CVE-2021-3429 - Leaked Cloud-Init Passwords Through World-Readable Logs Explained
Cloud-init is a widely used tool for automating the initialization of cloud servers across platforms like AWS, Azure, or OpenStack. It handles system setup tasks, including creating new users and provisioning credentials. In 2021, a critical vulnerability surfaced that could expose these credentials: CVE-2021-3429.
Let’s break down what happened, how you might be affected, and what to do about it—using clear language and step-by-step examples.
What is CVE-2021-3429?
CVE-2021-3429 is a security flaw found in versions of Cloud-init before 21.2. When administrators instructed Cloud-init to create a brand new user account with a randomly generated password, the system would obediently set everything up—but then write that new password in plain text to a log file: /var/log/cloud-init-output.log.
Why is that dangerous? This log file could be read by anyone on the server. So, any local user could quietly check the log, grab the new password, and log in as that new user.
How Does the Vulnerability Work?
1. An administrator spins up a cloud server with Cloud-init, tells it to create a user with a random password.
Cloud-init generates the password and applies it.
3. Cloud-init then logs the workflow—including the actual password—in /var/log/cloud-init-output.log.
Suppose you use the following cloud-init configuration (user-data file)
#cloud-config
users:
- name: testuser
lock_passwd: false
passwd: "{{ random }}"
plain_text_passwd: true
Cloud-init recognizes {{ random }} to generate a random password for testuser.
After your server boots, the file /var/log/cloud-init-output.log might contain
Snip from /var/log/cloud-init-output.log:
...
+ set_passwords
Setting password for user testuser
Generated random password: s8KuR9qDv3xmA7NJLrZP
...
Anyone with local access can simply run
cat /var/log/cloud-init-output.log
Exploit Scenario (Step-by-Step)
1. Someone already has a low-privilege account on your cloud server (for example, a support user or an attacker with partial access).
`bash
grep -i password /var/log/cloud-init-output.log
`
Now, the attacker has access as testuser—just because a log file leaked the generated secret.
Who is Vulnerable?
The key requirement for this attack is local access. That means an attacker must already be able to log in to the server (even if only as an unprivileged user). Once they’re in, they can simply read the log and harvest secrets.
This bug affects Cloud-init versions before 21.2.
Official References
- CVE Listing (mitre.org)
- Cloud-init GitHub Issue
- Upstream Patch Commit
No longer writes user passwords into log files.
- Treats password-handling as a sensitive operation, keeping details out of non-secure outputs like /var/log/cloud-init-output.log.
If you use a newer cloud-init, you’re safe by default.
`bash
sudo chmod 600 /var/log/cloud-init-output.log
`bash
grep -i password /var/log/cloud-init-output.log
sudo apt update && sudo apt install cloud-init
# On CentOS/RHEL
Summary Table
| Cloud-init Version | Password Leak in Log? | Safe? |
|--------------------|----------------------|----------------|
| < 21.2 | Yes | Vulnerable |
| 21.2 or higher | No | Safe |
Final Thoughts
While this bug required some form of inside access, it’s the kind of simple slip that can put whole automation and server-fleet setups at risk. Always keep your provisioning tools up to date, and remember: even log files can become your weakest link.
Be sure to audit your logs, update software, and follow principle of least privilege—always!
Want to read more?
- Upstream Announcement
- Canonical Cloud-init Project
- Mitre CVE-2021-3429 Details
Timeline
Published on: 04/19/2023 22:15:00 UTC
Last modified on: 05/04/2023 13:00:00 UTC