cloud-init logs leak hashed passwords
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| cloud-init |
Fix Released
|
Critical
|
Unassigned | ||
Bug Description
The recent update of cloud-init to Version: 22.2-0ubuntu1~
has started logging a warning that includes hashed passwords into at least three files readable by all users-
/var/
2022年06月12日 21:23:48,866 - util.py[DEBUG]: Read 100004 bytes from /usr/lib/
2022年06月12日 21:23:48,963 - schema.py[WARNING]: Invalid cloud-config provided:
users.0: {'gecos': 'Mike Stroyan', 'groups': ['adm', 'cdrom', 'dip', 'plugdev', 'lxd', 'sudo'], 'lock-passwd': False, 'name': 'mike', 'passwd': 'HASHED_PASSWORD!', 'shell': '/bin/bash'} is not valid under any of the given schemas
2022年06月12日 21:23:48,964 - util.py[DEBUG]: Reading from /var/lib/
/var/
2022年06月12日 21:23:48,963 - schema.py[WARNING]: Invalid cloud-config provided:
users.0: {'gecos': 'Mike Stroyan', 'groups': ['adm', 'cdrom', 'dip', 'plugdev', 'lxd', 'sudo'], 'lock-passwd': False, 'name': 'mike', 'passwd': 'HASHED_PASSWORD!', 'shell': '/bin/bash'} is not valid under any of the given schemas
/var/log/syslog
Jun 12 15:23:49 b2 cloud-init[800]: 2022年06月12日 21:23:48,963 - schema.py[WARNING]: Invalid cloud-config provided:
Jun 12 15:23:49 b2 cloud-init[800]: users.0: {'gecos': 'Mike Stroyan', 'groups': ['adm', 'cdrom', 'dip', 'plugdev', 'lxd', 'sudo'], 'lock-passwd': False, 'name': 'mike', 'passwd': 'HASHED_PASSWORD!', 'shell': '/bin/bash'} is not valid under any of the given schemas
Jun 12 15:23:49 b2 systemd[1]: Finished Initial cloud-init job (metadata service crawler).
It looks like the warning about not being compliant with schemas comes from both the use of a "lock-passwd" key and by representation of users groups as an array of strings instead of a single string containing a comma separated list of groups.
/var/lib/
That was later changed to "lock_passwd" in this pull merge-
https:/
But installations done with the original 20.04 release will still have "lock-passwd".
That propagates to several files in /var/lib/
The treatment of the "groups" key as an array of strings continues in subiquity.
Both "lock-passwd" and "groups" conflict with /usr/lib/
That would be more minor issue if the warning put into multiple log files didn't contain the password hash that is otherwise only readable by root.
CVE References
Thanks Mike. We'll get this fixed ASAP.
Thanks Mike,
James, will these errors halt the install process entirely? Or will it continue on without expected users?
Will fixing this (adding aliases?) cause unexpected *success* in cloud-config use in deployments? If we add aliases, what happens if someone supplies both lock_passwd and lock-passwd keys in their user data?
I'm a bit surprised this is the first we're hearing a consequence of a change from two years ago.
Thanks
A little more background might be helpful here. Nothing has changed in the code handling of users or groups. The thing that changed is that we have added schema validation to our cloud-init cloud-config. In the users/groups module being used here, cloud-init has supported keys with dashes '-' and keys with underscores '_', though the documentation for the past 4 years or so have only shown underscores. When we introduced the schema to this module, we effectively deprecated the dashes, and in the future we'll only be supporting underscores. If a module fails schema validation, we currently warn but do not raise an exception.
The cloud-config from this bug contains 'lock-passwd' which is still supported but now deprecated. We logged the bit of the cloud-config that doesn't pass validation, but in doing so we have exposed sensitive user data.
To specifically answer you questions:
will these errors halt the install process entirely?
No.
Or will it continue on without expected users?
Neither. It will do the right thing. It is complaining about the supplied keys not matching the schema.
Will fixing this (adding aliases?) cause unexpected *success* in cloud-config use in deployments?
We won't be changing aliases for the fix. The fix is to write a more generic warning to the log telling the user to run a command as root to see why their config is invalid.
If we add aliases, what happens if someone supplies both lock_passwd and lock-passwd keys in their user data?
This is currently already valid. We're trying to deprecate 'lock-passwd'
"I'm a bit surprised this is the first we're hearing a consequence of a change from two years ago."
The change is in 22.2 and was SRUed last week.
