CVE-2020-8632

cloud-init: Too short random password length in cc_set_password in config/cc_set_passwords.py

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords.

En cloud-init versiones hasta 19.4, la función rand_user_password en el archivo cloudinit/config/cc_set_passwords.py posee un pequeño valor predeterminado de pwlen, lo que facilita a atacantes adivinar las contraseñas.

A flaw was found in cloud-init, where it uses short passwords when generating a random password in new instances. Depending on the instance configuration, a remote or local attacker may abuse this vulnerability to guess the password of the victim user.

An update that solves two vulnerabilities and has one errata is now available. This update for cloud-init fixes the following security issues. Replaced the theoretically predictable deterministic RNG with the system RNG. Increased the default random password length from 9 to 20. This update was imported from the SUSE:SLE-15-SP1:Update update project.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-02-05 CVE Reserved
2020-02-05 CVE Published
2024-08-04 CVE Updated
2025-08-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-330: Use of Insufficiently Random Values
CWE-521: Weak Password Requirements

CAPEC

References (6)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2020/02/msg00021.html	Mailing List

URL	Date	SRC

URL	Date	SRC
https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795	2022-01-01
https://github.com/canonical/cloud-init/pull/189	2022-01-01

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00042.html	2022-01-01
https://access.redhat.com/security/cve/CVE-2020-8632	2020-11-04
https://bugzilla.redhat.com/show_bug.cgi?id=1798728	2020-11-04

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Canonical Search vendor "Canonical"		Cloud-init Search vendor "Canonical" for product "Cloud-init"				<= 19.4 Search vendor "Canonical" for product "Cloud-init" and version " <= 19.4"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.1 Search vendor "Opensuse" for product "Leap" and version "15.1"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected