
622 matches found

RedHat Linux
added 2020/09/08 7:58 a.m., 2 views

cloud-init: default configuration disabled deletion of SSH host keys

The default cloud-init configuration included "ssh_deletekeys: 0", disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to impersonate one another or conduct...

7.1 CVSS, 6.7 AI score, 0.00354 EPSS
Exploits: 0, References: 4

RedHat Linux
added 2020/09/08 7:58 a.m., 47 views

Low: Red Hat Security Advisory: cloud-init security update

An update for cloud-init is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for ea...

7.1 CVSS, 6.1 AI score, 0.00354 EPSS
Exploits: 0, References: 2

Tenable Nessus
added 2020/09/08 12:0 a.m., 25 views

RHEL 8 : cloud-init (RHSA-2020:3644)

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2020:3644 advisory. The cloud-init packages provide a set of init scripts for cloud instances. Cloud instances need special scripts to run during initialization to...

7.1 CVSS, 5.8 AI score, 0.00354 EPSS
Exploits: 0, References: 5

OpenVAS
added 2020/08/31 12:0 a.m., 8 views

Huawei EulerOS: Security Advisory for cloud-init (EulerOS-SA-2020-1840)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

7.1 CVSS, 7 AI score, 0.00354 EPSS
Exploits: 0, References: 2

Tenable Nessus
added 2020/08/28 12:0 a.m., 25 views

EulerOS 2.0 SP8 : cloud-init (EulerOS-SA-2020-1840)

According to the version of the cloud-init package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The default cloud-init configuration, in cloud-init 0.6.2 and newer, included 'ssh_deletekeys: 0', disabling cloud-init's deletion of ssh host...

7.1 CVSS, 5.7 AI score, 0.00354 EPSS
Exploits: 0, References: 2

Microsoft CVE
added 2020/08/18 7:0 a.m., 1 view

In cloud-init through 19.4 rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value which makes it easier for attackers to guess passwords.

...

5.5 CVSS, 7 AI score, 0.00368 EPSS
Exploits: 0

Microsoft CVE
added 2020/08/18 7:0 a.m., 2 views

cloud-init through 19.4 relies on Mersenne Twister for a random password which makes it easier for attackers to predict passwords because rand_str in cloudinit/util.py calls the random.choice function.

...

5.5 CVSS, 7 AI score, 0.00438 EPSS
Exploits: 0

Microsoft CVE
added 2020/08/18 7:0 a.m., 4 views

The default cloud-init configuration in cloud-init 0.6.2 and newer included "ssh_deletekeys: 0" disabling cloud-init's deletion of ssh host keys. In some environments this could lead to instances created by cloning a golden master or template system sharing ssh host keys and being able to impersonate one another or conduct man-in-the-middle attacks.

...

7.1 CVSS, 5.2 AI score, 0.00354 EPSS
Exploits: 0

OSV
added 2020/07/31 11:25 p.m., 7 views

MGASA-2020-0295 Updated cloud-init packages fix security vulnerability

In cloud-init, relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function CVE-2020-8631. In cloud-init, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default...

5.5 CVSS, 5.5 AI score, 0.00438 EPSS
Exploits: 0, References: 3

Mageia
added 2020/07/31 11:25 p.m., 27 views

Updated cloud-init packages fix security vulnerability

In cloud-init, relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function CVE-2020-8631. In cloud-init, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default...

5.5 CVSS, 4 AI score, 0.00438 EPSS
Exploits: 0, References: 2

OSV
added 2020/07/29 5:15 p.m., 22 views

CVE-2020-11933

cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security...

6.8 CVSS, 6.7 AI score
Exploits: 0, References: 2

NVD
added 2020/07/29 5:15 p.m., 17 views

CVE-2020-11933

cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security...

7.3 CVSS, 7 AI score, 0.00217 EPSS
Exploits: 0, References: 2

Prion
added 2020/07/29 5:15 p.m., 20 views

Design/Logic Flaw

cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security...

4.6 CVSS, 6.5 AI score, 0.00217 EPSS
Exploits: 0, References: 2, Affected Software: 2

Cvelist
added 2020/07/29 4:25 p.m., 48 views

CVE-2020-11933 local snapd exploit through cloud-init

cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security...

7.3 CVSS, 7 AI score, 0.00217 EPSS
Exploits: 0, References: 2

CVE
added 2020/07/29 4:25 p.m., 88 views

CVE-2020-11933

The CVE-2020-11933 issue affects Ubuntu Core 16/18 when cloud-init is managed by snapd. It describes cloud-init running with no boot-time restrictions, enabling a physical attacker to craft cloud-init user-data/meta-data on external media to perform arbitrary changes and bypass security controls ...

7.3 CVSS, 6.6 AI score, 0.00217 EPSS
Exploits: 0, References: 2, Affected Software: 2

Veracode
added 2020/07/22 4:5 a.m., 22 views

Insecure Configuration

cloud-init has an insecure configuration. The vulnerability exists as the default configuration disables deletion of SSH host keys...

7.1 CVSS, 1.4 AI score, 0.00354 EPSS
Exploits: 0, References: 10, Affected Software: 1

RedHat Linux
added 2020/07/21 3:33 p.m., 38 views

Low: Red Hat Security Advisory: cloud-init security, bug fix, and enhancement update

An update for cloud-init is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the...

7.1 CVSS, 6.1 AI score, 0.00354 EPSS
Exploits: 0, References: 7

RedHat Linux
added 2020/07/21 3:33 p.m., 2 views

cloud-init: default configuration disabled deletion of SSH host keys

The default cloud-init configuration included "ssh_deletekeys: 0", disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to impersonate one another or conduct...

7.1 CVSS, 6.7 AI score, 0.00354 EPSS
Exploits: 0, References: 4

Tenable Nessus
added 2020/07/21 12:0 a.m., 24 views

RHEL 8 : cloud-init (RHSA-2020:3050)

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2020:3050 advisory. The cloud-init packages provide a set of init scripts for cloud instances. Cloud instances need special scripts to run during initialization to...

7.1 CVSS, 5.8 AI score, 0.00354 EPSS
Exploits: 0, References: 10

OpenVAS
added 2020/07/16 12:0 a.m., 25 views

Ubuntu: Security Advisory (USN-4424-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

7.3 CVSS, 6.7 AI score, 0.00365 EPSS
Exploits: 0, References: 2