Bug 1169886

Summary: kde-plasma-networkmanagement, kde-plasma-nm: creates OpenVPN connections vulnerable to MITM attack
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: jgrulich, jrusnack, kevin, ltinkl, rdieter, than
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-01-21 21:11:21 UTC
Bug Depends On: 1169887, 1169888
Bug Blocks: 1169890

Description Martin Prpič 2014-12-02 15:56:43 UTC
The following issue was filed against the upstream versions of kde-plasma-networkmanagement [1] and kde-plasma-nm [2], a plasma applet to control wired and wireless network(s) in KDE 4 using the default NetworkManager service:

"""
KDE's network manager plasmoid does not tell OpenVPN to perform server certificate verification. Consequently, anyone with the preshared key is able to perform a MITM attack by impersonating the server. OpenVPN warns about this at start:

Nov 17 22:40:56 t520 nm-openvpn[29005]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
"""

Upstream patches are available at:

plasma-nm - http://commits.kde.org/plasma-nm/863851110191d0480375d6c86ba8082dae9ac950
kde-plasma-networkmanagement - http://commits.kde.org/networkmanagement/918786c28f7657ad8deff084ae44a257a7d471f6

[1] https://bugs.kde.org/show_bug.cgi?id=341387
[2] https://bugs.kde.org/show_bug.cgi?id=341069
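
A defender-side check for the condition described above, as an added example that is not part of the original report or of the KDE or OpenVPN code: it finds the quoted warning in syslog lines and reports whether an OpenVPN client config contains any server certificate verification directive. The directive list is taken from the OpenVPN manual rather than from this report, and the sample configs and the second log line are constructed.

```python
import re

# Assumption: directive names from the OpenVPN manual, not from this bug report.
VERIFY_DIRECTIVES = {
    "remote-cert-tls", "remote-cert-ku", "remote-cert-eku",
    "verify-x509-name", "tls-remote", "ns-cert-type", "tls-verify",
}

# Syslog prefix followed by the warning text quoted in the report.
WARNING_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s(?P<proc>[\w-]+)\[(?P<pid>\d+)\]:\s"
    r"WARNING: No server certificate verification method has been enabled"
)

def verification_directives(config_text):
    """Return the verification directives present in an OpenVPN config.
    Presence only: the directive's arguments are not validated."""
    found = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        name = line.split()[0].lstrip("-")   # accept "--option" spelling too
        if name in VERIFY_DIRECTIVES:
            found.add(name)
    return found

def unverified_starts(log_lines):
    """Return (timestamp, host, process, pid) for each logged warning."""
    hits = []
    for line in log_lines:
        m = WARNING_RE.match(line)
        if m:
            hits.append((m["ts"], m["host"], m["proc"], int(m["pid"])))
    return hits

# First line is the one quoted in the report; the second is constructed.
SAMPLE_LOG = [
    "Nov 17 22:40:56 t520 nm-openvpn[29005]: WARNING: No server certificate "
    "verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.",
    "Nov 17 22:40:57 t520 nm-openvpn[29005]: Initialization Sequence Completed",
]
# Constructed client configs: without and with a server certificate check.
WEAK_CONFIG = "client\nremote vpn.example.org 1194\nca ca.crt\n;remote-cert-tls server\n"
FIXED_CONFIG = WEAK_CONFIG + "remote-cert-tls server\n"

if __name__ == "__main__":
    print(unverified_starts(SAMPLE_LOG))
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, sorted(verification_directives(cfg)) or "NO SERVER VERIFICATION")
```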

Comment 1 Martin Prpič 2014-12-02 15:57:13 UTC
Created kde-plasma-nm tracking bugs for this issue:

Affects: fedora-all [bug 1169888]

Comment 2 Martin Prpič 2014-12-02 15:57:15 UTC
Created kde-plasma-networkmanagement tracking bugs for this issue:

Affects: fedora-19 [bug 1169887]

Comment 5 Fedora Update System 2014-12-13 09:37:29 UTC
kde-plasma-nm-0.9.3.5-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2014-12-13 09:49:06 UTC
kde-plasma-networkmanagement-0.9.0.11-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2014-12-13 09:49:46 UTC
kde-plasma-nm-0.9.3.5-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.