Security issue in livecd-tools causes password issue in Fedora cloud images
[Posted May 24, 2013 by ris]
From: Robyn Bergeron <rbergero-AT-redhat.com>
To: announce-AT-lists.fedoraproject.org
Subject: Security issue in livecd-tools causes password issue in Fedora cloud images
Date: Thu, 23 May 2013 17:25:42 -0400 (EDT)
Message-ID: <1044678825.28402388.1369344342502.JavaMail.root@redhat.com>
Greetings.
A flaw has been identified in the tool used by the Fedora Project to create cloud images. Images
generated by this tool, including Fedora Project “official” AMIs (Amazon Machine Images), AMIs
whose heritage can be traced to official Fedora AMIs, as well as some images using the AMI format
in non-Amazon clouds, are affected, as described below.
** Issue **
The flaw identified by CVE-2013-2069 [1] (Red Hat Bugzilla 964299 [2]) describes an issue where, in
default circumstances, the virtual machine image creator tool gave the root user an empty password
rather than leaving the password locked. When using Fedora 15, 16, 17, or 18 Amazon Machine Images
(AMIs) on Amazon Web Services, a local, unprivileged user could use this issue to escalate their
privileges.
This issue was caused by the way a tool was used to create images, and not due to a security
vulnerability in Fedora images or AWS.
Fedora-based images for cloud or virtualization usage that were not provided by the Fedora Project,
but were created with the same tool, may be affected. This includes AMIs created by individuals for
their own self-use, as well as AMI-format images provided by individuals or specific open source
projects for use in non-Amazon cloud environments. Please check with the upstream project or
contributor that referenced those images to find out if those images were affected by the image
creation tool used in the respective project.
** Resolution **
The Fedora Project provides Amazon Machine Images (AMIs) for Fedora through Amazon Web Services.
These AMIs are provided as minimally configured system images which are available for use as-is or
for configuration and customization as required by end users. Fedora 15, 16, 17 and 18 AMIs for
Amazon Web Services had an empty root password by default. To address this, the Fedora Release
Engineering team has created new AMIs that lock the root password by default. These AMIs are now
available on AWS.
To correct existing Fedora 17 and 18 AMIs, any AMIs built using Fedora AMIs, or any currently
running Fedora instances instantiated from those AMIs, users can lock the root password by issuing,
as root, the command:
passwd -l root
Since Fedora 14, Fedora has used the default user account “ec2-user”. Locking the root password
will still allow “ec2-user” to use the “sudo” command to gain root without requiring a
password.
Note: The default OpenSSH configuration disallows password logins when the password is empty,
preventing a remote attacker from logging in without a password.
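The check below is an added example, not part of the original announcement or of any Fedora tool: it classifies an account's password field in a shadow-format file as empty, locked or set, which is how an instance or a mounted image can be tested for this issue before and after running the command above. The function names and the sample shadow entries are constructed for illustration; on a live instance, point it at /etc/shadow as root.

```shell
#!/bin/sh
# Added example (not from the announcement): audit the password field of a
# shadow-format file for the empty-root-password condition.

# Print "empty", "locked", "set" or "missing" for one account.
# $1 = shadow-format file, $2 = account name
shadow_pw_state() {
    awk -F: -v user="$2" '
        $1 == user {
            found = 1
            if ($2 == "")           print "empty"    # no password required
            else if ($2 ~ /^[!*]/)  print "locked"   # "!" or "*" prefix: no hash can match
            else                    print "set"      # a password hash is present
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# List every account whose password field is empty.
# $1 = shadow-format file
empty_pw_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Constructed sample data (not taken from a real system): the shadow file as an
# affected image would carry it, and the same file after the root lock.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/shadow.affected" <<'EOF'
root::15848:0:99999:7:::
bin:*:15848:0:99999:7:::
ec2-user:!!:15848:0:99999:7:::
EOF
cat > "$SAMPLES/shadow.fixed" <<'EOF'
root:!!:15848:0:99999:7:::
bin:*:15848:0:99999:7:::
ec2-user:!!:15848:0:99999:7:::
EOF

for f in "$SAMPLES"/shadow.*; do
    printf '%s: root is %s\n' "${f##*/}" "$(shadow_pw_state "$f" root)"
done
```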
IDs for new AMIs are posted here:
http://fedoraproject.org/en/get-fedora-options#clouds
Please note that new AMIs are available only for current releases of Fedora, which are Fedora 17
and Fedora 18. If you are utilizing a Fedora 16 or earlier AMI, you should be aware that your
release has reached its end of life, and thus security updates, as well as new AMIs, for that
particular release are not available.
** Root Cause **
Kickstart can be used to automate operating system installations. A Kickstart file specifies
settings for an installation. Once the installation system boots, it can read a Kickstart file and
carry out the installation process without any further input from a user. Kickstart is used as part
of the process of creating images of Fedora for cloud providers.
It was discovered that when no 'rootpw' command was specified in a Kickstart file, the image
creator tools gave the root user an empty password rather than leaving the password locked, which
could allow a local user to gain access to the root account (CVE-2013-2069). We have corrected this
issue by updating the Kickstart file used to build affected images to lock the password file.
The affected tool used by the Fedora Project to generate AMIs is appliance-creator, which is part
of the appliance-tools package. Appliance-creator depends on another tool, livecd-creator (part of
the livecd-tools package) in building AMIs; this tool contained the aforementioned password flaw.
Please note that livecd-creator is a dependency of various other image-building tools, and AMIs
generated with these tools may have the same issue if the tool does not enforce locking of the
password by default.
The Fedora Project thanks Amazon Web Services and Red Hat for notifying us of this issue. Amazon
Web Services acknowledges Sylvain Beucler as the original reporter.
Thanks,
-Robyn Bergeron
[1] https://access.redhat.com/security/cve/CVE-2013-2069
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2069
--
announce mailing list
announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/announce