Security Notification: cloud-init behavior change affecting non-x86 architectures. CVE-2024-6174

A recent update to cloud-init (version 25.1.4) introduces a change that impacts non-x86 architectures on AltStack, OpenStack, and legacy EC2 platforms. Administrators launching non-x86 instances on these platforms may need to review and adjust their configurations or cloud-specific images to ensure cloud-init remains enabled.

This change is part of a mitigation for CVE-2024-6174, which addresses a security vulnerability where generic cloud images with cloud-init enabled could inappropriately attempt to detect metadata services (IMDS) on untrusted local networks. This behavior created an opportunity for man-in-the-middle (MITM) attacks on instances not running on their intended platforms.

What’s Changed:

  • cloud-init now enforces strict datasource detection before the network is up.
  • If cloud-init cannot identify a valid datasource from system artifacts (such as DMI data) early in boot, it no longer falls back to probing known link-local IPs (e.g., for OpenStack or EC2 metadata) once the network is up.

Impact:

  • This primarily affects non-x86 virtual machines on OpenStack, since the necessary metadata (such as DMI data) may not be exposed to the VM, and such deployments typically do not use customized images that declare the OpenStack datasource.
  • Previously, cloud-init would remain permissively enabled even without a clearly identified datasource and would attempt late discovery via network probing. This is no longer the case.
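The following is an added illustration of the decision described under "What’s Changed" and "Impact": identify the platform from artifacts available before networking, and refuse to probe the link-local metadata address when nothing local vouches for a datasource. It is not cloud-init's own ds-identify code; the DMI marker strings, the meaning given to datasource_list, and all sample inputs are assumptions constructed for the example.

```python
"""Simplified model of cloud-init's new "identify the datasource before the
network is up" rule. Added illustration, not cloud-init's own ds-identify code;
the DMI marker strings and the meaning of the datasource_list setting are
assumptions based on common cloud conventions, and every input below is
constructed for the example."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The shared link-local metadata address the old behaviour would have probed
# even on an unidentified network; the new rule never reaches for it blindly.
LINK_LOCAL_IMDS = "169.254.169.254"

# Assumed DMI markers (illustrative, not an exhaustive list).
OPENSTACK_PRODUCT_NAMES = {"OpenStack Nova", "OpenStack Compute"}
OPENSTACK_ASSET_TAGS = {"OpenStackNova"}


@dataclass
class SystemArtifacts:
    """Identity signals readable from the guest without any network traffic."""
    dmi_product_name: str = ""
    dmi_chassis_asset_tag: str = ""
    dmi_product_serial: str = ""
    # Contents of datasource_list from the image's cloud-init configuration
    # (assumed layout); an image built for one platform declares that platform.
    datasource_list: List[str] = field(default_factory=list)


def identify_datasource(art: SystemArtifacts) -> Optional[str]:
    """Return a datasource name only when a local artifact vouches for it."""
    # An explicit single-entry datasource_list models the "customized image
    # declaring the datasource" case for guests that receive no DMI data.
    declared = [ds for ds in art.datasource_list if ds != "None"]
    if len(declared) == 1:
        return declared[0]
    if (art.dmi_product_name in OPENSTACK_PRODUCT_NAMES
            or art.dmi_chassis_asset_tag in OPENSTACK_ASSET_TAGS):
        return "OpenStack"
    # EC2 guests expose a DMI serial beginning with "ec2" (assumed marker).
    if art.dmi_product_serial.lower().startswith("ec2"):
        return "Ec2"
    return None


def strict_decision(art: SystemArtifacts) -> Dict[str, object]:
    """New behaviour: no datasource identified => stay disabled, never probe."""
    ds = identify_datasource(art)
    if ds is None:
        return {"datasource": None, "enabled": False, "metadata_endpoint": None}
    return {"datasource": ds, "enabled": True, "metadata_endpoint": LINK_LOCAL_IMDS}


def legacy_decision(art: SystemArtifacts) -> Dict[str, object]:
    """Old behaviour (for contrast): stay enabled and probe the link-local
    address after networking comes up even with no platform artifact, which
    is the MITM exposure the change removes."""
    ds = identify_datasource(art)
    return {"datasource": ds, "enabled": True, "metadata_endpoint": LINK_LOCAL_IMDS}


if __name__ == "__main__":
    # Constructed inputs: an x86 OpenStack guest, a non-x86 OpenStack guest
    # with no DMI but a declared datasource, and an image on an unknown network.
    for label, art in [
        ("x86 OpenStack", SystemArtifacts(dmi_product_name="OpenStack Nova")),
        ("non-x86 OpenStack, declared", SystemArtifacts(datasource_list=["OpenStack"])),
        ("unknown platform", SystemArtifacts()),
    ]:
        print(f"{label:30} strict={strict_decision(art)}  legacy={legacy_decision(art)}")
```

The third constructed case is the one the notice is about: with neither DMI data nor a declared datasource, the strict path leaves cloud-init disabled and never contacts 169.254.169.254, whereas the legacy path would have probed it on whatever network the instance happened to land on.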

Action Required:

This update improves security by ensuring that cloud-init activates only in trusted environments with clearly identified datasources, reducing exposure to potential MITM attacks. Administrators launching non-x86 instances on the affected platforms should review their configurations or cloud-specific images to ensure cloud-init remains enabled; the cloud-init breaking-changes documentation [3] describes the non-x86 workarounds.

References

[1] CVE-2024-6174: https://nvd.nist.gov/vuln/detail/CVE-2024-6174
[2] Launchpad bug #2069607, “Remove hard coded IP addresses” (cloud-init package, Ubuntu)
[3] cloud-init documentation, breaking changes (workarounds for non-x86): https://cloudinit.readthedocs.io/en/latest/reference/breaking_changes.html#id2