Bug 1940967 (CVE-2021-3429) - CVE-2021-3429 cloud-init: randomly generated passwords logged in clear-text to world-readable file
Summary: CVE-2021-3429 cloud-init: randomly generated passwords logged in clear-text t...
Alias: CVE-2021-3429
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1945886 1945891 1945892 1979252 1979253 1979254
Blocks: 1940969 1965033
TreeView+ depends on / blocked
Reported: 2021-03-19 16:33 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-04-17 21:14 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in cloud-init. When a system is configured through cloud-init and the "Set Passwords" module is used with "chpasswd" directive and "RANDOM", the randomly generated password for the relative user is written in clear-text in a file readable by any existing user of the system. The highest threat from this vulnerability is to data confidentiality and it may allow a local attacker to log in as another user.
Clone Of:
Last Closed: 2021-08-10 19:28:21 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3081 0 None None None 2021-08-10 14:00:30 UTC
Red Hat Product Errata RHSA-2021:3177 0 None None None 2021-08-17 08:30:33 UTC
Red Hat Product Errata RHSA-2021:3371 0 None None None 2021-08-31 09:13:04 UTC

Description Guilherme de Almeida Suckevicz 2021-03-19 16:33:05 UTC
The "Set Passwords" module allows a user to specify that cloud-init create a random password for a particular user. In order to allow people to access systems using these randomly generated passwords (without needing another access vector in order to know the passwords), cloud-init emits them to the serial console. In order to have log messages emitted to the console readily available within the system also, it writes that same content to /var/log/cloud-init-output.log. As a result, those passwords are written to that file, which is world-readable.

Comment 2 Riccardo Schirone 2021-04-02 13:11:38 UTC
Created cloud-init tracking bugs for this issue:

Affects: fedora-all [bug 1945886]

Comment 4 Riccardo Schirone 2021-04-02 13:36:45 UTC
When a configuration like the one below is used in cloud-init, cloud-init will assign a random password to the "alice" user and it will log the randomly generated password on console and on a world-readable log file.

  list: |

Any other user on the system can read the generated password from the log file. However, a user is required to change his password on first login, making the leaked password useful only until the first user logs in. If `expire: false` is also used in `chpasswd` directive, then the random password might be valid even after the first login, making the leak worse.

Comment 6 Riccardo Schirone 2021-04-02 13:53:51 UTC

By default the randomly password generated by "chpasswd" must be changed on the first login of the user. That means that once a user accesses the system for the first time, the random password in the log file cannot be used anymore. However it is possible to configure an extended validity period for the random password, thus the actual impact of this password leak may vary based on the environment and how the systems are configured through cloud-init.

Comment 7 errata-xmlrpc 2021-08-10 14:00:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3081 https://access.redhat.com/errata/RHSA-2021:3081

Comment 8 Product Security DevOps Team 2021-08-10 19:28:21 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 9 errata-xmlrpc 2021-08-17 08:30:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3177 https://access.redhat.com/errata/RHSA-2021:3177

Comment 10 johannes 2021-08-26 15:23:03 UTC
Is there now a way to obatin the random password in another way?

Comment 11 errata-xmlrpc 2021-08-31 09:13:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3371 https://access.redhat.com/errata/RHSA-2021:3371

Note You need to log in before you can comment on or make changes to this bug.