Bug 708876 (CVE-2011-1943)

Summary: CVE-2011-1943 NetworkManager: Password to unlock the certificate is being logged
Product: [Other] Security Response Reporter: Robert Marcano <robert>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: choeger, dcbw, huzaifas, jlieskov, libin.charles, rmccabe, skr, steve
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: NetworkManager-0.8.9997-1.git20110531.fc15 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-06-02 07:54:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 709798, 709799    
Bug Blocks:    

Description Robert Marcano 2011-05-30 00:28:01 UTC 
Description of problem:

Password to unlock certificate is logged to /var/log/messages

May 29 19:46:42 localhost NetworkManager[4791]: destroy_one_secret: destroying ********

Version-Release number of selected component (if applicable):

NetworkManager-openvpn-0.8.999-1.fc15.x86_64


Additional info:

I would love to have the option to type the password at connection time instead of it being stored, but adding the password to the system log is wrong
Comment 1 Bin Li 2011-06-01 10:43:51 UTC 
Robert,

 I can't find any related source code which could print'destroy_one_secret: destroying'
Comment 2 Jan Lieskovsky 2011-06-01 16:39:45 UTC 
The CVE identifier of CVE-2011-1943 has been assigned to this issue:
[1] http://www.openwall.com/lists/oss-security/2011/05/31/7
Comment 3 Jan Lieskovsky 2011-06-01 16:43:52 UTC 
Created NetworkManager-openvpn tracking bugs for this issue

Affects: fedora-all [bug 709798]
Affects: epel-all [bug 709799]
Comment 4 Robert Marcano 2011-06-01 16:56:26 UTC 
(In reply to comment #1)
> Robert,
> 
>  I can't find any related source code which could print'destroy_one_secret:
> destroying'

Run nm-connection-editor from console, and try to change a password, a message like the one in the log file is shown every time you add a something to the password

** Message: destroy_one_secret: destroying asasdasdasdasd
** Message: destroy_one_secret: destroying asasdasdasdasda
** Message: destroy_one_secret: destroying asasdasdasdasdas

Probably both messages are related
Comment 5 Jan Lieskovsky 2011-06-01 17:10:44 UTC 
*** Bug 709733 has been marked as a duplicate of this bug. ***
Comment 6 Huzaifa S. Sidhpurwala 2011-06-02 07:52:40 UTC 
This is not a  NetworkManager-openvpn issue, the flaw lies in the libnm-util library which is shipped with the NetworkManager package.

The flaw was introduced in the following commit (on 21st May 2011):
http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=ef71c5cca1f43b09fe90e52950a176bb4cee2ab2

and removed in the following commit (on 27th May 2011):
http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=78ce088843d59d4494965bfc40b30a2e63d065f6

This issue does not affect the version of NetworkManager shipped in Fedora 13 or Fedora 14.

This issue has been addressed in the following update for Fedora 15:
https://admin.fedoraproject.org/updates/NetworkManager-0.8.9997-1.git20110531.fc15
Comment 7 Huzaifa S. Sidhpurwala 2011-06-02 07:53:29 UTC 
Statement:

Not vulnerable. This issue did not affect the versions of NetworkManager as
shipped with Red Hat Enterprise Linux 4, 5, or 6.
Comment 8 Bin Li 2011-06-02 08:08:33 UTC 
Huzaifa,

 Cool!! Thanks!
Comment 9 Jan Lieskovsky 2011-06-03 11:40:23 UTC 
*** Bug 708583 has been marked as a duplicate of this bug. ***
Comment 10 Dan Williams 2011-06-03 19:58:06 UTC 
https://admin.fedoraproject.org/updates/NetworkManager-0.8.9997-2.git20110531.fc15