[Plug-security] Fwd: Security issue in livecd-tools causes password issue in Fedora cloud images

Lisa Kachold lisakachold at obnosis.com
Thu May 23 15:10:10 MST 2013


The trolling of Amazon EC2 AMIs continues - now with root exploit.

---------- Forwarded message ----------
From: Robyn Bergeron <rbergero at redhat.com>
Date: Thu, May 23, 2013 at 2:25 PM
Subject: Security issue in livecd-tools causes password issue in Fedora
cloud images
To: announce at lists.fedoraproject.org


Greetings.

A flaw has been identified in the tool used by the Fedora Project to create
cloud images. Images generated by this tool, including Fedora Project
“official” AMIs (Amazon Machine Images), AMIs whose heritage can be traced
to official Fedora AMIs, as well as some images using the AMI format in
non-Amazon clouds, are affected, as described below.

** Issue **

The flaw identified by CVE-2013-2069 [1] (Red Hat Bugzilla 964299 [2])
describes an issue where, in default circumstances, the virtual machine
image creator tool gave the root user an empty password rather than leaving
the password locked.  When using Fedora 15, 16, 17, or 18 Amazon Machine
Images (AMIs) on Amazon Web Services, a local, unprivileged user could use
this issue to escalate their privileges.

This issue was caused by the way a tool was used to create images, and not
due to a security vulnerability in Fedora images or AWS.

Fedora-based images for cloud or virtualization usage that were not
provided by the Fedora Project, but were created with the same tool, may be
affected. This includes AMIs created by individuals for their own self-use,
as well as AMI-format images provided by individuals or specific open
source projects for use in non-Amazon cloud environments. Please check with
the upstream project or contributor that referenced those images to find
out if those images were affected by the image creation tool used in the
respective project.

** Resolution **

The Fedora Project provides Amazon Machine Images (AMIs) for Fedora through
Amazon Web Services.  These AMIs are provided as minimally configured
system images which are available for use as-is or for configuration and
customization as required by end users. Fedora 15, 16, 17 and 18 AMIs for
Amazon Web Services had an empty root password by default.  To address
this, the Fedora Release Engineering team has created new AMIs that lock
the root password by default. These AMIs are now available on AWS.

To correct existing Fedora 17 and 18 AMIs, any AMIs built using Fedora
AMIs, or any currently running Fedora instances instantiated from those
AMIs, users can lock the root password by issuing, as root, the command:

passwd -l root

Since Fedora 14, Fedora has used the default user account “ec2-user”.
Locking the root password will still allow “ec2-user” to use the “sudo”
command to gain root without requiring a password.

Note: The default OpenSSH configuration disallows password logins when the
password is empty, preventing a remote attacker from logging in without a
password.

IDs for new AMIs are posted here:
http://fedoraproject.org/en/get-fedora-options#clouds

Please note that new AMIs are available only for current releases of
Fedora, which are Fedora 17 and Fedora 18.  If you are utilizing a Fedora
16 or earlier AMI, you should be aware that your release has reached its
end of life, and thus security updates, as well as new AMIs, for that
particular release are not available.

** Root Cause **

Kickstart can be used to automate operating system installations. A
Kickstart file specifies settings for an installation. Once the
installation system boots, it can read a Kickstart file and carry out the
installation process without any further input from a user. Kickstart is
used as part of the process of creating images of Fedora for cloud
providers.

It was discovered that when no 'rootpw' command was specified in a
Kickstart file, the image creator tools gave the root user an empty
password rather than leaving the password locked, which could allow a local
user to gain access to the root account (CVE-2013-2069). We have corrected
this issue by updating the Kickstart file used to build affected images to
lock the password file.

The affected tool used by the Fedora Project to generate AMIs is
appliance-creator, which is part of the appliance-tools package.
Appliance-creator depends on another tool, livecd-creator (part of the
livecd-tools package) in building AMIs; this tool contained the
aforementioned password flaw.  Please note that livecd-creator is a
dependency for other various image-building tools, and AMIs generated with
these tools may have the same issue, if the tool does not enforce locking
of the password by default.

The Fedora Project thanks Amazon Web Services and Red Hat for notifying us
of this issue. Amazon Web Services acknowledges Sylvain Beucler as the
original reporter.

Thanks,

-Robyn Bergeron



[1] https://access.redhat.com/security/cve/CVE-2013-2069
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2069
--
announce mailing list
announce at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/announce



-- 

(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
it-clowns.com <http://it-clowns.com/c/index.php>
Chief Clown
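
Added example, not part of the forwarded announcement or of Fedora's tooling: a shell check that classifies root's password field in an image's /etc/shadow as empty (the CVE-2013-2069 condition), locked (the state after "passwd -l root"), or set. The function names and the sample shadow entries are constructed for illustration.

```shell
#!/bin/sh
# Classify an account's password field in a shadow(5)-format file.
# Prints EMPTY (no password needed), LOCKED (field starts with '!' or '*',
# so no password can match), SET (a hash is present) or MISSING (no entry).
shadow_state() {
    file=$1
    user=${2:-root}
    awk -F: -v u="$user" '
        $1 == u {
            found = 1
            if ($2 == "")          print "EMPTY"
            else if ($2 ~ /^[!*]/) print "LOCKED"
            else                   print "SET"
            exit
        }
        END { if (!found) print "MISSING" }
    ' "$file"
}

# Audit an image root (a running system is "/", a mounted image e.g. /mnt/img).
# Returns 0 if root is locked or has a hash, 1 if empty, 2 if it cannot be checked.
audit_root() {
    shadow="$1/etc/shadow"
    [ -r "$shadow" ] || { echo "cannot read $shadow" >&2; return 2; }
    state=$(shadow_state "$shadow" root)
    echo "$shadow: root password field is $state"
    case $state in
        EMPTY)   return 1 ;;
        MISSING) return 2 ;;
        *)       return 0 ;;
    esac
}

# Constructed sample data: three image roots with different root entries.
make_samples() {
    d=$1
    mkdir -p "$d/flawed/etc" "$d/fixed/etc" "$d/hashed/etc"
    printf 'root::15848:0:99999:7:::\nec2-user:!!:15848:0:99999:7:::\n' \
        > "$d/flawed/etc/shadow"
    printf 'root:!!:15848:0:99999:7:::\n' > "$d/fixed/etc/shadow"
    printf 'root:$6$constructedsalt$constructedhash:15848:0:99999:7:::\n' \
        > "$d/hashed/etc/shadow"
}

# When given a directory argument, audit that image root.
if [ $# -gt 0 ]; then
    audit_root "$1"
fi
```

Reading /etc/shadow requires root; run it against "/" on a live instance or against the mount point of an image before publishing it.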