PT-2020-17057 · Rclone+2 · Rclone+2

Victor9

Published

2020-11-19

Updated

2024-08-21

CVE-2020-28924

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Rclone versions prior to 1.53.3

Description An issue was discovered due to the use of a weak random number generator, resulting in the password generator producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was started, limiting the entropy of the passwords enormously. These passwords are often used in the crypt backend for encryption of data, making it possible to create a dictionary of all possible passwords with about 38 million entries per password length, which would make decryption of secret material possible with a plausible amount of effort.

Recommendations For versions prior to 1.53.3, all passwords generated by affected versions should be changed.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-331CWE-338

Related Identifiers

ALT-PU-2021-1108

ALT-PU-2021-1154

ALT-PU-2022-1255

BIT-RCLONE-2020-28924

CVE-2020-28924

GHSA-RMW5-XPG9-JR29

GO-2022-0878

OPENSUSE-SU-2020:2008-1

OPENSUSE-SU-2020:2035-1

OPENSUSE-SU-2020:2168-1

OPENSUSE-SU-2020_2008-1

OPENSUSE-SU-2020_2035-1

OPENSUSE-SU-2021:0272-1

OPENSUSE-SU-2024:11297-1

Affected Products

Alt Linux

Rclone

Suse

PT-2020-17057 · Rclone+2 · Rclone+2

CVE-2020-28924

Weakness Enumeration

Related Identifiers

Affected Products

References · 29