2016-11-01 14:49:42 |
Scott Moser |
bug |
|
|
added bug |
2016-11-01 14:49:50 |
Scott Moser |
information type |
Private |
Private Security |
|
2016-11-01 14:50:02 |
Scott Moser |
bug |
|
|
added subscriber Andrew Jorgensen |
2016-11-01 14:50:05 |
Scott Moser |
cloud-init: status |
New |
Confirmed |
|
2016-11-01 14:50:09 |
Scott Moser |
cloud-init: importance |
Undecided |
Medium |
|
2016-11-01 14:56:04 |
Scott Moser |
attachment added |
|
suggested fix [per andrew] https://bugs.launchpad.net/cloud-init/+bug/1638312/+attachment/4770620/+files/out.diff |
|
2016-11-01 14:57:23 |
Scott Moser |
summary |
ec2 credentials cached on disk |
EC2 credentials are cached on disk |
|
2016-11-01 14:57:34 |
Scott Moser |
bug task added |
|
cloud-init (Ubuntu) |
|
2016-11-01 14:57:41 |
Scott Moser |
cloud-init (Ubuntu): status |
New |
Confirmed |
|
2016-11-01 14:57:44 |
Scott Moser |
cloud-init (Ubuntu): importance |
Undecided |
Medium |
|
2016-11-01 16:01:29 |
Scott Moser |
bug |
|
|
added subscriber Anthony Liguori |
2016-11-03 18:54:04 |
Scott Moser |
bug |
|
|
added subscriber Robert C Jennings |
2016-11-07 11:34:07 |
Scott Moser |
bug |
|
|
added subscriber Dan Watkins |
2016-11-07 12:48:10 |
Dan Watkins |
bug |
|
|
added subscriber Patricia Gaughen |
2016-11-07 17:03:05 |
Patricia Gaughen |
bug |
|
|
added subscriber Jon Grimm |
2017-01-20 18:50:34 |
Scott Moser |
cloud-init: status |
Confirmed |
Fix Committed |
|
2017-02-04 03:49:52 |
Launchpad Janitor |
cloud-init (Ubuntu): status |
Confirmed |
Fix Released |
|
2017-03-03 07:19:58 |
Scott Moser |
nominated for series |
|
Ubuntu Yakkety |
|
2017-03-03 07:19:58 |
Scott Moser |
bug task added |
|
cloud-init (Ubuntu Yakkety) |
|
2017-03-03 07:19:58 |
Scott Moser |
nominated for series |
|
Ubuntu Xenial |
|
2017-03-03 07:19:58 |
Scott Moser |
bug task added |
|
cloud-init (Ubuntu Xenial) |
|
2017-03-03 07:20:04 |
Scott Moser |
cloud-init (Ubuntu Xenial): status |
New |
Confirmed |
|
2017-03-03 07:20:08 |
Scott Moser |
cloud-init (Ubuntu Yakkety): status |
New |
Confirmed |
|
2017-03-03 07:20:12 |
Scott Moser |
cloud-init (Ubuntu Xenial): importance |
Undecided |
Medium |
|
2017-03-03 07:20:14 |
Scott Moser |
cloud-init (Ubuntu Yakkety): importance |
Undecided |
Medium |
|
2017-03-03 16:22:51 |
Scott Moser |
description |
On EC2, instance metadata can include credentials that remain valid for as much
as 6 hours. Reading these and allowing them to be pickled represents a
potential vulnerability if a snapshot of the disk is taken and shared as part
of an AMI.
Note that:
a.) the simple fact of storing the credentials in a file that is readable only by root is not a serious problem as any attacker on the system has access to the network available data.
b.) General care needs to be taken for anyone "capturing" an ami and then making it public.
the suggested fix is to skip security-credentials when walking the meta-data tree. |
=== End SRU Template ===
[Impact]
On EC2, instance metadata can include credentials that remain valid for as
much as 6 hours. Reading these and allowing them to be pickled represents a
potential vulnerability if a snapshot of the disk is taken and shared as part
of an AMI.
The fix applied was simply to avoid reading the security credentials
in cloud-init.
[Test Case]
1. Launch an instance on Ec2.
2. Verify broken-ness by verifying 'security-credentials' exists in the
pickled object in /var/lib/cloud/instance/obj.pkl
3. enable proposed, update, upgrade
4. clean instance
rm -Rf /var/lib/cloud /var/log/cloud-init*
5. reboot
6. go back in and verify no 'security-credentials' are present.
[Regression Potential]
Low, but possible if someone was using the obj.pkl and expecting to
find credentials there. No one should be doing that.
Second possibility is if someone was using cloud-init's
get_instance_metadata and expected to have the security-credentials there.
=== End SRU Template ===
On EC2, instance metadata can include credentials that remain valid for as much
as 6 hours. Reading these and allowing them to be pickled represents a
potential vulnerability if a snapshot of the disk is taken and shared as part
of an AMI.
