Bugzilla – Bug 574266
VUL-0: NetworkManager unsafe for WPA2 Enterprise networks
Last modified: 2019-08-06 07:38:52 UTC
This issue is not public yet, please keep any information about it inside SUSE.

WPA2 Enterprise networks using EAP-TTLS or PEAP rely on clients to verify the certificate of the RADIUS server even more than EAP-TLS. Failure to verify the certificate allows attackers to forge the network and the RADIUS server to steal user credentials.

There are three ways in which a certificate can be signed:

1. self signed
2. signed by a custom CA wherein
   a) the CA certificate is available to the client
   b) the CA certificate is not available to the client
3. signed by a standard CA as used on the internet

For those cases different methods to verify the certificate are needed. The client software

- case 1: MUST verify that the certificate presented by the RADIUS server matches a local reference copy.
- case 2:
  a) - MUST verify that the certificate presented by the RADIUS server is signed by the specified CA certificate.
     - MUST verify that the CN of the certificate presented by the RADIUS server matches a specified string. This is OPTIONAL if the CA certificate is guaranteed to be only used for signing the certificate of the RADIUS server.
  b) MUST verify that the certificate presented by the RADIUS server matches a local reference copy.
- case 3:
  - MUST verify that the certificate presented by the RADIUS server is signed by one of the system's CA certificates.
  - MUST verify that the CN of the certificate presented by the RADIUS server matches a specified string.

NetworkManager lacks options to match the RADIUS server's certificate against a local reference copy. NetworkManager also doesn't allow specifying a CN. NetworkManager does allow specifying a CA certificate for verification of the RADIUS server's certificate. Therefore NetworkManager is only safe to use in case 2a. NetworkManager cannot perform the required checks for cases 1, 2b and 3. If used in those cases nevertheless, NetworkManager jeopardizes the security of the wireless network.
Meanwhile I've contacted upstream. Jouni started implementing the needed features in wpa_supplicant: http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=log;h=00468b4650998144f794762206c695c962c54734
So it's NetworkManager's turn to make use of this interface I guess. Dan Williams could use some help AFAICT.
Meanwhile I've published the paper: http://www.openwall.com/lists/oss-security/2010/04/22/2
https://bugzilla.novell.com/show_bug.cgi?id=574266
https://bugzilla.gnome.org/show_bug.cgi?id=341323
https://bugzilla.gnome.org/show_bug.cgi?id=621484
https://features.opensuse.org/309931
Hi,

Someone already got there first and submitted the patch for NetworkManager. What we need to do is backport the patch. The NetworkManager-gnome patch will also be coming soon.

http://mail.gnome.org/archives/networkmanager-list/2011-July/msg00212.html
CVE-2006-7246
This is an autogenerated message for OBS integration: This bug (574266) was mentioned in
https://build.opensuse.org/request/show/89232 11.4 / wpa_supplicant
https://build.opensuse.org/request/show/89233 11.4 / NetworkManager
https://build.opensuse.org/request/show/89234 11.4 / NetworkManager-gnome
https://build.opensuse.org/request/show/89235 11.3 / wpa_supplicant
https://build.opensuse.org/request/show/89236 11.3 / NetworkManager
https://build.opensuse.org/request/show/89237 11.3 / NetworkManager-gnome
Is there any way to warn the user if he uses an old connection that does not perform the necessary certificate checks? Right now users will install the NM update but will not gain any security unless they manually delete and add their connection again AFAICS.
A possible solution is to check the subject and ca_cert/cert_hash when connecting to a TTLS/PEAP AP and mark the connection as NEED_SECRET to force nm-applet to show the settings dialog to set up the connection properly. The problem is: any NM client other than nm-applet, e.g. NetworkManager Plasmoid, will not be able to connect to TTLS/PEAP APs unless it also implements the feature.
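Added example, not part of the bug report or of any NetworkManager/wpa_supplicant code: a small audit that applies the checks discussed above (subject and ca_cert/cert hash) to EAP-TTLS/PEAP network blocks in a wpa_supplicant.conf, mapped to the cases from the bug description. The option names (ca_cert, subject_match, altsubject_match, the hash://server/sha256/ form of ca_cert) are wpa_supplicant's; the sample file, paths, the hash placeholder and the function names parse_networks and audit are constructed for illustration.

```python
import re

# Constructed sample wpa_supplicant.conf; names, paths and hash are placeholders.
SAMPLE_CONF = '''
network={
    ssid="legacy"
    eap=PEAP
}
network={
    ssid="ca-only"
    eap=TTLS
    ca_cert="/etc/ssl/certs/corp-ca.pem"
}
network={
    ssid="ca-and-subject"
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    subject_match="CN=radius.example.org"
}
network={
    ssid="pinned"
    eap=TTLS
    ca_cert="hash://server/sha256/PLACEHOLDER_SHA256_HEX"
}
'''

def parse_networks(text):
    """Return one {key: unquoted value} dict per network={...} block."""
    blocks = re.findall(r'network\s*=\s*\{(.*?)\n\s*\}', text, re.S)
    return [{k: v.strip('"') for k, v in
             re.findall(r'^\s*(\w+)\s*=\s*(.+?)\s*$', b, re.M)} for b in blocks]

def audit(text):
    """Return (ssid, finding) for every EAP-TTLS/PEAP network block."""
    findings = []
    for net in parse_networks(text):
        if not {"TTLS", "PEAP"} & set(net.get("eap", "").upper().split()):
            continue  # the checks below only concern TTLS and PEAP
        ca = net.get("ca_cert", "")
        if ca.startswith("hash://server/sha256/"):
            finding = "ok: pinned to a reference certificate (cases 1, 2b)"
        elif not ca:
            finding = "FAIL: server certificate not verified"
        elif "subject_match" not in net and "altsubject_match" not in net:
            finding = "WARN: CA set, no subject check (safe only for a dedicated CA)"
        else:
            finding = "ok: CA and subject checked (cases 2a, 3)"
        findings.append((net.get("ssid", "?"), finding))
    return findings
```

Calling audit(SAMPLE_CONF) flags "legacy" as unverified and "ca-only" as missing the subject check, which are the connection profiles an update alone would leave unchanged.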
That would increase the pressure to fix the bug in KDE as well I guess :-)
Let's proceed with the current state to not delay the update for GNOME any further. As soon as KDE is fixed too we may release another NM update that also converts the existing connections.
This is an autogenerated message for OBS integration: This bug (574266) was mentioned in
https://build.opensuse.org/request/show/91468 12.1 / wpa_supplicant
https://build.opensuse.org/request/show/91471 12.1 / NetworkManager
https://build.opensuse.org/request/show/91474 12.1 / NetworkManager-gnome
https://build.opensuse.org/request/show/91476 12.1 / gnome-control-center
Update released for: NetworkManager, NetworkManager-debuginfo, NetworkManager-debugsource, NetworkManager-devel, NetworkManager-doc, NetworkManager-glib, NetworkManager-glib-debuginfo, NetworkManager-gnome, NetworkManager-gnome-debuginfo, NetworkManager-gnome-debugsource, NetworkManager-gnome-lang, NetworkManager-lang, wpa_supplicant, wpa_supplicant-debuginfo, wpa_supplicant-debugsource, wpa_supplicant-gui, wpa_supplicant-gui-debuginfo Products: openSUSE 11.3 (debug, i586, x86_64) openSUSE 11.4 (debug, i586, x86_64)
Update released for: NetworkManager, NetworkManager-debuginfo, NetworkManager-debugsource, NetworkManager-devel, NetworkManager-doc, NetworkManager-glib, NetworkManager-gnome, NetworkManager-gnome-debuginfo, NetworkManager-gnome-debugsource, wpa_supplicant, wpa_supplicant-debuginfo, wpa_supplicant-debugsource, wpa_supplicant-gui Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP1 (i386, x86_64) SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1-TERADATA (x86_64) SLES4VMWARE 11-SP1 (i386, x86_64)
This is an autogenerated message for OBS integration: This bug (574266) was mentioned in
https://build.opensuse.org/request/show/98818 11.3 / NetworkManager-gnome
https://build.opensuse.org/request/show/98819 11.4 / NetworkManager-gnome
https://build.opensuse.org/request/show/98820 12.1 / NetworkManager-gnome
This is an autogenerated message for OBS integration: This bug (574266) was mentioned in https://build.opensuse.org/request/show/99575 Factory / wpa_supplicant
Created attachment 471436
NetworkManager 0.6.6 set eap subject
Created attachment 471437
nm-applet 0.6.6 add the subject entry to the WPA-EAP settings dialog

Besides adding the subject entry, this patch also does a simple validation for the WPA-EAP settings, by checking the identity, password, client certificate file, and private key. The most important of all, both the CA certificate file and the subject are now mandatory.
AFAICT the patch works fine, thanks!
Created attachment 473209
nm-applet 0.6.6 add the subject entry to the WPA-EAP settings dialog

Update the nm-applet patch to remove the identity check for EAP-TLS.
Update released for: NetworkManager-gnome, NetworkManager-gnome-debuginfo, NetworkManager-gnome-debugsource Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP1 (i386, x86_64) SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1-TERADATA (x86_64) SLES4VMWARE 11-SP1 (i386, x86_64)
Update released for: NetworkManager, NetworkManager-debuginfo, NetworkManager-devel, NetworkManager-glib, NetworkManager-gnome, wpa_supplicant, wpa_supplicant-debuginfo, wpa_supplicant-gui Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: NetworkManager, NetworkManager-debuginfo, NetworkManager-devel, NetworkManager-glib, NetworkManager-gnome, wpa_supplicant, wpa_supplicant-debuginfo, wpa_supplicant-gui Products: SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-DESKTOP 10-SP4 (i386, x86_64) SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
This is an autogenerated message for OBS integration: This bug (574266) was mentioned in https://build.opensuse.org/request/show/162340 Maintenance /
openSUSE-RU-2013:0673-1: An update that has two recommended fixes can now be installed.
Category: recommended (low)
Bug References: 574266,798793
CVE References:
Sources used:
openSUSE 12.3 (src): NetworkManager-0.9.6.4-5.6.1, NetworkManager-gnome-0.9.6.4-2.5.1, gnome-control-center-3.6.3-3.14.1
This is an autogenerated message for OBS integration: This bug (574266) was mentioned in https://build.opensuse.org/request/show/175192 Factory / NetworkManager
This is an autogenerated message for OBS integration: This bug (574266) was mentioned in
https://build.opensuse.org/request/show/202472 Factory / NetworkManager-gnome
https://build.opensuse.org/request/show/202475 Factory / gnome-control-center