CVE-2018-10896 in cloud-init

Summary

by MITRE

The default cloud-init configuration, in cloud-init 0.6.2 and newer, included "ssh_deletekeys: 0", disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to impersonate one another or conduct man-in-the-middle attacks.

Analysis

by VulDB Data Team • 10/02/2025

The vulnerability described in CVE-2018-10896 represents a critical security flaw in the cloud-init configuration management system that affects versions 0.6.2 and newer. This issue stems from a default configuration parameter that disables the automatic deletion of SSH host keys during instance provisioning. The cloud-init service, which is responsible for initializing cloud instances with proper configuration settings, was configured to preserve existing SSH host keys rather than regenerate them for each new instance. This default behavior creates a fundamental security risk in virtualized environments where instances are frequently cloned from master images or templates.

The technical flaw manifests when cloud instances are created through cloning operations from a golden master system or template. In such scenarios, the SSH host keys that were originally generated on the template system are preserved and carried over to the newly created instances. This means that multiple instances within the same environment end up sharing identical SSH host keys, fundamentally undermining the security model that relies on unique host key identification for secure communications. The vulnerability specifically impacts the SSH host key management process where cloud-init should be regenerating unique keys for each instance to maintain proper host authentication security.

The operational impact of this vulnerability extends beyond simple configuration oversight to create significant security risks in cloud environments. When multiple instances share the same SSH host keys, attackers can exploit this weakness to conduct man-in-the-middle attacks by impersonating legitimate instances within the network. The shared host keys make it possible for malicious actors to establish connections that appear legitimate to SSH clients, potentially allowing unauthorized access to systems or interception of communications. This vulnerability particularly affects cloud deployments where rapid instance provisioning and cloning are common practices, such as in auto-scaling environments or when using template-based deployment strategies.

The security implications of this vulnerability align with several common attack patterns documented in the ATT&CK framework, particularly those related to credential access and defense evasion techniques. The shared SSH host keys can be leveraged to bypass host key verification mechanisms that are fundamental to SSH security protocols. This vulnerability also relates to CWE-310, which addresses cryptographic issues, specifically in the context of key management and generation. Organizations utilizing cloud-init with the default configuration end up with instances that can potentially masquerade as one another, undermining the trust model that SSH and other cryptographic protocols rely upon. The risk is amplified in multi-tenant environments where instances from different users or applications might share the same infrastructure.

Mitigation strategies for this vulnerability involve modifying the cloud-init configuration to explicitly enable SSH host key deletion during instance initialization. Administrators should ensure that the ssh_deletekeys parameter is set to 1 or true, which forces cloud-init to regenerate SSH host keys for each new instance. This configuration change should be implemented across all cloud environments where instances are cloned from templates or golden images. Additionally, organizations should conduct regular audits of their cloud-init configurations to ensure that security best practices are maintained. The recommended approach includes implementing automated configuration management tools that can enforce proper SSH key handling policies and establishing security guidelines that mandate unique host key generation for all cloud instances. Regular security assessments and penetration testing should also be conducted to verify that the configuration changes have been properly implemented and are functioning as intended.
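
One way to run the audit described above, as an added example that is not code from this advisory or from cloud-init: it reads ssh_deletekeys from cloud-init config text supplied in merge order, and groups ssh-keyscan-style lines by key to find hosts that share a host key. The function names, the set of values treated as enabled, and the sample addresses and key strings are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: values this simple line parser treats as "deletion enabled".
TRUTHY = {"1", "true", "yes", "on"}

def deletekeys_enabled(cfg_texts):
    """cfg_texts: config file contents in merge order (later files win).
    Returns True/False for the last top-level ssh_deletekeys, None if unset."""
    value = None
    for text in cfg_texts:
        for line in text.splitlines():
            # re.match anchors at column 0, so commented or nested keys are skipped.
            m = re.match(r"ssh_deletekeys\s*:\s*([^#]*)", line)
            if m:
                value = m.group(1).strip().strip("'\"").lower() in TRUTHY
    return value

def shared_host_keys(keyscan_output):
    """Group hosts by (key type, key blob) from "host keytype base64key" lines
    and return only the keys presented by two or more hosts."""
    hosts_by_key = defaultdict(set)
    for line in keyscan_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        host, keytype, blob = parts[:3]
        hosts_by_key[(keytype, blob)].add(host)
    return {k: sorted(h) for k, h in hosts_by_key.items() if len(h) > 1}

# Constructed sample input: a vulnerable default plus an unrelated override file,
# and scan output where two clones still carry the template's host key.
SAMPLE_CFG = ["ssh_deletekeys: 0\n", "# local override\nssh_pwauth: false\n"]
SAMPLE_SCAN = """\
10.0.0.11 ssh-ed25519 CONSTRUCTEDKEYAAAA
10.0.0.12 ssh-ed25519 CONSTRUCTEDKEYAAAA
10.0.0.13 ssh-ed25519 CONSTRUCTEDKEYBBBB
"""

if __name__ == "__main__":
    state = deletekeys_enabled(SAMPLE_CFG)
    print("ssh_deletekeys effective value:", state)
    if state is False:
        print("FINDING: host key deletion is disabled; clones keep template keys")
    for (keytype, blob), hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(f"FINDING: {keytype} key {blob[:12]}... shared by {', '.join(hosts)}")
```

On a real system the config texts would come from /etc/cloud/cloud.cfg followed by the files in /etc/cloud/cloud.cfg.d/ in sorted order, and the scan text from ssh-keyscan run against the instances being audited.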

Responsible: Red Hat, Inc.

Reservation: 05/09/2018

Disclosure: 08/01/2018

Moderation: accepted

CPE: ready

EPSS: 0.00114

KEV: no

Activities: very low
