[ASA-202011-17] rclone: private key recovery

Morten Linderud foxboron at archlinux.org
Sun Nov 29 17:18:16 UTC 2020


Arch Linux Security Advisory ASA-202011-17
==========================================

Severity: Medium
Date    : 2020-11-19
CVE-ID  : CVE-2020-28924
Package : rclone
Type    : private key recovery
Remote  : No
Link    : https://security.archlinux.org/AVG-1286

Summary
=======

The package rclone before version 1.53.3-1 is vulnerable to private key
recovery.

Resolution
==========

Upgrade to 1.53.3-1.

# pacman -Syu "rclone>=1.53.3-1"

The problem has been fixed upstream in version 1.53.3.

Workaround
==========

All passwords generated by rclone 1.49.0 up to 1.53.2 should be
changed. Rclone provides a password checker to find weak passwords as a
separate tool called passwordcheck.

Description
===========

An issue was discovered in rclone 1.49.0 up to 1.53.2. Due to the use
of a weak random number generator, the password generator has been
producing weak passwords with much less entropy than advertised. The
suggested passwords depend deterministically on the time rclone was
started. This limits the entropy of the passwords enormously. These
passwords are often used in the crypt backend for encryption of data.
It would be possible to make a dictionary of all possible passwords
with about 38 million entries per password length. This would make
decryption of secret material possible with a plausible amount of
effort. NOTE: all passwords generated by affected versions should be
changed.

Impact
======

A malicious user might be able to brute force the weak passwords.

References
==========

https://github.com/rclone/rclone/issues/4783
https://github.com/rclone/rclone/commit/7985df37681f54d013816a4641da4f9b085b3aa5
https://github.com/rclone/passwordcheck
https://security.archlinux.org/CVE-2020-28924
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20201129/7d5296bf/attachment.sig>


More information about the arch-security mailing list