
AWS Marketplace: False Positive Security Warning

It was recently brought to our attention that AWS Marketplace sent a security warning directly to many of our AWS users. This happened without any prior consultation with us, and without verifying that there was in fact an issue to warn about.

Let us make this perfectly clear: This is a FALSE POSITIVE. NO ACTION IS REQUIRED. You do not need to reset the debian-sys-maint password. All secrets, including the debian-sys-maint password, are randomly generated on first boot, so the value the scanner found inside the image is not the one in use on any running instance.

Whilst it was completely out of our control, we deeply apologize for the confusion and panic this has caused.


We take security extremely seriously, and we appreciate that AWS does too. In this case, due to the sheer volume of images in the marketplace, they decided to err on the side of caution and send notifications to all "affected" image subscribers, not just TurnKey users, which we appreciate. That said, we would have appreciated it a lot more if they had verified the issue and/or reached out to us first, but that is a discussion for another day...

To accommodate the updated AWS security scanner, we have removed the configuration file in question (/etc/mysql/debian.cnf) from the image; it is now created entirely on first boot, together with the freshly generated debian-sys-maint password. The side effect is that first-boot initialization is slightly slower, unfortunately.

If you have any questions or concerns, please feel free to post a comment below, open a new thread on the forums, or contact us via the support email.

For full context, here is the AWS email in full:

> Dear AWS Marketplace Subscriber,
>
> We are writing to notify you that a scan of our catalog identified the presence of a
> default password in the following product you have subscribed to:
>
> LAMP Stack - Web Stack (MySQL) powered by TurnKey GNU/Linux
>
> The default password for the MySQL user "debian-sys-maint" can be found in the
> following location:
> /etc/mysql/debian.cnf
>
> If you are still running this software, we highly recommend you reset this password.
>
> If you have additional questions about your software please contact TurnKey
> GNU/Linux directly at: https://hub.turnkeylinux.org/
>
> Thank you,
>
> --The AWS Marketplace Team

Comments

Keyturns

Hi, I also got such an email in early November from Amazon AWS and it had the subject: "Important Information Regarding Your AWS Marketplace" (sent by 'no-reply-aws@amazon.com').  I looked at /etc/mysql/debian.cnf which was readable only by root and had the lines:

# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
...
password = prettyNonDefaultLookingPassword

So to me it looked like the message was not correct as the password noted in the file did not appear to be a default and the comment implied to me it was created dynamically on init boot.

Thanks for the update.

Jeremy Davis

Nice one, glad you did your own research and made your own assessment.

Having said that, whilst we make every effort to make our images secure, we're still human, so bugs do creep in from time to time. So if you ever do find something that you think isn't quite right, please feel free to get in touch. As a general rule, it's probably best to contact us directly via support AT turnkeylinux.org if you think you've found a security issue.
