Debian Bug report logs - #560067
CVE-2009-4144: WPA enterprise network not verified when certificate is removed
Reported by: Witold Baryluk <baryluk@smp.if.uj.edu.pl>
Date: Tue, 8 Dec 2009 17:42:05 UTC
Severity: important
Tags: security
Found in version network-manager-applet/0.7.2-1
Fixed in version network-manager-applet/0.7.2-2
Done: Michael Biebl <biebl@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, baryluk@smp.if.uj.edu.pl, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>: Bug#560067; Package network-manager-gnome. (Tue, 08 Dec 2009 17:42:08 GMT)
Acknowledgement sent to Witold Baryluk <baryluk@smp.if.uj.edu.pl>: New Bug report received and forwarded. Copy sent to baryluk@smp.if.uj.edu.pl, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Tue, 08 Dec 2009 17:42:08 GMT)
Message #5 received at submit@bugs.debian.org:
Package: network-manager-gnome
Version: 0.7.2-1
Severity: grave
Tags: security
Justification: user security hole
After configuring WPA2 Enterprise with TTLS and PAP, I was using a certificate file
in /etc/ssl/certs/...pem (automatically imported from /usr/local/share/ca-certificates/domain/certrootfile.crt)
Then I reinstalled the system, and have not configured certificates yet.
After reinstalling the system and restoring the /home directory, I logged into my new system.
After giving the password to gnome-keyring, NM automatically connected to my network,
even considering that it does not exist:
** (nm-applet:6704): WARNING **: utils_fill_connection_certs: couldn't read CA certificate: 4 Nie można otworzyć pliku "/etc/ssl/certs/SMP_Root_Certification_Authority_2.pem": Nie ma takiego pliku ani katalogu
But NM thinks that it should connect anyway. And it connects,
possibly leaking my credentials, login and password, and all
keys, and of course network traffic.
A considerably more verbose error should be provided to the user (using nm-applet),
and NM should abort connecting.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.31-1-686-bigmem (SMP w/1 CPU core)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to pl_PL.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages network-manager-gnome depends on:
ii dbus-x11 1.2.16-2 simple interprocess messaging syst
ii gconf2 2.28.0-1 GNOME configuration database syste
ii gnome-icon-theme 2.28.0-1 GNOME Desktop icon theme
ii libc6 2.10.2-2 GNU C Library: Shared libraries
ii libdbus-1-3 1.2.16-2 simple interprocess messaging syst
ii libdbus-glib-1-2 0.82-2 simple interprocess messaging syst
ii libgconf2-4 2.28.0-1 GNOME configuration database syste
ii libglade2-0 1:2.6.4-1 library to load .glade files at ru
ii libglib2.0-0 2.22.3-1 The GLib library of C routines
ii libgnome-keyring0 2.28.1-2 GNOME keyring services library
ii libgtk2.0-0 2.18.4-1 The GTK+ graphical user interface
ii libnm-glib-vpn0 0.7.2-2 network management framework (GLib
ii libnm-glib0 0.7.2-2 network management framework (GLib
ii libnm-util1 0.7.2-2 network management framework (shar
ii libnotify1 [libnotify1-gtk2.1 0.4.5-1 sends desktop notifications to a n
ii libpango1.0-0 1.26.1-1 Layout and rendering of internatio
ii libpolkit-gnome0 0.9.2-2 PolicyKit-gnome library
ii libpolkit2 0.9-4 library for accessing PolicyKit
ii network-manager 0.7.2-2 network management framework daemo
ii policykit-gnome 0.9.2-2 GNOME dialogs for PolicyKit
Versions of packages network-manager-gnome recommends:
ii libpam-gnome-keyring [libpam- 2.28.1-2 PAM module to unlock the GNOME key
ii notification-daemon 0.4.0-2 a daemon that displays passive pop
Versions of packages network-manager-gnome suggests:
ii network-manager-openvpn-gnome 0.7.2-1 network management framework (Open
ii network-manager-pptp-gnome 0.7.2-1 network management framework (PPTP
ii network-manager-vpnc-gnome 0.7.2-1 network management framework (VPNC
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>: Bug#560067; Package network-manager-gnome. (Wed, 09 Dec 2009 19:15:05 GMT)
Acknowledgement sent to Michael Biebl <biebl@debian.org>: Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Wed, 09 Dec 2009 19:15:05 GMT)
Message #10 received at 560067@bugs.debian.org:
severity 560067 important
thanks
Witold Baryluk wrote:
> Package: network-manager-gnome
> Version: 0.7.2-1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> After configuring WPA2 Enterprise with TTLS and PAP, I was using a certificate file
> in /etc/ssl/certs/...pem (automatically imported from /usr/local/share/ca-certificates/domain/certrootfile.crt)
>
> Then I reinstalled the system, and have not configured certificates yet.
>
> After reinstalling the system and restoring the /home directory, I logged into my new system.
>
> After giving the password to gnome-keyring, NM automatically connected to my network,
> even considering that it does not exist:
>
> ** (nm-applet:6704): WARNING **: utils_fill_connection_certs: couldn't read CA certificate: 4 Nie można otworzyć pliku "/etc/ssl/certs/SMP_Root_Certification_Authority_2.pem": Nie ma takiego pliku ani katalogu
>
> But NM thinks that it should connect anyway. And it connects,
> possibly leaking my credentials, login and password, and all
> keys, and of course network traffic.
>
> A considerably more verbose error should be provided to the user (using nm-applet),
> and NM should abort connecting.
I agree it is a security issue, but imho not such a severe one that severity
grave is justified, especially as it only happens under very particular
circumstances (thus downgrading to important).
This bug is supposedly fixed in the upcoming 0.8 release. If you want to try, I
have preliminary packages at [1] and I would be interested if these packages
behave better.
Cheers,
Michael
[1] http://debs.michaelbiebl.de/network-manager/
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Severity set to 'important' from 'grave'. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Wed, 09 Dec 2009 19:15:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>: Bug#560067; Package network-manager-gnome. (Wed, 09 Dec 2009 20:18:03 GMT)
Acknowledgement sent to "Witold Baryluk" <baryluk@smp.if.uj.edu.pl>: Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Wed, 09 Dec 2009 20:18:03 GMT)
Message #17 received at 560067@bugs.debian.org:
On 12-09 20:14, Michael Biebl wrote:
>
> I agree it is a security issue, but imho not such a severe one that severity
> grave is justified, especially as it only happens under very particular
> circumstances (thus downgrading to important).
Ok, it is anyway quite rare. And it needs to be triggered by deleting the certificate file,
so it is quite improbable to be a malicious vector attack.
>
> This bug is supposedly fixed in the upcoming 0.8 release. If you want to try, I
> have preliminary packages at [1] and I would be interested if these packages
> behave better.
I would be happy to check this.
> [1] http://debs.michaelbiebl.de/network-manager/
I added this repository to sources.list.
On upgrade (or apt-get install network-manager-gnome network-manager),
apt-get (and aptitude) want to remove policykit, for no apparent reason.
I checked briefly and I have *pol*kit* in versions 0.9-4 or 0.95-1 or greater,
and your network-manager packages depend on libpolkit* (>= 0.7)
and recommend policykit. I don't know why aptitude wants to remove
it.
Even forcing installation of policykit doesn't resolve the problem:
sredniczarny:/home/baryluk# LC_ALL=C aptitude -d -V install network-manager-gnome network-manager policykit
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information... Done
Initializing package states... Done
Reading task descriptions... Done
The following NEW packages will be installed:
libnm-glib-vpn1{a} [0.7.997-1] libnm-glib2{a} [0.7.997-1]
The following packages will be REMOVED:
libpolkit-dbus2{u} [0.9-4] libpolkit-gnome0{u} [0.9.2-2] libpolkit-grant2{u} [0.9-4] libpolkit2{u} [0.9-4] policykit{u} [0.9-4] policykit-gnome{u} [0.9.2-2]
The following packages will be upgraded:
libnm-util1 [0.7.2-2 -> 0.7.997-1] network-manager [0.7.2-2 -> 0.7.997-1] network-manager-gnome [0.7.2-1 -> 0.7.997-1]
3 packages upgraded, 2 newly installed, 6 to remove and 118 not upgraded.
Need to get 0B/2598kB of archives. After unpacking 274kB will be freed.
Do you want to continue? [Y/n/?]
...
It still wants to remove policykit. It is nonsensical.
Maybe it is something broken in unstable, I will wait a few days.
Regards.
--
Witold Baryluk
JID: witold.baryluk // jabster.pl
Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>: Bug#560067; Package network-manager-gnome. (Sat, 02 Jan 2010 15:03:06 GMT)
Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>: Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sat, 02 Jan 2010 15:03:06 GMT)
Message #22 received at 560067@bugs.debian.org:
Hi,
this issue got a CVE id:
CVE-2009-4144[0]:
| NetworkManager (NM) 0.7.2 does not ensure that the configured
| Certification Authority (CA) certificate file for a (1) WPA Enterprise
| or (2) 802.1x network remains present upon a connection attempt, which
| might allow remote attackers to obtain sensitive information or cause
| a denial of service (connectivity disruption) by spoofing the identity
| of a wireless network.
Unfortunately the vulnerability described above is not important enough
to get it fixed via regular security update in Debian stable and oldstable. It
does not warrant a DSA.
However it would be nice if this could get fixed via a regular point update[1].
Please contact the release team for this.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4144
http://security-tracker.debian.org/tracker/CVE-2009-4144
[1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable
Changed Bug title to 'CVE-2009-4144: WPA enterprise network not verified when certificate is removed' from 'network-manager-gnome: nm connects to WPA2 with certificate after .pem file was delated'. Request was from Giuseppe Iuculano <iuculano@debian.org> to control@bugs.debian.org. (Sat, 02 Jan 2010 15:03:16 GMT)
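The failure mode in the CVE-2009-4144 description above, a configured CA certificate file that is missing at connection time, sketched as an added example beside a fail-closed check. This is not NetworkManager's code or the Debian patch; every type and function name here is hypothetical and the certificate path is constructed.

```c
/* Added illustration; not NetworkManager code. All names are hypothetical. */
#include <stdio.h>
#include <unistd.h>

struct eap_profile {
    const char *ca_cert_path; /* path saved in the profile, NULL if none chosen */
    int verify_server;        /* 1 = authentication server certificate is checked */
};

enum cert_status { CERT_OK, CERT_NOT_CONFIGURED, CERT_UNREADABLE };

/* Classify the CA certificate reference stored in the profile. */
enum cert_status check_ca_cert(const struct eap_profile *p)
{
    if (p->ca_cert_path == NULL || p->ca_cert_path[0] == '\0')
        return CERT_NOT_CONFIGURED;
    return access(p->ca_cert_path, R_OK) == 0 ? CERT_OK : CERT_UNREADABLE;
}

/* Fail-open, as in the report: warn, drop verification, connect anyway.
 * Returns 1 when the connection attempt proceeds. */
int may_connect_fail_open(struct eap_profile *p)
{
    enum cert_status st = check_ca_cert(p);
    if (st == CERT_UNREADABLE)
        fprintf(stderr, "warning: couldn't read CA certificate\n");
    p->verify_server = (st == CERT_OK);
    return 1;
}

/* Fail-closed: a profile that names a CA file never connects without it. */
int may_connect_fail_closed(struct eap_profile *p)
{
    enum cert_status st = check_ca_cert(p);
    if (st == CERT_UNREADABLE) {
        fprintf(stderr, "error: CA certificate %s unreadable\n", p->ca_cert_path);
        return 0;
    }
    p->verify_server = (st == CERT_OK);
    return 1;
}

int main(void)
{
    struct eap_profile p = { "/nonexistent/constructed-ca.pem", 1 }; /* constructed */
    printf("fail-open connects: %d\n", may_connect_fail_open(&p));
    printf("fail-closed connects: %d\n", may_connect_fail_closed(&p));
    return 0;
}
```

The fail-closed variant separates "no CA was ever configured" from "a CA was configured but its file is gone"; only the second case aborts the connection.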
Reply sent to Michael Biebl <biebl@debian.org>: You have taken responsibility. (Sat, 23 Jan 2010 03:24:08 GMT)
Notification sent to Witold Baryluk <baryluk@smp.if.uj.edu.pl>: Bug acknowledged by developer. (Sat, 23 Jan 2010 03:24:08 GMT)
Message #29 received at 560067-close@bugs.debian.org:
Source: network-manager-applet
Source-Version: 0.7.2-2
We believe that the bug you reported is fixed in the latest version of
network-manager-applet, which is due to be installed in the Debian FTP archive:
network-manager-applet_0.7.2-2.diff.gz
to main/n/network-manager-applet/network-manager-applet_0.7.2-2.diff.gz
network-manager-applet_0.7.2-2.dsc
to main/n/network-manager-applet/network-manager-applet_0.7.2-2.dsc
network-manager-gnome_0.7.2-2_i386.deb
to main/n/network-manager-applet/network-manager-gnome_0.7.2-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 560067@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated network-manager-applet package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Fri, 22 Jan 2010 23:33:06 +0100
Source: network-manager-applet
Binary: network-manager-gnome
Architecture: source i386
Version: 0.7.2-2
Distribution: unstable
Urgency: low
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description:
network-manager-gnome - network management framework (GNOME frontend)
Closes: 560067 563371
Changes:
network-manager-applet (0.7.2-2) unstable; urgency=low
.
* debian/control
- Bump Build-Depends on libdbus-glib-1-dev to (>= 0.74).
- Bump Build-Depends on libgtk2.0-dev to (>= 2.14).
* debian/patches/02-CVE-2009-4145_fix_leakage_of_secrets_on_system_bus.patch
- Fix potential leakage of secrets onto the system bus. (Closes: #563371)
Patch backported from upstream Git.
Fixes: CVE-2009-4145
* debian/patches/03-CVE-2009-4144_fix_ca_cert_handling_after_cert_file_deletion.patch
- Fix possible connections to spoofed WPA Enterprise networks when
certification file is deleted. (Closes: #560067)
Patch backported from upstream Git.
Fixes: CVE-2009-4144
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 22 Feb 2010 07:39:51 GMT)
Last modified: Wed Jun 19 15:51:54 2019