CVE-2020-11933

Priority
Description
cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices
was run without restrictions on every boot, which a physical attacker could
exploit by crafting cloud-init user-data/meta-data via external media to
perform arbitrary changes on the device to bypass intended security
mechanisms such as full disk encryption. This issue did not affect
traditional Ubuntu systems. Fixed in snapd version 2.45.2, revision 8539
and core version 2.45.2, revision 9659.
Ubuntu-Description
It was discovered that cloud-init as managed by snapd on Ubuntu Core 16 and
Ubuntu Core 18 devices ran on every boot without restrictions. A physical
attacker could exploit this to craft cloud-init user-data/meta-data via
external media to perform arbitrary changes on the device to bypass
intended security mechanisms such as full disk encryption. This issue did
not affect traditional Ubuntu systems. (CVE-2020-11933)
Mitigation
jdstrand> On provisioned devices, disable cloud-init using:
$ sudo systemctl disable cloud-init
jdstrand> For unprovisioned devices, provision then disable cloud-init
Assigned-to
jdstrand
Notes
jdstrand> cloud-init as managed by snapd is only used on Ubuntu Core 16 and 18
devices. This does not affect traditional Ubuntu cloud, desktop and server
systems or the upcoming Ubuntu Core 20.
Since the attack requires physical presence, the vulnerability
provides no additional access to standard Ubuntu Core devices. For Ubuntu
Core devices with full disk encryption, the vulnerability allows admin access
to the device after the disk has been decrypted.
snapd will be updated to disable/restrict cloud-init after the first
boot. Since this does not affect traditional deb-based Ubuntu systems,
security updates will not be provided for the snapd deb in the Ubuntu archive
and these debs are marked as 'not-affected'. For notification purposes we
will issue a USN for this.
Ubuntu Core 16 devices will be updated via the 'core' snap which
includes snapd.
Ubuntu Core 18 devices will be updated via the 'snapd' snap (which
is provided separately from the core18 snap).
20.04 LTS Raspberry Pi images are affected but do not include FDE.
A non-security bug task has been added to https://launchpad.net/bugs/1879530.
Snap
Store: core
core: released (2.45.2, revisions 9659+)
Snap
Store: core18
core18: not-affected (code-not-present)
Snap
Store: core20
core20: not-affected (code-not-present)
Snap
Store: snapd
Upstream: released (2.45.2)
snapd: released (2.45.2, revisions 8539+)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected
Ubuntu 18.04 LTS (Bionic Beaver): not-affected
Ubuntu 20.04 LTS (Focal Fossa): not-affected
Ubuntu 20.10 (Groovy Gorilla): not-affected
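One way to confirm that a device carries the fixed revisions listed above, as an added example that is not part of the original tracker entry or of snapd's own tooling. It parses `snap list` output; the function names and both sample listings are constructed for illustration.

```shell
# Added example (not snapd tooling): compare installed 'core' / 'snapd' snap
# revisions against the fixed revisions this page gives (9659+ and 8539+).
# Reads `snap list` output on stdin, prints one line per relevant snap.
# Exit status: 0 all fixed, 1 at least one snap below its fixed revision,
# 2 undecided (no relevant snap listed, or a local "x1"-style revision).
check_cve_2020_11933() {
    awk '
        BEGIN { fixed["core"] = 9659; fixed["snapd"] = 8539 }
        NR == 1 && $1 == "Name" { next }            # header row
        ($1 in fixed) {
            seen = 1
            if ($3 !~ /^[0-9]+$/) {                 # sideloaded snap: x1, x2, ...
                printf "%s rev %s: UNKNOWN (not a store revision)\n", $1, $3
                unknown = 1
            } else if ($3 + 0 < fixed[$1]) {
                printf "%s rev %s: VULNERABLE (fixed in %d+)\n", $1, $3, fixed[$1]
                vulnerable = 1
            } else {
                printf "%s rev %s: fixed\n", $1, $3
            }
        }
        END {
            if (!seen) print "no core or snapd snap listed"
            if (vulnerable) exit 1
            if (unknown || !seen) exit 2
            exit 0
        }
    '
}

sample_unpatched() {    # constructed listing, Ubuntu Core 16 layout
    cat <<'EOF'
Name       Version  Rev   Tracking  Publisher   Notes
core       16-2.44  9000  stable    canonical*  core
pc-kernel  4.4.0    100   stable    canonical*  kernel
EOF
}

sample_patched() {      # constructed listing, Ubuntu Core 18 layout
    cat <<'EOF'
Name    Version   Rev   Tracking  Publisher   Notes
core18  20200707  1880  stable    canonical*  base
snapd   2.45.2    8539  stable    canonical*  snapd
EOF
}

# On a device: snap list | check_cve_2020_11933
sample_unpatched | check_cve_2020_11933 || true
```

The check covers update status only; whether cloud-init has been disabled per the mitigation above has to be verified separately.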
Updated: 2020-07-30 08:21:13 UTC (commit dd36f14d21577f24d69b52e860f40106ba49ea35)