Bug 1841041 (CVE-2020-10754) - CVE-2020-10754 NetworkManager: user configuration not honoured leaving the connection unauthenticated via insecure defaults
Summary: CVE-2020-10754 NetworkManager: user configuration not honoured leaving the co...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10754
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1841395 1841398 1841397 1843360
Blocks: 1840621
TreeView+ depends on / blocked
 
Reported: 2020-05-28 08:28 UTC by msiddiqu
Modified: 2020-09-29 20:30 UTC (History)
18 users (show)

Fixed In Version: NetworkManager 1.24.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nmcli, where the command-line interface to the NetworkManager did not accept the 802-1x.ca-path and 802-1x.phase2-ca-path settings when creating a new profile. When a user connects to a network using this profile, the authentication does not happen and an insecure connection occurs.
Clone Of:
Environment:
Last Closed: 2020-07-21 13:27:57 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3011 None None None 2020-07-21 11:06:01 UTC
Red Hat Product Errata RHSA-2020:4003 None None None 2020-09-29 20:30:25 UTC

Description msiddiqu 2020-05-28 08:28:13 UTC
The ifcfg-rh settings plugin does not handle the 802-1x.ca-path and 802-1x.phase2-ca-path settings. When a user uses nmcli to configure a profile, it seemingly succeeds, while the modification gets silently lost leaving the connection unauthenticated.

Upstream issue:

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/448

Upstream merge request:

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/518

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1840210

Comment 4 Huzaifa S. Sidhpurwala 2020-05-29 04:41:57 UTC
Created NetworkManager tracking bugs for this issue:

Affects: fedora-all [bug 1841395]

Comment 8 Fedora Update System 2020-06-01 01:24:48 UTC
FEDORA-2020-3857463d30 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2020-06-14 17:10:34 UTC
NetworkManager-1.20.12-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 errata-xmlrpc 2020-07-21 11:05:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3011 https://access.redhat.com/errata/RHSA-2020:3011

Comment 11 Product Security DevOps Team 2020-07-21 13:27:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10754

Comment 12 errata-xmlrpc 2020-09-29 20:30:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4003 https://access.redhat.com/errata/RHSA-2020:4003


Note You need to log in before you can comment on or make changes to this bug.