The Common Vulnerabilities and Exposures (CVE) system recently published an important vulnerability with the identifier CVE-2021-3429. Today, we'll discuss this vulnerability in detail, go through a code snippet to understand it better, and share links to the original references where you can find more information. Our main aim is to make this post as easy to understand as possible so that readers who are not technical experts can grasp the exploit details and implications.

Vulnerability Description: CVE-2021-3429

Cloud-init is a widely used package that handles early initialization in cloud instances, including setting up user accounts, configuring network settings, and activating pre-installed virtual environments. It helps automate the setup process and makes deploying cloud instances quicker and easier.

The CVE-2021-3429 vulnerability affects cloud-init versions before 21.2. When using this package to set up random passwords for new user accounts, the software would write the password to a world-readable log file located at /var/log/cloud-init-output.log. This means that any local user with access to the log file could potentially read another user's password, and then log in as that user, gaining unauthorized access to their account and data.

Code Snippet

The simplified snippet below illustrates how cloud-init ends up writing the generated password to the world-readable log file. It is a sketch of the behavior, not the project's actual source:

# ... other cloud-init code ...

def create_user(username, password=None):
    if password is None:
        password = generate_random_password()
        log_password(username, password)
    # ... create the user account ...

def log_password(username, password):
    # Vulnerable: the cleartext password is appended to a log file that
    # every local user can read.
    with open('/var/log/cloud-init-output.log', 'a') as log_file:
        log_file.write(f"Generated random password for {username}: {password}\n")

# ... other cloud-init code ...

In this example, when a new user account is created with create_user(username), it generates a random password and logs it to the file /var/log/cloud-init-output.log. Any local user with access to this log file can now see the generated password and potentially use it to log in as another user.

Exploit Details

An attacker with local access to a cloud instance or virtual machine can take the following steps to exploit this vulnerability:

1. Gain access to the /var/log/cloud-init-output.log file.

2. Use the discovered passwords to log in as those users, compromising their accounts and data.

This vulnerability puts user accounts and data at risk and can lead to targeted attacks or unauthorized access to sensitive information.

References and Original Notices

1. The CVE database for CVE-2021-3429: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3429

2. The cloud-init Launchpad bug report describing the vulnerability: https://bugs.launchpad.net/cloud-init/+bug/1918303

3. The official security notice for Ubuntu, which uses cloud-init by default: https://ubuntu.com/security/notices/USN-478-1

To mitigate this vulnerability, users should do the following:

1. Update cloud-init to version 21.2 or higher. Check the package manager or distribution's update system for the latest version.
2. Remove any previously generated random passwords from the /var/log/cloud-init-output.log file to prevent unauthorized access.

3. Consider changing passwords for user accounts that were created with cloud-init before version 21.2.
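
The log clean-up and password rotation described above can be scripted. The following is an added example, not cloud-init code and not part of the original notices: it redacts logged passwords in place, tightens the file mode, and returns the accounts whose passwords should be changed. The line format is taken from the simplified snippet on this page, and the function name audit_and_scrub and the 0o640 mode are assumptions chosen for the example.

```python
import os
import re
import stat
import tempfile

# Line format copied from the simplified snippet on this page; adjust it to
# whatever your instances actually logged (assumption).
PATTERN = re.compile(rb"^(Generated random password for ([^:\n]+): ).+$")


def audit_and_scrub(path, mode=0o640):
    """Redact logged passwords in place; return (was_world_readable, users)."""
    was_world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
    os.chmod(path, mode)  # close the read window before rewriting content
    users, cleaned = [], []
    with open(path, "r+b") as fh:
        for line in fh:
            m = PATTERN.match(line)
            if m:
                users.append(m.group(2).decode(errors="replace"))
                line = m.group(1) + b"[REDACTED]\n"
            cleaned.append(line)
        if users:
            fh.seek(0)
            fh.writelines(cleaned)
            fh.truncate()
    return was_world_readable, users


def demo():
    """Run against a constructed sample log instead of the real file."""
    sample = (b"Cloud-init v. 21.1 running 'modules:config'\n"
              b"Generated random password for alice: Xk3qLm9T\n"
              b"Generated random password for bob: p7Hw2ZcR\n")
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "wb") as fh:
        fh.write(sample)
    os.chmod(path, 0o644)  # the world-readable state described above
    try:
        result = audit_and_scrub(path)
        with open(path, "rb") as fh:
            return result, fh.read()
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Every account in the returned list should be treated as exposed and have its password changed, since redacting the log does not undo reads that already happened.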

Stay safe out there, and always remember to update your software packages regularly to protect yourself from potential vulnerabilities like CVE-2021-3429.

Timeline

Published on: 04/19/2023 22:15:00 UTC
Last modified on: 05/04/2023 13:00:00 UTC