cc_set_passwords is too short for RANDOM

Bug #1860795 reported by Dimitri John Ledkov
Affects Status Importance Assigned to Milestone
cloud-init
Fix Released
Undecided
Unassigned
cloud-init (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

from string import ascii_letters, digits

from cloudinit import util

# Letters and digits minus the easily confused characters l, o, L, O, I, 0, 1.
PW_SET = (''.join([x for x in ascii_letters + digits
                   if x not in 'loLOI01']))

def rand_user_password(pwlen=9):
    return util.rand_str(pwlen, select_from=PW_SET)

len(PW_SET) is 55

log_2(55^20) is 115 bits, which is above 112, which matches the default OpenSSL SECLEVEL=2 setting in focal fossa.

Please bump PW_SET to 20, as 9 is crackable (provides 52 bits of security which is less than SECLEVEL 0).

As I'm about to use this on a mainframe, which by definition can crack that.

Ryan Harper (raharper) wrote :

Dan Watkins (oddbloke) wrote :
Changed in cloud-init (Ubuntu):
status: New → Fix Committed
Seth Arnold (seth-arnold) wrote :

Hello, did I read this correctly, that Python's random.choice() is used for these passwords?

"However, being completely deterministic, it is not suitable for all purposes, and is completely unsuitable for cryptographic purposes."

https://docs.python.org/2/library/random.html

"However, being completely deterministic, it is not suitable for all purposes, and is completely unsuitable for cryptographic purposes."

https://docs.python.org/3.8/library/random.html

Thanks

Changed in cloud-init (Ubuntu):
status: Fix Committed → In Progress
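As an added illustration, not code from cloud-init or from this report, of the entropy arithmetic in the description and the CSPRNG concern raised in Seth's comment: the same 55-symbol alphabet, the entropy check against the 112-bit SECLEVEL=2 floor quoted in the report, and generation with `secrets.choice` in place of `random.choice`. The function names and the `meets_seclevel` helper are my own.

```python
import math
import secrets
from string import ascii_letters, digits

# Same alphabet as cc_set_passwords: letters and digits minus the visually
# ambiguous characters l, o, L, O, I, 0, 1 (55 symbols in total).
PW_SET = "".join(c for c in ascii_letters + digits if c not in "loLOI01")


def password_entropy_bits(pwlen, alphabet=PW_SET):
    """Bits of entropy of a uniformly random string of pwlen symbols."""
    return pwlen * math.log2(len(alphabet))


def meets_seclevel(pwlen, min_bits=112, alphabet=PW_SET):
    """True when a pwlen-character password has at least min_bits of entropy.

    112 bits is the OpenSSL SECLEVEL=2 floor cited in the bug report; the
    default here is an assumption taken from that figure.
    """
    return password_entropy_bits(pwlen, alphabet) >= min_bits


def rand_user_password(pwlen=20, alphabet=PW_SET):
    """Generate a password from the OS CSPRNG via the secrets module.

    Unlike random.choice, secrets.choice draws from os.urandom, so the output
    cannot be reproduced from a recoverable generator state.
    """
    return "".join(secrets.choice(alphabet) for _ in range(pwlen))


if __name__ == "__main__":
    for n in (9, 20):
        print(n, round(password_entropy_bits(n), 1), meets_seclevel(n))
    print(rand_user_password())
```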
Ryan Harper (raharper) wrote :

Please open a separate bug for the random.choice() discussion.

Changed in cloud-init (Ubuntu):
status: In Progress → Fix Committed
Seth Arnold (seth-arnold) wrote :

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cloud-init - 19.4-56-g06e324ff-0ubuntu1

---------------
cloud-init (19.4-56-g06e324ff-0ubuntu1) focal; urgency=medium

  * New upstream snapshot.
    - sysconfig: distro-specific config rendering for BOOTPROTO option (#162)
      [Robert Schweikert] (LP: #1800854)
    - cloudinit: replace "from six import X" imports (except in util.py) (#183)
    - run-container: use 'test -n' instead of 'test ! -z' (#202)
      [Paride Legovini]
    - net/cmdline: correctly handle static ip= config (#201)
      [Dimitri John Ledkov] (LP: #1861412)
    - Replace mock library with unittest.mock (#186)
    - HACKING.rst: update CLA link (#199)
    - Scaleway: Fix DatasourceScaleway to avoid backtrace (#128)
      [Louis Bouchard]
    - cloudinit/cmd/devel/net_convert.py: add missing space (#191)
    - tools/run-container: drop support for python2 (#192) [Paride Legovini]
    - Print ssh key fingerprints using sha256 hash (#188) (LP: #1860789)
    - Make the RPM build use Python 3 (#190) [Paride Legovini]
    - cc_set_password: increase random pwlength from 9 to 20 (#189)
      (LP: #1860795) (CVE-2020-8632)
    - .travis.yml: use correct Python version for xenial tests (#185)
    - cloudinit: remove ImportError handling for mock imports (#182)
    - Do not use fallocate in swap file creation on xfs. (#70)
      [Eduardo Otubo] (LP: #1781781)
    - .readthedocs.yaml: install cloud-init when building docs (#181)
      (LP: #1860450)
    - Introduce an RTD config file, and pin the Sphinx version to the RTD
      default (#180)
    - Drop most of the remaining use of six (#179)
    - Start removing dependency on six (#178)
    - Add Rootbox & HyperOne to list of cloud in README (#176) [Adam Dobrawy]
    - docs: add proposed SRU testing procedure (#167)
    - util: rename get_architecture to get_dpkg_architecture (#173)
    - Ensure util.get_architecture() runs only once (#172)

 -- Chad Smith <email address hidden> Wed, 05 Feb 2020 13:56:17 -0700

Changed in cloud-init (Ubuntu):
status: Fix Committed → Fix Released
Dan Watkins (oddbloke) wrote : Fixed in cloud-init version 20.1.

This bug is believed to be fixed in cloud-init in version 20.1. If this is still a problem for you, please make a comment and set the state back to New.

Thank you.

Changed in cloud-init:
status: New → Fix Released
James Falcon (falcojr) wrote :
This report contains Public Security information  
Everyone can see this security related information.
