A security flaw was found in the way NetworkManager, a network connection manager, and wpa_supplicant, a WPA/WPA2/IEEE 802.1X supplicant, verified the certificate's subject against the ESSID when the 802.1X (WPA Enterprise) authentication scheme was used. A remote attacker with the privilege to change a certificate on an access point could use this flaw to conduct MITM attacks via another valid certificate issued by the same certification authority (CA) as the one for the original network. In the case of password-based authentication (PEAP or EAP-TTLS), a remote attacker could use this flaw to obtain the victims' password hashes and potentially recover the plaintext passwords.
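To make the failure mode concrete, the following is an added example (not code from NetworkManager, wpa_supplicant, or this bug report) that models the supplicant's decision about the RADIUS server certificate. It contrasts a CA-only check, which accepts every certificate the configured CA ever issued, with the identity constraints modelled after wpa_supplicant's documented domain_suffix_match (label-wise suffix) and domain_match (exact FQDN) options. The certificates, CA name and host names are constructed for the example, and the "certificates" are plain dataclasses rather than parsed X.509 objects.

```python
"""Server-identity checks for 802.1X/EAP (PEAP, EAP-TTLS) server certificates.

Added example, not code from NetworkManager or wpa_supplicant.  It models the
decision a supplicant makes about the RADIUS server's certificate:

  * CA check only: the certificate chains to the configured CA.  Every
    certificate that CA ever issued passes, which is the weakness described
    in the bug.
  * CA check plus an identity constraint, modelled after the wpa_supplicant
    options domain_suffix_match (label-wise suffix) and domain_match (exact
    FQDN).  Both look at SubjectAltName dNSName entries and fall back to the
    Subject CN only when no dNSName is present.

Certificates are plain dataclasses holding constructed values; no real X.509
parsing or signature verification happens here.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ServerCert:
    """Minimal stand-in for a parsed X.509 certificate (constructed data)."""
    issuer: str                        # issuer DN, compared as an opaque string
    subject_cn: str                    # Subject CN
    dns_names: Tuple[str, ...] = ()    # SubjectAltName dNSName entries


def _labels(name: str):
    return name.lower().rstrip(".").split(".")


def suffix_matches(name: str, suffix: str) -> bool:
    """Label-wise suffix comparison, from the top-level domain leftwards.

    'radius.example.edu' and 'example.edu' match suffix 'example.edu';
    'notexample.edu' and 'example.edu.attacker.net' do not.
    """
    n, s = _labels(name), _labels(suffix)
    return len(s) <= len(n) and n[-len(s):] == s


def full_matches(name: str, fqdn: str) -> bool:
    """Exact FQDN comparison (case-insensitive, trailing dot ignored)."""
    return _labels(name) == _labels(fqdn)


def identity_ok(cert: ServerCert, domain_suffix_match: Optional[str] = None,
                domain_match: Optional[str] = None) -> bool:
    """True when every configured identity constraint is satisfied."""
    names = cert.dns_names or (cert.subject_cn,)
    if domain_suffix_match and not any(suffix_matches(n, domain_suffix_match) for n in names):
        return False
    if domain_match and not any(full_matches(n, domain_match) for n in names):
        return False
    return True


def accept_server(cert: ServerCert, trusted_ca: str, **constraints) -> bool:
    """Chain to the trusted CA *and* satisfy the identity constraints."""
    return cert.issuer == trusted_ca and identity_ok(cert, **constraints)


# Constructed sample certificates (hypothetical CA and host names).
CAMPUS_CA = "CN=Example Campus CA,O=Example University"
LEGIT = ServerCert(CAMPUS_CA, "radius.example.edu", ("radius.example.edu",))
# A valid certificate the attacker obtained from the same CA for another host.
ROGUE_SAME_CA = ServerCert(CAMPUS_CA, "printer42.example.edu", ("printer42.example.edu",))
# A certificate for a look-alike name, issued by a different CA.
ROGUE_OTHER_CA = ServerCert("CN=Some Public CA", "radius.example.edu.attacker.net",
                            ("radius.example.edu.attacker.net",))


def evaluate(cert: ServerCert) -> dict:
    """Outcome of each policy for one certificate."""
    return {
        "ca_only": accept_server(cert, CAMPUS_CA),
        "ca_plus_suffix": accept_server(cert, CAMPUS_CA, domain_suffix_match="example.edu"),
        "ca_plus_exact": accept_server(cert, CAMPUS_CA, domain_match="radius.example.edu"),
    }


if __name__ == "__main__":
    for label, cert in (("legit", LEGIT), ("rogue, same CA", ROGUE_SAME_CA),
                        ("rogue, other CA", ROGUE_OTHER_CA)):
        print(f"{label:16s} {evaluate(cert)}")
```

The point the example makes beyond the description: with a CA that issues certificates to many hosts (a campus or corporate CA), even a suffix match on the organisation's domain still admits the attacker's same-CA certificate for some other host; only pinning the expected RADIUS server name (domain_match in wpa_supplicant terms) rejects it. NetworkManager 1.2 exposes the suffix form as the 802-1x.domain-suffix-match property; with a broad CA, choose the suffix as narrowly as the deployment allows.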
Upstream bug reports:
wpa_supplicant upstream patch:
Some of the proposed GUI patches have been reported to cause (post patching) a resurrection of CVE-2006-7246 (wpa_supplicant again not completely checking certificates):
We expect this to be fixed upstream in a future release.
NetworkManager-1.2.0-0.8.beta3.fc24, NetworkManager-fortisslvpn-1.2.0-0.4.beta3.fc24, NetworkManager-libreswan-1.2.0-0.4.beta3.fc24, NetworkManager-openconnect-1.2.0-0.3.beta3.fc24, NetworkManager-openvpn-1.2.0-0.3.beta3.fc24, NetworkManager-pptp-1.2.0-0.3.beta3.fc24, NetworkManager-strongswan-1.3.1-3.20160330libnm.fc24, NetworkManager-vpnc-1.2.0-0.4.beta3.fc24, network-manager-applet-1.2.0-0.3.beta3.fc24 have been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.