Rclone generating weak passwords - CVE-2020-28924 #4783

Closed
ncw opened this issue Nov 18, 2020 · 0 comments
Labels
bug security Potential security problem
ncw commented Nov 18, 2020

Rclone security problem - CVE-2020-28924

Passwords users have generated using rclone config with rclone 1.49.0 (released 2019-08-26) to 1.53.2 (released 2020-10-26) may be insecure and should be changed.

Passwords you made up yourself are fine.

This is known as CVE-2020-28924.

There is a tool to check your rclone config file for bad passwords here: https://github.com/rclone/passwordcheck

See this forum post for additional help.

Analysis

In commit 193c30d, random.Password was factored out into lib/random.

At that time the import of crypto/rand was accidentally replaced with math/rand, so the pseudo-random number generator was used instead of the cryptographically strong random number generator.

Consequences:

Callers of random.Password will have been getting a password based on math/rand instead of crypto/rand which reduces the amount of entropy for passwords enormously.

  • fs/config/config.go: Password = random.Password
    • This is choosing random passwords for users in the config generator.
    • This is a problem since users may have used these to configure services.
  • fs/rc/rcserver/rcserver.go: randomPass, err := random.Password(128)
    • This is choosing short lived random passwords for use with the web ui.
    • This is a minor problem since these passwords are regenerated every time rclone is run.
  • lib/oauthutil/oauthutil.go: state, err := random.Password(128)
    • This is making some random state for the oauth callback.
    • This isn't a security problem.

Rclone initialised the seed of math/rand in cmd/cmd.go Main with

```go
rand.Seed(time.Now().Unix())
```

However, time.Now().Unix() only changes once per second, so the seed, and with it every password generated from it, only changes once per second. The passwords generated by random.Password are therefore completely deterministic given the unix second at which rclone was started.

Consequences

Passwords users have generated using rclone config may be insecure. In particular if you generated a password like this with rclone config using rclone 1.49.0 (released 2019-08-26) to 1.53.2 (released 2020-10-26) then it will have been selected from a limited set of passwords and should be changed.

```
Password or pass phrase for encryption.
y) Yes type in my own password
g) Generate random password
y/g> g
Password strength in bits.
64 is just about memorable
128 is secure
1024 is the maximum
Bits> 64 <- the number you typed in here is irrelevant
Your password is: XXXXXXXXXXXX
```

Versions

This commit is present in these released versions of rclone:

  • v1.49.0
  • v1.49.1
  • v1.49.2
  • v1.49.3
  • v1.49.4
  • v1.49.5
  • v1.50.0
  • v1.50.1
  • v1.50.2
  • v1.51.0
  • v1.52.0
  • v1.52.1
  • v1.52.2
  • v1.52.3
  • v1.53.0
  • v1.53.1
  • v1.53.2

The faulty commit went into rclone at "Sun Aug 25 08:39:31 2019 +0100"

Fixes

This issue is easily fixed with commit 7985df3

All uses of math/rand in the code were reviewed.

An additional commit f090549 was added to seed the random number generator with a crypto strong seed as a mitigation for any future problems.
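The following Go program is an added illustration (not rclone's own code) of the defect described in the Analysis section and of the two fixes above: a math/rand generator seeded with a single int64 such as the start-up second, the corrected generator drawing from crypto/rand, and a crypto-strong seed for math/rand as defence in depth. It assumes, for illustration only, that the generated bytes are base64-url encoded without padding; the helper names are hypothetical.

```go
package main

import (
	cryptorand "crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	mathrand "math/rand"
	"time"
)

// seededPassword follows the pattern of the defect: a math/rand generator
// seeded with one int64, asked for bits/8 bytes. Assumption (not rclone's
// exact code): the bytes are base64-url encoded, so 64 bits gives 11 chars.
// Seeded with time.Now().Unix(), every call in the same second is identical.
func seededPassword(bits int, seed int64) string {
	r := mathrand.New(mathrand.NewSource(seed))
	buf := make([]byte, bits/8)
	r.Read(buf) // deterministic: the output is a pure function of the seed
	return base64.RawURLEncoding.EncodeToString(buf)
}

// strongPassword is the corrected form: bytes come from crypto/rand,
// so there is no seed an observer could narrow down.
func strongPassword(bits int) (string, error) {
	buf := make([]byte, bits/8)
	if _, err := cryptorand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// cryptoSeed is the mitigation in miniature: seed math/rand once from
// crypto/rand so an accidental math/rand use is at least not keyed to the
// start-up second. It does not make math/rand suitable for secrets.
func cryptoSeed() (int64, error) {
	var b [8]byte
	if _, err := cryptorand.Read(b[:]); err != nil {
		return 0, err
	}
	return int64(binary.LittleEndian.Uint64(b[:])), nil
}

func main() {
	now := time.Now().Unix()
	fmt.Println("vulnerable (same second):", seededPassword(64, now), seededPassword(64, now))
	p, _ := strongPassword(64)
	s, _ := cryptoSeed()
	fmt.Println("fixed:", p, "mitigated seed:", seededPassword(64, s))
}
```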

Demonstration of the problem

Save this bash script to a file called test-rclone-password.sh and make it executable.

```bash
#!/bin/bash
# Test the password generation of rclone
# optionally pass in a path to an rclone binary to use as the first argument

RCLONE="${1:-rclone}"

# Check the binary exists
if ! ${RCLONE} version >/dev/null 2>&1; then
    echo "Rclone binary ${RCLONE} not found"
    exit 1
fi

(
    # Run through the rclone config generator creating a crypt backend
    echo "n" ; sleep .1
    echo "test" ; sleep .1
    echo "crypt" ; sleep .1
    echo "/tmp" ; sleep .1
    echo "1" ; sleep .1
    echo "1" ; sleep .1
    echo "g" ; sleep .1
    echo "64" ; sleep .1
) | ${RCLONE} config 2>&1 | grep "Your password is"
```

If you run multiple copies of it at once that start within the same second, you can see that with a vulnerable rclone all the passwords generated are the same. Pass it an rclone binary to test (or leave the argument off to use the one on the PATH).

```
$ ./test-rclone-password.sh rclone-v1.53.2 & ./test-rclone-password.sh rclone-v1.53.2 & ./test-rclone-password.sh rclone-v1.53.2
Bits> Your password is: eULvaUR9A_A
Bits> Your password is: eULvaUR9A_A
Bits> Your password is: eULvaUR9A_A
```

However, if this is done with a non-vulnerable rclone you will get different passwords every time:

```
$ ./test-rclone-password.sh rclone-v1.48 & ./test-rclone-password.sh rclone-v1.48 & ./test-rclone-password.sh rclone-v1.48
Bits> Your password is: G5dODi-AoFo
Bits> Your password is: KL1QRvaRSXw
Bits> Your password is: b6sVRzjfdkg
```

Authors

This problem was reported to the rclone team by Victor9. Nick Craig-Wood (@ncw) fixed the problem, wrote up the advisory and made the checking tool. Klaus Post (@klauspost) reviewed the post and patches.

@ncw ncw added bug security Potential security problem labels Nov 18, 2020
@ncw ncw added this to the v1.54 milestone Nov 18, 2020
ncw added a commit to rclone/passwordcheck that referenced this issue Nov 19, 2020
ncw added a commit that referenced this issue Nov 19, 2020
This shouldn't be read as encouraging the use of math/rand instead of
crypto/rand in security sensitive contexts, rather as a safer default
if that does happen by accident.
@ncw ncw closed this as completed in 7985df3 Nov 19, 2020
@ncw ncw changed the title Place holder issue for security issue Rclone generating weak passwords - CVE-2020-28924 Nov 19, 2020
bob-beck pushed a commit to openbsd/ports that referenced this issue Nov 20, 2020
Security fix release to fix CVE-2020-28924. Some passwords generated
with rclone config may be insecure. In particular if you used the 'g'
generate option with rclone v1.49 - v1.53.2 then your password will be
based on the second it was generated in. This means that there is a fixed
number of passwords in that period. Additional information:
rclone/rclone#4783.
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Nov 20, 2020
pkgsrc changes:
 - Move all GO_MODULE_FILES to a separate go-modules.mk file (a bit easier to
   maintain), NFCI.

Changes:
1.53.3
------
* Bug Fixes
    * random: Fix incorrect use of math/rand instead of crypto/rand
      CVE-2020-28924 (Nick Craig-Wood)
        * Passwords you have generated with `rclone config` may be insecure
        * See [issue #4783](rclone/rclone#4783) for
	  more details and a checking tool
    * random: Seed math/rand in one place with crypto strong seed (Nick Craig-Wood)
* VFS
    * Fix vfs/refresh calls with fs= parameter (Nick Craig-Wood)
* Sharefile
    * Fix backend due to API swapping integers for strings (Nick Craig-Wood)

1.53.2
------
* Bug Fixes
    * accounting
        * Fix incorrect speed and transferTime in core/stats (Nick Craig-Wood)
        * Stabilize display order of transfers on Windows (Nick Craig-Wood)
    * operations
        * Fix use of --suffix without --backup-dir (Nick Craig-Wood)
        * Fix spurious "--checksum is in use but the source and destination
	  have no hashes in common" (Nick Craig-Wood)
    * build
        * Work around GitHub actions brew problem (Nick Craig-Wood)
        * Stop using set-env and set-path in the GitHub actions
	  (Nick Craig-Wood)
* Mount
    * mount2: Fix the swapped UID / GID values (Russell Cattelan)
* VFS
    * Detect and recover from a file being removed externally from the cache
      (Nick Craig-Wood)
    * Fix a deadlock vulnerability in downloaders.Close (Leo Luan)
    * Fix a race condition in retryFailedResets (Leo Luan)
    * Fix missed concurrency control between some item operations and reset
      (Leo Luan)
    * Add exponential backoff during ENOSPC retries (Leo Luan)
    * Add a missed update of used cache space (Leo Luan)
    * Fix --no-modtime to not attempt to set modtimes (as documented)
      (Nick Craig-Wood)
* Local
    * Fix sizes and syncing with --links option on Windows (Nick Craig-Wood)
* Chunker
    * Disable ListR to fix missing files on GDrive (workaround) (Ivan Andreev)
    * Fix upload over crypt (Ivan Andreev)
* Fichier
    * Increase maximum file size from 100GB to 300GB (gyutw)
* Jottacloud
    * Remove clientSecret from config when upgrading to token based
      authentication (buengese)
    * Avoid double url escaping of device/mountpoint (albertony)
    * Remove DirMove workaround as it's not required anymore - also (buengese)
* Mailru
    * Fix uploads after recent changes on server (Ivan Andreev)
    * Fix range requests after june changes on server (Ivan Andreev)
    * Fix invalid timestamp on corrupted files (fixes) (Ivan Andreev)
* Onedrive
    * Fix disk usage for sharepoint (Nick Craig-Wood)
* S3
    * Add missing regions for AWS (Anagh Kumar Baranwal)
* Seafile
    * Fix accessing libraries > 2GB on 32 bit systems (Muffin King)
* SFTP
    * Always convert the checksum to lower case (buengese)
* Union
    * Create root directories if none exist (Nick Craig-Wood)
G-Leopard added a commit to G-Leopard/rclone-passwordcheck that referenced this issue Jan 28, 2023