Scaleway Centos7.2 image is vulnerable

UPDATE 2017-11-09: Torgrim Teigstad originally reported this and did some additional testing this week. It appears that all VMs spun from this image use the same hard coded root password, and this exists in the list of passwords being probed over ssh. If you’ve changed the root password after installation, you’re safe. Well done, Torgrim!

tl;dr: If you install the recommended Centos 7.2 image on Scaleway.com and leave it be, it appears to have a severe security issue and it will get owned unless patched immediately.

I did an experiment with a fresh vm and did not patch it in any way. After two days the VM locked up and refused ssh logins and console access. A hard reboot later, the vm has been taken over.

And before the haters starts yelling that I need to patch: yes, but no. This is scaleway’s fault. Their images should be safe to run by default. Yes, from the time I install it it is my responsibility, but the original image should be updated and secured by Scaleway.

Last login: Tue Oct 31 14:29:08 2017 from 177.101.205.5

[root@scw-4eee22 ~]# find /tmp
/tmp
/tmp/aw.sh.1
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix

-rw-r–r– 1 root root 0 Oct 27 19:58 aw.sh.1

I certainly have never logged in from 177.101.205.5.

The vm is based on the scaleway image armv7l-centos-latest-2016-07-01_10:24.

It didn’t take long for them to get back in:

Nov 1 09:39:59 scw-4eee22 sshd[4215]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 1 09:44:34 scw-4eee22 sshd[4246]: Accepted password for root from 194.88.107.164 port 50587 ssh2

Nov 1 09:54:35 scw-4eee22 sshd[4347]: Accepted password for root from 14.47.125.208 port 4235 ssh2
Nov 1 09:54:35 scw-4eee22 sshd[4347]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 1 09:54:36 scw-4eee22 sshd[4347]: Received disconnect from 14.47.125.208: 11:
Nov 1 09:54:36 scw-4eee22 sshd[4347]: pam_unix(sshd:session): session closed for user root

root password hash from /etc/shadow:

root:$6$0fPUiyMT/zOk$Wh83pSqrId7z.sl5wtQPn87mphyuwsHh3Zm1gt9rj1NGr9WB4V9p8I7U3biMH/THNj8/hD3iAXkOUYUh1Ki1S/:16772:0:99999:7:::

[root@scw-4eee22 log]# ls -l /etc/shadow
———- 1 root root 687 Jul 1 2016 /etc/shadow

(can’t trust the time stamps)

 

Here is the list of packages that yum wants to upgrade (if we decide to trust what yum is doing at this stage):

====================================================================================================
Package Arch Version Repository Size
====================================================================================================
Installing:
python-gobject-base armv7hl 3.22.0-1.el7 base 279 k
replacing pygobject3-base.armv7hl 3.14.0-3.el7
Updating:
alsa-lib armv7hl 1.1.3-3.el7 base 378 k
audit armv7hl 2.7.6-3.el7 base 225 k
audit-libs armv7hl 2.7.6-3.el7 base 88 k
avahi-autoipd armv7hl 0.6.31-17.el7 base 40 k
avahi-libs armv7hl 0.6.31-17.el7 base 56 k
bash armv7hl 4.2.46-29.el7 updates 942 k
bind-libs-lite armv7hl 32:9.9.4-51.el7 updates 671 k
bind-license noarch 32:9.9.4-51.el7 updates 84 k
binutils armv7hl 2.25.1-32.base.el7.1 updates 5.0 M
ca-certificates noarch 2017.2.14-71.el7 base 472 k
centos-userland-release armv7hl 7-4.1708.el7.centos.0.1 base 25 k
chkconfig armv7hl 1.7.4-1.el7 base 177 k
coreutils armv7hl 8.22-18.el7 base 3.2 M
cpio armv7hl 2.11-25.el7 updates 202 k
cronie armv7hl 1.4.11-17.el7 base 88 k
cronie-anacron armv7hl 1.4.11-17.el7 base 35 k
cryptsetup-libs armv7hl 1.7.4-3.el7 base 217 k
curl armv7hl 7.29.0-42.el7 base 262 k
cyrus-sasl-lib armv7hl 2.1.26-21.el7 base 148 k
dbus armv7hl 1:1.6.12-17.el7 base 274 k
dbus-libs armv7hl 1:1.6.12-17.el7 base 134 k
device-mapper armv7hl 7:1.02.140-8.el7 base 280 k
device-mapper-libs armv7hl 7:1.02.140-8.el7 base 308 k
dhclient armv7hl 12:4.2.5-58.el7 base 268 k
dhcp-common armv7hl 12:4.2.5-58.el7 base 173 k
dhcp-libs armv7hl 12:4.2.5-58.el7 base 122 k
dnsmasq armv7hl 2.76-2.el7.2 updates 257 k
dracut armv7hl 033-502.el7 base 319 k
dracut-config-generic armv7hl 033-502.el7 base 53 k
dracut-config-rescue armv7hl 033-502.el7 base 55 k
dracut-network armv7hl 033-502.el7 base 97 k
e2fsprogs armv7hl 1.42.9-10.el7 base 690 k
e2fsprogs-libs armv7hl 1.42.9-10.el7 base 157 k
ebtables armv7hl 2.0.10-15.el7 base 116 k
elfutils-libelf armv7hl 0.168-8.el7 base 191 k
elfutils-libs armv7hl 0.168-8.el7 base 259 k
ethtool armv7hl 2:4.8-1.el7 base 113 k
expat armv7hl 2.1.0-10.el7 base 68 k
file-libs armv7hl 5.11-33.el7 base 339 k
filesystem armv7hl 3.2-21.el7 base 1.0 M
fipscheck armv7hl 1.4.1-6.el7 base 20 k
fipscheck-lib armv7hl 1.4.1-6.el7 base 9.9 k
firewalld noarch 0.4.4.4-6.el7 base 416 k
gawk armv7hl 4.0.2-4.el7.1 base 819 k
glib2 armv7hl 2.50.3-3.el7 base 2.2 M
glibc armv7hl 2.17-196.el7 base 3.3 M
glibc-common armv7hl 2.17-196.el7 base 11 M
gmp armv7hl 1:6.0.0-15.el7 base 237 k
gnupg2 armv7hl 2.0.22-4.el7 base 1.4 M
gnutls armv7hl 3.3.26-9.el7 base 604 k
gobject-introspection armv7hl 1.50.0-1.el7 base 226 k
grep armv7hl 2.20-3.el7 base 334 k
gzip armv7hl 1.5-9.el7 base 124 k
initscripts armv7hl 9.49.39-1.el7 base 434 k
iproute armv7hl 3.10.0-87.el7 base 614 k
iprutils armv7hl 2.4.14.1-1.el7 base 220 k
iptables armv7hl 1.4.21-18.0.1.el7 updates 405 k
