Greetings.
A flaw has been identified in the tool used by the Fedora Project to create cloud images. Images generated by this tool, including Fedora Project “official” AMIs (Amazon Machine Images), AMIs whose heritage can be traced to official Fedora AMIs, as well as some images using the AMI format in non-Amazon clouds, are affected, as described below.
** Issue **
The flaw identified by CVE-2013-2069 [1] (Red Hat Bugzilla 964299 [2]) describes an issue where, in default circumstances, the virtual machine image creator tool gave the root user an empty password rather than leaving the password locked. When using Fedora 15, 16, 17, or 18 Amazon Machine Images (AMIs) on Amazon Web Services, a local, unprivileged user could use this issue to escalate their privileges.
This issue was caused by the way a tool was used to create images, and not due to a security vulnerability in Fedora images or AWS.
Fedora-based images for cloud or virtualization usage that were not provided by the Fedora Project, but were created with the same tool, may be affected. This includes AMIs created by individuals for their own use, as well as AMI-format images provided by individuals or specific open source projects for use in non-Amazon cloud environments. Please check with the upstream project or contributor that referenced those images to find out if those images were affected by the image creation tool used in the respective project.
** Resolution **
The Fedora Project provides Amazon Machine Images (AMIs) for Fedora through Amazon Web Services. These AMIs are provided as minimally configured system images which are available for use as-is or for configuration and customization as required by end users. Fedora 15, 16, 17 and 18 AMIs for Amazon Web Services had an empty root password by default. To address this, the Fedora Release Engineering team has created new AMIs that lock the root password by default. These AMIs are now available on AWS.
To correct existing Fedora 17 and 18 AMIs, any AMIs built using Fedora AMIs, or any currently running Fedora instances instantiated from those AMIs, users can lock the root password by issuing, as root, the command:
    passwd -l root
Since Fedora 14, Fedora has used the default user account “ec2-user”. Locking the root password will still allow “ec2-user” to use the “sudo” command to gain root without requiring a password.
Note: The default OpenSSH configuration disallows password logins when the password is empty, preventing a remote attacker from logging in without a password.
IDs for new AMIs are posted here: http://fedoraproject.org/en/get-fedora-options#clouds
Please note that new AMIs are available only for current releases of Fedora, which are Fedora 17 and Fedora 18. If you are utilizing a Fedora 16 or earlier AMI, you should be aware that your release has reached its end of life, and thus security updates, as well as new AMIs, for that particular release are not available.
** Root Cause **
Kickstart can be used to automate operating system installations. A Kickstart file specifies settings for an installation. Once the installation system boots, it can read a Kickstart file and carry out the installation process without any further input from a user. Kickstart is used as part of the process of creating images of Fedora for cloud providers.
It was discovered that when no 'rootpw' command was specified in a Kickstart file, the image creator tools gave the root user an empty password rather than leaving the password locked, which could allow a local user to gain access to the root account (CVE-2013-2069). We have corrected this issue by updating the Kickstart file used to build affected images to lock the password file.
The affected tool used by the Fedora Project to generate AMIs is appliance-creator, which is part of the appliance-tools package. Appliance-creator depends on another tool, livecd-creator (part of the livecd-tools package), in building AMIs; this tool contained the aforementioned password flaw. Please note that livecd-creator is a dependency for various other image-building tools, and AMIs generated with these tools may have the same issue if the tool does not enforce locking of the password by default.
The Fedora Project thanks Amazon Web Services and Red Hat for notifying us of this issue. Amazon Web Services acknowledges Sylvain Beucler as the original reporter.
Thanks,
-Robyn Bergeron
[1] https://access.redhat.com/security/cve/CVE-2013-2069
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2069
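
The following is an added example, not part of the original announcement or of any Fedora tool: a shell check for the condition described under "Root Cause", covering both the build input (a Kickstart file with no rootpw command) and the build output (an empty root password field in the shadow file). The function names, file names and sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for the CVE-2013-2069 condition in a build input
# (Kickstart file) and a build output (shadow file of an image or instance).

# Succeeds if the Kickstart file contains a rootpw command.
kickstart_sets_rootpw() {
    grep -Eq '^[[:space:]]*rootpw([[:space:]]|$)' "$1"
}

# Prints each account whose shadow(5) password field (field 2) is empty.
empty_password_accounts() {
    awk -F: 'NF >= 2 && $1 != "" && $2 == "" { print $1 }' "$1"
}

# Prints the state of one account: empty, locked, set, or missing.
# "locked" means the field starts with "!" or "*", which no password matches;
# passwd -l produces a leading "!".
account_state() {
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if ($2 == "") print "empty"
            else if ($2 ~ /^[!*]/) print "locked"
            else print "set"
            exit
        }
        END { if (!found) print "missing" }' "$1"
}

# Constructed sample data (not taken from any real image).
WORK=$(mktemp -d)
printf 'lang en_US.UTF-8\npart / --size 10000 --fstype ext4\n' > "$WORK/no-rootpw.ks"
printf 'lang en_US.UTF-8\nrootpw --lock\n' > "$WORK/locked.ks"
cat > "$WORK/shadow" <<'EOF'
root::15800:0:99999:7:::
bin:*:15800:0:99999:7:::
ec2-user:!!:15800:0:99999:7:::
alice:$6$constructedsalt$constructedhash:15800:0:99999:7:::
EOF

# Audit the file given as $1 (e.g. /etc/shadow, or etc/shadow under a
# mounted image), falling back to the constructed sample.
SHADOW=${1:-$WORK/shadow}
for u in $(empty_password_accounts "$SHADOW"); do
    echo "empty password: $u (lock with: passwd -l $u)"
done
```

Reading /etc/shadow on a running instance requires root; for an image, pass the path to etc/shadow under the mounted root filesystem.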