Bug 1940967 (CVE-2021-3429)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2021-3429 cloud-init: randomly generated passwords logged in clear-text to world-readable file | | |
| Product | [Other] Security Response | Reporter | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | adimania, apevec, dustymabe, eterrell, gholms, jgreguske, johannes.schischke, lars, mhayden, rmccabe, security-response-team, shardy, s, virt-maint |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in cloud-init. When a system is configured through cloud-init and the "Set Passwords" module is used with the "chpasswd" directive and "RANDOM", the randomly generated password for the corresponding user is written in clear-text to a file readable by any existing user of the system. The highest threat from this vulnerability is to data confidentiality, and it may allow a local attacker to log in as another user. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2021-08-10 19:28:21 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1945886, 1945891, 1945892, 1979252, 1979253, 1979254 | | |
| Bug Blocks | 1940969, 1965033 | | |
Description
Guilherme de Almeida Suckevicz
2021-03-19 16:33:05 UTC
Upstream bug: https://bugs.launchpad.net/cloud-init/+bug/1918303

Upstream fix: https://github.com/canonical/cloud-init/commit/b794d426b9ab43ea9d6371477466070d86e10668

Created cloud-init tracking bugs for this issue:

Affects: fedora-all [bug 1945886]

When a configuration like the one below is used in cloud-init, cloud-init will assign a random password to the "alice" user and it will log the randomly generated password on the console and in a world-readable log file.

```
chpasswd:
  list: |
    alice:RANDOM
```

Any other user on the system can read the generated password from the log file. However, a user is required to change his password on first login, making the leaked password useful only until the first user logs in. If `expire: false` is also used in the `chpasswd` directive, then the random password might be valid even after the first login, making the leak worse.

Statement:

By default the random password generated by "chpasswd" must be changed on the first login of the user. That means that once a user accesses the system for the first time, the random password in the log file cannot be used anymore. However, it is possible to configure an extended validity period for the random password, thus the actual impact of this password leak may vary based on the environment and how the systems are configured through cloud-init.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:3081 https://access.redhat.com/errata/RHSA-2021:3081

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3429

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3177 https://access.redhat.com/errata/RHSA-2021:3177

Hello,

Is there now a way to obtain the random password in another way?

Thx, Johannes

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3371 https://access.redhat.com/errata/RHSA-2021:3371
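An added defender-side check, not code from this bug report or from cloud-init itself: it scans a cloud-init console log for the block the affected "Set Passwords" module wrote and reports which users had a random password logged (without repeating the passwords), plus whether the log is world-readable, so those accounts can be rotated and the file locked down. The marker line wording and the path /var/log/cloud-init-output.log are assumptions from my knowledge of cloud-init, not text on this page.

```python
import os
import re
import stat

# Line the pre-fix cc_set_passwords module printed before the user:password
# pairs (assumption from the cloud-init source, not quoted in this bug).
MARKER = "Set the following 'random' passwords"
# Default location of cloud-init's console output (assumption).
DEFAULT_LOG = "/var/log/cloud-init-output.log"
PAIR_RE = re.compile(r"^([a-z_][a-z0-9_-]*):(\S+)$")

# Constructed sample of the leaked block as it would appear in that log.
SAMPLE_LOG = """\
Cloud-init v. X.Y running 'modules:config' at Fri, 19 Mar 2021 16:33:05 +0000. Up 12.00 seconds.
Set the following 'random' passwords
alice:Xk7pQ2vBzL4m
bob:R9sTwE3nHc1y
Cloud-init v. X.Y running 'modules:final' at Fri, 19 Mar 2021 16:33:07 +0000. Up 14.00 seconds.
"""


def find_leaked_password_users(text):
    """Return users whose random password was logged, without the passwords."""
    users = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() != MARKER:
            continue
        # user:password pairs follow the marker, one per line, until a line
        # that is not a pair.
        for pair in lines[i + 1:]:
            m = PAIR_RE.match(pair.strip())
            if not m:
                break
            users.append(m.group(1))
    return users


def mode_is_world_readable(mode):
    """True if the permission bits grant read access to 'other'."""
    return bool(mode & stat.S_IROTH)


def audit_log(path=DEFAULT_LOG):
    """Report affected users and whether the log is readable by every user."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        users = find_leaked_password_users(fh.read())
    return {"users": users,
            "world_readable": mode_is_world_readable(os.stat(path).st_mode)}
```

Running `audit_log()` on a host provisioned with the vulnerable configuration returns the affected usernames and the exposure state; an empty user list with `world_readable` still true means only that no random password was logged there, not that the file is safe to leave readable.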