
DOE-CIRC TECHNICAL BULLETIN

T-287: NetworkManager Security Bypass and Information Disclosure Vulnerabilities

January 02, 2009 2:28PM GMT


PROBLEM:

NetworkManager Security Bypass and Information Disclosure Vulnerabilities

PLATFORM:

Linux: GNOME NetworkManager 0.7.2

ABSTRACT:

NetworkManager is prone to a security-bypass vulnerability and an information-disclosure vulnerability.
Attackers can exploit these issues to obtain sensitive information or entice a user to connect to a network without certificate verification.
NetworkManager 0.7.2 is vulnerable; other versions may also be affected.

 

 

LINKS:

 

  DOE-CIRC BULLETIN:

http://www.doecirc.energy.gov/bulletins/t-287.shtml

  OTHER LINKS:

CVE-2009-4144

CVE-2009-4145

http://www.securityfocus.com/bid/37580

·  core: fix CA cert mishandling after cert file deletion (deb #560067) (rh #546793) (GNOME)

·  CVE-2009-4144 NetworkManager: WPA enterprise network not verified when certifica (Red Hat)

·  CVE-2009-4145 NetworkManager: information disclosure by nm-connection-editor (Red Hat)

·  editor: prevent any registration of objects on the system bus (GNOME)

·  NetworkManager Homepage (GNOME)

 


 

IMPACT ASSESSMENT:

Low


Discussion: 
 
NetworkManager Security Bypass and Information Disclosure Vulnerabilities
 
If a connection was created with a CA certificate, but the user later moved or deleted that CA certificate, the applet would simply provide the connection to NetworkManager without any CA certificate. This could cause NM to connect to the original network (or a network spoofing the original network) without verifying the identity of the network as the user expects.
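The fail-open behaviour described above, next to a fail-closed alternative, as an added example that is not NetworkManager's code or the upstream patch. The struct, function, and constant names are hypothetical, and the certificate path is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified types for illustration; not NetworkManager's own. */
struct eap_profile {
    const char *ca_cert_path;  /* NULL: user never configured a CA certificate */
};
struct eap_request {
    char ca_cert[256];         /* empty: server certificate will not be verified */
};
enum { BUILD_OK = 0, BUILD_CA_CERT_MISSING = -1 };

static int readable(const char *path)
{
    FILE *f = path ? fopen(path, "rb") : NULL;
    int ok = (f != NULL);
    if (f) fclose(f);
    return ok;
}

/* Fail-open, as described in the bulletin: a configured but missing CA
 * certificate is silently dropped and the request goes out unverified. */
int build_fail_open(const struct eap_profile *p, struct eap_request *out)
{
    memset(out, 0, sizeof *out);
    if (readable(p->ca_cert_path))
        snprintf(out->ca_cert, sizeof out->ca_cert, "%s", p->ca_cert_path);
    return BUILD_OK;
}

/* Fail-closed: a configured CA certificate that cannot be read is an error,
 * so the caller can refuse to connect instead of skipping verification. */
int build_fail_closed(const struct eap_profile *p, struct eap_request *out)
{
    memset(out, 0, sizeof *out);
    if (p->ca_cert_path == NULL)
        return BUILD_OK;               /* explicit user choice, unchanged */
    if (!readable(p->ca_cert_path))
        return BUILD_CA_CERT_MISSING;
    snprintf(out->ca_cert, sizeof out->ca_cert, "%s", p->ca_cert_path);
    return BUILD_OK;
}

int main(void)
{
    struct eap_profile p = { "constructed-ca-that-was-deleted.pem" };
    struct eap_request r;
    printf("fail-open:   rc=%d ca_cert=\"%s\"\n", build_fail_open(&p, &r), r.ca_cert);
    printf("fail-closed: rc=%d\n", build_fail_closed(&p, &r));
    return 0;
}
```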
 
Also:
 
nm-connection-editor may inadvertently publish network configuration settings
over D-Bus when a user changes those settings using the connection editor. 
D-Bus gives all clients a bus name (usually 1:XXX where XXX is an
ever-increasing number) whenever the client connects to the bus.  Even though
this client is not exporting a /named/ service, it is still on the bus and if
the client exports an object (even inadvertently, without registering a
well-known bus name) signals emitted by that object will also be proxied onto
the bus.
 
nm-connection-editor inadvertently exported connection objects on the bus, and
when a user changes those connections through the connection editor GUI, the
editor may emit a summary of those changes onto the bus, leading to the
information disclosure.
 
Both of these vulnerabilities are resolved by upgrading to the latest version.
 
Solution:
Updates are available. 
 
 
 
 

DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:

    Voice:           866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov