cc_set_passwords is too short for RANDOM

Bug #1860795 reported by Dimitri John Ledkov on 2020-01-24
Affects: cloud-init (Importance: Undecided, Assigned to: Unassigned)
Affects: cloud-init (Ubuntu) (Importance: Undecided, Assigned to: Unassigned)

Bug Description

from string import ascii_letters, digits
from cloudinit import util

# Letters and digits minus the visually ambiguous characters l, o, L, O, I, 0, 1
PW_SET = ''.join([x for x in ascii_letters + digits
                  if x not in 'loLOI01'])

def rand_user_password(pwlen=9):
    # pwlen characters drawn from PW_SET
    return util.rand_str(pwlen, select_from=PW_SET)

len(PW_SET) is 55

log_2(55^20) is 115 bits, which is above 112, which matches the default OpenSSL SECLEVEL=2 setting in focal fossa.

Please bump PW_SET to 20, as 9 is crackable (provides 52 bits of security which is less than SECLEVEL 0).

As I'm about to use this on a mainframe, which by definition can crack that.
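The entropy arithmetic from the report, as an added worked example that is not cloud-init's code: it rebuilds PW_SET from the definition above, computes bits of entropy for pwlen 9 and 20, derives the minimum length that reaches the 112-bit SECLEVEL=2 figure quoted in the report, and generates the password with Python's `secrets` module (a swapped-in CSPRNG, assumed here as the safe choice) rather than the deterministic `random` module.

```python
import math
import secrets
from string import ascii_letters, digits

# Same alphabet as cloud-init's PW_SET: letters and digits minus 'loLOI01' (55 characters).
PW_SET = ''.join(c for c in ascii_letters + digits if c not in 'loLOI01')

# Security target taken from the report: OpenSSL SECLEVEL=2 corresponds to 112 bits.
TARGET_BITS = 112


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def min_length_for(alphabet_size: int, target_bits: int = TARGET_BITS) -> int:
    """Smallest length whose entropy reaches target_bits for the given alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def rand_user_password(pwlen: int = 20, select_from: str = PW_SET) -> str:
    """Draw each character from the OS CSPRNG via secrets.choice (not random.choice)."""
    return ''.join(secrets.choice(select_from) for _ in range(pwlen))


def meets_target(password: str, alphabet_size: int = len(PW_SET)) -> bool:
    """True if a password of this length over this alphabet reaches TARGET_BITS."""
    return entropy_bits(alphabet_size, len(password)) >= TARGET_BITS


if __name__ == '__main__':
    for n in (9, 20):
        print(f"pwlen={n}: {entropy_bits(len(PW_SET), n):.1f} bits")
    print("minimum pwlen for 112 bits:", min_length_for(len(PW_SET)))
    pw = rand_user_password()
    print(pw, "meets target:", meets_target(pw))
```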


Dan Watkins (oddbloke) wrote :
Changed in cloud-init (Ubuntu):
status: New → Fix Committed
Seth Arnold (seth-arnold) wrote :

Hello, did I read this correctly, that Python's random.choice() is used for these passwords?

"However, being completely deterministic, it is not suitable for all purposes, and is completely unsuitable for cryptographic purposes."

https://docs.python.org/2/library/random.html

"However, being completely deterministic, it is not suitable for all purposes, and is completely unsuitable for cryptographic purposes."

https://docs.python.org/3.8/library/random.html

Thanks

Changed in cloud-init (Ubuntu):
status: Fix Committed → In Progress
Ryan Harper (raharper) wrote :

Please open a separate bug for the random.choice() discussion.

Changed in cloud-init (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cloud-init - 19.4-56-g06e324ff-0ubuntu1

---------------
cloud-init (19.4-56-g06e324ff-0ubuntu1) focal; urgency=medium

  * New upstream snapshot.
    - sysconfig: distro-specific config rendering for BOOTPROTO option (#162)
      [Robert Schweikert] (LP: #1800854)
    - cloudinit: replace "from six import X" imports (except in util.py) (#183)
    - run-container: use 'test -n' instead of 'test ! -z' (#202)
      [Paride Legovini]
    - net/cmdline: correctly handle static ip= config (#201)
      [Dimitri John Ledkov] (LP: #1861412)
    - Replace mock library with unittest.mock (#186)
    - HACKING.rst: update CLA link (#199)
    - Scaleway: Fix DatasourceScaleway to avoid backtrace (#128)
      [Louis Bouchard]
    - cloudinit/cmd/devel/net_convert.py: add missing space (#191)
    - tools/run-container: drop support for python2 (#192) [Paride Legovini]
    - Print ssh key fingerprints using sha256 hash (#188) (LP: #1860789)
    - Make the RPM build use Python 3 (#190) [Paride Legovini]
    - cc_set_password: increase random pwlength from 9 to 20 (#189)
      (LP: #1860795) (CVE-2020-8632)
    - .travis.yml: use correct Python version for xenial tests (#185)
    - cloudinit: remove ImportError handling for mock imports (#182)
    - Do not use fallocate in swap file creation on xfs. (#70)
      [Eduardo Otubo] (LP: #1781781)
    - .readthedocs.yaml: install cloud-init when building docs (#181)
      (LP: #1860450)
    - Introduce an RTD config file, and pin the Sphinx version to the RTD
      default (#180)
    - Drop most of the remaining use of six (#179)
    - Start removing dependency on six (#178)
    - Add Rootbox & HyperOne to list of cloud in README (#176) [Adam Dobrawy]
    - docs: add proposed SRU testing procedure (#167)
    - util: rename get_architecture to get_dpkg_architecture (#173)
    - Ensure util.get_architecture() runs only once (#172)

 -- Chad Smith <email address hidden> Wed, 05 Feb 2020 13:56:17 -0700

Changed in cloud-init (Ubuntu):
status: Fix Committed → Fix Released

This bug is believed to be fixed in cloud-init in version 20.1. If this is still a problem for you, please make a comment and set the state back to New.

Thank you.

Changed in cloud-init:
status: New → Fix Released
This report contains Public Security information.