iputils armv7hl 20160308-10.el7 base 150 k
jansson armv7hl 2.10-1.el7 base 34 k
kbd armv7hl 1.15.5-13.el7 base 336 k
kbd-legacy noarch 1.15.5-13.el7 base 465 k
kbd-misc noarch 1.15.5-13.el7 base 1.4 M
kexec-tools armv7hl 2.0.14-17.el7 base 174 k
kmod armv7hl 20-15.el7 base 112 k
kmod-libs armv7hl 20-15.el7 base 46 k
kpartx armv7hl 0.4.9-111.el7 base 73 k
krb5-libs armv7hl 1.15.1-8.el7 base 685 k
less armv7hl 458-9.el7 base 111 k
libblkid armv7hl 2.23.2-43.el7 base 166 k
libcap armv7hl 2.22-9.el7 base 46 k
libcom_err armv7hl 1.42.9-10.el7 base 39 k
libcurl armv7hl 7.29.0-42.el7 base 201 k
libdb armv7hl 5.3.21-20.el7 base 631 k
libdb-utils armv7hl 5.3.21-20.el7 base 128 k
libffi armv7hl 3.0.13-18.el7 base 28 k
libgcc armv7hl 4.8.5-16.el7 base 98 k
libgcrypt armv7hl 1.5.3-14.el7 base 259 k
libmount armv7hl 2.23.2-43.el7 base 166 k
libndp armv7hl 1.2-7.el7 base 29 k
libnetfilter_conntrack armv7hl 1.0.6-1.el7 base 50 k
libnl3 armv7hl 3.2.28-4.el7 base 242 k
libnl3-cli armv7hl 3.2.28-4.el7 base 161 k
libpcap armv7hl 14:1.5.3-9.el7 base 131 k
libselinux armv7hl 2.5-11.el7 base 156 k
libselinux-python armv7hl 2.5-11.el7 base 218 k
libselinux-utils armv7hl 2.5-11.el7 base 152 k
libsemanage armv7hl 2.5-8.el7 base 136 k
libsepol armv7hl 2.5-6.el7 base 265 k
libss armv7hl 1.42.9-10.el7 base 43 k
libssh2 armv7hl 1.4.3-10.el7.1 base 125 k
libstdc++ armv7hl 4.8.5-16.el7 base 267 k
libtasn1 armv7hl 4.10-1.el7 base 317 k
libteam armv7hl 1.25-5.el7 base 43 k
libuuid armv7hl 2.23.2-43.el7 base 79 k
libxml2 armv7hl 2.9.1-6.el7.3 base 578 k
lm_sensors-libs armv7hl 3.4.0-4.20160601gitf9185e5.el7 base 39 k
logrotate armv7hl 3.8.6-14.el7 base 67 k
lsscsi armv7hl 0.27-6.el7 base 47 k
lua armv7hl 5.1.4-15.el7 base 179 k
make armv7hl 1:3.82-23.el7 base 409 k
ncurses armv7hl 5.9-14.20130511.el7 updates 302 k
ncurses-base noarch 5.9-14.20130511.el7 updates 68 k
ncurses-libs armv7hl 5.9-14.20130511.el7 updates 277 k
net-tools armv7hl 2.0-0.22.20131004git.el7 base 296 k
nettle armv7hl 2.7.1-8.el7 base 329 k
nspr armv7hl 4.13.1-1.0.el7 base 107 k
nss armv7hl 3.28.4-15.el7 updates 740 k
nss-softokn armv7hl 3.28.3-8.el7 updates 270 k
nss-softokn-freebl armv7hl 3.28.3-8.el7 updates 181 k
nss-sysinit armv7hl 3.28.4-15.el7 updates 59 k
nss-tools armv7hl 3.28.4-15.el7 updates 488 k
nss-util armv7hl 3.28.4-3.el7 base 63 k
ntp armv7hl 4.2.6p5-25.el7 base 514 k
ntpdate armv7hl 4.2.6p5-25.el7 base 84 k
openldap armv7hl 2.4.44-5.el7 base 314 k
openssh armv7hl 7.4p1-13.el7 updates 507 k
openssh-clients armv7hl 7.4p1-13.el7 updates 597 k
openssh-server armv7hl 7.4p1-13.el7 updates 444 k
openssl-libs armv7hl 1:1.0.2k-8.el7 base 853 k
p11-kit armv7hl 0.23.5-3.el7 base 243 k
p11-kit-trust armv7hl 0.23.5-3.el7 base 115 k
pam armv7hl 1.1.8-18.el7 base 700 k
parted armv7hl 3.1-28.el7 base 595 k
pcre armv7hl 8.32-17.el7 base 387 k
