6.5

CVSS Score

Basic Information

CVE ID

CVE-2022-1706

GHSA ID

GHSA-hj57-j5cw-2mwp

EPSS Score

CWE

CWE-200

Published

5/25/2022

Updated

1/11/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-1706

CVE-2022-1706:
Ignition config accessible to unprivileged software on VMware

Impact

Unprivileged software in VMware VMs, including software running in unprivileged containers, can retrieve an Ignition config stored in a hypervisor guestinfo variable or OVF environment. If the Ignition config contains secrets, this can result in the compromise of sensitive information.

Patches

Ignition 2.14.0 and later adds a new systemd service, ignition-delete-config.service, that deletes the Ignition config from supported hypervisors (currently VMware and VirtualBox) during the first boot. This ensures that unprivileged software cannot retrieve the Ignition config from the hypervisor.

If you have external tooling that requires the Ignition config to remain accessible in VM metadata after provisioning, and your Ignition config does not include sensitive information, you can prevent Ignition 2.14.0 and later from deleting the config by masking ignition-delete-config.service. For example:

{
  "ignition": {
    "version": "3.0.0"
  },
  "systemd": {
    "units": [
      {
        "name": "ignition-delete-config.service",
        "mask": true
      }
    ]
  }
}

Workarounds

Avoid storing secrets in Ignition configs. In addition to VMware, many cloud platforms allow unprivileged software in a VM to retrieve the Ignition config from a networked cloud metadata service. While platform-specific mitigation is possible, such as firewall rules that prevent access to the metadata service, it's best to store secrets in a dedicated platform such as Hashicorp Vault.

Advice to Linux distributions

Linux distributions that ship Ignition should ensure the new ignition-delete-config.service is installed and enabled by default.

In addition, we recommend shipping a service similar to ignition-delete-config.service that runs when existing machines are upgraded, similar to the one in https://github.com/coreos/fedora-coreos-config/pull/1738. Consider giving your users advance notice of this change, and providing instructions for masking ignition-delete-config.service on existing nodes if users have tooling that requires the Ignition config to remain accessible in VM metadata.

References

For more information, see #1300 and #1350.

For more information

If you have any questions or comments about this advisory, open an issue in Ignition or email the CoreOS development mailing list.

(GitHub Advisory)

6.5

CVSS Score

Basic Information

CVE ID

CVE-2022-1706

GHSA ID

GHSA-hj57-j5cw-2mwp

EPSS Score

CWE

CWE-200

Published

5/25/2022

Updated

1/11/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/coreos/ignition/v2	go	< 2.14.0	2.14.0
github.com/coreos/ignition	go	<= 0.35.0	2.14.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Ignition retrieving cloud-init configs from hypervisor-specific storage (VMware guestinfo/VirtualBox properties) without subsequently deleting them. The key vulnerable functions are the config retrieval handlers in platform providers that lacked deletion logic. The patches introduced DelConfig methods and ignition-rmcfg to remove these artifacts post-retrieval. During exploitation, these unpatched retrieval functions would appear in stack traces when Ignition processes (but doesn't clean) sensitive configs, leaving them accessible through hypervisor interfaces.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Unprivil**** so*tw*r* in VMw*r* VMs, in*lu*in* so*tw*r* runnin* in unprivil**** *ont*in*rs, **n r*tri*v* *n I*nition *on*i* stor** in * *yp*rvisor *u*stin*o v*ri**l* or OV* *nvironm*nt. I* t** I*nition *on*i* *ont*ins s**r*ts, t*is **n r*

Reasoning

T** vuln*r**ility st*ms *rom I*nition r*tri*vin* *lou*-init *on*i*s *rom *yp*rvisor-sp**i*i* stor*** (VMw*r* *u*stin*o/Virtu*l*ox prop*rti*s) wit*out su*s*qu*ntly **l*tin* t**m. T** k*y vuln*r**l* *un*tions *r* t** *on*i* r*tri*v*l **n*l*rs in pl*t*o

6.5

Basic Information

Concerned about an active attack path?

CVE-2022-1706: Ignition config accessible to unprivileged software on VMware

Impact

Patches

Workarounds

Advice to Linux distributions

References

For more information

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-1706:
Ignition config accessible to unprivileged software on VMware

Vulnerability Intelligence
Miggo AI