cloud-init leaks credentials

Bug #2013967 reported by James Golovich
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fix Released

Bug Description

I have sent this information to Vultr directly, but I wanted to coordinate with the cloud-init security team in case the second issue is due to something other than just a configuration issue.

The Linux hosts (CentOS 9, Ubuntu, Debian) on Vultr leak credentials via two issues.

Issue One:

The Vultr cloud-init DataSource logs the vendor-data which includes credentials. /var/log/cloud-init.log is accessible to any logged in user (not just root) or application.

The code that does this is visible here:
        # Dump some data so diagnosing failures is manageable
        LOG.debug("Vultr Vendor Config:")

Here is an excerpt from the log showing this. (This host has been terminated so the credentials are useless)
/var/log/cloud-init.log: "#cloud-config\n{\"package_upgrade\":true,\"disable_root\":false,\"manage_etc_hosts\":tru

Debian default file permissions, note cloud-init-output.log is more secure than clound-init.log due to CVE-2021-3429

root@vultr:~# ls -l /var/log
total 1356
-rw-r--r-- 1 root root 27258 Mar 17 22:27 alternatives.log
drwxr-xr-x 2 root root 4096 Mar 31 03:50 apt
-rw-r----- 1 root adm 1127 Mar 31 03:55 auth.log
-rw-rw---- 1 root utmp 0 Mar 17 22:25 btmp
-rw-r--r-- 1 root adm 122857 Mar 31 03:50 cloud-init.log
-rw-r----- 1 root adm 95409 Mar 31 03:50 cloud-init-output.log
-rw-r----- 1 root adm 176237 Mar 31 03:55 daemon.log
-rw-r----- 1 root adm 8423 Mar 31 03:50 debug
-rw-r--r-- 1 root root 279776 Mar 31 03:50 dpkg.log
-rw-r--r-- 1 root root 3488 Mar 17 22:27 faillog
-rw-r--r-- 1 root root 32 Mar 17 22:27 image_build_date
drwxr-xr-x 3 root root 4096 Mar 17 22:27 installer
drwxr-sr-x+ 4 root systemd-journal 4096 Mar 31 03:50 journal
-rw-r----- 1 root adm 135311 Mar 31 03:55 kern.log
-rw-rw-r-- 1 root utmp 31828 Mar 31 03:55 lastlog
-rw-r----- 1 root adm 128275 Mar 31 03:55 messages
drwxr-xr-x 2 ntp ntp 4096 Sep 23 2020 ntpstats
drwx------ 2 root root 4096 Mar 17 22:27 private
drwxr-xr-x 3 root root 4096 Mar 17 22:26 runit
-rw-r----- 1 root adm 313512 Mar 31 03:55 syslog
-rw-r----- 1 root adm 6974 Mar 31 03:55 ufw.log
drwxr-x--- 2 root adm 4096 Mar 17 22:27 unattended-upgrades
-rw-r----- 1 root adm 774 Mar 31 03:50 user.log
-rw-rw-r-- 1 root utmp 3456 Mar 31 03:55 wtmp

Issue Two:

The vendor-data includes credentials and are saved to the public instance-data.json. The vendor-data should be redacted.

This might be a general cloud-init issue; The issue might be that 'vendor-data' should be added to

The permissions on the instance-data.json file are readable by any logged in user (not just root) or application:
-rw-r--r-- 1 root root 6794 Mar 30 04:50 instance-data.json

Here is an excerpt showing the data.
/run/cloud-init/instance-data.json: "#cloud-config\n{\"package_upgrade\":true,\"disable_root\":false,\"manage_e

CVE References

Revision history for this message
James Golovich (jamesgol) wrote :
Revision history for this message
James Falcon (falcojr) wrote :

Thanks for the detailed bug report. Both issues are definitely something we need to fix in cloud-init. We'll work on getting these two issues fixed ASAP and released according to our security guidelines.

Changed in cloud-init:
status: New → Triaged
importance: Undecided → High
Revision history for this message
Mark Esler (eslerm) wrote :

Thanks @jamesgol and @falcojr

Please refer to this issue as CVE-2023-1786 in patches.

Revision history for this message
Chad Smith (chad.smith) wrote :

Thank you again James Golovich for the discovery and reporting. Private pull requests created with proposed solutions for this are under review. Security Embargo email to affected parties sent out today and estimated CVE publication date will be agreed upon for this exposure.

Revision history for this message
Chad Smith (chad.smith) wrote :

Embargo publication and remediation expected on Apr 24th. Details will be posted to this bug once embargo is lifted and remediation released.

Revision history for this message
Chad Smith (chad.smith) wrote :

Uploads posted to ubuntu-security-collab PPA for final review Bionic, Focal, Jammy, Kinetic. Fix review in progress for Xenial backport. Expected release date End of business Apr 25th

Revision history for this message
Chad Smith (chad.smith) wrote :

Uploads public for cloud-init version 23.1.2 in the following suites:
  bionic-security, focal-security, jammy-security, kinetic-security and lunar-security.

Additionally for Xenial customers with Ubuntu Pro enabled, the following release is back-ported to xenial-infra-security PPA as version 21.1-19-gbad84ad4-0ubuntu1~16.04.4

Changed in cloud-init:
status: Triaged → Fix Released
Revision history for this message
Chad Smith (chad.smith) wrote :

The resolution for this seurity bug is comprised of two fixes, one fix for runtime logic that is run either by cloud-init on either first boot and every reboot and one fix for downstream packaging postinstall script to allow for patching /run/cloud-init/instance-data.json for systems which may not reboot.

The commits are below:

 1. upstream commit in main to set perms 640 always and redact instance-data.json

 2. postinstall downstream fix to perform the same operations across package upgrade

Separately, a backport to Xenial(16.04) packaging postinst for Ubunto Pro ESM was necessary:

Chad Smith (chad.smith)
information type: Private Security → Public Security
Revision history for this message
James Falcon (falcojr) wrote :
Revision history for this message
Chad Smith (chad.smith) wrote :

This bug is believed to be fixed in cloud-init in version 23.2. If this is still a problem for you, please make a comment and set the state back to New

Thank you.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.