azure

Security Notices

2018-08-31 Bitnami build key present in Microsoft Azure server instances

During recent testing, we found that Bitnami single VMs for Azure Marketplace built after 25 May 2018 and before 29 August 2018 included the Bitnami build SSH key in the .ssh/authorized_keys file.

The mistaken inclusion of this SSH key permitted remote access to parties who had possession of the private key. This private key was solely in possession of Bitnami and has been destroyed. Users who wish to take all possible security-related steps may however still wish to remove the entry from their .ssh/authorized_keys file.

If you are running a Bitnami server that you think could be affected, execute the following command at your server console to check if the server includes that key and remove it:

$ curl -s https://downloads.bitnami.com/files/download/patch-script/key-remover.sh | sudo bash

Here is the output from an example run, showing that the key was found and removed:

bitnami@testpasswd:~$ curl -s https://downloads.bitnami.com/files/download/patch-script/key-remover.sh | sudo bash
Bitnami public key found at /root/.ssh/authorized_keys
This is /root/.ssh/authorized_keys now:
Key removed. Backup left at /root/.ssh/authorized_keys.backup-x2HAI
Bitnami public key found at /home/bitnami/.ssh/authorized_keys
This is /home/bitnami/.ssh/authorized_keys now:
Key removed. Backup left at /home/bitnami/.ssh/authorized_keys.backup-FZCwc

Success!
The files below do not include the bitnami public key anymore:
/root/.ssh/authorized_keys
/home/bitnami/.ssh/authorized_keys
/home/user/.ssh/authorized_keys

If you prefer to remove the key manually, this is the key fingerprint:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxLUCv+f9uU8hNd5P0RKXVB3pRQ810NLbD05ufA0W1rcT7ob1v26AWiz/j/kPXf/kWyWOv5SVkBquinHUcVtdtb1S3/dXKh8ywk8Ah5wy2Iy63Dl9i+Mu4yCraqwE/GK6Uj1Q9HgfSMVpoPk561H1z4FBcHDp/fv3ABIXYduGkKMgA36NAhGb7Q0Us+VyoRzaCC+HLF3IZnIAlWG3dqRfeNW5sNAAtQP0BslhDy/MHPHwjaGiIodL4mTl0XnQtBNOb2clGioqwc0B6GSOhE5GwUfcmX5r21pt34lBVt02m2dkoHCCJW91a0l1puDAOBBpbU6d9ygwpCsM82dKjuQPdHgPPzWOxWMMJCCQxLrJRy0+NDeM+2ZvDkKDAgm9slpQkeamRNyDZSnWu2Du+NATvjSPrxO7wsrLfRNDOhbkcN8A4uZ+rCEgaeUuNkFAi9bRlvQa6/CBB26hJ9ZZmJf8TwE6bVAoLyQWzHlZIW9zflpaa4bmxkYfVsNQwEOdJILVoLuodivc8i+6qLLhramgxoNckvsZhfPUsxGLZZxgysMtwNHG2R451OYjO4p2/pzufCyGiTLhDTZSQUBgVc46rv+y4Ep245StSeeCR5EGIAEpClh0/u7wkpQYjntQ90JdrFO38SEw2aqm1UVRzvS//l1R6fz3F757GCHvie0YIqQ==

If you have any questions about this process, you can visit our github repository. We will be happy to help!

Last modification June 29, 2022