ESA-12: Insecure Configuration in some EuStore EMIs

====================================================================
Eucalyptus Security Advisory

Advisory ID:                  ESA-12
Issue  Date:                  2013-06-20
Severity Level:               Important
Affected Versions:            EuStore EMI EMI 3868652036 (Centos 6.3), EMI 0400376721 (Fedora 16), EMI 2425352071 (Fedora 17), 1347115203 (OpenSUSE 12.2)
CVE Number:                   CVE-2013-2297
====================================================================

OVERVIEW
------------

An insecure configuration has been identified in some EMIs provided by
Eucalyptus EuStore. The root password was left empty in certain
situations potentially allowing for privilege escalation by system
users. Updated images are now available. We recommend immediately
replacing them with the newest version.


DESCRIPTION
-------------

As a part of Eucalyptus's EuStore image hardening effort, an insecure
configuration, where the root password was left empty, has been
identified in four EuStore EMIs. This problem is partly related to
CVE-2013-2069, where a third-party tool used to generated EMIs was
leaving the root password unset instead of locking it. An unset root
password can allow for privilege escalation by users on any Eucalyptus
instance instantiated from the affected EMI. None of the reported EMIs
allowed remote root ssh using the empty password.


WORKAROUND 
-------------

Set or lock the root account password on any instance running
from the affected EMI. To set the password, execute:
# passwd root
To lock the password, execute:
# passwd -l  root


SOLUTION
-------------
Updated EMIs 1222062543 (Centos 6.3), 2518794716 (Fedora 16), 0278205488 (Fedora 17), 1424900416 (OpenSUSE 12.2) resolve this issue.


CONTACT and HELP
-------------

Contact the Eucalyptus Security Team at security@eucalyptus.com.