cloud-init: Use of random.choice when generating random password

A flaw was found in cloud-init, where it uses the random.choice function when creating sensitive random strings used for generating a random password in new instances. Depending on the instance configuration, a remote or local attacker may abuse this vulnerability to guess the password of the...

CentOS 7 : cloud-init (RHSA-2020:3898)

The remote CentOS Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:3898 advisory. - The default cloud-init configuration, in cloud-init 0.6.2 and newer, included sshdeletekeys: 0, disabling cloud-init's deletion of ssh host keys. In...

cloud-init: Use of random.choice when generating random password

A flaw was found in cloud-init, where it uses the random.choice function when creating sensitive random strings used for generating a random password in new instances. Depending on the instance configuration, a remote or local attacker may abuse this vulnerability to guess the password of the...

cloud-init through 19.4 relies on Mersenne Twister for a random password which makes it easier for attackers to predict passwords because rand_str in cloudinit/util.py calls the random.choice function.

...

Cloud-init Security Feature Issue Vulnerability

Cloud-init is a virtual machine initialization tool for cloud platforms. A security vulnerability exists in cloud-init version 19.4 and earlier, which stems from a call to the 'random.choice' function by randstr in the cloudinit/util.py file. An attacker could use this vulnerability to guess a...

DEBIAN-CVE-2020-8631

cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because randstr in cloudinit/util.py calls the random.choice function...