Bug 824660 - (CVE-2012-2389) CVE-2012-2389 hostapd: insecure default permissions on /etc/hostapd/hostapd.conf
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 824661 826109
Reported: 2012-05-23 18:32 EDT by Vincent Danen
Modified: 2015-07-31 02:51 EDT
Doc Type: Bug Fix
Last Closed: 2012-06-19 17:11:27 EDT
Description Vincent Danen 2012-05-23 18:32:47 EDT
It was reported [1] that the default permissions of /etc/hostapd/hostapd.conf were insecure (0644) considering they could contain credentials (PSKs, shared radius secrets, etc.) that would then be world readable.

This is a low-impact flaw that can be mitigated by changing the permissions of the file (upstream has done this now).

This was assigned CVE-2012-2389 [2] (although no credentials are written by any tools or by default to this file, so an administrator should logically tighten up the permissions if saving sensitive information to the file).

Comment 1 Vincent Danen 2012-05-23 18:33:42 EDT
Created hostapd tracking bugs for this issue

Affects: fedora-all [bug 824661]

Comment 2 Vincent Danen 2012-06-19 17:11:27 EDT
This is corrected via hostapd-0.7.3-9.fc17 and hostapd-0.7.3-9.fc16.
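
An added example, not part of the bug report or of hostapd: a shell check for the condition in the Description, flagging a hostapd config that stores a PSK or RADIUS shared secret while group or other can access it. The key names are hostapd.conf options; mode 0600 is an assumed target (the report does not state the mode upstream chose), and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: audit a hostapd config for the CVE-2012-2389 condition.
# hostapd.conf options whose values are credentials.
SECRET_KEYS='wpa_passphrase|wpa_psk|auth_server_shared_secret|acct_server_shared_secret'

# has_secrets FILE -> 0 if an uncommented secret-bearing option is set
has_secrets() {
    grep -Eq "^[[:space:]]*(${SECRET_KEYS})[[:space:]]*=" "$1"
}

# exposed_mode FILE -> 0 if group or other holds any permission bit
exposed_mode() {
    mode=$(stat -c '%a' "$1") || return 2      # octal mode, e.g. 644
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# audit_hostapd_conf FILE
#   returns 1 (and prints a finding) when stored secrets are accessible
#   beyond the owner; returns 0 when the mode is restrictive or when the
#   file holds no secrets yet; returns 2 when the file is missing.
audit_hostapd_conf() {
    f=$1
    [ -f "$f" ] || { echo "skip: $f not found" >&2; return 2; }
    if exposed_mode "$f"; then
        if has_secrets "$f"; then
            echo "FINDING: $f mode $(stat -c '%a' "$f") exposes stored secrets"
            return 1
        fi
        echo "note: $f mode $(stat -c '%a' "$f") is permissive, no secrets stored"
    fi
    return 0
}

# harden_hostapd_conf FILE -> owner read/write only (0600, assumed target mode)
harden_hostapd_conf() {
    chmod 600 "$1"
}

# Stand-alone use: pass the config path, e.g. /etc/hostapd/hostapd.conf
if [ "$#" -gt 0 ]; then
    audit_hostapd_conf "$1"
fi
```
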
