OpenLiteSpeed for WordPress on Azure Pre-Configured with Extra User

OpenLiteSpeed looks like a nice WordPress environment and I’ve been working on deploying the image found in the Azure marketplace. However I discovered that the image comes pre-configured with a user named Eric who has sudo privileges on the machine. This creates a back door for Eric to log in to any password-protected machine on Azure that runs OpenLiteSpeed.

Update This issue has been resolved—see the end of this post. If you are already using OpenLightSpeed for WordPress on Azure, use this post to check for the vulnerability and apply mitigations.

1. Create an openlitespeed-wordpress virtual machine on Azure:

OLS Azure 01

Set it up for password logon:

OLS Azure 02

Note that you can’t change the network configuration:

OLS Azure 03

Once it’s created, you can see that SSH port 22 is open to all:

OLS Azure 04.

2. Connect to the machine with WinSCP and Putty.

/etc/passwd is where I first noticed Eric, as user 1000:

OLS Azure 05.

/etc/shadow confirms he has a password:

OLS Azure 06.

/etc/sudoers.d/90-cloud-init-users shows that he doesn’t need a password for sudo:

OLS Azure 07.

Eric is in the sudo group. His password never expires:

OLS Azure 08.

He has no home directory:

OLS Azure 09.

3. Change Eric’s password (sudo passwd eric), then log on as Eric. It works fine. Do something requiring sudo, e.g. shutting down OpenLiteSpeed. That works too.

OLS Azure 10.

Check for Other Traces of Eric

1. While logged on as the main user (not Eric), search for files owned by Eric. There shouldn’t be any.

sudo find / -user eric

2. Search for active processes owned by eric (there shouldn’t be any):

ps aux|grep -i eric

Note that this will always show a line for the grep process itself.

Mitigations

1. When first setting up the virtual machine, choose SSH authentication. This will disable password logon.

2. Use the Azure firewall to restrict port 22 to only your IP address. (This is a good idea regardless to prevent brute force SSH attacks.)

3. Change Eric’s password.

sudo passwd eric

4. Lock the password and expire all logons

sudo usermod --lock --expiredate 1970-01-02 eric
sudo chage -l eric

5. Open the /etc/sudoers.d/90-cloud-init-users file and comment out Eric’s line.

6. You can probably delete user Eric, but I haven’t tried this yet.

sudo deluser eric

Conclusion

This appears to be an honest mistake, not a malicious action. Still, Eric’s credentials need to be removed and a new image published. Users who have created virtual machines from this image need to be notified to remove Eric’s privileges. Hopefully LiteSpeed Technologies has saved the email addresses that it collects as the machine is created so that they can make this notification.

Update I shared this post privately with OpenLiteSpeed on December 21, 2020. Within two hours, they started fixing the vulnerability. An updated openlitespeed-wordpress image, with the vulnerability removed, went live on Azure on December 22. The only remaining artifact is the user Eric listed in /etc/sudoers.d/90-cloud-init-users, but since Eric is no longer defined as a user in the system, this should have no effect.

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.

This site uses Akismet to reduce spam. Learn how your comment data is processed.