You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The dev image recipe in meta-dstack/recipes-core/images/dstack-rootfs-dev.inc includes Yocto's debug-tweaks feature, which sets an empty root password and enables SSH root access, creating a remotely exploitable backdoor if the dev image is deployed to production.
Root Cause
The dev image recipe includes Yocto's debug-tweaks feature:
The production image correctly uses nologin and does not include debug-tweaks.
Attack Path
Operator accidentally deploys the dev image instead of the production image in a production environment
The CVM has an empty root password and SSH access
Any process or network-connected attacker can log in as root without credentials
Root access gives full control over all CVM contents including keyshares and private keys
Note: TDX attestation would detect the wrong image (different measurements), but only if the verifier checks the image measurements
Impact
If the dev image is accidentally deployed in production, the CVM has no authentication boundary. The risk is operational — it depends on deploying the correct image. The production image is correctly hardened.
Suggested Fix
Add a build-time safety check that prevents dev images from being pushed to production registries
Add a runtime check in the node that verifies it's running on a production image (e.g., check for the absence of debug-tweaks indicators)
Consider using distinct image names that make accidental substitution obvious (e.g., dstack-rootfs-dev-DO-NOT-DEPLOY-TO-PROD)
Note: This issue was created automatically. The vulnerability report was generated by Claude and has not been verified by a human.
The dev image recipe in
meta-dstack/recipes-core/images/dstack-rootfs-dev.incincludes Yocto'sdebug-tweaksfeature, which sets an empty root password and enables SSH root access, creating a remotely exploitable backdoor if the dev image is deployed to production.Root Cause
The dev image recipe includes Yocto's
debug-tweaksfeature:debug-tweaksenables:The production image correctly uses
nologinand does not includedebug-tweaks.Attack Path
Impact
If the dev image is accidentally deployed in production, the CVM has no authentication boundary. The risk is operational — it depends on deploying the correct image. The production image is correctly hardened.
Suggested Fix
debug-tweaksindicators)dstack-rootfs-dev-DO-NOT-DEPLOY-TO-PROD)