perl armv7hl 4:5.16.3-292.el7 base 7.9 M
perl-Pod-Escapes noarch 1:1.04-292.el7 base 50 k
perl-Socket armv7hl 2.010-4.el7 base 47 k
perl-libs armv7hl 4:5.16.3-292.el7 base 596 k
perl-macros armv7hl 4:5.16.3-292.el7 base 43 k
pinentry armv7hl 0.8.1-17.el7 base 69 k
policycoreutils armv7hl 2.5-17.1.el7 base 859 k
procps-ng armv7hl 3.3.10-16.el7 base 280 k
python armv7hl 2.7.5-58.el7 base 91 k
python-libs armv7hl 2.7.5-58.el7 base 5.5 M
python-pycurl armv7hl 7.19.0-19.el7 base 78 k
python-urlgrabber noarch 3.10-8.el7 base 107 k
rdma noarch 7.3_4.7_rc2-5.el7 base 29 k
readline armv7hl 6.2-10.el7 base 178 k
rpm armv7hl 4.11.3-25.el7 base 1.2 M
rpm-build-libs armv7hl 4.11.3-25.el7 base 96 k
rpm-libs armv7hl 4.11.3-25.el7 base 238 k
rpm-python armv7hl 4.11.3-25.el7 base 76 k
rsync armv7hl 3.0.9-18.el7 base 354 k
rsyslog armv7hl 8.24.0-12.el7 base 584 k
selinux-policy noarch 3.13.1-166.el7.5 updates 436 k
selinux-policy-targeted noarch 3.13.1-166.el7.5 updates 6.5 M
setup noarch 2.8.71-7.el7 base 164 k
shadow-utils armv7hl 2:4.1.5.1-24.el7 base 1.1 M
shared-mime-info armv7hl 1.8-3.el7 base 309 k
socat armv7hl 1.7.3.2-2.el7 base 269 k
sudo armv7hl 1.8.19p2-11.el7 updates 1.1 M
sysstat armv7hl 10.1.5-12.el7 base 295 k
systemd armv7hl 219-42.el7.4 updates 4.8 M
systemd-libs armv7hl 219-42.el7.4 updates 337 k
systemd-sysv armv7hl 219-42.el7.4 updates 70 k
tar armv7hl 2:1.26-32.el7 base 824 k
tcpdump armv7hl 14:4.9.0-5.el7 base 394 k
teamd armv7hl 1.25-5.el7 base 102 k
trousers armv7hl 0.3.14-2.el7 base 258 k
tzdata noarch 2017c-1.el7 updates 468 k
util-linux armv7hl 2.23.2-43.el7 base 1.9 M
vim-common armv7hl 2:7.4.160-2.el7 base 5.9 M
vim-enhanced armv7hl 2:7.4.160-2.el7 base 890 k
vim-filesystem armv7hl 2:7.4.160-2.el7 base 9.3 k
vim-minimal armv7hl 2:7.4.160-2.el7 base 359 k
virt-what armv7hl 1.13-10.el7 base 27 k
wget armv7hl 1.14-15.el7.1 updates 529 k
xz armv7hl 5.2.2-1.el7 base 228 k
xz-libs armv7hl 5.2.2-1.el7 base 98 k
yum noarch 3.4.3-154.el7.centos base 1.2 M
yum-plugin-fastestmirror noarch 1.1.31-42.el7 base 32 k
zlib armv7hl 1.2.7-17.el7 base 87 k
Installing for dependencies:
GeoIP armv7hl 1.5.0-11.el7 base 1.1 M
elfutils-default-yama-scope noarch 0.168-8.el7 base 30 k
firewalld-filesystem noarch 0.4.4.4-6.el7 base 47 k
hwdata armv7hl 0.252-8.6.el7 base 2.2 M
ipset armv7hl 6.29-1.el7 base 40 k
ipset-libs armv7hl 6.29-1.el7 base 47 k
libfastjson armv7hl 0.99.4-2.el7 base 25 k
nss-pem armv7hl 1.0.3-4.el7 base 59 k
pciutils armv7hl 3.5.1-2.el7 base 88 k
pciutils-libs armv7hl 3.5.1-2.el7 base 41 k
python-firewall noarch 0.4.4.4-6.el7 base 325 k

Transaction Summary
====================================================================================================
Install 1 Package (+11 Dependent packages)
Upgrade 172 Packages

 

 

Advertisements
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s