Bug 1598831 (CVE-2018-10896)

Summary: CVE-2018-10896 cloud-init: default configuration disabled deletion of SSH host keys
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: adimania, apevec, dmoppert, gholms, jgreguske, lars, rmccabe, shardy, s, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
The default cloud-init configuration included "ssh_deletekeys: 0", disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to impersonate one another or conduct man-in-the-middle attacks.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-21 19:27:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1574338, 1598832, 1598833, 1598834, 1814152, 1826218, 1855595    
Bug Blocks: 1576571    

Description Laura Pardo 2018-07-06 15:04:16 UTC
A flaw was found in cloud-init. SSH host keys are not regenerated when new VM instances are created in combination with hashicorp packer and cloud-init. This could lead to the Man In The Middle (MITM) attack.


Comment 1 Laura Pardo 2018-07-06 15:05:49 UTC
Created cloud-init tracking bugs for this issue:

Affects: epel-6 [bug 1598833]
Affects: fedora-all [bug 1598832]

Comment 5 Doran Moppert 2018-07-11 00:32:13 UTC
Reported upstream:


Comment 7 Doran Moppert 2018-08-07 00:59:01 UTC
Upstream commit now merged to master:


Comment 8 errata-xmlrpc 2020-07-21 15:30:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3050 https://access.redhat.com/errata/RHSA-2020:3050

Comment 9 Product Security DevOps Team 2020-07-21 19:27:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 11 errata-xmlrpc 2020-09-08 07:56:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2020:3644 https://access.redhat.com/errata/RHSA-2020:3644

Comment 12 errata-xmlrpc 2020-09-29 19:40:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3898 https://access.redhat.com/errata/RHSA-2020:3898