The "Set Passwords" module allows a user to specify that cloud-init create a random password for a particular user. In order to allow people to access systems using these randomly generated passwords (without needing another access vector in order to know the passwords), cloud-init emits them to the serial console. In order to have log messages emitted to the console readily available within the system also, it writes that same content to /var/log/cloud-init-output.log. As a result, those passwords are written to that file, which is world-readable.
Upstream bug: https://bugs.launchpad.net/cloud-init/+bug/1918303
Upstream fix: https://github.com/canonical/cloud-init/commit/b794d426b9ab43ea9d6371477466070d86e10668
Created cloud-init tracking bugs for this issue: Affects: fedora-all [bug 1945886]
When a configuration like the one below is used in cloud-init, cloud-init will assign a random password to the "alice" user and it will log the randomly generated password on console and on a world-readable log file.

```yaml
chpasswd:
  list: |
    alice:RANDOM
```

Any other user on the system can read the generated password from the log file. However, a user is required to change his password on first login, making the leaked password useful only until the first user logs in. If `expire: false` is also used in the `chpasswd` directive, then the random password might be valid even after the first login, making the leak worse.
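An added audit script (not part of the bug report or of cloud-init itself) that checks an instance for the two conditions this issue depends on: the output log being world-readable, and the random-password block being present in it. It assumes the pre-fix log format of a "Set the following 'random' passwords" banner followed by `user:password` lines; the sample log is constructed, and the script reports only the affected usernames, never the passwords.

```python
import os
import re
import stat
from typing import List, Tuple

# Constructed sample of a pre-fix /var/log/cloud-init-output.log (banner format assumed).
SAMPLE_LOG = """\
Cloud-init v. 20.3 running 'modules:config' at Mon, 08 Mar 2021 10:00:00 +0000.
Set the following 'random' passwords
alice:Uq7fXz2LpQ4r
bob:K3nQ9vTsWx1m
Cloud-init v. 20.3 running 'modules:final' at Mon, 08 Mar 2021 10:00:05 +0000.
ci-info: no authorized SSH keys fingerprints found for user alice.
"""

BANNER = "Set the following 'random' passwords"
USER_PW_RE = re.compile(r"^([a-z_][a-z0-9_-]*):(\S+)$")


def find_leaked_users(log_text: str) -> List[str]:
    """Return usernames whose random password follows the banner; passwords are not returned."""
    leaked = []
    in_block = False
    for line in log_text.splitlines():
        if line.strip() == BANNER:
            in_block = True
            continue
        if in_block:
            m = USER_PW_RE.match(line.strip())
            if m:
                leaked.append(m.group(1))
                continue
            in_block = False  # block ends at the first non user:password line
    return leaked


def is_world_readable(path: str) -> bool:
    """True if the file mode grants read to 'other', the condition the leak relies on."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit(path: str = "/var/log/cloud-init-output.log") -> Tuple[bool, List[str]]:
    """Report (world_readable, leaked_users) for the given cloud-init output log."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        users = find_leaked_users(fh.read())
    return is_world_readable(path), users


if __name__ == "__main__":
    readable, users = audit()
    print(f"world-readable={readable} users_with_leaked_random_password={users}")
```

If the audit reports any users, rotate those accounts' passwords and tighten the log's mode in addition to applying the vendor update.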
Statement: By default the randomly generated password from "chpasswd" must be changed on the first login of the user. That means that once a user accesses the system for the first time, the random password in the log file cannot be used anymore. However, it is possible to configure an extended validity period for the random password, thus the actual impact of this password leak may vary based on the environment and how the systems are configured through cloud-init.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3081 https://access.redhat.com/errata/RHSA-2021:3081
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3429
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:3177 https://access.redhat.com/errata/RHSA-2021:3177
Hello, Is there now a way to obtain the random password in another way? Thx, Johannes
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3371 https://access.redhat.com/errata/RHSA-2021:3371