A flaw has been identified in the tool used by the Fedora Project to create cloud images.
Images generated by this tool, including Fedora Project “official” AMIs (Amazon Machine
Images), AMIs whose heritage can be traced to official Fedora AMIs, as well as some images
using the AMI format in non-Amazon clouds, are affected, as described below.
** Issue **
CVE-2013-2069 (Red Hat Bugzilla 964299) describes an issue where, in default
circumstances, the virtual machine image creator tool gave the root user an empty
password rather than leaving the password locked. On Fedora 15, 16, 17, or 18 Amazon
Machine Images (AMIs) running on Amazon Web Services, a local, unprivileged user could use
this issue to escalate their privileges to root.
This issue was caused by the way a tool was used to create images, and not due to a
security vulnerability in Fedora images or AWS.
Fedora-based images for cloud or virtualization usage that were not provided by the Fedora
Project, but were created with the same tool, may also be affected. This includes AMIs
created by individuals for their own use, as well as AMI-format images provided by
individuals or specific open source projects for use in non-Amazon cloud environments.
Please check with the upstream project or contributor that provided those images to find
out whether those images were affected by the image creation tool used in the respective
** Resolution **
The Fedora Project provides Amazon Machine Images (AMIs) for Fedora through Amazon Web
Services. These AMIs are provided as minimally configured system images which are
available for use as-is or for configuration and customization as required by end users.
Fedora 15, 16, 17 and 18 AMIs for Amazon Web Services had an empty root password by
default. To address this, the Fedora Release Engineering team has created new AMIs that
lock the root password by default. These AMIs are now available on AWS.
To correct existing Fedora 17 and 18 AMIs, any AMIs built using Fedora AMIs, or any
currently running Fedora instances instantiated from those AMIs, users can lock the root
password by issuing, as root, the command:
passwd -l root
Since Fedora 14, Fedora has used the default user account “ec2-user”. Locking the root
password will still allow “ec2-user” to use the “sudo” command to gain root without
requiring a password.
Note: The default OpenSSH configuration disallows password logins when the password is
empty, preventing a remote attacker from logging in without a password.
IDs for new AMIs are posted here:
Please note that new AMIs are available only for current releases of Fedora, which are
Fedora 17 and Fedora 18. If you are utilizing a Fedora 16 or earlier AMI, you should be
aware that your release has reached its end of life, and thus security updates, as well as
new AMIs, for that particular release are not available.
** Root Cause **
Kickstart can be used to automate operating system installations. A Kickstart file
specifies settings for an installation. Once the installation system boots, it can read a
Kickstart file and carry out the installation process without any further input from a
user. Kickstart is used as part of the process of creating images of Fedora for cloud
It was discovered that when no 'rootpw' command was specified in a Kickstart file,
the image creator tools gave the root user an empty password rather than leaving the
password locked, which could allow a local user to gain access to the root account
(CVE-2013-2069). We have corrected this issue by updating the Kickstart file used to build
affected images so that it explicitly locks the root password.
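The two conditions this advisory describes can both be checked mechanically: the state of
root's entry in /etc/shadow on a running instance or mounted image (the Resolution section's
"passwd -l root" fix), and whether a Kickstart file passes a locked 'rootpw' to the image
creator (the root cause above). The script below is an added example written for this page,
not Fedora Project or livecd-tools code. It runs against constructed sample files so it can
be exercised offline; the function names, the sample shadow and Kickstart contents, and the
assumption that the corrected Kickstart form is "rootpw --lock" are the author's own.

```shell
#!/bin/sh
# Added example (not Fedora Project code): audit a shadow(5) file and a Kickstart
# file for the empty-root-password condition of CVE-2013-2069.

# classify_root_pw FILE -> prints one of: empty | locked | hashed | missing
# Field 2 of root's shadow entry is the password hash:
#   ""                          -> empty password (the CVE-2013-2069 condition)
#   "!", "!!", "*" or "!<hash>" -> locked / disabled (what `passwd -l root` produces)
#   anything else               -> a real password hash
classify_root_pw() {
    hash=$(awk -F: '$1 == "root" { print $2; found = 1 }
                    END { if (!found) print "__missing__" }' "$1")
    case "$hash" in
        __missing__) echo missing ;;
        "")          echo empty ;;
        '!'*|'*')    echo locked ;;
        *)           echo hashed ;;
    esac
}

# lock_root_pw FILE: emulate what `passwd -l root` does to the shadow entry,
# prefixing the hash field with "!" so it can never match a typed password.
# Operates on the given file so it can be pointed at a mounted image's /etc/shadow.
lock_root_pw() {
    awk -F: 'BEGIN { OFS = ":" }
             $1 == "root" && $2 !~ /^!/ { $2 = "!" $2 }
             { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# kickstart_rootpw FILE -> prints: none | locked | set
# The affected image creator turned a missing `rootpw` command into an empty root
# password, so "none" is the dangerous state; "rootpw --lock" is assumed to be the
# corrected form (assumption of this example).
kickstart_rootpw() {
    line=$(grep -E '^[[:space:]]*rootpw([[:space:]]|$)' "$1" | head -n 1)
    case "$line" in
        "")       echo none ;;
        *--lock*) echo locked ;;
        *)        echo set ;;
    esac
}

# sshd_permits_empty FILE -> prints yes | no
# OpenSSH defaults PermitEmptyPasswords to "no", which is why the empty root
# password was only locally exploitable on the affected AMIs.
sshd_permits_empty() {
    if grep -Eiq '^[[:space:]]*PermitEmptyPasswords[[:space:]]+yes' "$1"; then
        echo yes
    else
        echo no
    fi
}

# demo: run the checks over constructed sample files (not real system files).
demo() {
    tmp=$(mktemp -d)
    # root with an empty hash field, as on an affected image; ec2-user locked
    printf 'root::15800:0:99999:7:::\nec2-user:!!:15800:0:99999:7:::\n' > "$tmp/shadow"
    printf 'lang en_US.UTF-8\nkeyboard us\ntimezone UTC\n' > "$tmp/bad.ks"   # no rootpw line
    printf 'lang en_US.UTF-8\nrootpw --lock\n' > "$tmp/good.ks"
    printf '# sshd_config\n#PermitEmptyPasswords no\n' > "$tmp/sshd_config"

    echo "root password before fix:  $(classify_root_pw "$tmp/shadow")"
    lock_root_pw "$tmp/shadow"
    echo "root password after lock:  $(classify_root_pw "$tmp/shadow")"
    echo "bad.ks rootpw:             $(kickstart_rootpw "$tmp/bad.ks")"
    echo "good.ks rootpw:            $(kickstart_rootpw "$tmp/good.ks")"
    echo "sshd permits empty passwd: $(sshd_permits_empty "$tmp/sshd_config")"
    rm -rf "$tmp"
}

demo
```

On a live instance, run the classifier as root against /etc/shadow; on an image, mount its
root filesystem and pass the path to that tree's etc/shadow. A result of "empty" means the
instance or image is in the vulnerable state and "passwd -l root" (or the lock function
above applied to the mounted file) is needed; a Kickstart result of "none" means images
built from that file with the affected tool will inherit the problem.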
The affected tool used by the Fedora Project to generate AMIs is appliance-creator, which
is part of the appliance-tools package. Appliance-creator depends on another tool,
livecd-creator (part of the livecd-tools package), to build AMIs; it is livecd-creator
that contained the aforementioned password flaw. Please note that livecd-creator is a
dependency for various other image-building tools, and AMIs generated with those tools may
have the same issue if the tool does not enforce locking of the root password by default.
The Fedora Project thanks Amazon Web Services and Red Hat for notifying us of this issue.
Amazon Web Services acknowledges Sylvain Beucler as the original reporter.