Hello,
We are writing to inform you that the "ubuntu" user account on your vultr.com subscription may have a non-randomized password. Providing secure, reliable, and performant products and services is our highest priority. As part of this goal, Vultr proactively identifies potential areas of risk to our customers and works to diligently resolve any findings with minimal service impact. While we are not aware of any disclosed issues related to this finding, we have taken precautionary measures to mitigate any potential risk as well as providing this notification.
Here's what you need to know:
- All Virtual and Bare Metal servers deployed with Ubuntu from the Vultr OS Library between October 11, 2022 and September 12, 2023 may have a non-randomized password for the "ubuntu" user which could present elevated risk for unauthorized access.
- New instances from Vultr's OS library deployed after September 12, 2023 are not affected.
- New instances deployed from snapshots created from affected instances may also be affected, however we have implemented automation with cloud-init to disable the password for the ubuntu user at the time of deploy.
Here's what we have done:
- Vultr has taken steps to ensure newly deployed instances are not affected.
- Vultr has scanned for affected instances and disabled the password for the "ubuntu" user wherever it was found to be accessible.
- Vultr has not accessed any data on your instance.
Here's what you need to do:
- Even though we have taken precautionary measures, it is recommended that you delete the ubuntu user, or change or disable its password.
- Take the opportunity to review some security best practices here: https://www.vultr.com/docs/security-best-practices-for-vultr-instances
If you have any questions or concerns, please contact our account management team by opening a support ticket here:
https://my.vultr.com/support/create ticket/
Thank you for your business,
---The Vultr.com Team---
> Providing secure, reliable, and performant products and services is our highest priority.
This kind of language always grates on me. It's obviously not true, at what point is this lying or fraud?
For 11 months, they were generating these insecure passwords. Clearly this isn't a priority, can you imaging them forgetting to bill their users for 11 months? I can't.
6 comments
[ 2.7 ms ] story [ 144 ms ] threadThis kind of language always grates on me. It's obviously not true, at what point is this lying or fraud?
For 11 months, they were generating these insecure passwords. Clearly this isn't a priority, can you imaging them forgetting to bill their users for 11 months? I can't.
They often skirt this by not knowing the best practices in the first place.