A recent update to cloud-init (version 25.1.4) introduces a change that impacts non-x86 architectures on AltStack, OpenStack, and legacy EC2 platforms. Administrators launching non-x86 instances on these platforms may need to review and adjust their configurations or cloud-specific images to ensure cloud-init remains enabled.
This change is part of a mitigation for CVE-2024-6174, which addresses a security vulnerability where generic cloud images with cloud-init enabled could inappropriately attempt to detect metadata services (IMDS) on untrusted local networks. This behavior created an opportunity for man-in-the-middle (MITM) attacks on instances not running on their intended platforms.
What’s Changed:
- cloud-init now enforces strict datasource detection before the network is up.
- If cloud-init cannot identify a valid datasource using system artifacts such as:
  - DMI info from SMBIOS tables
  - Kernel command-line parameters
  - Base configuration on the filesystem (/etc/cloud)
  then it disables itself early in the boot process.
- cloud-init will no longer attempt to fall back to probing known link-local IPs (e.g., for OpenStack or EC2 metadata) if a platform-specific artifact isn’t detected early.
Impact:
- This primarily affects non-x86 virtual machines on OpenStack, as some of those deployments may not expose the necessary metadata (such as DMI) to the VM, and the images used there typically have not been customized to declare the OpenStack datasource.
- Previously, cloud-init would remain permissively enabled even without a clear datasource, and attempt late discovery via network probing. This is no longer the case.
Action Required:
- Admins deploying non-x86 instances (particularly outside of standard cloud environments) should ensure that the required platform-identifying artifacts are exposed to the VM.
- For affected non-x86 instances, OpenStack can be given custom configuration to launch images using the alternative ConfigDrive datasource.
- Update any custom images or platform configurations to explicitly declare the intended datasource.
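As an added example (not cloud-init's own ds-identify logic), the POSIX shell function below reports which of the three early-boot artifacts listed above are present on a host, so an admin can see before upgrading why cloud-init 25.1.4 would, or would not, stay enabled without network probing. It assumes the usual Linux paths (/sys/class/dmi/id, /proc/cmdline, /etc/cloud/cloud.cfg.d), that OpenStack guests carry "OpenStack" in the DMI product name, and that cloud-init reads a datasource name from `ds=` / `ci.ds=` on the kernel command line; the paths are parameters so the check can also run against a copied root.

```shell
#!/bin/sh
# Added example, not code from the cloud-init project.
# Prints a comma-separated list of the platform-identifying artifacts found
# ("dmi", "cmdline", "config"), or "none" with a non-zero exit status.

check_artifacts() {
  dmi_dir="${1:-/sys/class/dmi/id}"          # assumed default path
  cmdline="${2:-/proc/cmdline}"              # assumed default path
  cloud_cfg_dir="${3:-/etc/cloud/cloud.cfg.d}" # assumed default path
  found=""

  # 1. DMI/SMBIOS: on many non-x86 guests this directory does not exist at all,
  #    which is exactly the case the advisory describes.
  if [ -r "$dmi_dir/product_name" ]; then
    product=$(cat "$dmi_dir/product_name")
    case "$product" in
      *OpenStack*) found="dmi" ;;   # assumed string exposed by OpenStack Nova
    esac
  fi

  # 2. Kernel command line: a datasource named via ds= or ci.ds= (assumed keys).
  if [ -r "$cmdline" ] && grep -qE '(^| )(ci\.)?ds=' "$cmdline"; then
    found="${found:+$found,}cmdline"
  fi

  # 3. Base configuration: an explicit datasource_list in /etc/cloud/cloud.cfg.d.
  if [ -d "$cloud_cfg_dir" ] && grep -qs '^datasource_list:' "$cloud_cfg_dir"/*.cfg; then
    found="${found:+$found,}config"
  fi

  if [ -z "$found" ]; then
    echo "none"
    return 1
  fi
  echo "$found"
  return 0
}
```

A host that reports "none" is one where the new strict detection will disable cloud-init, so that is where a datasource_list entry or ConfigDrive launch configuration is needed before upgrading.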
This update improves security by ensuring that cloud-init only activates in trusted environments with clearly identified datasources, reducing exposure to potential MITM attacks.
References
[1] CVE: https://nvd.nist.gov/vuln/detail/CVE-2024-6174
[2] Launchpad bug #2069607, “Remove hard coded IP addresses” (cloud-init package, Ubuntu)
[3] Cloud-init doc workarounds for non-x86: https://cloudinit.readthedocs.io/en/latest/reference/breaking_changes.html#id2