824660 – (CVE-2012-2389) CVE-2012-2389 hostapd: insecure default permissions on /etc/hostapd/hostapd.conf

Bug 824660 (CVE-2012-2389) - CVE-2012-2389 hostapd: insecure default permissions on /etc/hostapd/hostapd.conf

Summary: CVE-2012-2389 hostapd: insecure default permissions on /etc/hostapd/hostapd.conf

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2012-2389
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	824661 826109
Blocks:
TreeView+	depends on / blocked

Reported:	2012-05-23 22:32 UTC by Vincent Danen
Modified:	2019-09-29 12:53 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-06-19 21:11:27 UTC
Embargoed:

Attachments	(Terms of Use)

Description Vincent Danen 2012-05-23 22:32:47 UTC

It was reported [1] that the default permissions of /etc/hostapd/hostapd.conf were insecure (0644) considering they could contain credentials (PSKs, shared radius secrets, etc.) that would then be world readable.

This is a low-impact flaw that be mitigated by changing the permissions to the file (upstream has done this now).

This was assigned CVE-2012-2389 [2] (although no credentials are written by any tools or by default to this file, so an administrator should logically tighten up the permissions if saving sensitive information to the file).

[1] https://bugzilla.novell.com/show_bug.cgi?id=740964
[2] http://www.openwall.com/lists/oss-security/2012/05/23/13

Comment 1 Vincent Danen 2012-05-23 22:33:42 UTC

Created hostapd tracking bugs for this issue

Affects: fedora-all [bug 824661]

Comment 2 Vincent Danen 2012-06-19 21:11:27 UTC

This is corrected via hostapd-0.7.3-9.fc17 and hostapd-0.7.3-9.fc16.

Note You need to log in before you can comment on or make changes to this bug.