CVE-2009-4144: WPA enterprise network not verified when certificate is removed

Debian Bug report logs - #560067
CVE-2009-4144: WPA enterprise network not verified when certificate is removed

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Witold Baryluk <baryluk@smp.if.uj.edu.pl>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: network-manager-gnome: nm connects to WPA2 with certificate after .pem file was delated

Date: Tue, 08 Dec 2009 18:40:44 +0100

Package: network-manager-gnome
Version: 0.7.2-1
Severity: grave
Tags: security
Justification: user security hole

After configuring WPA2 Enterprise with TTLS and PAP, I was using certificate file
in /etc/ssl/certs/...pem  (autmatically imported from /usr/local/share/ca-certificates/domain/certrootfile.crt)


Then i reinstalled system, and not configured certifcates yet.

After reinstalling system and restoring /home directory, i logged into my new stystem.

After giving password to gnome-keyring NM automatically connected to my network,
even cosindering that it is not existing:

** (nm-applet:6704): WARNING **: utils_fill_connection_certs: couldn't read CA certificate: 4 Nie można otworzyć pliku "/etc/ssl/certs/SMP_Root_Certification_Authority_2.pem": Nie ma takiego pliku ani katalogu



But NM thinks that it should connect anyway. And it connects,
possibly leaking my credentials, login and password, and all
keys, and of course network traffic.


It should be considerebly more verbose error provided to an user (using nm-applet),
and NM should abort connecting.



-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.31-1-686-bigmem (SMP w/1 CPU core)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to pl_PL.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages network-manager-gnome depends on:
ii  dbus-x11                      1.2.16-2   simple interprocess messaging syst
ii  gconf2                        2.28.0-1   GNOME configuration database syste
ii  gnome-icon-theme              2.28.0-1   GNOME Desktop icon theme
ii  libc6                         2.10.2-2   GNU C Library: Shared libraries
ii  libdbus-1-3                   1.2.16-2   simple interprocess messaging syst
ii  libdbus-glib-1-2              0.82-2     simple interprocess messaging syst
ii  libgconf2-4                   2.28.0-1   GNOME configuration database syste
ii  libglade2-0                   1:2.6.4-1  library to load .glade files at ru
ii  libglib2.0-0                  2.22.3-1   The GLib library of C routines
ii  libgnome-keyring0             2.28.1-2   GNOME keyring services library
ii  libgtk2.0-0                   2.18.4-1   The GTK+ graphical user interface 
ii  libnm-glib-vpn0               0.7.2-2    network management framework (GLib
ii  libnm-glib0                   0.7.2-2    network management framework (GLib
ii  libnm-util1                   0.7.2-2    network management framework (shar
ii  libnotify1 [libnotify1-gtk2.1 0.4.5-1    sends desktop notifications to a n
ii  libpango1.0-0                 1.26.1-1   Layout and rendering of internatio
ii  libpolkit-gnome0              0.9.2-2    PolicyKit-gnome library
ii  libpolkit2                    0.9-4      library for accessing PolicyKit
ii  network-manager               0.7.2-2    network management framework daemo
ii  policykit-gnome               0.9.2-2    GNOME dialogs for PolicyKit

Versions of packages network-manager-gnome recommends:
ii  libpam-gnome-keyring [libpam- 2.28.1-2   PAM module to unlock the GNOME key
ii  notification-daemon           0.4.0-2    a daemon that displays passive pop

Versions of packages network-manager-gnome suggests:
ii  network-manager-openvpn-gnome 0.7.2-1    network management framework (Open
ii  network-manager-pptp-gnome    0.7.2-1    network management framework (PPTP
ii  network-manager-vpnc-gnome    0.7.2-1    network management framework (VPNC

-- no debconf information

Message #10 received at 560067@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>

To: Witold Baryluk <baryluk@smp.if.uj.edu.pl>, 560067@bugs.debian.org

Cc: control@bugs.debian.org

Subject: Re: [Pkg-utopia-maintainers] Bug#560067: network-manager-gnome: nm connects to WPA2 with certificate after .pem file was delated

Date: Wed, 09 Dec 2009 20:14:26 +0100

[Message part 1 (text/plain, inline)]

severity 560067 important
thanks

Witold Baryluk wrote:
> Package: network-manager-gnome
> Version: 0.7.2-1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> After configuring WPA2 Enterprise with TTLS and PAP, I was using certificate file
> in /etc/ssl/certs/...pem  (autmatically imported from /usr/local/share/ca-certificates/domain/certrootfile.crt)
> 
> 
> Then i reinstalled system, and not configured certifcates yet.
> 
> After reinstalling system and restoring /home directory, i logged into my new stystem.
> 
> After giving password to gnome-keyring NM automatically connected to my network,
> even cosindering that it is not existing:
> 
> ** (nm-applet:6704): WARNING **: utils_fill_connection_certs: couldn't read CA certificate: 4 Nie można otworzyć pliku "/etc/ssl/certs/SMP_Root_Certification_Authority_2.pem": Nie ma takiego pliku ani katalogu
> 
> 
> 
> But NM thinks that it should connect anyway. And it connects,
> possibly leaking my credentials, login and password, and all
> keys, and of course network traffic.
> 
> 
> It should be considerebly more verbose error provided to an user (using nm-applet),
> and NM should abort connecting.

I agree it is a security issue, but imho not such a severe one that severity
grave is justified, especially as it only happens under very particular
circumstances (thus downgrading to important).

This bug is supposedly fixed in the upcoming 0.8 release. If you want to try, I
have preliminary packages at [1] and I would be interested if this packages
behave better.

Cheers,
Michael

[1] http://debs.michaelbiebl.de/network-manager/

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Message #17 received at 560067@bugs.debian.org (full text, mbox, reply):

From: "Witold Baryluk" <baryluk@smp.if.uj.edu.pl>

To: Michael Biebl <biebl@debian.org>

Cc: 560067@bugs.debian.org

Subject: Re: [Pkg-utopia-maintainers] Bug#560067: network-manager-gnome: nm connects to WPA2 with certificate after .pem file was delated

Date: Wed, 9 Dec 2009 21:11:32 +0100

[Message part 1 (text/plain, inline)]

On 12-09 20:14, Michael Biebl wrote:
> 
> I agree it is a security issue, but imho not such a severe one that severity
> grave is justified, especially as it only happens under very particular
> circumstances (thus downgrading to important).

Ok, it is anyway quite rare. And need to be trigered by deleting certificate file,
so it is quite unprobable to be a malicious vector attack.


> 
> This bug is supposedly fixed in the upcoming 0.8 release. If you want to try, I
> have preliminary packages at [1] and I would be interested if this packages
> behave better.

I would be happy to check this.

> [1] http://debs.michaelbiebl.de/network-manager/

I added this repositoy to sources.list.

On upgrade (or  apt-get  install network-manager-gnome network-manager),
apt-get (and aptitude) want to remove policykit. for no apparent reason.
I checked briefly and I have *pol*kit* in versions 0.9-4 or 0.95-1 or greater,
and your network-manager packages depends on libpolkit* (>= 0.7)
and recommends policykit. I don't know why aptitude wants to remove
it.

Even forcing instalation of policykit doesn't resolve problem:

sredniczarny:/home/baryluk# LC_ALL=C aptitude -d -V install network-manager-gnome network-manager policykit 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Reading extended state information... Done
Initializing package states... Done       
Reading task descriptions... Done  
The following NEW packages will be installed:
  libnm-glib-vpn1{a} [0.7.997-1]  libnm-glib2{a} [0.7.997-1]  
The following packages will be REMOVED:
  libpolkit-dbus2{u} [0.9-4]  libpolkit-gnome0{u} [0.9.2-2]  libpolkit-grant2{u} [0.9-4]  libpolkit2{u} [0.9-4]  policykit{u} [0.9-4]  policykit-gnome{u} [0.9.2-2]  
The following packages will be upgraded:
  libnm-util1 [0.7.2-2 -> 0.7.997-1]  network-manager [0.7.2-2 -> 0.7.997-1]  network-manager-gnome [0.7.2-1 -> 0.7.997-1]  
3 packages upgraded, 2 newly installed, 6 to remove and 118 not upgraded.
Need to get 0B/2598kB of archives. After unpacking 274kB will be freed.
Do you want to continue? [Y/n/?] 
...

It still wants to remove policykit. It is nonsensical.

Mayby it is something broken in unstable, i will wait few days.

Regards.

-- 
Witold Baryluk
JID: witold.baryluk // jabster.pl

[signature.asc (application/pgp-signature, inline)]

Message #22 received at 560067@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <giuseppe@iuculano.it>

To: 560067@bugs.debian.org

Subject: CVE-2009-4144: WPA enterprise network not verified when certificate is removed

Date: Sat, 02 Jan 2010 15:47:58 +0100

[Message part 1 (text/plain, inline)]

Hi,

this issue got a CVE id:

CVE-2009-4144[0]:
| NetworkManager (NM) 0.7.2 does not ensure that the configured
| Certification Authority (CA) certificate file for a (1) WPA Enterprise
| or (2) 802.1x network remains present upon a connection attempt, which
| might allow remote attackers to obtain sensitive information or cause
| a denial of service (connectivity disruption) by spoofing the identity
| of a wireless network.

Unfortunately the vulnerability described above is not important enough
to get it fixed via regular security update in Debian stable and oldstable. It
does not warrant a DSA.

However it would be nice if this could get fixed via a regular point update[1].
Please contact the release team for this.


If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4144
    http://security-tracker.debian.org/tracker/CVE-2009-4144
[1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

[signature.asc (application/pgp-signature, attachment)]

Message #29 received at 560067-close@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>

To: 560067-close@bugs.debian.org

Subject: Bug#560067: fixed in network-manager-applet 0.7.2-2

Date: Sat, 23 Jan 2010 03:21:53 +0000

Source: network-manager-applet
Source-Version: 0.7.2-2

We believe that the bug you reported is fixed in the latest version of
network-manager-applet, which is due to be installed in the Debian FTP archive:

network-manager-applet_0.7.2-2.diff.gz
  to main/n/network-manager-applet/network-manager-applet_0.7.2-2.diff.gz
network-manager-applet_0.7.2-2.dsc
  to main/n/network-manager-applet/network-manager-applet_0.7.2-2.dsc
network-manager-gnome_0.7.2-2_i386.deb
  to main/n/network-manager-applet/network-manager-gnome_0.7.2-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 560067@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated network-manager-applet package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 22 Jan 2010 23:33:06 +0100
Source: network-manager-applet
Binary: network-manager-gnome
Architecture: source i386
Version: 0.7.2-2
Distribution: unstable
Urgency: low
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description: 
 network-manager-gnome - network management framework (GNOME frontend)
Closes: 560067 563371
Changes: 
 network-manager-applet (0.7.2-2) unstable; urgency=low
 .
   * debian/control
     - Bump Build-Depends on libdbus-glib-1-dev to (>= 0.74).
     - Bump Build-Depends on libgtk2.0-dev to (>= 2.14).
   * debian/patches/02-CVE-2009-4145_fix_leakage_of_secrets_on_system_bus.patch
     - Fix potential leakage of secrets onto the system bus. (Closes: #563371)
       Patch backported from upstream Git.
       Fixes: CVE-2009-4145
   * debian/patches/03-CVE-2009-4144_fix_ca_cert_handling_after_cert_file_deletion.patch
     - Fix possible connections to spoofed WPA Enterprise networks when
       certification file is deleted. (Closes: #560067)
       Patch backported from upstream Git.
       Fixes: CVE-2009-4144
Checksums-Sha1: 
 15becbfe6aead279afc52538459a694761df360d 1759 network-manager-applet_0.7.2-2.dsc
 cf76986a4d1711f141719efd7d02a9741591fbac 14785 network-manager-applet_0.7.2-2.diff.gz
 2dc386a749baf58b92507ca090b18d42d7e93b0d 917806 network-manager-gnome_0.7.2-2_i386.deb
Checksums-Sha256: 
 5b941473679ea6728e94e37d9a3f857577fbb2c6a0aeeaa6efc346bf32230e0d 1759 network-manager-applet_0.7.2-2.dsc
 3823228b3428f1f0441fc73248e452d42cdf90e609647a4c0b2c259dfae84504 14785 network-manager-applet_0.7.2-2.diff.gz
 d18f6e81ac89cc18f7d58965b83504f1a54f1e8dcd3c4a1ffafcbb356f890659 917806 network-manager-gnome_0.7.2-2_i386.deb
Files: 
 67c8fb551ed5d0b176e23b87e6b19b5e 1759 gnome optional network-manager-applet_0.7.2-2.dsc
 b6be6cf6066090e988f2bbf137265a75 14785 gnome optional network-manager-applet_0.7.2-2.diff.gz
 5562f0367cae62ec89f8d0c2a01e17b2 917806 gnome optional network-manager-gnome_0.7.2-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktaVe4ACgkQh7PER70FhVSxrgCdGC8g/1a4zUEKbsMldTFve3pA
HoIAn3dZU6me/MqwORVMN8H/MCqcV9pu
=mz+I
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.