#139 Fake AMI instances
Closed: no action needed 3 years ago Opened 3 years ago by tibbs.

This message recently came to the security mailing list:
I don't really know who would deal with such a thing, but it seems like it would in the end be a trademark issue, which I guess puts it in the council's bailiwick.

For reference, here's the text of the message:

From: Bowe Strickland <bowe@redhat.com>
Subject: rogue "Fedora" ami's in aws frontier regions
To: security@lists.fedoraproject.org
Date: Fri, 8 Sep 2017 16:13:50 -0400
hey all...

not sure if this is the appropriate spot to share or not, but was the
closest I could find "security @ fedora"....

while working on a project, I searched for "Fedora" ami images in the
new-ish AWS region us-east-2 ("ohio"), and was pleasantly surprised to find
the easily discoverable and recognizable ami "Fedora release 26
(ami-f3a18096)" (as well as a "Fedora release 25".....)

upon booting, I was concerned to find an extra ssh authorized key in
~fedora/.ssh/authorized_keys, and soon realized this was not a sanctioned
Fedora release (as confirmed from https://alt.fedoraproject.org/cloud/).

While yes, this is my fault for not starting from a trusted reference to
find a reliable AMI, I found this a pretty easy pit to fall into.

Don't know if there's a remedy, other than getting real Fedora images into
the frontier AWS regions, but thought that I should share...
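
As an added example (not from the ticket or the reporter's mail), a small check for the indicator the report relies on: any key in ~fedora/.ssh/authorized_keys that is not the one you injected when launching the instance. The key blobs and the sample file are constructed.

```python
import base64
import hashlib
import shlex

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def parse_authorized_keys(text):
    """Yield (key_type, key_b64, comment) for each key line, skipping blank
    lines, '#' comments and a leading options field (command="...", no-pty)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # quoted option values may contain spaces
        while fields and not fields[0].startswith(KEY_TYPE_PREFIXES):
            fields.pop(0)  # drop the options field; it never names a key type
        if len(fields) < 2:
            continue  # malformed line, nothing to compare
        yield fields[0], fields[1], " ".join(fields[2:])

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def unexpected_keys(authorized_keys_text, expected_key_blobs):
    """Keys present on the instance whose blob is not one the operator
    injected. Comments are ignored on purpose: a rogue key can carry any
    label it likes, so only the key material counts."""
    expected = {fingerprint(b) for b in expected_key_blobs}
    return [
        (fingerprint(blob), key_type, comment)
        for key_type, blob, comment in parse_authorized_keys(authorized_keys_text)
        if fingerprint(blob) not in expected
    ]

# Constructed sample: the operator's own key plus one baked into the image.
OPERATOR_KEY = base64.b64encode(b"constructed operator key blob").decode()
ROGUE_KEY = base64.b64encode(b"constructed key nobody asked for").decode()
SAMPLE_AUTHORIZED_KEYS = f"""# constructed ~fedora/.ssh/authorized_keys
ssh-ed25519 {OPERATOR_KEY} operator@laptop

command="/bin/false",no-pty ssh-rsa {ROGUE_KEY} baked into image
"""

if __name__ == "__main__":
    for fp, key_type, comment in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, [OPERATOR_KEY]):
        print(f"unexpected {key_type} key {fp} ({comment!r})")
```

On a real instance, feed it the file contents and the public key of the EC2 key pair you launched with; anything it lists was in the image before you got there.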


Thanks. I'll see what we can do. From the comment "[Copied ami-73e7fa0a from us-west-2] Fedora release 26" one would assume good faith — but that extra ssh key sure is suspicious.

Did anything come out of this issue that can be reported here? Topic came up while I was talking to @sayanchowdhury earlier today.

Nothing to report here yet from a non-technical side. From a technical side, we could help prevent this in the future by making sure we have official images in place in new regions as soon as possible.

Metadata Update from @mattdm:
- Issue close_status updated to: no action needed
- Issue status updated to: Closed (was: Open)

3 years ago

Getting real Fedora images into the regions is really the best solution. We can also do some messaging around making sure to look on getfedora.org to get the correct AMIs (once they exist). We are also working on getting Fedora in the Marketplace. Closing this in favor of the tech-driven ticket.
