Information leak (resource disk swap file created world-readable)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
walinuxagent (Ubuntu) |
Fix Released
|
Undecided
|
Łukasz Zemczak |
Bug Description
Impact:
Swap files created by WALinuxAgent on Azure resource disks are
world-readable, meaning that, e.g. any secret key or similar which
gets paged out to swap by the kernel could be read by any ordinary,
local user.
Versions affected:
2.2.32-1
root@
WALinuxAgent-
Python: 3.5.2
Goal state agent: 2.2.34
Older/newer versions of the walinuxagent package in other suites may also be affected but I have only verified that that 2.2.32-1 in Xenial is indeed vulnerable.
Steps to reproduce:
1. Create and boot B1s VM using the Ubuntu 16.04 image as available from Azure
2. Configure walinuxagent[1] to mount resource disk and create swap file thereon:
ResourceDisk.
ResourceDisk.
ResourceDisk.
# sed -i \
> -e 's/^\(ResourceD
> -e 's/^\(ResourceD
> -e 's/^\(ResourceD
> /etc/waagent.conf
3. Restart walinuxagent ("systemctl restart walinuxagent.
4. Wait for the swap file to be created
5. Then, as a normal user, proceed to read the contents of said swap file:
francis@
drwxr-xr-x 3 root root 4096 Jan 14 04:16 /mnt
-r--r--r-- 1 root root 639 Jan 14 04:14 /mnt/DATALOSS_
drwx------ 2 root root 16384 Jan 14 04:14 /mnt/lost+found
-rw-r--r-- 1 root root 4134141952 Jan 14 04:18 /mnt/swapfile
francis@
000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >................<
000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >................<
[...]
Changed in walinuxagent (Ubuntu): | |
assignee: | nobody → Łukasz Zemczak (sil2100) |
Changed in walinuxagent (Ubuntu): | |
status: | New → Fix Released |
information type: | Private Security → Public Security |
Attaching debdiff for disco. Build-tested in a -security only private PPA.