Director - Default root password set in Overcloud images - CVE-2016-4474
A vulnerability was discovered in overcloud images used by Red Hat OpenStack director to deploy OpenStack environments, where all shipped images have the same default root password.
Background Information
Overcloud images are built by booting a "utility" Red Hat Enterprise Linux image in a virtual machine, and customizing the image for director usage by installing all relevant OpenStack packages. However, the utility image had the following parameter configured, and this parameter was not changed during customization:
rootpw ROOTPW
As a result, all shipped images had the default root password of "ROOTPW".
Take Action
All Red Hat customers with OpenStack environments which were deployed by impacted director versions are strongly recommended to apply mitigations to their systems. Any new deployments should only use the updated Overcloud images. Image versions and recommended mitigations can be found under the Resolve tab.
Red Hat Product Security has rated this update as having a security impact of Important.
All OpenStack systems deployed by the director with these images have the known root password of "ROOTPW". If this password was not changed after deployment, an attacker could potentially access and update the system as root.
Because remote root access using SSH is disabled by default, an attacker would require an account on the machine or console access through either the undercloud Compute (this configuration is not supported) or other standard console tools.
To diagnose this vulnerability in your OpenStack environment, see the Resolve tab.
Impacted Products
The following Red Hat Product versions are impacted:
- Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) director
- Red Hat OpenStack Platform 8.0 (Liberty) director
Diagnose
You can diagnose this vulnerability by doing the following:
- Run nova list on the undercloud to display a list of impacted machines.
- Try to log on as 'root' to each machine using the 'ROOTPW' password.
Mitigation
The vulnerability can be mitigated by changing the root password of any machines deployed by the director, or restricting the root account:
- Run nova list on the undercloud to display a list of impacted machines.
- Log into each machine and gain root access, for example:

      $ ssh heat-admin@<your-system>
      $ su -

- Do one of the following:
  - Set a new password:

        # passwd

  - Lock the root account:

        # passwd -l root
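The Diagnose and Mitigation steps above can be driven from the undercloud with a small POSIX shell script. The following is an added example, not part of the Red Hat advisory or the director tooling. It assumes that `nova list` prints each node's control-plane address in its Networks column as `ctlplane=<ip>`, that the nodes accept key-based SSH as heat-admin, and that heat-admin can run `sudo` without a password (the usual director setup; the advisory itself uses `su -`, which would require the root password). The sample `nova list` output and shadow lines embedded below are constructed for stand-alone use; the remote-locking loop only runs when `RUN_LOCK=1` is set.

```shell
#!/bin/sh
# Added example (not Red Hat's code): lock the root account on every
# overcloud node listed by `nova list`, then verify the lock from /etc/shadow.

# Pull the ctlplane IP out of each `nova list` table row read from stdin.
# Assumes the Networks column looks like "ctlplane=192.0.2.10".
extract_ctlplane_ips() {
    sed -n 's/.*ctlplane=\([0-9.][0-9.]*\).*/\1/p'
}

# Diagnose/verify: given one line of /etc/shadow, return 0 when the password
# field is locked or disabled ('!' or '*' prefix, as `passwd -l` produces),
# 1 when a usable password hash is still present.
root_is_locked() {
    hash=$(printf '%s' "$1" | cut -d: -f2)
    case "$hash" in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Command executed on each node: lock root, then print its shadow entry so
# the caller can verify the result with root_is_locked.
lock_cmd() {
    printf '%s' 'sudo passwd -l root >/dev/null && sudo grep "^root:" /etc/shadow'
}

# Constructed sample of `nova list` output (two nodes).
SAMPLE_NOVA_LIST='+----+------------------------+--------+------------+-------------+---------------------+
| ID | Name                   | Status | Task State | Power State | Networks            |
+----+------------------------+--------+------------+-------------+---------------------+
| 1  | overcloud-controller-0 | ACTIVE | -          | Running     | ctlplane=192.0.2.10 |
| 2  | overcloud-compute-0    | ACTIVE | -          | Running     | ctlplane=192.0.2.11 |
+----+------------------------+--------+------------+-------------+---------------------+'

# Walk every node, lock root, and report whether the lock took effect.
# In production replace the printf with:  nova list | extract_ctlplane_ips
main() {
    printf '%s\n' "$SAMPLE_NOVA_LIST" | extract_ctlplane_ips | while read -r ip; do
        shadow_line=$(ssh -o BatchMode=yes "heat-admin@$ip" "$(lock_cmd)") || {
            echo "$ip: ssh/lock failed" >&2
            continue
        }
        if root_is_locked "$shadow_line"; then
            echo "$ip: root locked"
        else
            echo "$ip: root NOT locked, check manually" >&2
        fi
    done
}

if [ "${RUN_LOCK:-0}" = 1 ]; then
    main
fi
```

Locking root (rather than only changing the password) is the lower-maintenance choice for director-deployed nodes, since day-to-day access goes through heat-admin and `sudo`; the shadow-line check is the same test you can run by hand on any node to confirm it is no longer exposed.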
Updates for Affected Products
Fixes for all impacted Products were released on June 13, 2016.
Errata only provide updated images for future deployments. However, the root password in current deployments must also be updated (see Mitigation).
Product | Images | Advisory/Update |
---|---|---|
Red Hat OpenStack Platform 8.0 (Liberty) director | rhosp-director-images-8.0-20160603.2.el7ost | RHSA-2016:1222 |
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) director | overcloud-full version 7.3.2 or later | RHSA-2016:1223 |