ESA-12: Insecure Configuration In Some EuStore EMIs

Eucalyptus Security Advisory
Advisory ID: ESA-12
Severity Level: Important
Issue Date: 2013-06-20
Last Updated: 2013-06-20
Affected Products: EuStore EMI 3868652036 (CentOS 6.3), EMI 0400376721 (Fedora 16), EMI 2425352071 (Fedora 17), EMI 1347115203 (OpenSUSE 12.2)

Overview

An insecure configuration has been identified in some EMIs provided by Eucalyptus EuStore. In certain situations the root password was left empty, potentially allowing privilege escalation by system users. Updated images are now available. We recommend immediately replacing the affected images with the newest version.

Description

As part of Eucalyptus's EuStore image hardening effort, an insecure configuration, in which the root password was left empty, has been identified in four EuStore EMIs. This problem is partly related to CVE-2013-2069, where a third-party tool used to generate EMIs left the root password unset instead of locking it. An unset root password can allow privilege escalation by users on any Eucalyptus instance instantiated from an affected EMI. None of the reported EMIs allowed remote root SSH login using the empty password.

Workaround

Set or lock the root account password on any instance running from the affected EMI. To set the password, execute:

# passwd root

To lock the password, execute:

# passwd -l root
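To verify that the workaround took effect, or to check an instance or a mounted image before trusting it, the following POSIX shell script (an added example, not part of this advisory or of Eucalyptus tooling) classifies the root password field of shadow(5)-format input as empty, locked or set. The sample shadow lines in it are constructed; point it at a real /etc/shadow by redirecting the file to its standard input.

```shell
#!/bin/sh
# Added example: classify the root entry of shadow(5)-format input on stdin.
# Field 2 of the root line:  ""          -> empty  (the condition in this advisory)
#                            "!..." / "*..." -> locked (passwd -l writes "!")
#                            anything else   -> a password hash is set

root_pw_state() {
    # Print the second field of the first root entry; flag a missing entry.
    hash=$(awk -F: '$1 == "root" { found = 1; print $2; exit }
                    END { if (!found) print "<missing>" }')
    case "$hash" in
        "<missing>") echo "missing" ;;
        "")          echo "empty" ;;
        "!"*|"*"*)   echo "locked" ;;
        *)           echo "set" ;;
    esac
}

# Succeeds only when root's password is set or locked, so it can gate an
# automated image check; fails for an empty or missing root entry.
root_pw_ok() {
    case "$(root_pw_state)" in
        set|locked) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample shadow lines (not taken from any real system).
EMPTY_ROOT='root::15876:0:99999:7:::'
LOCKED_ROOT='root:!:15876:0:99999:7:::'
SET_ROOT='root:$6$saltsalt$constructedhashvalue:15876:0:99999:7:::'

# Stand-alone run: report each sample, then the running host if readable.
for sample in "$EMPTY_ROOT" "$LOCKED_ROOT" "$SET_ROOT"; do
    printf '%s\n' "$sample" | root_pw_state
done
if [ -r /etc/shadow ]; then
    printf 'this host: %s\n' "$(root_pw_state < /etc/shadow)"
fi
```

An empty result on a running instance means the workaround above has not been applied; a result of locked after `passwd -l root` confirms it has.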

Solution

Updated EMIs 1222062543 (CentOS 6.3), 2518794716 (Fedora 16), 0278205488 (Fedora 17) and 1424900416 (OpenSUSE 12.2) resolve this issue.

Contact and Help

Contact the Eucalyptus Security Team at security@eucalyptus.com.