EC2 credentials are cached on disk
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| cloud-init | Fix Released | Medium | Unassigned | |
| cloud-init (Ubuntu) | Fix Released | Medium | Unassigned | |
| Xenial | Fix Released | Medium | Unassigned | |
| Yakkety | Fix Released | Medium | Unassigned | |
Bug Description
=== Begin SRU Template ===
[Impact]
On EC2, instance metadata can include credentials that remain valid for as
much as 6 hours. Reading these and allowing them to be pickled represents a
potential vulnerability if a snapshot of the disk is taken and shared as part
of an AMI.
The fix applied was simply to avoid reading the security credentials
in cloud-init.
[Test Case]
1. Launch an instance on EC2.
2. Verify the broken behaviour by verifying 'security-
pickled object in /var/lib/
3. Enable proposed, update, upgrade.
4. Clean the instance:
rm -Rf /var/lib/cloud /var/log/
5. Reboot.
6. Go back in and verify there is no 'security-
[Regression Potential]
Low, but possible if someone was using the obj.pkl and expecting to
find credentials there. No one should be doing that.
Second possibility is if someone was using cloud-init's
get_instance_
=== End SRU Template ===
On EC2, instance metadata can include credentials that remain valid for as much
as 6 hours. Reading these and allowing them to be pickled represents a
potential vulnerability if a snapshot of the disk is taken and shared as part
of an AMI.
Note that:
a.) Storing the credentials in a file readable only by root is not by itself a serious problem, because any attacker already on the system can fetch the same data from the network-available metadata service.
b.) General care needs to be taken by anyone "capturing" an AMI and then making it public.
The suggested fix is to skip security-
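As an added example (not cloud-init's own code), the two halves of the fix and test case above in Python: a filter that drops the credential subtree from a crawled metadata tree before it can be pickled, and a pre-snapshot check that reports whether a tree (or its pickled form) still carries role credentials. It assumes the EC2 IMDS key name `security-credentials` (under `meta-data/iam/`) and a constructed sample tree.

```python
"""Added example, not cloud-init code: keep EC2 role credentials out of obj.pkl."""
import pickle
from typing import Any, List

# Assumed key name of the EC2 IMDS subtree that carries short-lived role
# credentials (meta-data/iam/security-credentials/<role>/).
SKIP_KEYS = frozenset({"security-credentials"})


def strip_credentials(tree: Any) -> Any:
    """Return a copy of a crawled metadata tree without credential subtrees.

    This mirrors the fix described in the bug: the branch is never read, so
    it can never end up in the pickled datasource on disk."""
    if isinstance(tree, dict):
        return {k: strip_credentials(v) for k, v in tree.items() if k not in SKIP_KEYS}
    if isinstance(tree, list):
        return [strip_credentials(v) for v in tree]
    return tree


def find_credential_paths(tree: Any, prefix: str = "") -> List[str]:
    """List paths of credential subtrees in a tree (pre-snapshot / test-case check)."""
    found: List[str] = []
    if isinstance(tree, dict):
        for k, v in tree.items():
            path = f"{prefix}/{k}"
            if k in SKIP_KEYS:
                found.append(path)
            else:
                found.extend(find_credential_paths(v, path))
    return found


def pickled_contains_secret(tree: Any, needle: bytes = b"SecretAccessKey") -> bool:
    """Pickle the tree (assumed: how obj.pkl is written) and check for a credential field name."""
    return needle in pickle.dumps(tree)


# Constructed sample shaped like an EC2 metadata crawl with a role credential attached.
SAMPLE_METADATA = {
    "instance-id": "i-0123456789abcdef0",
    "iam": {
        "info": {"InstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/example"},
        "security-credentials": {
            "example-role": {
                "AccessKeyId": "ASIAEXAMPLEKEY",
                "SecretAccessKey": "EXAMPLE-SECRET",
                "Token": "EXAMPLE-TOKEN",
                "Expiration": "2016-01-01T06:00:00Z",
            }
        },
    },
}
```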
information type: Private → Private Security
Changed in cloud-init:
  status: New → Confirmed
  importance: Undecided → Medium
Changed in cloud-init:
  status: Confirmed → Fix Committed
Changed in cloud-init (Ubuntu Xenial):
  status: New → Confirmed
Changed in cloud-init (Ubuntu Yakkety):
  status: New → Confirmed
Changed in cloud-init (Ubuntu Xenial):
  importance: Undecided → Medium
Changed in cloud-init (Ubuntu Yakkety):
  importance: Undecided → Medium
description: updated
description: updated
information type: Private Security → Public
Attaching the suggested fix per Andrew. I fixed flake8 complaints in the test, but that is all.