Bug 28991 - cloud-init new security issue CVE-2021-3429
Summary: cloud-init new security issue CVE-2021-3429
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-28 22:32 CEST by David Walser
Modified: 2021-10-29 21:33 CEST
CC: 7 users

See Also:
Source RPM: cloud-init-20.2-2.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2021-05-28 22:32:49 CEST
Debian-LTS has issued an advisory on March 20:
https://www.debian.org/lts/security/2021/dla-2601

The issue is fixed upstream in 21.2:
https://github.com/canonical/cloud-init/releases/tag/21.2

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-05-28 22:33:18 CEST

Status comment: (none) => Fixed upstream in 21.2
CC: (none) => mageia
Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Lewis Smith 2021-05-29 20:52:14 CEST
This has been maintained by various people, so assigning the bug globally. CC'ing the registered maintainer Joseph.

CC: (none) => joequant
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2021-06-02 13:32:00 CEST
Hi,

For Cauldron and Mageia 8, I added a patch from Debian for that CVE and pushed cloud-init-20.2-2.1.mga8 and cloud-init-20.2-4.mga9 to the BS.

Best regards,

Nico.

CC: (none) => nicolas.salguero

Nicolas Salguero 2021-06-02 13:32:15 CEST

Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

Comment 3 David Walser 2021-06-02 23:06:26 CEST
We have 0.7.5 in Mageia 7, so Debian's patch for 0.7.9 might work for us.
Comment 4 David Walser 2021-07-01 18:53:58 CEST
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Assigning to QA as an update for Mageia 8 has been built.  Still needs advisory.

Whiteboard: MGA7TOO => (none)
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 21.2 => (none)

Comment 5 Aurelien Oudelet 2021-07-19 23:07:54 CEST
Advisory:
========================

Updated cloud-init package fixes a security vulnerability:

cloud-init has the ability to generate and set a randomized password for system users. This functionality is enabled at runtime by passing cloud-config data such as: 'chpasswd: list: | user1:RANDOM'

When instructing cloud-init to set a random password for a new user account, versions before 21.1.19 would write that password to the world-readable log file /var/log/cloud-init-output.log. This could allow a local user to log in as another user (CVE-2021-3429).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=28991
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3429
 - https://www.debian.org/lts/security/2021/dla-2601
 - https://github.com/canonical/cloud-init/releases/tag/21.2
========================

Updated package in core/updates_testing:
========================
cloud-init-20.2-2.1.mga8

from SRPM:
cloud-init-20.2-2.1.mga8.src.rpm

CC: (none) => ouaurelien
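Added here as an example (not code from this bug or from cloud-init itself): a small audit for the leak the advisory in Comment 5 describes. It reports whether /var/log/cloud-init-output.log is world-readable and which users had a generated password echoed into it, run against a constructed sample log; the marker line it keys on is assumed from cloud-init's set_passwords module and should be confirmed against the installed version.

```python
import os
import re
import stat
import tempfile

# Marker cloud-init's set_passwords module prints ahead of the user:password
# lines (assumed from the cloud-init source; confirm against your version).
RANDOM_PW_MARKER = "Set the following 'random' passwords"
USER_PW_RE = re.compile(r"^([a-z_][a-z0-9_-]*):(\S+)$")

# Constructed sample of what a vulnerable 20.2 run could leave in the log.
SAMPLE_LOG = (
    "Cloud-init v. 20.2 running 'modules:final' at Tue, 01 Jun 2021 10:00:00 +0000.\n"
    "Set the following 'random' passwords\n"
    "user1:Xy7kQp2mLz9a\n"
    "deploy:Qw3rTy8uIo1p\n"
    "ci-info: no authorized SSH keys fingerprints found for user user1.\n"
)


def audit_cloud_init_output(path):
    """Report world-readability and the users whose generated password was echoed; the passwords themselves are never returned."""
    mode = os.stat(path).st_mode
    findings = {"world_readable": bool(mode & stat.S_IROTH),
                "users_with_leaked_password": []}
    in_block = False
    with open(path, "r", errors="replace") as fh:
        for raw in fh:
            line = raw.rstrip("\n")
            if RANDOM_PW_MARKER in line:
                in_block = True
                continue
            if in_block:
                match = USER_PW_RE.match(line)
                if match:
                    findings["users_with_leaked_password"].append(match.group(1))
                else:
                    in_block = False  # the list ends at the first other line
    return findings


def demo(sample=SAMPLE_LOG, mode=0o644):
    """Write the sample to a temp file with the given mode and audit it."""
    fd, path = tempfile.mkstemp(suffix=".log")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(sample)
        os.chmod(path, mode)
        return audit_cloud_init_output(path)
    finally:
        os.unlink(path)
```

Pointed at the real log as root, a non-empty user list means those accounts' passwords should be rotated and the log cleaned, since updating the package does not remove what an earlier run already wrote.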

Comment 6 Thomas Andrews 2021-10-27 23:30:33 CEST
Tested in VirtualBox, no installation issues. Referenced Bug 26236 for tests:

[tom@localhost ~]$ cloud-init --help
usage: /usr/bin/cloud-init [-h] [--version] [--file FILES] [--debug]
                           [--force]
                           {init,modules,single,query,dhclient-hook,features,analyze,devel,collect-logs,clean,status}
                           ...

optional arguments:
  -h, --help            show this help message and exit
  --version, -v         show program's version number and exit
  --file FILES, -f FILES
                        additional yaml configuration files to use
  --debug, -d           show additional pre-action logging (default: False)
  --force               force running even if no datasource is found (use
                        at your own risk)

Subcommands:
  {init,modules,single,query,dhclient-hook,features,analyze,devel,collect-logs,clean,status}
    init                initializes cloud-init and performs initial modules
    modules             activates modules using a given configuration key
    single              run a single module
    query               Query standardized instance metadata from the
                        command line.
    dhclient-hook       Run the dhclient hook to record network info.
    features            list defined features
    analyze             Devel tool: Analyze cloud-init logs and data
    devel               Run development tools
    collect-logs        Collect and tar all cloud-init debug info
    clean               Remove logs and artifacts so cloud-init can re-run.
    status              Report cloud-init status or wait on completion.

[tom@localhost ~]$ cloud-init --version
/usr/bin/cloud-init 20.2

Tried one thing more:

[tom@localhost ~]$ cloud-init status
Traceback (most recent call last):
  File "/usr/bin/cloud-init", line 33, in <module>
    sys.exit(load_entry_point('cloud-init==20.2', 'console_scripts', 'cloud-init')())
  File "/usr/lib/python3.8/site-packages/cloudinit/cmd/main.py", line 891, in main
    retval = util.log_time(
  File "/usr/lib/python3.8/site-packages/cloudinit/util.py", line 2648, in log_time
    ret = func(*args, **kwargs)
  File "/usr/lib/python3.8/site-packages/cloudinit/cmd/status.py", line 53, in handle_status_args
    init.read_cfg()
  File "/usr/lib/python3.8/site-packages/cloudinit/stages.py", line 173, in read_cfg
    self._cfg = self._read_cfg(extra_fns)
  File "/usr/lib/python3.8/site-packages/cloudinit/stages.py", line 181, in _read_cfg
    base_cfg=fetch_base_config())
  File "/usr/lib/python3.8/site-packages/cloudinit/stages.py", line 923, in fetch_base_config
    read_runtime_config(),
  File "/usr/lib/python3.8/site-packages/cloudinit/stages.py", line 912, in read_runtime_config
    return util.read_conf(RUN_CLOUD_CONFIG)
  File "/usr/lib/python3.8/site-packages/cloudinit/util.py", line 403, in read_conf
    return load_yaml(load_file(fname), default={})
  File "/usr/lib/python3.8/site-packages/cloudinit/util.py", line 1452, in load_file
    with open(fname, 'rb') as ifh:
PermissionError: [Errno 13] Permission denied: '/run/cloud-init/cloud.cfg'

I don't really know what I'm looking at from that last command, but it appears to me that it is working as designed - as far as I went.

OK for me, and validating. Advisory in Comment 5.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-10-29 18:18:03 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2021-10-29 21:33:35 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0494.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

