CVE-2020-11933

Publication date 15 July 2020

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

7.6 · High

Score breakdown

cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems. Fixed in snapd version 2.45.2, revision 8539 and core version 2.45.2, revision 9659.

From the Ubuntu Security Team

It was discovered that cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices ran on every boot without restrictions. A physical attacker could exploit this to craft cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems. (CVE-2020-11933)

Read the notes from the security team

Mitigation

jdstrand> On provisioned devices, disable cloud-init using: $ sudo systemctl disable cloud-init jdstrand> For unprovisioned devices, provision then disable cloud-init

Status

Package Ubuntu Release Status
snapd 20.04 LTS focal
Not affected
19.10 eoan
Not affected
18.04 LTS bionic
Not affected
16.04 LTS xenial
Not affected
14.04 LTS trusty Not in release

Notes


jdstrand

cloud-init as managed by snapd is only used on Ubuntu Core 16 and 18 devices. This does not affect traditional Ubuntu cloud, desktop and server systems or the upcoming Ubuntu Core 20. Since the attack requires physical presence, the vulnerability provides no additional access to standard Ubuntu Core devices. For Ubuntu Core devices with full disk encryption, the vulnerability allows admin access to the device after the disk has been decrypted. snapd will be updated to disable/restrict cloud-init after the first boot. Since this does not affect traditional deb-based Ubuntu systems, security updates will not be provided for the snapd deb in the Ubuntu archive and these debs are marked as 'not-affected'. For notification purposes we will issue a USN for this. Ubuntu Core 16 devices will be updated via the 'core' snap which includes snapd Ubuntu Core 18 devices will be updated via the 'snapd' snap (which is provided separated from the core18 snap) 20.04 LTS Raspberry Pi images are affected but do not include FDE. A non-security bug task has been added to https://launchpad.net/bugs/1879530.

Severity score breakdown

Parameter Value
Base score 7.6 · High
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Scope Changed
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

Other references