ubuntu core cloud-init allows infinite creation of sudo users
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
snapd | Fix Released | High | Ian Johnson | |
cloud-init (Ubuntu) | Won't Fix | Undecided | Unassigned | |
Bug Description
On Ubuntu Core 18, cloud-init is configured to run w/o any restrictions. What this means is that you can craft cloud-init user-data/meta-data which creates users at any point in time during a device's lifetime by just attaching a flash drive and rebooting a device. I'm considering this a security bug as it totally bypasses any full disk encryption that we might have on Ubuntu Core 18 customers and is generally unexpected with Ubuntu Core 18.
I reproduced this with a flash drive formatted as vfat with label CIDATA, with the following files on it:
/user-data:
#cloud-config
users:
  - default
  - name: user1
    sudo: ALL=(ALL) NOPASSWD:ALL
    lock_passwd: false
    passwd: $6$rounds=
/meta-data:
instance-id: iid-local01
local-hostname: cloudimg
(the passwd hash is just "passw0rd")
With this flash drive, I can insert it and reboot a UC18 device at any point in its lifetime, i.e. on first boot during seeding, or after seeding has completed and the device is connected to a brand store, etc. and upon booting up cloud-init will happily import this data and create the user as a sudoer, giving full root access to the device. Additionally, I can change the user-data / meta-data and reboot again (change user1 to user2 and instance-id to iid-local002, etc.) and cloud-init will happily re-import the data again. Arguably this is undesired behavior because it's expected to be able to use cloud-init to configure a device initially with a user/pw for various use-cases, but it's _not_ expected that after a device is seeded/
I tested this with the released UC18 image on cdimage for Raspberry Pi 4 with the following snaps:
core18 20200427 1753 latest/stable canonical✓ base
pi 18-1 34 18-pi/stable canonical✓ gadget
pi-kernel 5.3.0-1023.
snapd 2.44.3 7267 latest/stable canonical✓ snapd
It's unclear how to fix this, but after discussing with Samuele and Michael, we probably want to just limit cloud-init to only run once on first-boot and then never again. This will allow current UC18 use cases for cloud-init such as testing or automated provisioning with MAAS to work, but will block attackers from adding new users at any point in time afterwards.
CVE References
Changed in snapd: | |
assignee: | nobody → Ian Johnson (anonymouse67) |
status: | New → Confirmed |
importance: | Undecided → High |
Changed in snapd: | |
status: | Confirmed → In Progress |
summary: |
- uc18 cloud-init allows infinite creation of sudo users
+ ubuntu core cloud-init allows infinite creation of sudo users |
Changed in snapd: | |
status: | In Progress → Fix Committed |
Changed in snapd: | |
milestone: | none → 2.45.2 |
status: | Fix Committed → Fix Released |
For reference, I tested this with a manually modified version of the core18 snap to not include the etc/cloud/cloud.cfg.d/90_dpkg.cfg file (which specifies to cloud-init it can use all possible data sources) and I could still reproduce this bug with Ubuntu Core 18.
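
An added audit sketch (not code from this bug report or from snapd) for the condition discussed above: it reports whether a root filesystem still lets cloud-init pick up a NoCloud seed on a later boot, and whether CIDATA-labelled media is attached. The function names are hypothetical; it assumes the standard cloud-init paths /etc/cloud/cloud-init.disabled, /etc/cloud/cloud.cfg and /etc/cloud/cloud.cfg.d/, and udev's /dev/disk/by-label/ symlinks.

```shell
#!/bin/sh
# Added audit sketch, not snapd's or cloud-init's own code.
# Classifies a root filesystem by whether cloud-init could still consume a
# NoCloud seed (a filesystem labelled CIDATA) on a later boot.

# Print the datasource_list line that wins. Assumption: later files override
# earlier ones and the key is written on a single line.
effective_datasource_list() {
    root=$1
    for f in "$root/etc/cloud/cloud.cfg" "$root"/etc/cloud/cloud.cfg.d/*.cfg; do
        if [ -f "$f" ]; then
            grep -E '^[[:space:]]*datasource_list:' "$f" || true
        fi
    done | tail -n 1
}

# Echo one of: disabled | restricted | exposed
classify_cloud_init() {
    root=$1
    # This marker file stops cloud-init from running at all.
    if [ -e "$root/etc/cloud/cloud-init.disabled" ]; then
        echo disabled
        return 0
    fi
    ds=$(effective_datasource_list "$root")
    case "$ds" in
        # No list configured: cloud-init falls back to its built-in defaults,
        # the case the last comment on this page still reproduced against.
        "") echo exposed ;;
        *NoCloud*) echo exposed ;;
        *) echo restricted ;;
    esac
}

# Succeeds when a filesystem carrying the NoCloud seed label is attached.
seed_media_attached() {
    [ -e "$1/dev/disk/by-label/CIDATA" ] || [ -e "$1/dev/disk/by-label/cidata" ]
}

# Stand-alone use: pass the root to audit, e.g. "/" on the device itself.
if [ "$#" -gt 0 ]; then
    state=$(classify_cloud_init "$1")
    if seed_media_attached "$1"; then media=attached; else media=none; fi
    echo "cloud-init: $state, CIDATA media: $media"
fi
```

A result of `exposed` on a device that has already finished first boot is the state this bug describes; `disabled` or `restricted` means a later CIDATA seed should not be imported.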