Note that the warning message from the schema check is triggered by both the "lock-passwd" key and the representation of users_groups.user groups key as an array of strings rather than a single string with comma separated group names. I need to change both of those in the json file to make it accept the way that Ubuntu subiquity installer wrote the cloud config.
diff --git a/cloudinit/
index a5be310a..4e07c0c9 100644
--- a/cloudinit/
+++ b/cloudinit/
@@ -35,7 +35,8 @@
},
"groups": {
- "type": "string"
+ "type": ["array", "string"],
+ "items": {"type": "string"}
},
"homedir": {
@@ -51,6 +52,11 @@
"type": "boolean"
},
+ "lock-passwd": {
+ "default": true,
+ "description": "Disable password login. Default: ``true``",
+ "type": "boolean"
+ },
Thanks for the explanations James,
Please use CVE-2022-2084 for this issue.
Thanks
Thanks Mike for the context here and spending time understanding the symptoms.
In our deprecation of this key, we should have also added a DEPRECATED description to this in our schema. Looks like we covered that approach in other keys like `grub-dpkg` -> grub_dpkg[1] and `remove-defaults` -> remove_defaults[2] but not in this case. We have PRs in flight to fix this and will make sure subiquity is also onboard with our deprecation schedule for these keys too so we don't re-introduce this problem when the hyphenated keys are officially dropped in upstream.
References:
[1] https:/
[2] https:/
Hey Seth, what do you think about the severity for this bug?
Chad, James, I've added you both to https:/
Thanks
Thanks Seth.
Email sent out on this Friday with the suggested fix, the packages have been uploaded to this private PPA and are available for security review and upload into the appropriate -security pockets for Bionic, Focal, Impish, and Jammy.
Proposed fix, generalize schema validation warnings messages to avoid reporting potentially sensitive user-data values in /var/log/
cloud-init.postinst fixes to redact historic sensitive logs.
diff --git a/debian/changelog b/debian/changelog
index 135671ae..baec8fd1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+cloud-init (22.2-0ubuntu1~
+
+ * d/cloud-
+ * Remove schema errors from log (LP: #1978422) (CVE-2022-2084)
+
+ -- James Falcon <email address hidden> 2022年6月14日 06:31:00 -0500
+
cloud-init (22.2-0ubuntu1~
* cherry-pick a2e62738: Fix cc_phone_home requiring 'tries' (#1500)
diff --git a/debian/
index 683ba86d..85788a98 100644
--- a/debian/
+++ b/debian/
@@ -125,6 +125,27 @@ handle_
db_unregister "${debconf_name}" || :
}
+fix_1978422_
+ local oldver="1ドル" last_bad_
+ dpkg --compare-versions "$oldver" le "$last_bad_ver" || return 0
+
+ MSG="Redacting sensitive logs due to invalid cloud-config user-data from"
+ INVALID_
+ if grep -q "${INVALID_
+ echo "${MSG} /var/log/
+ # Redact all schema warnings between
+ # 'Invalid cloud-config provided:' and the next timestamped log 2022-
+ sed -i '/Invalid cloud-config provided:
+ fi
+ if grep -q "${INVALID_
+ echo "${MSG} /var/log/
+ # Redact all schema warnings between
+ # 'Invalid cloud-config provided:' and the public/private key gen at
+ # 'Generating public/private rsa key pair' OR 'Cloud'
+ sed -i '/Invalid cloud-config provided:
+ fi
+}
+
fix_1336855() {
### Begin fix for LP: 1336855
# fix issue where cloud-init misidentifies the location of grub and
@@ -375,6 +396,9 @@ EOF
cleanup_
fix_lp1889555 "2ドル"
change_
+
+ # Redact schema sensitive warning logs on invalid user-data
+ fix_1978422_
fi
#DEBHELPER#
diff --git a/debian/
new file mode 100644
index 00000000..01e886d7
--- /dev/null
+++ b/debian/
@@ -0,0 +1,148 @@
+From b0534cbf05221b1
- bionic.debdiff Edit (9.6 KiB, text/plain)
functional debdiff for bionic between 22.2-0ubuntu1~
- focal.debdiff Edit (9.6 KiB, text/plain)
functional debdiff for focal between 22.2-0ubuntu1~
- impish.debdiff Edit (9.6 KiB, text/plain)
functional debdiff for impish between 22.2-0ubuntu1~
- jammy.debdiff Edit (9.5 KiB, text/plain)
functional debdiff for jammy between 22.2-0ubuntu1~
Updated patches to suggest in messaging that admins may want to redact journalctl logs or remote log aggregators.
Is Cloud-Init 21.4 affected?
The change landed in 22.2, so 21.4 should not be affected.
Tracked in Github Issues as https:/