Login Sign Up

CVE-2012-6639

8.8 HIGH

📋 TL;DR

CVE-2012-6639 is a privilege escalation vulnerability in Cloud-init versions before 0.7.0 that allows local attackers to gain root privileges by submitting malicious requests to an untrusted EC2 metadata service. This affects cloud instances using vulnerable Cloud-init versions to retrieve EC2 instance data. The vulnerability requires access to the local system but can lead to complete system compromise.

💻 Affected Systems

Products:
  • Cloud-init
Versions: All versions before 0.7.0
Operating Systems: Linux distributions using Cloud-init for cloud instance initialization
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using Cloud-init with EC2 metadata service access. Cloud providers and distributions that package Cloud-init may have different default configurations.

📦 What is this software?

Cloud Init by Canonical

View all CVEs affecting Cloud Init →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Linux Enterprise Server by Suse

View all CVEs affecting Linux Enterprise Server →

Linux Enterprise Server by Suse

View all CVEs affecting Linux Enterprise Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover with root privileges, allowing attacker to install persistent backdoors, exfiltrate sensitive data, pivot to other systems, and destroy or encrypt data.

🟠

Likely Case

Local privilege escalation to root, enabling installation of malware, credential theft, and lateral movement within the cloud environment.

🟢

If Mitigated

Limited impact with proper network segmentation and metadata service restrictions, potentially only allowing local user privilege escalation without network access.

🌐 Internet-Facing: LOW - Exploitation requires local access to the vulnerable system, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Once an attacker gains any local access (even low-privilege), they can escalate to root and compromise the entire system.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the system. The vulnerability is well-documented and proof-of-concept code exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Cloud-init 0.7.0 and later

Vendor Advisory: https://access.redhat.com/security/cve/cve-2012-6639

Restart Required: No

Instructions:

1. Update Cloud-init to version 0.7.0 or later using your distribution's package manager. 2. For Red Hat/CentOS: 'yum update cloud-init'. 3. For Ubuntu/Debian: 'apt-get update && apt-get install cloud-init'. 4. Verify the update completed successfully.

🔧 Temporary Workarounds

Restrict metadata service access

linux

Configure iptables to block or restrict access to the EC2 metadata service (169.254.169.254) from local processes

iptables -A OUTPUT -d 169.254.169.254 -j DROP
iptables -A OUTPUT -d 169.254.169.254 -m owner --uid-owner root -j ACCEPT

Disable Cloud-init EC2 metadata

linux

Configure Cloud-init to not use EC2 metadata service by modifying configuration files

echo 'datasource_list: [ None ]' > /etc/cloud/cloud.cfg.d/99-disable-ec2.cfg

🧯 If You Can't Patch

  • Implement strict network controls to prevent access to EC2 metadata service (169.254.169.254)
  • Apply principle of least privilege and monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Cloud-init version: 'cloud-init --version' or 'dpkg -l | grep cloud-init' or 'rpm -q cloud-init'. If version is earlier than 0.7.0, system is vulnerable.

Check Version:

cloud-init --version 2>/dev/null || dpkg -l cloud-init 2>/dev/null || rpm -q cloud-init 2>/dev/null

Verify Fix Applied:

Verify Cloud-init version is 0.7.0 or later: 'cloud-init --version' should show 0.7.0+. Test that Cloud-init still functions for legitimate initialization tasks.

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation attempts in system logs
  • Failed or unusual Cloud-init metadata requests
  • Processes accessing EC2 metadata service with non-root privileges

Network Indicators:

  • Local processes making requests to 169.254.169.254
  • Unusual outbound connections from cloud instances to metadata service

SIEM Query:

source="*syslog*" AND ("privilege escalation" OR "setuid" OR "sudo") AND process="cloud-init"

📊 Metadata

CVE ID: CVE-2012-6639
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-269
Published: November 25, 2019
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2012-6639, you might also want to check these:

CVE-2023-48419 10.0

This vulnerability allows an attacker within Wi-Fi range of a Google Home device to spy on the victi...

Same vulnerability type (CWE-269)
CVE-2025-20282 10.0

This critical vulnerability in Cisco ISE and ISE-PIC allows unauthenticated remote attackers to uplo...

Same vulnerability type (CWE-269)
CVE-2022-24783 10.0

This critical vulnerability in Deno runtime allows malicious code to bypass all permission checks an...

Same vulnerability type (CWE-269)