Bug 1940967 (CVE-2021-3429) - CVE-2021-3429 cloud-init: randomly generated passwords logged in clear-text to world-readable file
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3429
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1945886 1945891 1945892 1979252 1979253 1979254
Blocks: 1940969 1965033
 
Reported: 2021-03-19 16:33 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-04-17 21:14 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in cloud-init. When a system is configured through cloud-init and the "Set Passwords" module is used with the "chpasswd" directive and "RANDOM", the randomly generated password for the respective user is written in clear text to a file readable by any existing user of the system. The highest threat from this vulnerability is to data confidentiality, and it may allow a local attacker to log in as another user.
Clone Of:
Environment:
Last Closed: 2021-08-10 19:28:21 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3081 0 None None None 2021-08-10 14:00:30 UTC
Red Hat Product Errata RHSA-2021:3177 0 None None None 2021-08-17 08:30:33 UTC
Red Hat Product Errata RHSA-2021:3371 0 None None None 2021-08-31 09:13:04 UTC

Description Guilherme de Almeida Suckevicz 2021-03-19 16:33:05 UTC
The "Set Passwords" module allows a user to specify that cloud-init create a random password for a particular user. In order to allow people to access systems using these randomly generated passwords (without needing another access vector in order to know the passwords), cloud-init emits them to the serial console. In order to have log messages emitted to the console readily available within the system also, it writes that same content to /var/log/cloud-init-output.log. As a result, those passwords are written to that file, which is world-readable.

Comment 2 Riccardo Schirone 2021-04-02 13:11:38 UTC
Created cloud-init tracking bugs for this issue:

Affects: fedora-all [bug 1945886]

Comment 4 Riccardo Schirone 2021-04-02 13:36:45 UTC
When a configuration like the one below is used in cloud-init, cloud-init will assign a random password to the "alice" user and it will log the randomly generated password on the console and in a world-readable log file.

```yaml
chpasswd:
  list: |
    alice:RANDOM
```

Any other user on the system can read the generated password from the log file. However, a user is required to change his password on first login, making the leaked password useful only until the first user logs in. If `expire: false` is also used in `chpasswd` directive, then the random password might be valid even after the first login, making the leak worse.
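The check a defender would want after reading the comment above is an audit of the log file cloud-init writes: is it world-readable, and does it contain the block of generated credentials? The script below is an added example and is not cloud-init's or Red Hat's code. It assumes that cloud-init prints the marker line "Set the following 'random' passwords" followed by one `user:password` line per user (the format of cloud-init's set-passwords module at the time; treat the exact marker as an assumption), and it reports only the affected usernames, never the secret itself, then tightens the file mode. The sample log content is constructed.

```python
import os
import re
import stat
import tempfile
from dataclasses import dataclass, field

# Assumed marker emitted by cloud-init's set-passwords module before the
# "user:password" lines. If your cloud-init version words it differently,
# adjust this constant.
RANDOM_PW_MARKER = "Set the following 'random' passwords"

# One generated credential per line: "<username>:<secret>"
CRED_LINE = re.compile(r"^(?P<user>[a-z_][a-z0-9_-]*):(?P<secret>\S+)$")

# Constructed sample of /var/log/cloud-init-output.log; the password is a placeholder.
SAMPLE_LOG = """Cloud-init v. 19.4 running 'modules:final' at Fri, 19 Mar 2021 16:00:00 +0000.
Set the following 'random' passwords
alice:pl4ceh0lderPW
Cloud-init v. 19.4 finished at Fri, 19 Mar 2021 16:00:02 +0000.
"""


@dataclass
class AuditResult:
    world_readable: bool
    leaked_users: list = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        """True only when secrets are present AND any local user can read them."""
        return self.world_readable and bool(self.leaked_users)


def find_leaked_users(text: str) -> list:
    """Return usernames whose generated password appears in the log text.

    The secret is matched so the line is recognised, but only the username is
    returned; nothing copies the password out of the log.
    """
    users = []
    in_block = False
    for line in text.splitlines():
        if RANDOM_PW_MARKER in line:
            in_block = True
            continue
        if not in_block:
            continue
        m = CRED_LINE.match(line.strip())
        if m:
            users.append(m.group("user"))
        else:
            in_block = False  # first non-credential line ends the block
    return users


def is_world_readable(path: str) -> bool:
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_cloud_init_output(path: str = "/var/log/cloud-init-output.log") -> AuditResult:
    with open(path, "r", errors="replace") as fh:
        users = find_leaked_users(fh.read())
    return AuditResult(world_readable=is_world_readable(path), leaked_users=users)


def restrict_log(path: str) -> AuditResult:
    """Mitigation for an affected host: drop 'other' read access (0640) and re-audit.

    The generated password should additionally be rotated or expired
    (e.g. `passwd -e <user>`), which this function deliberately does not do.
    """
    os.chmod(path, 0o640)
    return audit_cloud_init_output(path)


def demo():
    """Run the audit and mitigation against the constructed sample log."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".log") as fh:
        fh.write(SAMPLE_LOG)
        path = fh.name
    os.chmod(path, 0o644)  # the world-readable mode the report describes
    before = audit_cloud_init_output(path)
    after = restrict_log(path)
    os.unlink(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before.exposed, "users:", before.leaked_users)
    print("after: ", after.exposed, "users:", after.leaked_users)
```

Run it as root on a host provisioned with `RANDOM` passwords to see which accounts are affected; an entry in `leaked_users` means the matching account should have its password expired or reset regardless of the file mode, because the console output that produced the log may already have been captured elsewhere.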

Comment 6 Riccardo Schirone 2021-04-02 13:53:51 UTC
Statement:

By default the randomly generated password set by "chpasswd" must be changed on the first login of the user. That means that once a user accesses the system for the first time, the random password in the log file cannot be used anymore. However, it is possible to configure an extended validity period for the random password, thus the actual impact of this password leak may vary based on the environment and how the systems are configured through cloud-init.

Comment 7 errata-xmlrpc 2021-08-10 14:00:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3081 https://access.redhat.com/errata/RHSA-2021:3081

Comment 8 Product Security DevOps Team 2021-08-10 19:28:21 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3429

Comment 9 errata-xmlrpc 2021-08-17 08:30:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3177 https://access.redhat.com/errata/RHSA-2021:3177

Comment 10 johannes 2021-08-26 15:23:03 UTC
Hello,
Is there now a way to obtain the random password in another way?
Thx,
Johannes

Comment 11 errata-xmlrpc 2021-08-31 09:13:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3371 https://access.redhat.com/errata/RHSA-2021:3371

