CVE-2020-28924

Upstream information

CVE-2020-28924 at MITRE

Description

An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was started. This limits the entropy of the passwords enormously. These passwords are often used in the crypt backend for encryption of data. It would be possible to make a dictionary of all possible passwords with about 38 million entries per password length. This would make decryption of secret material possible with a plausible amount of effort. NOTE: all passwords generated by affected versions should be changed.

---

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having moderate severity.

CVSS v2 Scores

	National Vulnerability Database
Base Score	5
Vector	AV:N/AC:L/Au:N/C:P/I:N/A:N
Access Vector	Network
Access Complexity	Low
Authentication	None
Confidentiality Impact	Partial
Integrity Impact	None
Availability Impact	None

CVSS v3 Scores

	National Vulnerability Database
Base Score	7.5
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Access Vector	Network
Access Complexity	Low
Privileges Required	None
User Interaction	None
Scope	Unchanged
Confidentiality Impact	High
Integrity Impact	None
Availability Impact	None
CVSSv3 Version	3.1

SUSE Bugzilla entry: 1179005 [NEW]

SUSE Security Advisories:

• openSUSE-SU-2020:2008-1, published Tue Feb 16 10:57:21 2021
• openSUSE-SU-2020:2035-1, published Tue Feb 16 10:57:21 2021
• openSUSE-SU-2020:2168-1, published Tue Feb 16 10:57:22 2021
• openSUSE-SU-2021:0272-1, published Tue Feb 16 10:27:50 2021

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Package Hub for SUSE Linux Enterprise 15 SP1	rclone >= 1.53.3-bp151.4.6.1 rclone-bash-completion >= 1.53.3-bp151.4.6.1 rclone-zsh-completion >= 1.53.3-bp151.4.6.1	Patchnames: openSUSE-2020-2168
SUSE Package Hub for SUSE Linux Enterprise 15 SP2	rclone >= 1.53.3-bp152.2.4.11 rclone-bash-completion >= 1.53.3-bp152.2.4.11 rclone-zsh-completion >= 1.53.3-bp152.2.4.11	Patchnames: openSUSE-2021-272
openSUSE Leap 15.1	rclone >= 1.53.3-lp151.3.6.1 rclone-bash-completion >= 1.53.3-lp151.3.6.1 rclone-debuginfo >= 1.53.3-lp151.3.6.1 rclone-zsh-completion >= 1.53.3-lp151.3.6.1	Patchnames: openSUSE-2020-2035
openSUSE Leap 15.2	rclone >= 1.53.3-lp152.2.3.1 rclone-bash-completion >= 1.53.3-lp152.2.3.1 rclone-debuginfo >= 1.53.3-lp152.2.3.1 rclone-zsh-completion >= 1.53.3-lp152.2.3.1	Patchnames: openSUSE-2020-2008