Bug 911126 - (CVE-2013-4218) CVE-2013-4218 wimax: Supplicant agent ships RSA private key in the package
CVE-2013-4218 wimax: Supplicant agent ships RSA private key in the package
Status: CLOSED EOL
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130808,repor...
: Reopened, Security
Depends On: 995160
Blocks: 909233
  Show dependency treegraph
 
Reported: 2013-02-14 07:46 EST by Florian Weimer
Modified: 2015-02-19 04:26 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-02-17 11:48:37 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Florian Weimer 2013-02-14 07:46:18 EST
The wimax package installs a RSA private key in /usr/share/wimax/supplicant_key.pem.  We should never ship hard-coded private keys.  The embedded CA certificate in /usr/share/wimax/cacert.pem is suspicious as well.  It is unclear how device key management is supposed to work.
Comment 4 Jan Lieskovsky 2013-08-08 11:39:19 EDT
A security flaw was found in the way supplicant agent of WiMAX, an user space daemon for the Intel 2400m Wireless WiMAX link, used to manage its private key (private key was shipped together with the source code). A local attacker could use this flaw to obtain security sensitive data or, to conduct actions on behalf of private key owner.
Comment 5 Jan Lieskovsky 2013-08-08 12:45:35 EDT
Acknowledgements:

This issue was found by Florian Weimer of Red Hat Product Security Team.
Comment 6 Jan Lieskovsky 2013-08-08 12:48:21 EDT
Created wimax tracking bugs for this issue:

Affects: fedora-all [bug 995160]
Comment 7 Jan Lieskovsky 2013-08-08 12:57:04 EDT
CVE Request:
  http://www.openwall.com/lists/oss-security/2013/08/08/10
Comment 8 Jan Lieskovsky 2013-08-09 03:22:18 EDT
The CVE identifier of CVE-2013-4218 has been assigned to this issue:
  http://www.openwall.com/lists/oss-security/2013/08/08/17
Comment 9 Florian Weimer 2015-02-17 11:48:37 EST
Only Fedora 19 shipped the wimax packages, and it is now EOL.

Note You need to log in before you can comment on or make changes to this bug.