r----- 1 root adm 128275 Mar 31 03:55 messages
drwxr-xr-x 2 ntp ntp 4096 Sep 23 2020 ntpstats
drwx------ 2 root root 4096 Mar 17 22:27 private
drwxr-xr-x 3 root root 4096 Mar 17 22:26 runit
-rw-r----- 1 root adm 313512 Mar 31 03:55 syslog
-rw-r----- 1 root adm 6974 Mar 31 03:55 ufw.log
drwxr-x--- 2 root adm 4096 Mar 17 22:27 unattended-upgrades
-rw-r----- 1 root adm 774 Mar 31 03:50 user.log
-rw-rw-r-- 1 root utmp 3456 Mar 31 03:55 wtmp

Issue Two:

The vendor-data includes credentials and is saved to the public instance-data.json. The vendor-data should be redacted.

This might be a general cloud-init issue; the issue might be that 'vendor-data' should be added to 'sensitive_keys'.

The permissions on the instance-data.json file are readable by any logged in user (not just root) or application:
-rw-r--r-- 1 root root 6794 Mar 30 04:50 instance-data.json

Here is an excerpt showing the data.
/run/cloud-init/instance-data.json: "#cloud-config\n{\"package_upgrade\":true,\"disable_root\":false,\"manage_etc_hosts\":true,\"system_info\":{\"default_user\":{\"name\":\"root\"}},\"ssh_pwauth\":1,\"chpasswd\":{\"users\":[{\"name\":\"root\",\"password\":\"$6$6hTD1OeYjWtGUHuX$QAZCC3R67Frau3GV023YLRHjLpueNYlhcoUcwwbEpiK4qQW01xMgP9mLDrxcw.AmOCmMYF8XSQ5sPGg9kG5V5.\"}],\"expire\":false}}",

James Falcon (falcojr) wrote :

Thanks for the detailed bug report. Both issues are definitely something we need to fix in cloud-init. We'll work on getting these two issues fixed ASAP and released according to our security guidelines.

Changed in cloud-init:
status: New → Triaged
importance: Undecided → High
Mark Esler (eslerm) wrote :

Thanks @jamesgol and @falcojr

Please refer to this issue as CVE-2023-1786 in patches.

Chad Smith (chad.smith) wrote :

Thank you again James Golovich for the discovery and reporting. Private pull requests created with proposed solutions for this are under review. Security Embargo email to affected parties sent out today and estimated CVE publication date will be agreed upon for this exposure.

Chad Smith (chad.smith) wrote :

Embargo publication and remediation expected on Apr 24th. Details will be posted to this bug once embargo is lifted and remediation released.

Chad Smith (chad.smith) wrote :

Uploads posted to ubuntu-security-collab PPA for final review: Bionic, Focal, Jammy, Kinetic. Fix review in progress for Xenial backport. Expected release date: end of business Apr 25th.

Chad Smith (chad.smith) wrote :

Uploads public for cloud-init version 23.1.2 in the following suites:
  bionic-security, focal-security, jammy-security, kinetic-security and lunar-security.

Additionally for Xenial customers with Ubuntu Pro enabled, the following release is back-ported to xenial-infra-security PPA as version 21.1-19-gbad84ad4-0ubuntu1~16.04.4

Changed in cloud-init:
status: Triaged → Fix Released
Chad Smith (chad.smith) wrote :

The resolution for this security bug is comprised of two fixes: one fix for runtime logic that is run by cloud-init on first boot and every reboot, and one fix for the downstream packaging postinstall script to allow for patching /run/cloud-init/instance-data.json on systems which may not reboot.

The commits are below:

 1. upstream commit in main to set perms 640 always and redact instance-data.json
https://github.com/canonical/cloud-init/commit/a378b7e4f47375458651c0972e7cd813f6fe0a6b

 2. postinstall downstream fix to perform the same operations across package upgrade
https://github.com/canonical/cloud-init/commit/86606eb493f251899c1c6784e8d26743d6a379d2

Separately, a backport to Xenial (16.04) packaging postinst for Ubuntu Pro ESM was necessary:
https://github.com/canonical/cloud-init/commit/857d03609e7d180c2b640a73bcdb8089b7be6093
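As an added illustration of the two remediation ideas on this page (the report's suggestion that 'vendor-data' be treated as a sensitive key and redacted from the world-readable instance-data.json, and the fix summary above that always writes the file with mode 640), here is a small standalone Python example. It is not cloud-init's own code and is not part of this bug thread. The sample instance data, the key names in SENSITIVE_KEYS, the "instance-data-sensitive.json" companion file name and the hypothetical crypt hash are all constructed assumptions for the demonstration. The audit function also covers Issue One: it reports whether a given file is readable by group or others and whether its contents contain a crypt-style password hash, which is the check an operator would run over /var/log/cloud-init.log and /run/cloud-init/instance-data.json on an existing host.

```python
import json
import os
import re
import stat
import tempfile

# Constructed sample. The shape mirrors what the report shows leaking: a
# vendor-data payload carrying a chpasswd hash. Key names are assumptions
# for illustration, not cloud-init's real instance-data schema.
SAMPLE_INSTANCE_DATA = {
    "v1": {"cloud_name": "vultr", "instance_id": "i-example"},
    "ds": {
        "meta-data": {"hostname": "vultr"},
        "vendor-data": (
            "#cloud-config\n"
            '{"chpasswd":{"users":[{"name":"root","password":"$6$EXAMPLE$HASH"}]}}'
        ),
        "user-data": "#cloud-config\nruncmd: [echo hi]",
    },
}

# Keys whose values must never reach a file other users can read. Following
# the report, 'vendor-data' sits here next to 'user-data'.
SENSITIVE_KEYS = {"user-data", "vendor-data", "password", "security-credentials"}
REDACTED = "redacted for non-root user"

# Matches crypt(3)-style hashes ($1$, $5$, $6$, $2a$/$2b$/$2y$, $y$) in text.
CRYPT_HASH = re.compile(r"\$(?:1|5|6|2[aby]?|y)\$[^\s\"']+")


def redact(obj, sensitive=SENSITIVE_KEYS):
    """Return a deep copy of obj with every value stored under a sensitive key replaced."""
    if isinstance(obj, dict):
        return {k: (REDACTED if k in sensitive else redact(v, sensitive))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v, sensitive) for v in obj]
    return obj


def write_json(path, data, mode):
    """Create the file with the final mode up front and fchmod it so the umask cannot widen it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fd, mode)
        json.dump(data, fh, indent=1)
    return path


def publish_instance_data(directory, data):
    """Write the full data root-only (0600) and a redacted copy with mode 0640 (the fix's setting)."""
    sensitive_path = write_json(
        os.path.join(directory, "instance-data-sensitive.json"), data, 0o600)
    public_path = write_json(
        os.path.join(directory, "instance-data.json"), redact(data), 0o640)
    return sensitive_path, public_path


def audit_file(path):
    """Report the two conditions the bug describes: lax permissions and a password hash in the content."""
    st = os.stat(path)
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    return {
        "group_readable": bool(st.st_mode & stat.S_IRGRP),
        "world_readable": bool(st.st_mode & stat.S_IROTH),
        "contains_crypt_hash": bool(CRYPT_HASH.search(text)),
    }


def demo():
    """Write both files into a temp dir and audit them; returns results keyed by file name."""
    directory = tempfile.mkdtemp()
    paths = publish_instance_data(directory, SAMPLE_INSTANCE_DATA)
    return {os.path.basename(p): audit_file(p) for p in paths}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run on a real host, audit_file() is the useful part: point it at /var/log/cloud-init.log and /run/cloud-init/instance-data.json and treat world_readable together with contains_crypt_hash as the signal that the host still carries the unpatched behaviour. The redaction walks the whole structure rather than only the top level, so a sensitive key nested inside a datasource sub-object is caught too.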

Chad Smith (chad.smith)
information type: Private Security → Public Security
Chad Smith (chad.smith) wrote :

This bug is believed to be fixed in cloud-init in version 23.2. If this is still a problem for you, please make a comment and set the state back to New.

Thank you.
