List: fedora-announce-list
Subject: Security issue in livecd-tools causes password issue in Fedora cloud images
From: Robyn Bergeron <rbergero () redhat ! com>
Date: 2013-05-23 21:25:42
Message-ID: 1044678825.28402388.1369344342502.JavaMail.root () redhat ! com
Greetings.
A flaw has been identified in the tool used by the Fedora Project to create cloud images. Images generated by this tool, including Fedora Project "official" AMIs (Amazon Machine Images), AMIs whose heritage can be traced to official Fedora AMIs, as well as some images using the AMI format in non-Amazon clouds, are affected, as described below.
** Issue **
The flaw identified by CVE-2013-2069 [1] (Red Hat Bugzilla 964299 [2]) describes an issue where, in default circumstances, the virtual machine image creator tool gave the root user an empty password rather than leaving the password locked. When using Fedora 15, 16, 17, or 18 Amazon Machine Images (AMIs) on Amazon Web Services, a local, unprivileged user could use this issue to escalate their privileges.
This issue was caused by the way a tool was used to create images, and not due to a security vulnerability in Fedora images or AWS.
Fedora-based images for cloud or virtualization usage that were not provided by the Fedora Project, but were created with the same tool, may be affected. This includes AMIs created by individuals for their own self-use, as well as AMI-format images provided by individuals or specific open source projects for use in non-Amazon cloud environments. Please check with the upstream project or contributor that referenced those images to find out if those images were affected by the image creation tool used in the respective project.
** Resolution **
The Fedora Project provides Amazon Machine Images (AMIs) for Fedora through Amazon Web Services. These AMIs are provided as minimally configured system images which are available for use as-is or for configuration and customization as required by end users. Fedora 15, 16, 17 and 18 AMIs for Amazon Web Services had an empty root password by default. To address this, the Fedora Release Engineering team has created new AMIs that lock the root password by default. These AMIs are now available on AWS.
To correct existing Fedora 17 and 18 AMIs, any AMIs built using Fedora AMIs, or any currently running Fedora instances instantiated from those AMIs, users can lock the root password by issuing, as root, the command:
passwd -l root
Since Fedora 14, Fedora has used the default user account "ec2-user". Locking the root password will still allow "ec2-user" to use the "sudo" command to gain root without requiring a password.
Note: The default OpenSSH configuration disallows password logins when the password is empty, preventing a remote attacker from logging in without a password.
IDs for new AMIs are posted here:
http://fedoraproject.org/en/get-fedora-options#clouds
Please note that new AMIs are available only for current releases of Fedora, which are Fedora 17 and Fedora 18. If you are utilizing a Fedora 16 or earlier AMI, you should be aware that your release has reached its end of life, and thus security updates, as well as new AMIs, for that particular release are not available.
** Root Cause **
Kickstart can be used to automate operating system installations. A Kickstart file specifies settings for an installation. Once the installation system boots, it can read a Kickstart file and carry out the installation process without any further input from a user. Kickstart is used as part of the process of creating images of Fedora for cloud providers.
It was discovered that when no 'rootpw' command was specified in a Kickstart file, the image creator tools gave the root user an empty password rather than leaving the password locked, which could allow a local user to gain access to the root account (CVE-2013-2069). We have corrected this issue by updating the Kickstart file used to build affected images to lock the password file.
The affected tool used by the Fedora Project to generate AMIs is appliance-creator, which is part of the appliance-tools package. Appliance-creator depends on another tool, livecd-creator (part of the livecd-tools package), in building AMIs; this tool contained the aforementioned password flaw. Please note that livecd-creator is a dependency for various other image-building tools, and AMIs generated with these tools may have the same issue if the tool does not enforce locking of the password by default.
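The following shell script is an added example and is not part of this announcement or of the livecd-tools/appliance-tools projects. It checks the root entry of a shadow-format file for the condition described above (an empty password field, as opposed to the "!"-prefixed locked field that "passwd -l root" produces), so an image or running instance can be audited before and after applying the fix. The sample /etc/shadow contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original announcement: audit a shadow-format
# file for the CVE-2013-2069 condition (root with an EMPTY password field)
# and show what `passwd -l root` does to that field.
# Field 2 of a shadow line: "" = no password at all, "!" or "*" prefix =
# locked, anything else = a hash that can be used to authenticate.

# Constructed sample /etc/shadow contents (dates and names are made up).
SHADOW_AFFECTED='root::15800:0:99999:7:::
ec2-user:!!:15800:0:99999:7:::'
SHADOW_FIXED='root:!:15800:0:99999:7:::
ec2-user:!!:15800:0:99999:7:::'

# root_pw_state FILE -> prints one of: empty | locked | set | missing
root_pw_state() {
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")          print "empty"
            else if ($2 ~ /^[!*]/) print "locked"
            else                   print "set"
            exit
        }
        END { if (!found) print "missing" }' "$1"
}

# root_pw_state_str STRING -> same classification for in-memory contents.
root_pw_state_str() {
    printf '%s\n' "$1" | root_pw_state -
}

# lock_root_line STRING -> the contents with root locked the way `passwd -l`
# locks it: a "!" is prefixed to the password field (hash, if any, is kept).
lock_root_line() {
    printf '%s\n' "$1" | awk -F: 'BEGIN { OFS = ":" }
        $1 == "root" && $2 !~ /^!/ { $2 = "!" $2 } { print }'
}

# Audit the live system when /etc/shadow is readable (i.e. run as root),
# then demonstrate on the constructed samples.
if [ -r /etc/shadow ]; then
    echo "this host: root password is $(root_pw_state /etc/shadow)"
fi
echo "affected sample: $(root_pw_state_str "$SHADOW_AFFECTED")"
echo "fixed sample:    $(root_pw_state_str "$SHADOW_FIXED")"
echo "after lock:      $(root_pw_state_str "$(lock_root_line "$SHADOW_AFFECTED")")"
```

Running it as root on an instance launched from an affected AMI reports "empty"; after "passwd -l root" the same check reports "locked".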
The Fedora Project thanks Amazon Web Services and Red Hat for notifying us of this issue. Amazon Web Services acknowledges Sylvain Beucler as the original reporter.
Thanks,
-Robyn Bergeron
[1] https://access.redhat.com/security/cve/CVE-2013-2069
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2069
--
announce mailing list
announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/announce