Bug 708876 (CVE-2011-1943) - CVE-2011-1943 NetworkManager: Password to unlock the certificate is being logged
Summary: CVE-2011-1943 NetworkManager: Password to unlock the certificate is being logged
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-1943
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 708583 709733
Depends On: 709798 709799
Blocks:
Reported: 2011-05-30 00:28 UTC by Robert Marcano
Modified: 2021-02-24 15:23 UTC

Fixed In Version: NetworkManager-0.8.9997-1.git20110531.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-06-02 07:54:52 UTC
Embargoed:



Description Robert Marcano 2011-05-30 00:28:01 UTC
Description of problem:

Password to unlock certificate is logged to /var/log/messages

May 29 19:46:42 localhost NetworkManager[4791]: destroy_one_secret: destroying ********

Version-Release number of selected component (if applicable):

NetworkManager-openvpn-0.8.999-1.fc15.x86_64


Additional info:

I would love to have the option to type the password at connection time instead of it being stored, but adding the password to the system log is wrong

Comment 1 Bin Li 2011-06-01 10:43:51 UTC
Robert,

 I can't find any related source code which could print 'destroy_one_secret: destroying'

Comment 2 Jan Lieskovsky 2011-06-01 16:39:45 UTC
The CVE identifier of CVE-2011-1943 has been assigned to this issue:
[1] http://www.openwall.com/lists/oss-security/2011/05/31/7

Comment 3 Jan Lieskovsky 2011-06-01 16:43:52 UTC
Created NetworkManager-openvpn tracking bugs for this issue

Affects: fedora-all [bug 709798]
Affects: epel-all [bug 709799]

Comment 4 Robert Marcano 2011-06-01 16:56:26 UTC
(In reply to comment #1)
> Robert,
> 
>  I can't find any related source code which could print 'destroy_one_secret:
> destroying'

Run nm-connection-editor from a console and try to change a password; a message like the one in the log file is shown every time you add something to the password:

** Message: destroy_one_secret: destroying asasdasdasdasd
** Message: destroy_one_secret: destroying asasdasdasdasda
** Message: destroy_one_secret: destroying asasdasdasdasdas

Probably both messages are related

Comment 5 Jan Lieskovsky 2011-06-01 17:10:44 UTC
*** Bug 709733 has been marked as a duplicate of this bug. ***

Comment 6 Huzaifa S. Sidhpurwala 2011-06-02 07:52:40 UTC
This is not a NetworkManager-openvpn issue; the flaw lies in the libnm-util library, which is shipped with the NetworkManager package.

The flaw was introduced in the following commit (on 21st May 2011):
http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=ef71c5cca1f43b09fe90e52950a176bb4cee2ab2

and removed in the following commit (on 27th May 2011):
http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=78ce088843d59d4494965bfc40b30a2e63d065f6

This issue does not affect the version of NetworkManager shipped in Fedora 13 or Fedora 14.

This issue has been addressed in the following update for Fedora 15:
https://admin.fedoraproject.org/updates/NetworkManager-0.8.9997-1.git20110531.fc15
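To illustrate the bug class behind comments 4 and 6 (a secret-destruction routine whose debug message interpolates the secret value, so the password reaches the console and syslog), here is an added example that is not NetworkManager's or libnm-util's code: the function names, signatures and buffer layout are hypothetical reconstructions, and the sample password is a constructed value taken from comment 4. The leaky form is shown beside a hardened one that logs only the key name and wipes the buffer with stores the compiler cannot elide.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the flawed pattern (not NetworkManager's
 * code): the debug message interpolates the secret value itself, so it ends
 * up on the console and, through syslog, in /var/log/messages. */
int destroy_one_secret_leaky(char *secret, char *line, size_t linesz)
{
    int n = snprintf(line, linesz, "destroy_one_secret: destroying %s", secret);
    memset(secret, 0, strlen(secret)); /* dead store: a compiler may drop it */
    return n;
}

/* Wipe through a volatile pointer so the compiler cannot elide the stores. */
static void secure_wipe(char *buf, size_t len)
{
    volatile char *p = (volatile char *)buf;
    while (len--)
        *p++ = 0;
}

/* Hardened form: log only the non-sensitive key name, never the value, and
 * wipe the whole buffer rather than only up to the first NUL. */
int destroy_one_secret_hardened(const char *key, char *secret, size_t secret_len,
                                char *line, size_t linesz)
{
    int n = snprintf(line, linesz, "destroy_one_secret: destroying secret '%s'", key);
    secure_wipe(secret, secret_len);
    return n;
}

/* One scenario with a constructed sample password (the value from comment 4).
 * Returns 1 if the resulting log line contains the secret, 0 otherwise. */
static int scenario_leaks(int hardened)
{
    char secret[] = "asasdasdasdasd", line[128];
    if (hardened)
        destroy_one_secret_hardened("password", secret, sizeof secret, line, sizeof line);
    else
        destroy_one_secret_leaky(secret, line, sizeof line);
    return strstr(line, "asasdasdasdasd") != NULL;
}

int leaky_scenario_leaks(void)    { return scenario_leaks(0); }
int hardened_scenario_leaks(void) { return scenario_leaks(1); }

int main(void)
{
    printf("leaky: %d  hardened: %d\n", leaky_scenario_leaks(), hardened_scenario_leaks());
    return 0;
}
```

The same check can be pointed at real logs: grepping /var/log/messages for "destroy_one_secret: destroying" is the quickest way to confirm whether an affected build has already written secrets to disk.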

Comment 7 Huzaifa S. Sidhpurwala 2011-06-02 07:53:29 UTC
Statement:

Not vulnerable. This issue did not affect the versions of NetworkManager as shipped with Red Hat Enterprise Linux 4, 5, or 6.

Comment 8 Bin Li 2011-06-02 08:08:33 UTC
Huzaifa,

 Cool!! Thanks!

Comment 9 Jan Lieskovsky 2011-06-03 11:40:23 UTC
*** Bug 708583 has been marked as a duplicate of this bug. ***
