
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-8631 affects cloud-init through version 19.4, where the software relies on Mersenne Twister for generating random passwords. The vulnerability was discovered in January 2020 and publicly disclosed in February 2020. The issue specifically relates to the rand_str function in cloudinit/util.py which calls the random.choice function, making it easier for attackers to predict generated passwords (Debian LTS, Launchpad Bug).
The vulnerability stems from the use of Python's random.choice() function, which utilizes the Mersenne Twister algorithm. This algorithm is deterministic and explicitly documented as being unsuitable for cryptographic purposes. The implementation in cloud-init's util.py relied on this predictable random number generator for password generation, compromising the security of generated passwords (GitHub PR).
The use of a predictable random number generator makes it easier for attackers to predict passwords generated by the system, potentially leading to unauthorized access to cloud instances. This is particularly concerning in environments where password authentication is enabled by default or commonly used (Red Hat Advisory).
The issue was fixed by replacing the Mersenne Twister-based random number generator with Python's SystemRandom, which uses the operating system's cryptographically secure random number generator. The fix was implemented in cloud-init version 20.1 (GitHub PR, Launchpad Bug).
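The following Python is an added example written for this entry, not code taken from cloud-init. It models the two shapes of `rand_str` that the advisory describes (the pre-20.1 version drawing from the module-level Mersenne Twister, and the fixed version drawing from `random.SystemRandom`), shows why the first is a problem (identical seed or state gives an identical "password", while `SystemRandom` ignores seeding and reads the OS CSPRNG), and adds a small AST check a reviewer can run over source to flag module-level `random.*` calls in password-generating code. The function bodies and the two embedded snippets are approximations of the described before/after code, constructed for this example; the lint only follows the `random.<func>` spelling and does not resolve aliases such as `from random import choice`.

```python
"""Added example: insecure vs. fixed rand_str shape, and a lint for random.* calls."""
import ast
import random
import string

DEFAULT_ALPHABET = string.ascii_letters + string.digits


def _rand_str_with(rng, strlen, select_from):
    """Shared body: pick strlen characters from the alphabet using rng.choice."""
    alphabet = select_from or DEFAULT_ALPHABET
    return "".join(rng.choice(alphabet) for _ in range(strlen))


def rand_str_insecure(strlen=32, select_from=None):
    """Pre-fix shape (approximation): module-level random.choice, i.e. one
    process-wide Mersenne Twister whose output is a pure function of its state."""
    return _rand_str_with(random, strlen, select_from)


# Fixed shape: SystemRandom delegates to os.urandom(), the OS CSPRNG.
_SYS_RNG = random.SystemRandom()


def rand_str_secure(strlen=32, select_from=None):
    """Post-fix shape (approximation): every choice comes from the OS CSPRNG."""
    return _rand_str_with(_SYS_RNG, strlen, select_from)


def mt_is_reproducible(seed, strlen=32):
    """Two Mersenne Twister instances started from the same seed produce the
    same 'password': this is the determinism the advisory refers to."""
    first = _rand_str_with(random.Random(seed), strlen, None)
    second = _rand_str_with(random.Random(seed), strlen, None)
    return first == second


def system_random_ignores_seed(seed=0, strlen=32):
    """SystemRandom.seed() is a documented no-op, so 'seeding' two instances
    identically still yields independent output (collision odds ~ 62**-32)."""
    a, b = random.SystemRandom(seed), random.SystemRandom(seed)
    return _rand_str_with(a, strlen, None) != _rand_str_with(b, strlen, None)


# Module-level random functions that must not feed secrets.
WEAK_RANDOM_FUNCS = {"choice", "choices", "randint", "random", "randrange",
                     "sample", "shuffle", "getrandbits", "uniform"}


def find_weak_rng_calls(source):
    """Return 'line N: random.<func>' for each call of a module-level random.*
    function in the given source. Calls through an instance (e.g. _RAND.choice
    where _RAND = random.SystemRandom()) are not flagged."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "random"
                and func.attr in WEAK_RANDOM_FUNCS):
            hits.append(f"line {node.lineno}: random.{func.attr}")
    return hits


# Constructed snippets modelled on the described before/after code (not util.py).
VULNERABLE_SNIPPET = '''
import random, string

def rand_str(strlen=32, select_from=None):
    if not select_from:
        select_from = string.ascii_letters + string.digits
    return "".join([random.choice(select_from) for _x in range(0, strlen)])
'''

FIXED_SNIPPET = '''
import random, string

_RAND = random.SystemRandom()

def rand_str(strlen=32, select_from=None):
    if not select_from:
        select_from = string.ascii_letters + string.digits
    return "".join([_RAND.choice(select_from) for _x in range(0, strlen)])
'''

if __name__ == "__main__":
    print("MT reproducible from seed:", mt_is_reproducible(1234))
    print("SystemRandom ignores seed:", system_random_ignores_seed())
    print("vulnerable snippet:", find_weak_rng_calls(VULNERABLE_SNIPPET))
    print("fixed snippet:", find_weak_rng_calls(FIXED_SNIPPET))
    print("secure password:", rand_str_secure())
```

The lint is deliberately narrow so it stays precise: it flags only the `random.<func>(...)` spelling the vulnerable code used, which keeps the fixed `_RAND.choice(...)` form clean without needing type inference. Extending it to resolve `from random import choice` is a matter of tracking `ast.ImportFrom` names in the same walk.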
Source: This report was generated using AI