Bug 708876 (CVE-2011-1943)

Summary: CVE-2011-1943 NetworkManager: Password to unlock the certificate is being logged
Product: [Other] Security Response Reporter: Robert Marcano <robert>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: choeger, dcbw, huzaifas, jlieskov, libin.charles, rmccabe, skr, steve
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: NetworkManager-0.8.9997-1.git20110531.fc15 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-06-02 07:54:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 709798, 709799    
Bug Blocks:    

Description Robert Marcano 2011-05-30 00:28:01 UTC
Description of problem:

Password to unlock certificate is logged to /var/log/messages

May 29 19:46:42 localhost NetworkManager[4791]: destroy_one_secret: destroying ********

Version-Release number of selected component (if applicable):

NetworkManager-openvpn-0.8.999-1.fc15.x86_64


Additional info:

I would love to have the option to type the password at connection time instead of it being stored, but adding the password to the system log is wrong

Comment 1 Bin Li 2011-06-01 10:43:51 UTC
Robert,

 I can't find any related source code which could print'destroy_one_secret: destroying'

Comment 2 Jan Lieskovsky 2011-06-01 16:39:45 UTC
The CVE identifier of CVE-2011-1943 has been assigned to this issue:
[1] http://www.openwall.com/lists/oss-security/2011/05/31/7

Comment 3 Jan Lieskovsky 2011-06-01 16:43:52 UTC
Created NetworkManager-openvpn tracking bugs for this issue

Affects: fedora-all [bug 709798]
Affects: epel-all [bug 709799]

Comment 4 Robert Marcano 2011-06-01 16:56:26 UTC
(In reply to comment #1)
> Robert,
> 
>  I can't find any related source code which could print'destroy_one_secret:
> destroying'

Run nm-connection-editor from console, and try to change a password, a message like the one in the log file is shown every time you add a something to the password

** Message: destroy_one_secret: destroying asasdasdasdasd
** Message: destroy_one_secret: destroying asasdasdasdasda
** Message: destroy_one_secret: destroying asasdasdasdasdas

Probably both messages are related

Comment 5 Jan Lieskovsky 2011-06-01 17:10:44 UTC
*** Bug 709733 has been marked as a duplicate of this bug. ***

Comment 6 Huzaifa S. Sidhpurwala 2011-06-02 07:52:40 UTC
This is not a  NetworkManager-openvpn issue, the flaw lies in the libnm-util library which is shipped with the NetworkManager package.

The flaw was introduced in the following commit (on 21st May 2011):
http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=ef71c5cca1f43b09fe90e52950a176bb4cee2ab2

and removed in the following commit (on 27th May 2011):
http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=78ce088843d59d4494965bfc40b30a2e63d065f6

This issue does not affect the version of NetworkManager shipped in Fedora 13 or Fedora 14.

This issue has been addressed in the following update for Fedora 15:
https://admin.fedoraproject.org/updates/NetworkManager-0.8.9997-1.git20110531.fc15

Comment 7 Huzaifa S. Sidhpurwala 2011-06-02 07:53:29 UTC
Statement:

Not vulnerable. This issue did not affect the versions of NetworkManager as
shipped with Red Hat Enterprise Linux 4, 5, or 6.

Comment 8 Bin Li 2011-06-02 08:08:33 UTC
Huzaifa,

 Cool!! Thanks!

Comment 9 Jan Lieskovsky 2011-06-03 11:40:23 UTC
*** Bug 708583 has been marked as a duplicate of this bug. ***