CVE-2021-3429 in cloud-init
Summary
by MITRE • 04/20/2023
When instructing cloud-init to set a random password for a new user account, versions before 21.2 would write that password to the world-readable log file /var/log/cloud-init-output.log. This could allow a local user to log in as another user.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/26/2025
The vulnerability described in CVE-2021-3429 represents a critical security flaw in the cloud-init configuration management tool that affects systems running versions prior to 21.2. This issue arises from improper handling of sensitive information during user account creation processes, creating a significant privilege escalation vector for local attackers. The vulnerability is classified under CWE-200, which deals with exposure of sensitive information to an unauthorized actor, and aligns with ATT&CK technique T1078.101 for valid accounts and T1566 for credential access through legitimate credentials.
The technical implementation of this flaw occurs when cloud-init executes commands to create new user accounts and assign random passwords. During this process, the system generates a password that gets written to the /var/log/cloud-init-output.log file with world-readable permissions. This log file typically contains output from cloud-init operations including command execution results, configuration details, and in this case, the generated password. The flaw stems from inadequate permission management and output sanitization during the cloud-init execution lifecycle, where sensitive data is not properly redacted or protected before being logged to persistent storage.
The operational impact of this vulnerability extends beyond simple privilege escalation to encompass broader security implications for cloud environments and containerized systems where cloud-init is commonly deployed. Local users who can access the system can simply examine the log file to obtain valid credentials for other user accounts, effectively bypassing authentication mechanisms and gaining unauthorized access to potentially sensitive system resources. This vulnerability particularly affects cloud deployments where multiple users or services might be running on the same host, creating a vector for lateral movement and privilege escalation attacks. The risk is amplified in environments where cloud-init is used for automated provisioning and where system administrators might not be aware of the password exposure occurring in log files.
Mitigation strategies for CVE-2021-3429 should focus on immediate patching of affected cloud-init versions to 21.2 or later, which addresses the improper logging of sensitive information. Organizations should also implement log file permission controls to ensure that sensitive information is not written to world-readable files, and establish proper log sanitization procedures during cloud-init execution. Additionally, system administrators should conduct comprehensive audits of log file permissions and implement monitoring solutions to detect unauthorized access to sensitive log files. The remediation process should include disabling or restricting access to cloud-init output logs that contain sensitive information, and implementing proper credential management practices that do not rely on potentially exposed logging mechanisms. Organizations should also consider implementing principle of least privilege access controls and regular security assessments of cloud-init configurations to prevent similar vulnerabilities from emerging in automated deployment environments.