Bug 1574338 - CVE-2018-10896 cloud-init: default configuration disabled deletion of SSH host keys [rhel-7]
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2020-01-02
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: cloud-init
Version: 7.5
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Eduardo Otubo
QA Contact: Huijuan Zhao
URL:
Whiteboard:
Depends On:
Blocks: CVE-2018-10896 1814152
Reported: 2018-05-03 05:36 UTC by Khramov Anton
Modified: 2020-09-29 19:50 UTC

Fixed In Version: cloud-init-19.4-2.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1814152
Environment:
Last Closed: 2020-09-29 19:48:41 UTC
Target Upstream Version:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2020:3898 | 0 | None | None | None | 2020-09-29 19:50:43 UTC

Description Khramov Anton 2018-05-03 05:36:00 UTC
Description of problem:

In combination with HashiCorp Packer and cloud-init, SSH host keys are not regenerated when new VM instances are created. This could lead to a MITM attack.

Version-Release number of selected component (if applicable):

0.7.9

Steps to Reproduce:
1. Create a simple rhel7 image using packer
2. Create instances using this image
3. Notice that all these images share the same SSH host keys

Actual results:

SSH keys are not regenerated when a new instance is created

Expected results:

SSH keys should be regenerated

Additional info:

When cloud-init was created for rhel, the "ssh_deletekeys" option was explicitly set to "false" and the "ssh_genkeytypes" option was set to be empty (https://git.centos.org/blob/rpms!cloud-init.git/c7/SOURCES!0001-configuration-changes-for-RHEL-package.patch#L66). Most probably it was done because "cloud-init.service" has "Wants=sshd-keygen.service" (https://github.com/cloud-init/cloud-init/blob/master/systemd/cloud-init.service.tmpl#L6), which is actually responsible for regenerating SSH keys (https://git.centos.org/blob/rpms!openssh.git/c7/SOURCES!sshd-keygen.service). However, "sshd-keygen.service" doesn't have logic to detect whether the current VM instance was just created or not. "cloud-init" has this logic.

Other distros, like SLES or Ubuntu, both rely on cloud-init logic, but not on "sshd-keygen.service", to regenerate SSH host keys.

Comment 24 Huijuan Zhao 2020-03-24 10:56:30 UTC
Tested with rhel-7.9(3.10.0-1128.el7.x86_64) + cloud-init-19.4-2.el7.x86_64, the issue is fixed.

1. There's "ssh_deletekeys:   1" and "ssh_genkeytypes:  ~" in /etc/cloud/cloud.cfg.
2. Compare the content of /etc/ssh/ssh_host_*key* between VM1 and image:
The contents are different between VM1 and image.
SSH host keys are regenerated for the new instance.

Change the status to VERIFIED.
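
Added example, not part of the bug report or of cloud-init: a Python check that reads the "ssh_deletekeys" setting discussed above from cloud.cfg text and groups ssh-keyscan style output by OpenSSH SHA256 fingerprint to find instances that share a host key. The helper names, addresses and key blobs are constructed for illustration, and the set of values treated as "enabled" is an assumption.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Assumption: scalar values treated as "enabled" (YAML-style truthy strings).
TRUTHY = {"1", "true", "yes", "on"}

def deletekeys_enabled(cfg_text):
    """True/False for the top-level ssh_deletekeys scalar, None if it is not set."""
    m = re.search(r"^ssh_deletekeys:\s*([^\s#]+)", cfg_text, re.MULTILINE)
    return None if m is None else m.group(1).strip("'\"").lower() in TRUTHY

def fingerprint(b64_blob):
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def shared_host_keys(keyscan_text):
    """Map fingerprint -> sorted hosts for every key seen on more than one host."""
    hosts = defaultdict(set)
    for line in keyscan_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 3:
            continue  # skip comments and malformed lines
        host, _keytype, blob = parts[:3]
        try:
            hosts[fingerprint(blob)].add(host)
        except ValueError:
            continue  # blob is not valid base64
    return {fp: sorted(h) for fp, h in hosts.items() if len(h) > 1}

# Constructed sample data: placeholder key blobs, documentation-range addresses.
KEY_IMAGE = base64.b64encode(b"constructed key baked into image").decode()
KEY_FRESH = base64.b64encode(b"constructed key made at first boot").decode()
SAMPLE_KEYSCAN = "\n".join([
    "# constructed ssh-keyscan style output",
    f"192.0.2.11 ssh-ed25519 {KEY_IMAGE}",
    f"192.0.2.12 ssh-ed25519 {KEY_IMAGE}",
    f"192.0.2.13 ssh-ed25519 {KEY_FRESH}",
])

if __name__ == "__main__":
    print(deletekeys_enabled("ssh_deletekeys:   0\nssh_genkeytypes:  ~\n"))
    for fp, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(fp, "shared by", ", ".join(hosts))
```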

Comment 26 errata-xmlrpc 2020-09-29 19:48:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: cloud-init security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3898

