CVE-2023-1786: Bug #2013967 "cloud-init leaks credentials" : Bugs : cloud-init

Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.


I have sent this information to Vultr directly, but I wanted to coordinate with the cloud-init security team in case the second issue is due to something other than just a configuration issue.

The Linux hosts (CentOS 9, Ubuntu, Debian) on Vultr leak credentials via two issues.

Issue One:

The Vultr cloud-init DataSource logs the vendor-data which includes credentials. /var/log/cloud-init.log is accessible to any logged in user (not just root) or application.

The code that does this is visible here:
https://github.com/canonical/cloud-init/blob/main/cloudinit/sources/DataSourceVultr.py#L57-L58
# Dump some data so diagnosing failures is manageable
LOG.debug("Vultr Vendor Config:")
LOG.debug(md['vendor-data']['config'])

Here is an excerpt from the log showing this. (This host has been terminated so the credentials are useless)
/var/log/cloud-init.log: "#cloud-config\n{\"package_upgrade\":true,\"disable_root\":false,\"manage_etc_hosts\":true,\"system_info\":{\"default_user\":{\"name\":\"root\"}},\"ssh_pwauth\":1,\"chpasswd\":{\"users\":[{\"name\":\"root\",\"password\":\"$6$6hTD1OeYjWtGUHuX$QAZCC3R67Frau3GV023YLRHjLpueNYlhcoUcwwbEpiK4qQW01xMgP9mLDrxcw.AmOCmMYF8XSQ5sPGg9kG5V5.\"}],\"expire\":false}}",

Debian default file permissions; note that cloud-init-output.log is more secure than cloud-init.log due to CVE-2021-3429.

root@vultr:~# ls -l /var/log
total 1356
-rw-r--r-- 1 root root 27258 Mar 17 22:27 alternatives.log
drwxr-xr-x 2 root root 4096 Mar 31 03:50 apt
-rw-r----- 1 root adm 1127 Mar 31 03:55 auth.log
-rw-rw---- 1 root utmp 0 Mar 17 22:25 btmp
-rw-r--r-- 1 root adm 122857 Mar 31 03:50 cloud-init.log
-rw-r----- 1 root adm 95409 Mar 31 03:50 cloud-init-output.log
-rw-r----- 1 root adm 176237 Mar 31 03:55 daemon.log
-rw-r----- 1 root adm 8423 Mar 31 03:50 debug
-rw-r--r-- 1 root root 279776 Mar 31 03:50 dpkg.log
-rw-r--r-- 1 root root 3488 Mar 17 22:27 faillog
-rw-r--r-- 1 root root 32 Mar 17 22:27 image_build_date
drwxr-xr-x 3 root root 4096 Mar 17 22:27 installer
drwxr-sr-x+ 4 root systemd-journal 4096 Mar 31 03:50 journal
-rw-r----- 1 root adm 135311 Mar 31 03:55 kern.log
-rw-rw-r-- 1 root utmp 31828 Mar 31 03:55 lastlog
-rw-r----- 1 root adm 128275 Mar 31 03:55 messages
drwxr-xr-x 2 ntp ntp 4096 Sep 23 2020 ntpstats
drwx------ 2 root root 4096 Mar 17 22:27 private
drwxr-xr-x 3 root root 4096 Mar 17 22:26 runit
-rw-r----- 1 root adm 313512 Mar 31 03:55 syslog
-rw-r----- 1 root adm 6974 Mar 31 03:55 ufw.log
drwxr-x--- 2 root adm 4096 Mar 17 22:27 unattended-upgrades
-rw-r----- 1 root adm 774 Mar 31 03:50 user.log
-rw-rw-r-- 1 root utmp 3456 Mar 31 03:55 wtmp

Issue Two:

The vendor-data includes credentials and is saved to the public instance-data.json. The vendor-data should be redacted.

This might be a general cloud-init issue; the issue might be that 'vendor-data' should be added to 'sensitive_keys'.

The permissions on the instance-data.json file are readable by any logged in user (not just root) or application:
-rw-r--r-- 1 root root 6794 Mar 30 04:50 instance-data.json

Here is an excerpt showing the data.
/run/cloud-init/instance-data.json: "#cloud-config\n{\"package_upgrade\":true,\"disable_root\":false,\"manage_etc_hosts\":true,\"system_info\":{\"default_user\":{\"name\":\"root\"}},\"ssh_pwauth\":1,\"chpasswd\":{\"users\":[{\"name\":\"root\",\"password\":\"$6$6hTD1OeYjWtGUHuX$QAZCC3R67Frau3GV023YLRHjLpueNYlhcoUcwwbEpiK4qQW01xMgP9mLDrxcw.AmOCmMYF8XSQ5sPGg9kG5V5.\"}],\"expire\":false}}",

Related news

Ubuntu Security Notice USN-6042-1

Ubuntu Security Notice 6042-1 - James Glovich discovered that sensitive data could be exposed in logs. An attacker could use this information to find hashed passwords and possibly escalate their privilege.

CVE-2021-3429: write passwords only to serial console, lock down cloud-init-output.l… · canonical/cloud-init@b794d42

When instructing cloud-init to set a random password for a new user account, versions before 21.2 would write that password to the world-readable log file /var/log/cloud-init-output.log. This could allow a local user to log in as another user.
