CVE-2020-11933

Published: 15 July 2020

cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems. Fixed in snapd version 2.45.2, revision 8539 and core version 2.45.2, revision 9659.

From the Ubuntu Security Team

It was discovered that cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices ran on every boot without restrictions. A physical attacker could exploit this to craft cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems. (CVE-2020-11933)

Notes

Author: jdstrand

cloud-init as managed by snapd is only used on Ubuntu Core 16 and 18 devices. This does not affect traditional Ubuntu cloud, desktop and server systems or the upcoming Ubuntu Core 20.

Since the attack requires physical presence, the vulnerability provides no additional access to standard Ubuntu Core devices. For Ubuntu Core devices with full disk encryption, the vulnerability allows admin access to the device after the disk has been decrypted.

snapd will be updated to disable/restrict cloud-init after the first boot. Since this does not affect traditional deb-based Ubuntu systems, security updates will not be provided for the snapd deb in the Ubuntu archive and these debs are marked as 'not-affected'. For notification purposes we will issue a USN for this.

Ubuntu Core 16 devices will be updated via the 'core' snap, which includes snapd.

Ubuntu Core 18 devices will be updated via the 'snapd' snap (which is provided separately from the core18 snap).

20.04 LTS Raspberry Pi images are affected but do not include FDE. A non-security bug task has been added to https://launchpad.net/bugs/1879530.

Mitigation

jdstrand> On provisioned devices, disable cloud-init using:
 $ sudo systemctl disable cloud-init
jdstrand> For unprovisioned devices, provision then disable cloud-init
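
Added example, not part of the advisory or of snapd: a bash audit that combines the fixed version given above (2.45.2) with the cloud-init mitigation to classify an Ubuntu Core 16/18 device. It assumes the usual `snap list` column layout and that the core snap's version carries a `16-` prefix; the sample rows are constructed.

```bash
#!/bin/bash
# Added example (not from the advisory): classify a device for CVE-2020-11933.
FIXED_VERSION="2.45.2"   # fixed snapd/core version stated in the advisory

# version_ge A B: succeed when version A >= version B (GNU `sort -V` order).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# Read `snap list` output on stdin and print the running snapd version.
# Assumptions: the snapd snap (Core 18) takes precedence over the core snap
# (Core 16), and the core snap's version looks like "16-<snapd version>".
snapd_version() {
    awk '$1 == "snapd" { s = $2 }
         $1 == "core"  { c = $2; sub(/^16-/, "", c) }
         END { if (s != "") print s; else if (c != "") print c }'
}

# assess SNAP_LIST_TEXT CLOUD_INIT_STATE
# CLOUD_INIT_STATE is the output of `systemctl is-enabled cloud-init`.
# Prints fixed | mitigated | vulnerable | unknown.
assess() {
    local ver
    ver=$(printf '%s\n' "$1" | snapd_version)
    if [ -z "$ver" ]; then echo "unknown"; return 2; fi
    if version_ge "$ver" "$FIXED_VERSION"; then echo "fixed"; return 0; fi
    case "$2" in
        disabled|masked) echo "mitigated"; return 0 ;;
    esac
    echo "vulnerable"; return 1
}

# Constructed sample rows (versions and revisions are illustrative only).
SAMPLE_CORE16='Name  Version    Rev  Tracking  Publisher   Notes
core  16-2.44.3  111  stable    canonical*  core'
SAMPLE_CORE18='Name    Version   Rev  Tracking  Publisher   Notes
core18  20200707  222  stable    canonical*  base
snapd   2.45.2    333  stable    canonical*  snapd'

# On a real device: ./audit.sh --live
if [ "${1:-}" = "--live" ]; then
    assess "$(snap list 2>/dev/null)" "$(systemctl is-enabled cloud-init 2>/dev/null)"
fi
```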

Priority

Medium

CVSS 3 Severity Score

7.6

Status

Package  Release   Status
snapd    trusty    Does not exist
         xenial    Not vulnerable
         eoan      Not vulnerable
         bionic    Not vulnerable
         focal     Not vulnerable
         upstream  Released (2.45.2)
core     upstream  Not vulnerable
core18   upstream  Not vulnerable
core20   upstream  Not vulnerable

Severity score breakdown

Parameter            Value
Base score           7.6
Attack vector        Physical
Attack complexity    Low
Privileges required  None
User interaction     None
Scope                Changed
Confidentiality      High
Integrity impact     High
Availability impact  High
Vector               CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H