Nova compute log can get the password info from the user_data

Bug #1899229 reported by changzhi
This bug affects 1 person
Affects                      Status     Importance  Assigned to  Milestone
OpenStack Compute (nova)     Confirmed  Wishlist    Unassigned
OpenStack Security Advisory  Won't Fix  Undecided   Unassigned

Bug Description

Here is the log in /var/log/nova/nova-compute.log; we can see user_data='I2Nsb3VkLWNvbmZpZwpjaHBhc3N3ZDoKICBsaXN0OiB8CiAgICByb290OjEyMzQ1Njc4CiAgZXhwaXJlOiBGYWxzZQ=='. If you use Python to base64-decode it, it translates to '#cloud-config\nchpasswd:\n  list: |\n    root:12345678\n  expire: False', and we can see the root password is 12345678. Here is the method:

>>> import base64
>>> base64.b64decode("I2Nsb3VkLWNvbmZpZwpjaHBhc3N3ZDoKICBsaXN0OiB8CiAgICByb290OjEyMzQ1Njc4CiAgZXhwaXJlOiBGYWxzZQ==")
b'#cloud-config\nchpasswd:\n  list: |\n    root:12345678\n  expire: False'

Although the password has been encrypted, it is easy to decrypt.

So, in order to avoid this, maybe we don't need to display the password info?

Tags: api security
Balazs Gibizer (balazs-gibizer) wrote :

From nova's perspective user_data is a transparent blob of information. Nova does not know if the user data contains passwords, security keys, or any other sensitive information. I'm not sure this is directly a nova security bug, but it could be, so I am still marking it as such to get it evaluated from a security perspective.

information type: Public → Private Security
tags: added: api security
Jeremy Stanley (fungi) wrote :

The cloud-init documentation/examples warn against using password auth, and especially plaintext password values:

https://cloudinit.readthedocs.io/en/latest/topics/modules.html#users-and-groups
https://cloudinit.readthedocs.io/en/latest/topics/examples.html#including-users-and-groups

The chpasswd module included in your example also supports one-way hashes:

https://cloudinit.readthedocs.io/en/latest/topics/modules.html#set-passwords

Further, we issued an OSSN years ago suggesting that placing sensitive information within instance metadata is inherently unsafe:

https://wiki.openstack.org/wiki/OSSN/OSSN-0074

Given the above, putting passwords there, especially unhashed ones like those in your example, should be considered a grave mistake on the part of the user. I think it's safe to switch this report back to public (odds are hundreds of subscribers to nova bugs already got e-mail messages containing the bug description anyway), and treat it as a security hardening opportunity if there's interest in locking down or eliding the logged user data in some way.
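The reporter's decoding step and Jeremy's distinction between plaintext and hashed chpasswd entries can be turned into a check an operator can run over their own logs. The following is an added Python example, not nova's code and not from the bug reporter: it scans constructed nova-compute log lines for a user_data='…' blob, base64-decodes it, and lists chpasswd entries whose password is stored in plaintext rather than as a crypt(3) hash or the RANDOM keyword. The log line layout, the hashed config and the $6$ digest in it are constructed for illustration; only the first base64 blob is the one quoted in the bug description. Gzipped or MIME multipart user_data is not handled.

```python
import base64
import binascii
import re

# A nova-compute log line quotes the instance's user_data as a base64 blob:
#     ... user_data='I2Nsb3Vk...' ...
USER_DATA_RE = re.compile(r"user_data='([A-Za-z0-9+/=]+)'")
# Common crypt(3) hash prefixes ($1$, $2a/b/y$, $5$, $6$, $7$, $y$); anything
# else in a chpasswd entry is treated as a plaintext password.
HASH_RE = re.compile(r"^\$(?:1|2[aby]?|5|6|7|y)\$")


def extract_user_data(line):
    """Return the decoded user_data of a log line, or None if there is none."""
    m = USER_DATA_RE.search(line)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not base64 text; gzipped/multipart user_data is out of scope


def chpasswd_entries(cloud_config):
    """Return (user, secret) pairs from the chpasswd.list section.

    Handles both forms cloud-init accepts: a block scalar ('list: |' with one
    'user:secret' per line) and a YAML sequence ('- user:secret'). Deliberately
    avoids a YAML dependency; flow-style mappings are ignored.
    """
    entries = []
    in_chpasswd = in_list = False
    list_indent = 0
    for raw in cloud_config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:
            in_chpasswd = stripped.startswith("chpasswd:")
            in_list = False
            continue
        if not in_chpasswd:
            continue
        if in_list and indent > list_indent:
            item = stripped[2:] if stripped.startswith("- ") else stripped
            user, sep, secret = item.partition(":")
            if sep:
                entries.append((user.strip(), secret.strip()))
        else:
            in_list = stripped.startswith("list:")
            list_indent = indent
    return entries


def is_plaintext_secret(secret):
    """RANDOM/R make cloud-init generate a password; $id$... is a crypt hash."""
    if secret in ("RANDOM", "R"):
        return False
    return HASH_RE.match(secret) is None


def find_plaintext_passwords(line):
    """Plaintext chpasswd credentials disclosed by one log line: [(user, secret)]."""
    cfg = extract_user_data(line)
    if cfg is None or not cfg.lstrip().startswith("#cloud-config"):
        return []
    return [(u, s) for u, s in chpasswd_entries(cfg) if is_plaintext_secret(s)]


# Constructed sample input. The log line layout is invented; the first blob is
# the one quoted in the bug report. The $6$ digest below is a placeholder, not a
# real hash of anything.
BUG_REPORT_BLOB = ("I2Nsb3VkLWNvbmZpZwpjaHBhc3N3ZDoKICBsaXN0OiB8CiAgICByb290OjEy"
                   "MzQ1Njc4CiAgZXhwaXJlOiBGYWxzZQ==")
HASHED_CONFIG = ("#cloud-config\nchpasswd:\n  list:\n    - root:$6$saltsalt$"
                 + "A" * 86 + "\n  expire: false\n")


def _log_line(blob):
    return ("2020-10-10 10:00:00.000 1234 DEBUG nova.compute.api [req-x] "
            "create ... user_data='%s' ... key_name=None" % blob)


SAMPLE_LOG_LINES = [
    _log_line(BUG_REPORT_BLOB),
    _log_line(base64.b64encode(HASHED_CONFIG.encode()).decode()),
    "2020-10-10 10:00:01.000 1234 DEBUG nova.compute.manager [req-x] no user_data here",
]


def scan(lines):
    """Map line index -> plaintext credentials it leaks (lines with none omitted)."""
    findings = {}
    for i, line in enumerate(lines):
        hits = find_plaintext_passwords(line)
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOG_LINES).items():
        for user, secret in hits:
            print("line %d: plaintext password for %r: %r" % (i, user, secret))
```

Run against a real nova-compute.log with `scan(open(path).read().splitlines())`; only the first sample line is reported, because the second carries a crypt hash, which is what the cloud-init documentation linked above recommends instead of a plaintext value.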

Jeremy Stanley (fungi) wrote :

Also, the duplicate (bug 1899228) is still public anyway.

information type: Private Security → Public
Changed in ossa:
status: New → Won't Fix
Balazs Gibizer (balazs-gibizer) wrote :

I mark this confirmed from the Nova perspective, as Nova logs the user_data as described. Still, as user_data is transparent to nova, we cannot selectively not log it if it contains sensitive data. So either we always log it or never log it.

Changed in nova:
status: New → Confirmed
importance: Undecided → Wishlist
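Since nova cannot tell which blobs are sensitive, the only consistent choices are to log user_data always or never. The following is an added Python example, not nova's code, of the "never" option as a standard-library logging filter: every user_data='…' value is replaced by a short SHA-256 fingerprint of the logged blob, so operators can still correlate log lines that share the same user_data without the content ever being written. The logger name, the instance id and the message format are assumed; the base64 value is the one quoted in the bug report.

```python
import hashlib
import io
import logging
import re

USER_DATA_RE = re.compile(r"(user_data=)'([^']*)'")


def redact_user_data(message):
    """Replace each quoted user_data value with a fingerprint of the blob.

    The fingerprint is the first 12 hex digits of SHA-256 over the logged
    (base64) value: identical user_data still yields identical log output,
    but the content itself is never written. Redaction is unconditional,
    because the logger has no way to know which blobs are sensitive.
    """
    def _sub(m):
        digest = hashlib.sha256(m.group(2).encode()).hexdigest()[:12]
        return "%s'<redacted sha256:%s>'" % (m.group(1), digest)
    return USER_DATA_RE.sub(_sub, message)


class RedactUserData(logging.Filter):
    """Scrub user_data from a record before any handler formats it."""

    def filter(self, record):
        # Render %-style args first so the blob cannot slip through in record.args.
        record.msg = redact_user_data(record.getMessage())
        record.args = ()
        return True


# Base64 blob quoted in the bug report; the surrounding log line is constructed.
BLOB = ("I2Nsb3VkLWNvbmZpZwpjaHBhc3N3ZDoKICBsaXN0OiB8CiAgICByb290OjEy"
        "MzQ1Njc4CiAgZXhwaXJlOiBGYWxzZQ==")


def log_with_redaction(user_data_b64=BLOB):
    """Log a constructed nova-style create line through the filter; return the output."""
    buf = io.StringIO()
    logger = logging.getLogger("example.nova.compute")  # assumed logger name
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.handlers.clear()
    logger.filters.clear()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactUserData())
    logger.debug("create: instance=%s user_data='%s' key_name=%s",
                 "8b2e0c1a-example", user_data_b64, "mykey")  # constructed values
    handler.flush()
    return buf.getvalue()


if __name__ == "__main__":
    print(log_with_redaction(), end="")
```

The filter is attached to the logger, so it only covers records emitted through that logger; a deployment would need the same treatment wherever nova serialises request arguments, and the tracking question in the thread is whether to drop the logging of user_data altogether instead.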
Nick Tait (nickthetait) wrote :

It doesn't seem right or possible that Nova would figure out which messages contain sensitive data. If there isn't a good reason (unlikely IMO) for Nova to be logging this info in the first place I would support removing this feature.

The only other option I see is, like Jeremy said, user error. The challenging part is that this kind of problem is difficult for a user to detect.
