Does CVE-2013-2069 affect Red Hat products?
Environment
- Red Hat Enterprise Linux 6.4 KVM Guest Images for cloud instances
- Red Hat Enterprise Linux Amazon Machine Images on Amazon Web Services
Issue
The flaw identified by CVE-2013-2069 (Red Hat Bugzilla 964299) describes an issue where in default circumstances, the virtual machine image creator tool gave the root user an empty password rather than leaving the password locked. When using Red Hat Enterprise Linux 6.4 KVM Guest Images for cloud instances, or Red Hat Enterprise Linux Amazon Machine Images on Amazon Web Services, a local, unprivileged user could use this issue to escalate their privileges.
This issue was caused by the way a tool was used to create Images, and not due to a security vulnerability in Red Hat Enterprise Linux or AWS.
Resolution
Red Hat Enterprise Linux 6.4 KVM Guest Images for cloud instances
Red Hat Enterprise Linux 6.4 KVM Guest Images for cloud instances had an empty root password by default. To address this, Red Hat has created updated KVM images that lock the root password by default and released a security advisory explaining the issue, workaround, and resolution as RHSA-2013:0849
Red Hat Enterprise Linux Amazon Machine Images for Amazon Web Services
Red Hat provides Amazon Machine Images (AMIs) for Red Hat Enterprise Linux through Amazon Web Services (AWS). These AMIs are provided as minimally configured system images which are available for use as-is or for configuration and customization as required by end users.
Red Hat Enterprise Linux 5 and 6 Amazon Machine Images (AMIs) for Amazon Web Services (AWS) had an empty root password by default. To address this, Red Hat has created updated AMIs that lock the root password by default. These updated AMIs are now available on AWS.
To correct existing Red Hat Enterprise Linux AMIs, any AMIs built using Red Hat Enterprise Linux AMIs, or any currently running Red Hat Enterprise Linux instances instantiated from those AMIs, users can lock the root password by issuing, as root, the command:
passwd -l root
With Red Hat Enterprise Linux 6.4, Red Hat introduced the default user account "ec2-user". Locking the root password will still allow "ec2-user" to use the "sudo" command to gain root without requiring a password. Red Hat Enterprise Linux versions prior to 6.4 do not have "ec2-user": after locking the root password on such systems, users will still be able to log in as the root user via SSH key files.
Note: The default OpenSSH configuration disallows password logins when the password is empty, preventing a remote attacker from logging in without a password.
The affected AMIs have been updated and are available at: https://aws.amazon.com/redhat
Root Cause
Kickstart can be used to automate operating system installations. A Kickstart file specifies settings for an installation. Once the installation system boots, it can read a Kickstart file and carry out the installation process without any further input from a user. Kickstart is used as part of the process of creating Images of Red Hat Enterprise Linux for cloud providers.
It was discovered that when no 'rootpw' command was specified in a Kickstart file, the image creator tools gave the root user an empty password rather than leaving the password locked, which could allow a local user to gain access to the root account (CVE-2013-2069).
We have corrected this issue by updating the Kickstart file used to build affected images to lock the password file. This issue was caused by the way a tool was used to create Images, and not due to a security vulnerability in Red Hat Enterprise Linux, or AWS.
Red Hat would like to thank Amazon Web Services for reporting this issue. Amazon Web Services acknowledges Sylvain Beucler as the original reporter.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments