Predictable Password Generation in Cloud-Init by Canonical
CVE-2020-8631

5.5MEDIUM

Key Information:

Vendor
Canonical
Status
Cloud-init
Vendor
CVE Published:
5 February 2020

Summary

The vulnerability arises from the use of the Mersenne Twister algorithm in Cloud-Init versions up to 19.4, which produces predictable random numbers for password generation. This flaw allows attackers to forecast the generated passwords, thereby compromising security. The function rand_str in the cloudinit/util.py file employs random.choice, leading to insufficient randomness and exposing systems to potential unauthorized access. Users are highly encouraged to update to secure versions to mitigate this risk.

References

https://github.com/canonical/cloud-init/pull/204
x_refsource_MISC
https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug...
x_refsource_MISC
https://lists.debian.org/debian-lts-announce/2020/02/msg0...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.