Note that:
a.) the simple fact of storing the credentials in a file that is readable only by root is not a serious problem as any attacker on the system has access to the network available data.
b.) General care needs to be taken for anyone "capturing" an ami and then making it public.
the suggested fix is to skip security-credentials when walking the meta-data tree. |
|
2017-03-03 16:23:01 |
Scott Moser |
description |
=== End SRU Template ===
[Impact]
On EC2, instance metadata can include credentials that remain valid for as
much as 6 hours. Reading these and allowing them to be pickled represents a
potential vulnerability if a snapshot of the disk is taken and shared as part
of an AMI.
The fix applied was simply to avoid reading the security credentials
in cloud-init.
[Test Case]
1. Launch an instance on Ec2.
2. Verify broken-ness by verifying 'security-credentials' exists in the
pickled object in /var/lib/cloud/instance/obj.pkl
3. enable proposed, update, upgrade
4. clean instance
rm -Rf /var/lib/cloud /var/log/cloud-init*
5. reboot
6. go back in and verify no 'security-credentials' are present.
[Regression Potential]
Low, but possible if someone was using the obj.pkl and expecting to
find credentials there. No one should be doing that.
Second possibility is if someone was using cloud-init's
get_instance_metadata and expected to have the security-credentials there.
=== End SRU Template ===
On EC2, instance metadata can include credentials that remain valid for as much
as 6 hours. Reading these and allowing them to be pickled represents a
potential vulnerability if a snapshot of the disk is taken and shared as part
of an AMI.
Note that:
a.) the simple fact of storing the credentials in a file that is readable only by root is not a serious problem as any attacker on the system has access to the network available data.
b.) General care needs to be taken for anyone "capturing" an ami and then making it public.
the suggested fix is to skip security-credentials when walking the meta-data tree. |
=== Begin SRU Template ===
[Impact]
On EC2, instance metadata can include credentials that remain valid for as
much as 6 hours. Reading these and allowing them to be pickled represents a
potential vulnerability if a snapshot of the disk is taken and shared as part
of an AMI.
The fix applied was simply to avoid reading the security credentials
in cloud-init.
[Test Case]
1. Launch an instance on Ec2.
2. Verify broken-ness by verifying 'security-credentials' exists in the
pickled object in /var/lib/cloud/instance/obj.pkl
3. enable proposed, update, upgrade
4. clean instance
rm -Rf /var/lib/cloud /var/log/cloud-init*
5. reboot
6. go back in and verify no 'security-credentials' are present.
[Regression Potential]
Low, but possible if someone was using the obj.pkl and expecting to
find credentials there. No one should be doing that.
Second possibility is if someone was using cloud-init's
get_instance_metadata and expected to have the security-credentials there.
=== End SRU Template ===
On EC2, instance metadata can include credentials that remain valid for as much
as 6 hours. Reading these and allowing them to be pickled represents a
potential vulnerability if a snapshot of the disk is taken and shared as part
of an AMI.
Note that:
a.) the simple fact of storing the credentials in a file that is readable only by root is not a serious problem as any attacker on the system has access to the network available data.
b.) General care needs to be taken for anyone "capturing" an ami and then making it public.
the suggested fix is to skip security-credentials when walking the meta-data tree. |
|
2017-03-03 20:28:03 |
Jon Grimm |
bug |
|
|
added subscriber Steve Langasek |
2017-03-04 01:59:30 |
Scott Moser |
information type |
Private Security |
Public |
|
2017-03-07 23:24:16 |
Chris Halse Rogers |
cloud-init (Ubuntu Xenial): status |
Confirmed |
Fix Committed |
|
2017-03-07 23:24:21 |
Chris Halse Rogers |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2017-03-07 23:24:29 |
Chris Halse Rogers |
bug |
|
|
added subscriber SRU Verification |
2017-03-07 23:24:39 |
Chris Halse Rogers |
tags |
|
verification-needed |
|
2017-03-07 23:33:08 |
Chris Halse Rogers |
cloud-init (Ubuntu Yakkety): status |
Confirmed |
Fix Committed |
|
2017-03-08 19:40:26 |
Scott Moser |
tags |
verification-needed |
verification-done-xenial verification-done-yakkety |
|
2017-03-16 16:18:49 |
Launchpad Janitor |
cloud-init (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2017-03-16 16:19:04 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2017-03-16 16:19:33 |
Launchpad Janitor |
cloud-init (Ubuntu Yakkety): status |
Fix Committed |
Fix Released |
|
2017-09-23 02:14:13 |
Scott Moser |
cloud-init: status |
Fix Committed |
Fix Released |
|
2023-05-10 18:03:13 |
James Falcon |
bug watch added |
|
https://github.com/canonical/cloud-init/issues/2750 |
|