CVE-2020-28924 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2020-28924 Interim 1 18 2025-02-17T01:09:04Z current 2021-05-30T14:45:27Z 2025-02-17T01:09:04Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2020-28924 An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was started. This limits the entropy of the passwords enormously. These passwords are often used in the crypt backend for encryption of data. It would be possible to make a dictionary of all possible passwords with about 38 million entries per password length. This would make decryption of secret material possible with a plausible amount of effort. NOTE: all passwords generated by affected versions should be changed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7U7GCOTNOZAWDNUDHOMKJOI2QXP3XJCD/ E-Mail link for openSUSE-SU-2020:2008-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/K5BB2LYUVWQ74YU27Y4CMHJW42OBMUOT/ E-Mail link for openSUSE-SU-2020:2035-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/C25WPUFSVQJ345UHYEYH27MOG434LTTQ/ E-Mail link for openSUSE-SU-2020:2168-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NBEJTWZN65MCKRTHPA4DPTTL2ZUEQGTM/ E-Mail link for openSUSE-SU-2021:0272-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Package Hub 15 SP1 SUSE Package Hub 15 SP2 openSUSE Leap 15.1 openSUSE Leap 15.2 openSUSE Tumbleweed rclone-1.53.3-bp151.4.6.1 rclone-1.53.3-bp152.2.4.11 rclone-1.53.3-lp151.3.6.1 rclone-1.53.3-lp152.2.3.1 rclone-1.55.1-1.3 rclone-bash-completion-1.53.3-bp151.4.6.1 rclone-bash-completion-1.53.3-bp152.2.4.11 rclone-bash-completion-1.53.3-lp151.3.6.1 rclone-bash-completion-1.53.3-lp152.2.3.1 rclone-bash-completion-1.55.1-1.3 rclone-zsh-completion-1.53.3-bp151.4.6.1 rclone-zsh-completion-1.53.3-bp152.2.4.11 rclone-zsh-completion-1.53.3-lp151.3.6.1 rclone-zsh-completion-1.53.3-lp152.2.3.1 rclone-zsh-completion-1.55.1-1.3 rclone-1.53.3-bp151.4.6.1 as a component of SUSE Package Hub 15 SP1 rclone-bash-completion-1.53.3-bp151.4.6.1 as a component of SUSE Package Hub 15 SP1 rclone-zsh-completion-1.53.3-bp151.4.6.1 as a component of SUSE Package Hub 15 SP1 rclone-1.53.3-bp152.2.4.11 as a component of SUSE Package Hub 15 SP2 rclone-bash-completion-1.53.3-bp152.2.4.11 as a component of SUSE Package Hub 15 SP2 rclone-zsh-completion-1.53.3-bp152.2.4.11 as a component of SUSE Package Hub 15 SP2 rclone-1.53.3-lp151.3.6.1 as a component of openSUSE Leap 15.1 rclone-bash-completion-1.53.3-lp151.3.6.1 as a component of openSUSE Leap 15.1 rclone-zsh-completion-1.53.3-lp151.3.6.1 as a component of openSUSE Leap 15.1 rclone-1.53.3-lp152.2.3.1 as a component of openSUSE Leap 15.2 rclone-bash-completion-1.53.3-lp152.2.3.1 as a component of openSUSE Leap 15.2 rclone-zsh-completion-1.53.3-lp152.2.3.1 as a component of openSUSE Leap 15.2 rclone-1.55.1-1.3 as a component of openSUSE Tumbleweed rclone-bash-completion-1.55.1-1.3 as a component of openSUSE Tumbleweed rclone-zsh-completion-1.55.1-1.3 as a component of openSUSE Tumbleweed An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was started. This limits the entropy of the passwords enormously. These passwords are often used in the crypt backend for encryption of data. It would be possible to make a dictionary of all possible passwords with about 38 million entries per password length. This would make decryption of secret material possible with a plausible amount of effort. NOTE: all passwords generated by affected versions should be changed. CVE-2020-28924 SUSE Package Hub 15 SP1:rclone-1.53.3-bp151.4.6.1 SUSE Package Hub 15 SP1:rclone-bash-completion-1.53.3-bp151.4.6.1 SUSE Package Hub 15 SP1:rclone-zsh-completion-1.53.3-bp151.4.6.1 SUSE Package Hub 15 SP2:rclone-1.53.3-bp152.2.4.11 SUSE Package Hub 15 SP2:rclone-bash-completion-1.53.3-bp152.2.4.11 SUSE Package Hub 15 SP2:rclone-zsh-completion-1.53.3-bp152.2.4.11 openSUSE Leap 15.1:rclone-1.53.3-lp151.3.6.1 openSUSE Leap 15.1:rclone-bash-completion-1.53.3-lp151.3.6.1 openSUSE Leap 15.1:rclone-zsh-completion-1.53.3-lp151.3.6.1 openSUSE Leap 15.2:rclone-1.53.3-lp152.2.3.1 openSUSE Leap 15.2:rclone-bash-completion-1.53.3-lp152.2.3.1 openSUSE Leap 15.2:rclone-zsh-completion-1.53.3-lp152.2.3.1 openSUSE Tumbleweed:rclone-1.55.1-1.3 openSUSE Tumbleweed:rclone-bash-completion-1.55.1-1.3 openSUSE Tumbleweed:rclone-zsh-completion-1.55.1-1.3 important 5 AV:N/AC:L/Au:N/C:P/I:N/A:N 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N