The world of system administration is built on trust and, sometimes, a leap of faith in the tools we use. But what if these very tools quietly log sensitive data and leave it lying around for prying eyes? In this long read, we dig deep into CVE-2023-5182, a security bug that affected Subiquity – the Ubuntu Server installer – in versions 23.09.1 and earlier. If you want to understand how a simple log file misstep could result in password hashes being exposed to non-root users, keep reading.
What Is CVE-2023-5182?
Briefly, this issue is about how Subiquity, a key installer for Ubuntu, saved information in its log files. Due to insufficient filtering, these logs could contain hashed passwords used during installation. Any user who is a member of the adm group (and thus has read access to administrative logs) could potentially find these hashes, crack them offline, and possibly escalate their privilege.
Why Does This Matter?
Most people assume log files are boring. But logs can sometimes offer a gold mine for attackers — especially when debugging code accidentally “prints” sensitive information.
The adm group on Ubuntu hosts is used for log analysis; its users can read many non-world-readable system logs. If an attacker gains access to any account in adm, and the logs contain hashed passwords of root or other users, it’s only a matter of time before those hashes are retrieved and attacked offline (using tools like John the Ripper or Hashcat).
How Does The Vulnerability Work? (With Code Example)
Let’s look at a (simplified) Python-like pseudocode that shows what could go wrong during password setup/logging.
Vulnerable code snippet
import logging
def set_user_password(username, password):
hashed = hash_password(password)
# Logging intended for debugging
logging.info(f"Setting password for {username}: {hashed}")
write_to_system(username, hashed)
Above, the logging.info line records the hash value in an information log intended for developers. Unless care is taken, these logs would go to /var/log/installer/subiquity-server-debug.log (or similar). On Ubuntu, anyone in the adm group may read these logs:
$ grep "Setting password" /var/log/installer/subiquity-server-debug.log
Setting password for myadmin: $6$asdf$ABCDE123456...
Attacker combs log files
- Looks through /var/log/installer/, /var/log/syslog, etc., for passwords or hash patterns.
If the password is simple, attacker gets cleartext
- They now can impersonate admin/root or other key users.
Mitigation and Fix
Upgrading Subiquity to a version after 23.09.1 is critical, as this patch ensures logs do not record sensitive password data.
What the fix looks like
# After the fix
logging.info(f"Setting password for {username}")
(no hash information is logged anymore)
Cleanup tip: After fixing, rotate and review all logs to ensure no leaked data remains.
Responsible Disclosure and References
Canonical was quick to patch this, and responsible disclosure was followed.
Canonical’s Security Notice:
- USN-6614-1: Subiquity vulnerability
Launchpad Bug:
- https://bugs.launchpad.net/subiquity/+bug/2045558
Official MITRE CVE Record:
- https://nvd.nist.gov/vuln/detail/CVE-2023-5182
Conclusion
CVE-2023-5182 is a prime example of why operational security is just as important as technical measures. A single extra piece of data in a log file can undo layers of system security. Stay vigilant, upgrade your installers, and don’t leave any “password crumbs” behind.
If you’re responsible for Ubuntu deployments, take time to check your installer versions and logs today!
*This post is based exclusively on reviewing upstream reports and security notices, avoiding jargon to make the problem easier to understand for everyone.*
Timeline
Published on: 10/07/2023 00:15:11 UTC
Last modified on: 10/11/2023 18:05:32 UTC