546795 – (CVE-2009-4144) CVE-2009-4144 NetworkManager: WPA enterprise network not verified when certificate is removed

Bug 546795 (CVE-2009-4144) - CVE-2009-4144 NetworkManager: WPA enterprise network not verified when certificate is removed

Summary: CVE-2009-4144 NetworkManager: WPA enterprise network not verified when certif...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	CVE-2009-4144
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	546793 548190 548191
Blocks:
TreeView+	depends on / blocked

Reported:	2009-12-11 23:52 UTC by Dan Williams
Modified:	2019-09-29 12:33 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:	546793
Environment:
Last Closed:	2018-09-07 16:16:43 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2010:0108	0	normal	SHIPPED_LIVE	Moderate: NetworkManager security update	2010-02-16 15:50:34 UTC

Description Dan Williams 2009-12-11 23:52:08 UTC

+++ This bug was initially created as a clone of Bug #546793 +++

See also:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560067

If the user had set up a WPA Enterprise or 802.1x connection that used a CA certificate to verify the identity of the network to which the user was connecting, and the user deleted or moved that CA certificate file at a later point, NetworkManager will still connect to that network but without using the CA certificate.  This could result in connections to a rogue network that is spoofing the original network as the identity of the network is not verified with the CA certificate after the certificate has been deleted.

Obviously requires direct interaction by the user that configured the connection in the first place to remove the CA certificate file.

--- Additional comment from dcbw on 2009-12-11 18:50:57 EDT ---

Upstream fix is:

http://git.gnome.org/cgit/network-manager-applet/commit/?h=NETWORKMANAGER_APPLET_0_7&id=4020594dfbf566f1852f0acb36ad631a9e73a82b

Comment 5 Fedora Update System 2009-12-23 19:27:56 UTC

NetworkManager-0.7.2-2.git20091223.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/NetworkManager-0.7.2-2.git20091223.fc11

Comment 6 Fedora Update System 2010-01-02 21:30:22 UTC

NetworkManager-0.7.2-2.git20091223.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 errata-xmlrpc 2010-02-16 15:50:40 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0108 https://rhn.redhat.com/errata/RHSA-2010-0108.html

Comment 14 Dan Williams 2018-09-07 16:16:43 UTC

Long since fixed; we can close this.

Note You need to log in before you can comment on or make changes to this bug.