ubuntucve | Ubuntu.com | UB:CVE-2020-8631
History: Feb 05, 2020 - 12:00 a.m.

CVE-2020-8631

Tags: cve-2020-8631, cloud-init, predictable password, mersenne twister, security

CVSS2: 2.1
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 5.5
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS: 0
Percentile: 14.1%

cloud-init through 19.4 relies on Mersenne Twister for a random password,
which makes it easier for attackers to predict passwords, because rand_str
in cloudinit/util.py calls the random.choice function.
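
The weakness described above, as an added example (not cloud-init's own code): a `random.choice`-based generator next to one backed by the OS CSPRNG, with a check showing that the first is fully determined by generator state. The function names, default length and alphabet are assumptions made for illustration.

```python
import random
import string

# Alphabet assumed for illustration; the page does not list the one cloud-init uses.
ALPHABET = string.ascii_letters + string.digits


def rand_str_weak(strlen=32, select_from=ALPHABET):
    """Pattern the advisory describes: module-level random.choice.

    random.choice draws from the process-wide Mersenne Twister, a
    deterministic generator whose internal state fully decides the output.
    """
    return "".join(random.choice(select_from) for _ in range(strlen))


def rand_str_strong(strlen=32, select_from=ALPHABET):
    """Hardened form: random.SystemRandom reads from the OS CSPRNG
    (os.urandom), keeps no reproducible state and ignores seed()."""
    rng = random.SystemRandom()
    return "".join(rng.choice(select_from) for _ in range(strlen))


def repeats_after_reseed(generator, seed=1234):
    """Return True if `generator` yields the same string twice when the
    global Mersenne Twister is put in the same state before each call."""
    saved = random.getstate()  # do not disturb the caller's RNG state
    try:
        random.seed(seed)
        first = generator()
        random.seed(seed)
        second = generator()
    finally:
        random.setstate(saved)
    return first == second


if __name__ == "__main__":
    print("random.choice repeats:      ", repeats_after_reseed(rand_str_weak))
    print("SystemRandom.choice repeats:", repeats_after_reseed(rand_str_strong))
```

The same check works as a unit test or review gate for any helper that generates passwords or tokens.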

Notes

Author: ccdm94
Note: This CVE has been patched in Xenial ESM. The patch, however, has been added only to the updates pocket, and since cloud-init is only used during first boot (pulling from updates), there should not be a need to add this to the security pocket.

OS | Version | Architecture | Package | Version | Filename
ubuntu | 18.04 | noarch | cloud-init | < 20.2-45-g5f7825e2-0ubuntu1~18.04.1 | UNKNOWN
