EC2 credentials are cached on disk #2750
Comments
Launchpad user Scott Moser(smoser) wrote on 2016-11-01T14:56:04.793516+00:00 Attaching the suggested fix per Andrew. I fixed flake8 complaints in the test, but that is all. Launchpad attachments: suggested fix [per andrew] |
Launchpad user Scott Moser(smoser) wrote on 2016-11-01T19:07:02.098764+00:00 Andrew, |
Launchpad user Andrew Jorgensen(ajorgens) wrote on 2016-11-01T19:32:01.535876+00:00 Hi Scott, |
Launchpad user Scott Moser(smoser) wrote on 2016-11-04T15:56:45.779861+00:00 Anthony, Andrew. |
Launchpad user Andrew Jorgensen(ajorgens) wrote on 2017-01-13T20:32:02.933649+00:00 I'm not sure why (or if?) folks on Amazon's side have dropped the ball here, but please go ahead and publish this fix at your convenience, if you haven't yet. |
Launchpad user Seth Arnold(seth-arnold) wrote on 2017-01-13T21:18:56.006026+00:00 Has a CVE been assigned to this issue? Or does it fall into the category of "security hardening" and thus not qualify for a CVE? Thanks |
Launchpad user Andrew Jorgensen(ajorgens) wrote on 2017-01-13T21:33:11.870221+00:00 No CVE has been assigned, and in fact it seems only Amazon Linux was vulnerable, because Ubuntu and others were using an API version for instance metadata that did not include IAM instance credentials. |
Launchpad user Launchpad Janitor(janitor) wrote on 2017-02-04T03:49:52.859201+00:00 This bug was fixed in the package cloud-init - 0.7.9-19-ge987092-0ubuntu1 cloud-init (0.7.9-19-ge987092-0ubuntu1) zesty; urgency=medium
-- Scott Moser smoser@ubuntu.com Fri, 03 Feb 2017 21:54:39 -0500 |
Launchpad user Jon Grimm(jgrimm) wrote on 2017-03-03T20:26:55.622898+00:00 Are we able to turn this bug public? |
Launchpad user Chris Halse Rogers(raof) wrote on 2017-03-07T23:24:41.030694+00:00 Hello Scott, or anyone else affected, Accepted cloud-init into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cloud-init/0.7.9-48-g1c795b9-0ubuntu1~16.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance! |
Launchpad user Chris Halse Rogers(raof) wrote on 2017-03-07T23:33:23.061196+00:00 Hello Scott, or anyone else affected, Accepted cloud-init into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cloud-init/0.7.9-48-g1c795b9-0ubuntu1~16.10.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance! |
Launchpad user Scott Moser(smoser) wrote on 2017-03-08T19:37:13.853962+00:00 In order to see the security credentials, you must launch an instance with Ubuntu cloud-init did not actually show this bug because it read and stored This can be verified simply by However, the get_instance_metadata() function would show the credentials.
$ python3 -c 'from cloudinit import ec2_utils; print(ec2_utils.get_instance_metadata("latest")["iam"])' |
Launchpad user Scott Moser(smoser) wrote on 2017-03-08T19:38:08.997514+00:00 ami-78b7166e ubuntu/images-testing/hvm-ssd/ubuntu-yakkety-daily-amd64-server-20170307
$ ec2metadata --ami-id
After upgrade..
$ dpkg-query --show cloud-init
$ python3 -c 'from cloudinit import ec2_utils; print(ec2_utils.get_instance_metadata("latest")["iam"])'
Notice that the 'security-credentials' dictionary is not present. |
Launchpad user Scott Moser(smoser) wrote on 2017-03-08T19:40:12.527614+00:00 ami-f4cc1de2 ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-20170221
$ ec2metadata --ami-id
$ dpkg-query --show cloud-init
$ python3 -c 'from cloudinit import ec2_utils; print(ec2_utils.get_instance_metadata("latest")["iam"])'
Notice that the 'security-credentials' entry is missing from the 'info' dict. |
Launchpad user Launchpad Janitor(janitor) wrote on 2017-03-16T16:18:49.500475+00:00 This bug was fixed in the package cloud-init - 0.7.9-48-g1c795b9-0ubuntu1~16.04.1 cloud-init (0.7.9-48-g1c795b9-0ubuntu1~16.04.1) xenial-proposed; urgency=medium
-- Scott Moser smoser@ubuntu.com Mon, 06 Mar 2017 16:34:10 -0500 |
Launchpad user Brian Murray(brian-murray) wrote on 2017-03-16T16:19:04.964313+00:00 The verification of the Stable Release Update for cloud-init has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions. |
Launchpad user Launchpad Janitor(janitor) wrote on 2017-03-16T16:19:33.912058+00:00 This bug was fixed in the package cloud-init - 0.7.9-48-g1c795b9-0ubuntu1~16.10.1 cloud-init (0.7.9-48-g1c795b9-0ubuntu1~16.10.1) yakkety; urgency=medium
-- Scott Moser smoser@ubuntu.com Mon, 06 Mar 2017 16:37:28 -0500 |
Launchpad user Scott Moser(smoser) wrote on 2017-09-23T02:14:17.341715+00:00 This bug is believed to be fixed in cloud-init in 17.1. If this is still a problem for you, please make a comment and set the state back to New Thank you. |
This bug was originally filed in Launchpad as LP: #1638312
Launchpad details
Launchpad user Scott Moser(smoser) wrote on 2016-11-01T14:49:42.830432+00:00
=== Begin SRU Template ===
[Impact]
On EC2, instance metadata can include credentials that remain valid for as
much as 6 hours. Reading these and allowing them to be pickled represents a
potential vulnerability if a snapshot of the disk is taken and shared as part
of an AMI.
The fix applied was simply to avoid reading the security credentials
in cloud-init.
[Test Case]
pickled object in /var/lib/cloud/instance/obj.pkl
rm -Rf /var/lib/cloud /var/log/cloud-init*
[Regression Potential]
Low, but possible if someone was using the obj.pkl and expecting to
find credentials there. No one should be doing that.
Second possibility is if someone was using cloud-init's
get_instance_metadata and expected to have the security-credentials there.
=== End SRU Template ===
On EC2, instance metadata can include credentials that remain valid for as much
as 6 hours. Reading these and allowing them to be pickled represents a
potential vulnerability if a snapshot of the disk is taken and shared as part
of an AMI.
Note that:
a.) the simple fact of storing the credentials in a file that is readable only by root is not a serious problem as any attacker on the system has access to the network available data.
b.) General care needs to be taken for anyone "capturing" an ami and then making it public.
The suggested fix is to skip security-credentials when walking the meta-data tree.
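The two ideas in this report, skipping the security-credentials subtree while walking the metadata tree (the suggested fix) and checking that the pickled object in /var/lib/cloud/instance/obj.pkl no longer carries credential material (the SRU test case), as an added illustration. This is not cloud-init's own code: the metadata tree is constructed with placeholder values, the function names are mine, and the byte markers used for the scan are an assumption about what pickled credential material looks like.

```python
import pickle

# Constructed sample of an EC2 instance-metadata tree; the credential values
# are placeholders, not real keys.
SAMPLE_METADATA = {
    "instance-id": "i-0123456789abcdef0",
    "iam": {
        "info": {
            "Code": "Success",
            "InstanceProfileArn": "arn:aws:iam::000000000000:instance-profile/demo-role",
        },
        "security-credentials": {
            "demo-role": {
                "AccessKeyId": "ASIAPLACEHOLDER",
                "SecretAccessKey": "PLACEHOLDER-SECRET",
                "Token": "PLACEHOLDER-TOKEN",
                "Expiration": "2017-03-08T20:00:00Z",
            }
        },
    },
}

# Keys whose whole subtree is dropped while walking, mirroring the fix.
SKIP_KEYS = frozenset({"security-credentials"})

# Assumed markers: key names that only appear when IAM credentials were stored.
CREDENTIAL_MARKERS = (b"security-credentials", b"SecretAccessKey", b"AccessKeyId")


def walk_metadata(tree, skip=SKIP_KEYS):
    """Return a copy of the tree with every skipped key (and its subtree) omitted.

    Leaves are returned unchanged; the skip applies at every depth, so a
    'security-credentials' node under 'iam' or anywhere else is never copied.
    """
    if not isinstance(tree, dict):
        return tree
    return {k: walk_metadata(v, skip) for k, v in tree.items() if k not in skip}


def find_credential_markers(blob, markers=CREDENTIAL_MARKERS):
    """Scan serialized bytes for credential-shaped key names.

    A byte scan is used instead of unpickling so the check never executes
    the contents of a pickle it does not trust.
    """
    return tuple(m.decode() for m in markers if m in blob)


def pickled_is_clean(obj):
    """True when pickling obj would write none of the credential markers to disk."""
    return not find_credential_markers(pickle.dumps(obj))


def check_obj_pkl(path="/var/lib/cloud/instance/obj.pkl"):
    """Report which markers are present in an on-disk pickle (path from the report)."""
    with open(path, "rb") as fh:
        return find_credential_markers(fh.read())


if __name__ == "__main__":
    filtered = walk_metadata(SAMPLE_METADATA)
    print("unfiltered tree clean:", pickled_is_clean(SAMPLE_METADATA))
    print("filtered tree clean:", pickled_is_clean(filtered))
    print("remaining iam keys:", sorted(filtered["iam"]))
```

Run as a script it shows the unfiltered tree would pickle credential material while the filtered one would not; `check_obj_pkl()` runs the same byte scan against the real obj.pkl on an instance, which is the check the test case asks for after an upgrade.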