A Debian bug reported [1] noted that the default Debian template for LXC (lxc-debian.in) set the root password to 'root' for the newly-created Debian-based container. In addition, it was also reported [2] that the default sshd_config installed set 'PermitRootLogin yes' which, while normally not a problem to allow root to login with a password, due to the constant and known root password, makes it easy for any user to obtain root privileges in a new container where the password has not been changed.

In the Fedora or CentOS templates that do set a random root password, this is not a problem. So the second Debian bug is only a security issue when the first issue is present (it is not a security issue in the other templates).

Looking further at the various templates, when a password is not specified, other systems also use predictable defaults:

* openmandriva
* gentoo
* altlinux
* archlinux (if unspecified, no password is set)
* opensuse
* oracle
* plamo
* ubuntu (has a predictable password for user ubuntu, which in turn has sudo access)

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758643
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758647

NOTE: I don't know whether or not this would ever receive a CVE based on these being configurable (so would require in most cases a person to either a) not specify a password or b) not change it post-creation), however the way the Fedora and CentOS templates work (random passwords, stored either in a file or printed to stdout) is a much safer/secure alternative and it would be ideal if these other templates could be changed to do something similar.
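As an added example (not part of the bug report or of any LXC template), the following POSIX shell audit checks an already-created container rootfs for the two weak defaults described above: a root password that is still the template default 'root', and an sshd_config that explicitly sets 'PermitRootLogin yes'. It assumes the rootfs path is readable and that an OpenSSL 1.1.1 or newer 'openssl passwd' is available to re-hash the candidate password with the salt found in /etc/shadow; the rootfs path and the check function names are this example's own.

```shell
#!/bin/sh
# Audit an LXC container rootfs for the weak template defaults discussed
# in the report. Added example; not code from LXC or from the bug report.

# Return 0 if the root entry in shadow file $1 hashes the password $2.
# Only the glibc crypt schemes $1$, $5$ and $6$ are recognised; locked
# entries ('*', '!') and 'rounds=' prefixes are treated as "no match".
shadow_matches() {
    hash=$(awk -F: '$1=="root"{print $2}' "$1")
    case "$hash" in
        '$6$'*) alg=-6 ;;   # sha512-crypt
        '$5$'*) alg=-5 ;;   # sha256-crypt
        '$1$'*) alg=-1 ;;   # md5-crypt
        *) return 1 ;;
    esac
    # Re-hash with the salt taken from the stored entry ($<id>$<salt>$<hash>).
    salt=$(printf '%s' "$hash" | cut -d'$' -f3)
    [ "$(openssl passwd "$alg" -salt "$salt" "$2")" = "$hash" ]
}

# Return 0 if sshd_config $1 explicitly enables root password logins.
root_login_enabled() {
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$1"
}

# Audit the rootfs at $1: print each finding, return the finding count.
audit_rootfs() {
    findings=0
    if shadow_matches "$1/etc/shadow" root; then
        echo "FINDING: root password is the template default 'root'"
        findings=$((findings + 1))
    fi
    if root_login_enabled "$1/etc/ssh/sshd_config"; then
        echo "FINDING: sshd_config sets PermitRootLogin yes"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

Run it as `audit_rootfs /var/lib/lxc/<name>/rootfs` (the path is the usual LXC layout, not one the report specifies); a non-zero return means at least one default is still in place and the password should be changed or the login option tightened before the container is started.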
Created lxc tracking bugs for this issue:

Affects: fedora-all [bug 1132002]
Affects: epel-6 [bug 1132003]
Affects: epel-7 [bug 1132004]
Inventory of current templates with plans: https://fedoraproject.org/wiki/LXC_Template_Security_Improvements
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.